Another day, another data breach. The seeming inevitability of a successful attack can breed a sense of hopelessness among infosec pros.
But a white paper issued this week by the SANS Institute says they shouldn’t give up. “There are proven techniques in use today by large and small companies with limited staff and budgets that can fend off or avoid most attacks and dramatically reduce the damage of attacks that do succeed,” says the document.
“For example, organizations that emphasize proactive security efforts to reduce vulnerabilities in critical business assets are less likely to suffer major business damage than organizations that don’t have the skills and tools to prioritize and focus security efforts. Successful security programs rely on more than just faster incident response to take on the challenge of damage avoidance and reduction.”
There’s nothing new in the recommendations, but the paper is a reminder that taking well-known steps to avoid some vulnerabilities and mitigate many others will reduce the odds of an organization being victimized.
“The key is for security teams to understand business impact, be able to express risk in those terms and be able to demonstrate how improvements in security result in measurable reduction in business impact,” the paper says. “By developing situational awareness (timely and accurate knowledge of what we need to protect, what vulnerabilities exist, and what real threats are active against those targets), and combining it with tools and techniques for prioritizing prevention and mitigation actions, security teams can quickly take actions to avoid the most damaging incidents and to exponentially reduce the business damage of unavoidable incidents.”
One point the paper stresses is that defence-in-depth — adding lots of layers and tools — isn’t a solution on its own. What makes cybersecurity both effective and efficient is prioritizing staff time and the procurement of security products and services so that the areas of highest risk are addressed first and most frequently.
So, for example, an organization needs to set security policies; create a baseline (inventory hardware and software, discover its vulnerabilities); assess risks (and address them); mitigate risks (through patch and change management); eliminate the root causes of risks (through software analysis, network architecture, awareness training and privilege management); and monitor and report (through incident response and security analytics of logs).
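The combination the paper describes — knowing what you need to protect, what vulnerabilities exist and which threats are actually active, then using that to prioritize mitigation — lends itself to a small worked example. The following Python script is added here and is not from the SANS paper or from Balbix. The asset inventory, scanner findings, list of actively exploited vulnerabilities, hostnames, “EX-” identifiers and the weighting scheme are all constructed assumptions for illustration; a real program would feed it from the CMDB, the vulnerability scanner and a threat-intelligence source.

```python
"""Risk-based prioritisation of mitigation work.

Added example, not from the SANS paper or from Balbix. It joins three
constructed inputs that the paper's "situational awareness" calls for:
an asset inventory (the baseline), a set of vulnerability findings, and a
list of vulnerabilities currently being exploited. It then ranks findings
so the most damaging, most likely exploitation of the most critical assets
comes first. All hostnames, vulnerability IDs and scores are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    business_impact: int  # 1 (low) .. 5 (critical), set by the business owner
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    vuln_id: str
    cvss: float  # 0.0 .. 10.0 base score reported by the scanner
    patch_available: bool


# Constructed sample data (hypothetical hosts and IDs, not real CVEs).
ASSETS = [
    Asset("erp-db-01", business_impact=5, internet_facing=False),
    Asset("www-01", business_impact=3, internet_facing=True),
    Asset("kiosk-07", business_impact=1, internet_facing=False),
]
FINDINGS = [
    Finding("erp-db-01", "EX-0001", cvss=7.5, patch_available=True),
    Finding("www-01", "EX-0002", cvss=9.8, patch_available=True),
    Finding("www-01", "EX-0003", cvss=5.3, patch_available=False),
    Finding("kiosk-07", "EX-0002", cvss=9.8, patch_available=True),
    Finding("printer-22", "EX-0004", cvss=6.1, patch_available=True),  # not in inventory
]
ACTIVELY_EXPLOITED = {"EX-0002"}  # constructed threat-intel feed

UNKNOWN_ASSET_IMPACT = 5  # an asset we cannot classify is assumed critical


def unknown_assets(assets, findings):
    """Hosts the scanner saw but the inventory does not know about.

    Each one is an inventory gap: fixing that comes first, because risk
    cannot be prioritised for an asset nobody owns."""
    known = {a.hostname for a in assets}
    return {f.hostname for f in findings if f.hostname not in known}


def risk_score(asset, finding, actively_exploited):
    """Business impact weighted by technical severity, real-world threat and exposure.

    asset may be None for an uninventoried host; it is then scored as critical."""
    impact = asset.business_impact if asset else UNKNOWN_ASSET_IMPACT
    score = impact * finding.cvss / 10.0
    if finding.vuln_id in actively_exploited:
        score *= 2.0  # a real, active threat outranks a theoretical one
    if asset and asset.internet_facing:
        score *= 1.5  # reachable by anyone on the internet
    return round(score, 2)


def prioritize(assets, findings, actively_exploited):
    """Return findings ordered by descending risk with a recommended action."""
    by_host = {a.hostname: a for a in assets}
    ranked = []
    for f in findings:
        asset = by_host.get(f.hostname)
        if asset is None:
            action = "add to inventory, assign an owner, then reassess"
        elif f.patch_available:
            action = "patch"
        else:
            action = "compensating control (segment, restrict access, monitor)"
        ranked.append({
            "hostname": f.hostname,
            "vuln_id": f.vuln_id,
            "score": risk_score(asset, f, actively_exploited),
            "in_inventory": asset is not None,
            "action": action,
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize(ASSETS, FINDINGS, ACTIVELY_EXPLOITED):
        print(f"{r['score']:5.2f}  {r['hostname']:<11} {r['vuln_id']}  {r['action']}")
```

Run as a script, it lists the actively exploited flaw on the internet-facing web server first, ahead of a higher-CVSS but unexploited flaw on the same class of host, and puts the uninventoried printer above several known assets because an unknown asset is treated as critical until someone classifies it. The multipliers are arbitrary; the point is that the ranking is driven by business impact and active threat, not by raw CVSS alone.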
Use a framework
Documenting and connecting procedures is vital to creating repeatable and adaptable security processes, and using a cyber security framework (such as the NIST Cyber Security Framework, CIS Critical Security Controls, PCI Data Security Standards Prioritization Guidelines, or the Health Information Trust Alliance (HITRUST) Common Security Framework) is important. In fact SANS — like other experts — maintains that following the first six CIS Controls (such as creating and maintaining a hardware/software inventory and controlling administrative privileges) can defeat the vast majority of real-world attacks.
“The basic security processes and controls needed to identify, mitigate and shield vulnerabilities are well known,” says the paper. “There is no shortage of information on threats and attacks. To succeed within real-world constraints of budget and staffing, cybersecurity managers need to focus first on integrated processes that can keep up with both the speed of business and the rapid evolution of attacks and then implement ‘force multipliers’ to support accurate and timely prioritization of security resources.
“By focusing resources on protecting the most critical business assets against the most damaging potential threats, security programs can avoid many breaches and drastically reduce the business impact of any that do occur.”
The white paper, sponsored by security vendor Balbix, is available here. Registration with the SANS Institute is required.