The reality of today’s security landscape is that IT teams cannot keep pace with attackers in a real-time race against attempts at compromise. It starts prior to an incident actually being announced, and then there is still the need to identify, contain, eradicate, and recover from the incident. IT Security Staff scramble to patch and enable software updates to remediate the problem; attackers rush to exploit the weakness before it is fixed. To compound this ever-evolving challenge of defending against external threats; now you must contend with the insider. An insider threat will have access to internal policies and practices to enable them to circumvent the response plans.
So how does one stay ahead? A consortium of organizations released the 20 Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG) in response to data losses experienced by organizations in the U.S. defense industrial base. These controls were to be the “best practices” of the future.
So what are “Security Controls,” and why do they matter?
Every day we hear we need this point solution to protect, control and respond to what we are told is potential breach of our networks. Only to learn that if the basic controls were implemented the fall out would have been limited. But, what is a “control”, are they really as basic as they seem? We are all guilty of falling back to this most generic means of “control.” Let’s first understand the term “control.” This term is used in so many different ways that its meaning can become blurred. For example, as a CISO we not only have administrative “controls,” but we have technical “controls.” Every week we are dealing with sophisticated new cyber-attacks. Compounded with zero employment in cyber security, putting in the right “control(s)” can be like climbing the Rockies or better yet Lewis & Clark mapping out the great west. These terms really do not come across as everyday expressions that link to everyday business. These terms in themselves really do not outline how they are applied, how I can adopt them, what they do for me, and why I should I care? To keep this simple, I am providing a snap shot called the CISO Mind Map. It will not only confuse you but begs the question “how do I stay ahead?” Who is able to guide me through the process?
So what are basic cyber controls?
There is no shortage of readily available information you can follow to address how to protect your network. There are those that will tell you what controls you need, anywhere from 3 to 20 different types. Before we jump into the controls, let’s take an example of a doctor and how they leverage controls to help their patients. As your doctor will tell you, prevention & detection is better than a cure – meaning playing defense is a better strategy. The same applies to your cyber security controls. Recently, we reviewed the 20 Security Controls from CAG and asked ourselves how do we help customer’s balance risk in their business while keeping it simple. Before you balance, you first need to simplify the term “control”. The best thing to do is to equate the word with a “task” or an “action.” The task can be preventing something from happening; alerting, logging the event, responding to it, or any variety of other possibilities. Now that we have the definition, what are the best controls? Is an ounce of prevention enough to prevent you from being breached?
Cyber security controls don’t need to be complex or cutting edge to be effective. In the next few bullets, I am going to give you small sample of the Top 7 Cyber Controls we (NETSource) recommend starting with:
- First is the human element; improve the awareness of your staff. This starts with access to the Internet. In 60 seconds, 8m searches, 3.3m posts and 29m messages sent in a mere 60 seconds is truly amazing! In this first control, it is nothing more than educating your team on the probability of being social engineered.
- Second, is patch management or what we call “Management Optimization Services” (MOS). By failing to patch and maintain your security posture, you open your organization up to being an easy target for breaches.
- Third, is visibility, too often we assume no one wants what we have? But how do you know? Did you think that they might already have it? Today, all the reports say the average zero day is discovered within an average of 273 days. That is almost ~9 months! Think about that a minute, 9 months, if a bad guy broke into your home and raided your refrigerator, watched your TV for 9 months, would you be upset? Would you feel violated? What would you do?
Navigating this minefield is where NETSource can guide you. We believe in a customer-first approach that strives to improve your organization’s security posture. Look, there is no silver bullet for cyber security protection no matter what a vendor tells you. The fundamental shift starts with aligning our recommendations with your current environment for a higher return on your security investment while ensuring you have the right defenses in place. We call this “Secure by Design”. Our unique approach enables us to offload complexity and truly optimize technologies to make your day-to-day activities simpler, secure, and efficient.
About the Author: John Ayers is Chief Innovation Security Officer at NETSource. He is responsible for thought leadership, product development, technical vision, and market strategy. He currently serves on Product Advisory Councils for Cisco, McAfee and Symantec.