Previously we discussed our plans in this security blog series for a simplified approach to cybersecurity. We discussed the importance of identifying and documenting your data assets—the data repositories that you have or the services that you provide that are critical to the success and growth of your business. We encouraged you to document the risks to your data assets. Then we asked you to consider the impact of compromise to your data assets. In the next post, we emphasized the importance of creating a written security policy to be included as one of your controls to mitigate risk to your data assets.
The next step to developing a cybersecurity strategy is to identify and evaluate the controls that you currently have implemented, and to uncover the remaining risks to your data assets. Within the scope of cybersecurity, controls can be defined as the mechanisms that you have in place to mitigate risk to your data assets.
What security products do you currently have in place? List them all out. Some examples of existing controls are as follows:
- Endpoint (Desktop, server) anti-malware
- Web filter
- Email filter
- Access control
Now try to evaluate the efficacy of your current controls. Consider whether they have been keeping up with the ever-changing threat landscape.
The efficacy of current controls can be evaluated as such, for example:
- Minimal: Having even a suboptimal control in a given technology is likely better than having no control at all, but is it sufficient to protect your data assets?
- Compliant: I get it. Compliancy exists! “Checking a box” to avoid potentially large violation fines will cater to the interest of your CFO. Again, though, how effective is it at protecting your data assets?
- Sufficient: This control is as good as the average equivalent of this control. Is average good enough, though?
- Excellent: Due diligence done. This control is as effective as it gets. Products of this control have consistently positive reviews from reputable evaluators. Benchmark tests yield top results.
Consider the above efficacy levels (or choose your own) for all of your current controls. Below are examples of criteria that you might use to evaluate your current controls:
- Is your firewall just a stateful firewall, or is it a Next-Generation Firewall?
  - Stateful firewalls only look at source IP address, destination IP address, and protocol/port. They have very limited application control. Stateful firewalls are not sufficient protection for today's complex attacks at the Internet edge. A Next-Generation Firewall (NGFW) has the ability to perform deep-packet inspection to identify applications no matter what protocol(s)/port(s) they use. Some NGFWs have the ability to inventory your applications and endpoint operating systems. This contextual security database can be used to enable the firewall to perform other threat-mitigation techniques (listed below).
- Does your firewall provide Application Visibility and Control (AVC)?
  - AVC provides the ability to identify and block applications at a very granular level.
- Does your firewall provide Next-Generation Intrusion Prevention?
  - Traditional intrusion detection (IDS) or intrusion prevention (IPS) basically looked for patterns in the data stream to try to identify intrusions. Next-Generation Intrusion Prevention (NGIPS) uses the contextual security database to look for vulnerabilities of applications and endpoint operating systems in your environment. This enables NGIPS to watch for and mitigate attacks that only pertain to your specific environment.
- Does your firewall provide anti-malware?
  - Stopping malware at the Internet edge, instead of at the endpoint, prevents malware from traversing your network. It also provides some defense in depth regarding malware mitigation. See below regarding continuous file analysis.
- Does your firewall provide URL evaluation?
  - Having the ability to evaluate URLs by category and risk helps your NGFW build a more complete picture of your network traffic. It can also help to mitigate URL connectivity to malicious websites.
- What is the false-positive and false-negative rate/experience?
- Does your endpoint anti-malware provide continuous file analysis?
  - Point-in-time malware prevention only uses signatures to check a file once. Known bad files are dropped, while unknown files are allowed to pass and are never evaluated again. Modern malware often employs sleep techniques and other evasion techniques to hide malicious intent long enough to pass point-in-time malware prevention. Continuous file analysis keeps track of all files that the endpoint has ever seen and can send an alert or quarantine a file that was previously allowed through, but is later discovered to be malicious.
- How effective is your web filter at mitigating web threats?
  - How effective is your web filter at blocking web sites based on URL category?
  - Does your web filter block based on the reputation of the destination web site?
  - Does your web filter block based on whether the destination website is malicious, or has recently been compromised?
  - Does your web filter provide anti-malware? Does it provide continuous file analysis? Web is one of the top two threat vectors! (Email is the other one.)
- How effective is your email filter at mitigating email threats? (Spam is not necessarily a threat.)
  - Does your email filter block email based on reputation?
  - Does your email filter block email based on whether the sender is malicious, or has recently been compromised?
  - Does your email filter provide anti-malware for embedded malware and email attachments? Does it provide continuous file analysis? Email is the #1 method of contracting ransomware!
- Does your access control system control who can connect to your network, wired, wireless, or via VPN?
- Does your access control system control what type of device can connect to your network, wired, wireless, or via VPN?
- Does your access control system control what destinations authenticated users are authorized to access?
- Does your access control system evaluate the posture of endpoints attempting to access your network (OS, patch level, AV, etc.)?
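To make the stateful-versus-NGFW distinction above concrete, here is an added example (not code from the original post or from any product it mentions) that evaluates the same three constructed connections with a port-only rule and with an application-aware rule. The packet samples, the rule tables and the tiny application classifier are all assumptions built for illustration; a real NGFW identifies far more applications and keys its rules on the inventory it has built.

```python
"""Added illustration: a stateful (5-tuple) verdict versus an application-aware verdict.

All packets, rule tables and the classifier below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes  # first bytes of the client's data stream


# Stateful rule table: (protocol, destination port) -> action. The payload is never consulted.
STATEFUL_RULES = {("tcp", 443): "allow", ("tcp", 80): "allow"}


def stateful_verdict(pkt: Packet) -> str:
    """Port-based decision only; anything not explicitly allowed is denied."""
    return STATEFUL_RULES.get((pkt.proto, pkt.dport), "deny")


def identify_app(payload: bytes) -> str:
    """Very small stand-in for deep-packet inspection: classify by what the bytes look like."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x16\x03"):  # TLS record header: handshake, protocol version 3.x
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE"):
        return "http"
    return "unknown"


# Application-aware policy: application -> action, regardless of the port in use.
# Unidentified traffic is denied here; that is a policy choice for this example.
APP_RULES = {"tls": "allow", "http": "allow", "ssh": "deny"}


def app_aware_verdict(pkt: Packet) -> str:
    """The port rule still applies first; the application then gets its own decision."""
    if stateful_verdict(pkt) == "deny":
        return "deny"
    return APP_RULES.get(identify_app(pkt.payload), "deny")


# Constructed sample traffic (documentation addresses, no real hosts).
SAMPLES = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 443, b"\x16\x03\x01\x00\xc5\x01\x00"),  # genuine TLS on 443
    Packet("10.0.0.5", "203.0.113.20", "tcp", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),      # SSH carried on 443
    Packet("10.0.0.5", "203.0.113.30", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),       # SSH on its usual port
]


def compare(packets):
    """Return (destination, port, identified app, stateful verdict, app-aware verdict) per packet."""
    return [
        (p.dst, p.dport, identify_app(p.payload), stateful_verdict(p), app_aware_verdict(p))
        for p in packets
    ]


if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The second sample is the one that matters for the evaluation criterion: a port-only rule allows it because it is "tcp/443", while the application-aware rule identifies the stream as SSH and applies the SSH policy instead. When judging a firewall, ask which of these two verdicts it is actually capable of producing.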
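The continuous-file-analysis criterion above is easiest to judge once you see what a point-in-time scanner cannot do. The following added example (not code from the original post or from any vendor) simulates both models: each scans the same constructed files, and then a previously unknown file is reclassified as malicious. Only the model that remembered where every hash was seen can raise retrospective alerts. File contents, endpoint names and the "sandbox reclassifies it later" event are all constructed assumptions.

```python
"""Added illustration: point-in-time versus continuous (retrospective) file analysis.

Sample files, hashes and endpoint names are constructed; none are real indicators.
"""
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class PointInTime:
    """Checks a file once against the signature set known at that moment. Keeps no history."""

    def __init__(self, known_bad):
        self.known_bad = set(known_bad)

    def scan(self, endpoint: str, data: bytes) -> str:
        return "block" if sha256(data) in self.known_bad else "allow"


class ContinuousAnalysis(PointInTime):
    """Same first-pass check, but records which endpoints saw each hash so that a later
    verdict change can be applied retrospectively (alert or quarantine)."""

    def __init__(self, known_bad):
        super().__init__(known_bad)
        self.seen = defaultdict(set)  # sha256 -> {endpoint, ...}
        self.alerts = []

    def scan(self, endpoint: str, data: bytes) -> str:
        digest = sha256(data)
        self.seen[digest].add(endpoint)  # remembered even when allowed
        return "block" if digest in self.known_bad else "allow"

    def update_verdict(self, digest: str) -> list:
        """Called when a hash is reclassified as malicious (e.g. after sandbox detonation).
        Returns one retrospective alert per endpoint that previously received the file."""
        self.known_bad.add(digest)
        new_alerts = [
            {"endpoint": ep, "sha256": digest, "action": "quarantine"}
            for ep in sorted(self.seen.get(digest, ()))
        ]
        self.alerts.extend(new_alerts)
        return new_alerts


# Constructed sample files.
INVOICE = b"constructed sample file A (benign)"
DROPPER = b"constructed sample file B (unknown at first sight)"
KNOWN_BAD = b"constructed sample file C (already signatured)"


def simulate():
    """Run both models over the same events, then reclassify DROPPER as malicious."""
    initial_signatures = {sha256(KNOWN_BAD)}
    pit = PointInTime(initial_signatures)
    cont = ContinuousAnalysis(initial_signatures)

    events = [
        ("laptop-01", INVOICE),
        ("laptop-01", DROPPER),
        ("laptop-07", DROPPER),
        ("server-02", KNOWN_BAD),
    ]
    first_pass = {
        "point_in_time": [pit.scan(ep, data) for ep, data in events],
        "continuous": [cont.scan(ep, data) for ep, data in events],
    }

    # Later: the unknown file is determined to be malicious. The point-in-time model has
    # nothing to revisit; the continuous model knows exactly which endpoints to act on.
    retro = cont.update_verdict(sha256(DROPPER))
    return first_pass, retro


if __name__ == "__main__":
    first, retro = simulate()
    print(first)
    print(retro)
```

Both models produce identical first-pass results, which is why a product demo on day one does not reveal the difference. The evaluation question is what happens on day thirty, when the verdict changes.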
For every security product that you have and maintain, consider the cost of ownership against the service that it provides. Justify its existence. Is it worth keeping? Should it be replaced with a more effective or scalable solution? Consider what risks to your data assets remain, despite the controls you have in place. As your data assets change, your controls may need to change to protect them.
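One way to answer "what risks remain" systematically is to put the efficacy levels from earlier in this post next to each data asset's requirements and list every place where the best available control falls short. The example below is added here and is not from the original post; the inventory of controls, the threat vectors, the per-asset minimum levels and the extra "none" level (for vectors with no control at all) are all constructed assumptions, and the level ordering is the one this post defines.

```python
"""Added illustration: residual-risk (coverage gap) report from the post's efficacy scale.

Controls, assets and required levels below are constructed for this example.
"""

# Efficacy scale from the post, plus "none" for a vector that has no control at all.
LEVELS = ["none", "minimal", "compliant", "sufficient", "excellent"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed control inventory: control -> (threat vector it mitigates, evaluated efficacy).
CONTROLS = {
    "edge-firewall": ("network", "minimal"),
    "web-filter": ("web", "sufficient"),
    "email-filter": ("email", "compliant"),
    "endpoint-av": ("endpoint", "sufficient"),
}

# Constructed data assets: asset -> {threat vector: minimum acceptable efficacy}.
ASSETS = {
    "customer-db": {"network": "excellent", "endpoint": "sufficient", "email": "sufficient"},
    "public-website": {"network": "sufficient", "web": "sufficient"},
}


def best_level(vector: str, controls=CONTROLS) -> str:
    """Strongest efficacy level among the controls covering this vector ("none" if there is none)."""
    levels = [level for vec, level in controls.values() if vec == vector]
    return max(levels, key=RANK.get) if levels else "none"


def residual_risks(assets=ASSETS, controls=CONTROLS):
    """Return (asset, vector, level you have, level you need) for every uncovered requirement."""
    gaps = []
    for asset, requirements in assets.items():
        for vector, required in requirements.items():
            have = best_level(vector, controls)
            if RANK[have] < RANK[required]:
                gaps.append((asset, vector, have, required))
    return gaps


if __name__ == "__main__":
    for asset, vector, have, need in residual_risks():
        print(f"{asset}: {vector} control is '{have}', asset requires '{need}'")
```

Re-running this report after every change to the asset list or the control inventory is a cheap way to make the periodic re-evaluation discussed next more than a calendar reminder.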
Controls should be re-evaluated periodically (at least annually) to make sure that your controls are valid and effective at protecting your data assets. In future blog posts, we will discuss modern security technologies available to mitigate the risks to your data assets. Then we will wrap up the series by identifying the solutions that fit these security technologies, and discuss how security solutions should work together as a security system.