Cybersecurity maturity is something best achieved through prioritized initiatives in the context of your company's threat landscape and risk tolerance.
While any formal security program requires oversight and investment, arriving at a quick snapshot of your maturity level needn't be a protracted effort. Here are some effective actions to consider that not only provide the basis for a maturity assessment but can also yield near-term, high-impact return against the chronic risk of a breach.
- Invest in/retain top security talent. Technology alone cannot manage the risk of breach. Organizations often deploy the latest security control/device but do not have it properly configured or monitored to make it effective. Apply the right level of human oversight and skill to optimize solutions you already have in place, either by hiring, outsourcing or a combination of both.
- Insist on a culture of security awareness. Awareness and training are critical. Set a tone at the top by insisting on employee accountability for adhering to security policies, processes and procedures, not just within IT but across the business and among functional leaders.
- Improve visibility across your environment. Based on the initial access points we have seen in countless breaches, the new security perimeter is clearly your end users. The questions you should ask are "Does my organization have visibility into threat activity on all employee-leveraged devices, even when they aren't in our traditional corporate environment? How can I instrument those remote access touch points to increase my visibility and drive rapid detection?" Embrace the cloud as an extension of your security domain. For many years to come, most organizations will live in a hybrid environment in which business discussions drive adoption of the cloud. How do you maintain the same level of confidence in your visibility into security controls across multiple domains?
- Develop an incident response plan that is well constructed, resourced, and rehearsed on a regular basis. Ensure your teams are ready and have qualified experts either in house or on retainer to manage the complexity of a breach response. Rapid detection and rapid response are non-negotiable priorities.
- Improve network design and data segmentation. Most organizations have not formally identified what assets are most critical to them, or accurately documented their network, but it's an essential first step. Only then can you segment critical data and systems to apply a layered defense with better network design to protect it.
- Implement two-factor authentication. Of SecureWorks' 700 incident response engagements for FY16, our number one recommendation was to implement two-factor authentication. We found that compromised usernames and passwords were often used to simply "log on" to client networks via remote access systems (e.g., Outlook Web Access, VPN, VDI), appearing to be normal activity. As a result, detection failed. Adding an additional layer of authentication (something you know, such as a password, plus something you have, such as a token) is a critical security control.
- Control the use of privileged accounts. Network administrator privileges should be the exception, not the norm. Limit the number of individuals who have privileged accounts to install software, and, if possible, "whitelist" what software is allowed on your network. Additionally, admin accounts should be audited as frequently as possible to ensure each one maps to an actual network administrator who still has a valid need for those privileges. Admin accounts in general should never be used for routine business.
- Deploy sandbox technologies. Phishing was the predominant attack vector in SecureWorks' incident response engagements in FY16. Using advanced sandboxing technologies to detonate email attachments and web links before employees view them is a critical part of an organization's "prevent" strategy. It's human nature to be curious and helpful, so in spite of the best awareness training, targeted phishing continues to be successful in many breached organizations.
- Conduct continuous vulnerability assessments and remediation. Network hygiene is the foundation of any security program. On a regular basis, conduct third-party assessments to identify vulnerabilities and ensure there is a plan for closing the gaps. You don't know what you don't know.
- Identify threats already in your environment. The average time before advanced threats are detected in corporate environments is more than 300 days! Before you implement new security solutions, consider cleaning house first. Targeted Threat Hunting can recognize threat behaviors even when malware isn't present, helping you identify and extricate threats before damage is done.