I have seen that there’s often a flaw in logic with organizations when it comes to cybersecurity. The market has been flooded with products and services that “AUTOMAGICALLY” take care of security and stop attackers.
That’s right, “automagically.”
I really used to think this was a cool concept, a nearly ingenious and automatic solution to any security problem facing an organization. However, it has quickly fallen into the same category as the “cybersecurity silver bullet” in my mind… there’s not one. I think there are a lot of great products out there that can take some burden off an IT shop. However, it has become clear to me that nothing can replace human intuition when it comes to understanding an organizations infrastructure, users, and culture.
Investing in People is Investing in Cybersecurity
Organizations must invest in strong, competent IT leadership. Leadership who is committed to owning, maintaining, and securing the organization’s environment. Here’s the kicker…The leaders and staff that you have on your team MUST welcome and encourage the challenge of having their hard work put to the test. Organizations MUST be willing to invest in testing. If penetration testing is a taboo topic around your IT shop, or anywhere in your organization for that matter, there’s an issue.
Penetration Testing is Critical to Success
I recently spent time with a client that wanted to plan out cyber initiatives for the coming year. The conversation was refreshing and shocking all at the same time. To sum it up, this Information Security Manager basically said he wanted us to take a hammer and pound on his network as hard as we could. This is something our team does anyway during penetration testing, however, you don’t often hear that said by the client. This request derived from previous testing with said client. In these previous penetration tests, we uncovered multiple instances of very expensive “automagic” cybersecurity solutions and services that failed to detect our team’s activity during penetration testing… and trust me, testing can be very noisy at times. So, it begged the question in the client’s mind…
“If we’re not seeing obvious, abnormal activity during penetration testing exercises, how will we know if there’s a lone attacker camped out inside the network?”
Chances are, with the systems currently in place, they won’t. It’s because these systems and solutions are marketed and sold as being easy-to-manage, maintain, and will “automagically” protect the network. There’s that word again…
It doesn’t work like this!
There’s a technical debt with every system installed on a network. The debt is time needed to monitor and manage that system. The more systems, the more DEBT!
Takeaways for a Stronger Cybersecurity Strategy
Here’s where we’re at: There’s no “automagic” solution that will cancel out the technical debt associated with strong cybersecurity. An effective, offense-oriented approach requires time, knowledge, and money… all used in the right way. Here’s a few takeaways:
- You can’t manage what you don’t measure! There’s very basic information about your organization’s network environment that your people should know related to behavior of users and infrastructure - average failed logins, average bandwidth utilization between sites and systems, etc. Attain benchmarks so that malicious behavior stands out over time and does not go unnoticed. Enable your team with the appropriate time and resources needed to become proficient in this area. In-house or hosted SEIM or SOC will likely come into play here.
- Know what is being deployed in your infrastructure. If you can’t tell when a new device is added anywhere on your network, there’s an issue. Organizations are compromised everyday via third-party systems or shadow IT that they didn’t know was on the network. There are several ways to accomplish this and can often be implemented internally using network information already available to your team.
- That brings me to, Trust but verify. It’s alarming the number of organizations we see that are being left vulnerable by third-party vendors and solutions. Solutions are often installed with the IT departments knowledge, but grossly misconfigured. Anytime a new device is deployed, security configuration should be reviewed to ensure accounts, passwords, and appropriate access restrictions are properly configured. The engineer implementing the system should not be the same engineer that verifies its security. Strong security welcomes a second set eyes to proof read and verify its resiliency.
- Invest in a relationship with cybersecurity experts on the front-end. Unless you have dedicated (meaning it’s their only job) cyber experts on staff who periodically test all technologies implemented, you need help from a third-party source.
- Be wary of products and solutions that are marketed to completely protect your organization. I’m not talking about the traditional requirements of firewalls, intrusion detection/prevention, but rather the “automagic” and “silver bullet” cybersecurity solutions of the world. There’s no easy button… there’s just not. Cybersecurity is complicated. It takes hard work and dedication to be successful.
I love working with organizations who want-to-know, helping them learn what it looks like when our team is inside their network behaving as a real attacker would. The light bulbs start going off and it’s exciting. Every organization can have that moment… Don’t let your security be compromised because there was a failure to give your people the time and resources needed to have a winning security strategy.