David Jarvis from UXC Saltbush explains why no tool can guarantee your information assets are safe – but your security strategy is the right place to start.
My colleagues and I are often asked by senior executives how they can make sure their organisation’s data is secure from loss. Security professionals know better than to ask, but they sometimes place false trust in tools that promise greater visibility or better defences. They also often ask us how they can make better sense of all the security data and event logs they’re drowning in.
There is no guarantee, tool or level of resourcing that can possibly protect 100% of your intellectual property 100% of the time. In the digital world, it is simply no longer feasible. But accepting three realities will help you form the best strategy.
Reality #1: Your enterprise is connected
Enterprise security professionals have spent most of the past few decades building fortresses against intruders. But as my colleague Clem Coleman pointed out in his recent article Man the barricades... What barricades?, the assets and users you need to protect can no longer be confined in the ‘castle’, and each system or device requires its own intrinsic, embedded security. It’s become more about stopping your assets or intellectual property getting out than warding off what or who comes in.
As more services and applications migrate to the cloud, there are new channels for leaks to occur. But we can’t plug every leak in advance unless we have visibility over where organisational data exists. Policies and decisions on its protection can’t be made unless we’ve answered the questions: Where is it? How’s it being protected? Is it encrypted when it’s at rest?
Data Loss Prevention (DLP) technologies go some way to helping, by enabling you to impose security policies and business rules over what data users can transfer out of your enterprise. The challenge has also increased the value of Cloud Security Access Brokers, a term originally coined by Gartner to describe security policy enforcement between cloud service users and providers.
They add visibility into where connections go, while interposing an enterprise’s security policies as cloud-based resources are accessed.
But before you can get any value from tools like these, your data and cloud security strategies must reflect the realities of being connected.
Reality #2: Your security WILL be breached
Hard though it is, you must accept that your organisation’s security will be breached. Even Cyber Security companies themselves are not spared (as evidenced by RSA and Kaspersky breaches). What’s really important is determining how (and how fast) you will respond. In this scenario, the focus must be on resilience. In my opinion, Kaspersky responded brilliantly – as opposed to Sony’s inaction when they were breached, which cost them dearly.
You need proactive strategies to deal immediately with a breach. This doesn’t mean recruiting a large number of security and forensic staff to deal with the inevitable breach. You wouldn’t have a plumber on staff just in case a tap leaked or cistern burst. But you should have a rehearsed incident response plan and external resources primed and ready to help you deal rapidly with a security incident.
Reality #3: You may not KNOW when your security is breached
One of our clients was sold a cyber-security ‘seeing tool’ to monitor their network and track suspicious activity. The vendor had made it sound wonderful, but unfortunately it was only running on part of their network and, anyway, no one was looking at the logs! This left our client with no strategy for protecting their information.
In my experience, it’s not the tool that fails but the way in which it’s deployed. For example, any security tools you deploy must be tuned; otherwise, you’ll be getting too many false positives. Eventually, even the most assiduous security teams will ignore cries of “Wolf!” Subscribing to a suitable risk management service will deliver early alerts to potential breaches of systems you own or operate – and centralise access to fixes issued by major vendors such as Cisco, IBM, HP and so on.
By being aware that you’re an imminent target, you can be more targeted in your use of resources to prevent a breach. It will also sharpen your risk assessments.
A way to increase the value of security monitoring, and other tools, is to correlate your event logs with Open Source Intelligence (OSINT). This is like listening to internet ‘chatter’ in the same way the military or anti-terrorism agencies do. OSINT can warn you when the bad guys are trying to hurt you or your industry – for example, circulating ideas or tips for targeting utilities or transport systems.
Again, benefiting from OSINT doesn’t mean becoming a military-strength cyber-security intelligence listening post; there are several global risk management services you can subscribe to which tap into OSINT and correlate intelligence to help you protect potentially vulnerable areas of your ICT systems and intellectual property.
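The two points above, tuning tools so they stop crying “Wolf!” and correlating event logs with OSINT, can be shown in a small correlation script. This is an added example, not code from the article or from UXC Saltbush; the log format, the OSINT feed, the allowlist and the confidence threshold are all constructed.

```python
import re
from collections import Counter

# Constructed sample event lines in a hypothetical syslog-like firewall format.
SAMPLE_LOGS = """\
2016-03-01T09:00:01 fw01 allow src=10.0.0.5 dst=203.0.113.10 dport=443
2016-03-01T09:00:04 fw01 allow src=10.0.0.5 dst=198.51.100.7 dport=443
2016-03-01T09:00:09 fw01 deny src=10.0.0.9 dst=203.0.113.10 dport=22
2016-03-01T09:01:12 fw01 allow src=10.0.0.7 dst=192.0.2.44 dport=80
2016-03-01T09:01:15 fw01 deny src=10.0.0.9 dst=203.0.113.10 dport=22
2016-03-01T09:01:40 fw01 allow src=10.0.0.5 dst=192.0.2.44 dport=80
"""

# Constructed OSINT feed: indicator -> (campaign tag, confidence 0-100).
OSINT_FEED = {"203.0.113.10": ("constructed-campaign-A", 90),
              "192.0.2.44": ("constructed-campaign-B", 40)}

# Tuning: destinations the business has verified as benign, and the minimum
# feed confidence worth an analyst's time. Without these, known-good traffic
# and weak indicators flood the queue with false positives.
ALLOWLIST = {"198.51.100.7"}
MIN_CONFIDENCE = 50

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>allow|deny) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_events(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def correlate(events, feed, allowlist=ALLOWLIST, min_conf=MIN_CONFIDENCE):
    """Match event destinations against the feed, drop allowlisted and
    low-confidence hits, and aggregate the rest by (src, dst) pair."""
    hits, campaign = Counter(), {}
    for ev in events:
        dst = ev["dst"]
        if dst in allowlist or dst not in feed:
            continue
        tag, conf = feed[dst]
        if conf < min_conf:
            continue
        hits[(ev["src"], dst)] += 1
        campaign[(ev["src"], dst)] = tag
    return [{"src": s, "dst": d, "campaign": campaign[(s, d)], "events": n}
            for (s, d), n in sorted(hits.items())]
```

Calling `correlate` with an empty allowlist and `min_conf=0` shows the untuned view: twice as many alerts, half of them on verified-benign or weak indicators.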
It all comes down to strategy
Information security realities have shifted over the years, and this will continue. Similarly, our enterprise perimeters continue to dissolve, new threats evolve and players emerge.
Getting the information security strategy right for your specific enterprise and its appropriate level of risk tolerance is essential. Any subsequent policies you create, tools you deploy, resources you put in place and testing you perform will all be informed by this strategy. Only then can you have any sense of confidence you’ve done the best you can in the areas most important to your business.
About the Author
David Jarvis is the Cyber Security National Practice Lead at UXC Saltbush. He is accredited to undertake ISO/IEC 27001 certification audits, and the first to accredit an Australian organisation to that standard. He also helped establish the Standards Australia certification arm for Information Security Management Systems (ISMS).