Ziad Sawtari, Regional Director for the Middle East, Skybox Security, says those seeking to ensure their cybersecurity should quit firefighting and eradicate security management gaps. Greater insight into where your biggest security management problems lie will create an opportunity to bring lasting change to your security programme, he says.
Keeping pace in the cyber-realm is hard. Sometimes it can feel like you’re stumbling through the dust kicked up by hot-heeled cybercriminals, trying to play catch-up without falling foul of any traps they’ve set along the way.
You’re forced into a pattern of reaction – firefighting – when you have all the tools at your disposal to be proactive, strategic, effective. If this sounds familiar, it’s likely that you have security management gaps that continue to allow attacks to occur and that are preventing you from keeping pace.
Organisations have made significant investments in a myriad of networking and security technology. They’ve brought in firewalls in order to keep criminals out of their infrastructure.
They have scanners to keep vulnerabilities on assets from being exploited. And they use security information and event management (SIEM) systems to rapidly find and fix security issues and mitigate damage.
To the uninitiated, it would appear that an organisation with all of these tools in place shouldn’t be too troubled by cyberattack concerns. But, of course, this simply isn’t the case.
Your security investments aren’t paying off
The goals behind security programme investments may never be achieved. It’s a cold fact, but it’s true. The full value of many solutions is never realised because the resources, context and processes aren’t there to manage them.
Firewalls aren’t impenetrable: you need to ensure that the security which was designed in policy is continuously adhered to within your actual, living network. This is a job which demands constant attention and vigilance – difficult to achieve when your resources are already stretched.
Scanners are a fundamental security tool but, in reality, it’s difficult for them to spot the critical-risk vulnerabilities hiding among the thousands (or millions) of occurrences within your network.
Scans are all too often outdated by the time they’re acted upon, they may miss off-limits network segments and devices, and major risks can end up being overlooked simply because of a generic severity score.
Additionally, SIEMs can give you a laundry list of security issues but can lack in terms of relevant context. This means that you’ll struggle to understand the significance of each indicator of compromise (IoC) and to ascertain exactly how far an attack might reach.
These examples of security management gaps, and others like them, are leaving your organisation prone to successful attacks. Often, gaps are the result of missing context – the solutions are there, the data is there, but it’s unclear how it all fits together in the big picture of your security status.
To close security gaps and take a holistic approach to securing your environment, three key ingredients are needed: data integration, contextual analysis and intelligence-driven processes.
Make centralising your data repositories a priority
To start closing the security management gap, you first need to create complete, centralised data repositories. These repositories will need to be updated frequently (usually daily in enterprise environments) and accessible on demand by multiple teams, processes and technologies.
In order for the centralised repository to be useful, you need to ensure that you automate the regular collection, normalising and merging of data from all cyber-relevant sources in your organisation:
- Network infrastructure: Public and private clouds, on-premise IT and operational technology (OT)
- Assets: Endpoint detection and response (EDR) systems, patch management systems, configuration management databases (CMDB) and homegrown databases
- Vulnerabilities and security weaknesses: Active vulnerability scanners, app and web app scanners, asset configuration weaknesses and custom vulnerabilities
- Threat intelligence: Public and private security feeds of analyst-verified research
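The collection, normalising and merging step above is where most centralised repositories fall down in practice: each source names the same host differently, so records never line up and coverage gaps go unnoticed. The following is an added example (not Skybox code or any product's export format) that joins constructed sample exports from a CMDB, an EDR console and a vulnerability scanner on a canonical IP address, keeps a lower-cased short hostname as a secondary label, and then reports the gaps that only a merged view can show: hosts seen on the network but absent from the CMDB, managed hosts with no EDR agent, and managed hosts the scanner never reached. The field names and finding identifiers are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample exports (not real data). Each source names the same
# hosts differently: the CMDB uses upper-case CI names, the EDR console
# uses FQDNs, the scanner reports by IP with an optional reverse-DNS name.
CMDB_EXPORT = [
    {"ci_name": "WEB-01", "ip_address": "10.0.1.10", "owner": "ecommerce", "env": "prod"},
    {"ci_name": "DB-01", "ip_address": "10.0.2.20", "owner": "ecommerce", "env": "prod"},
    {"ci_name": "HR-APP-02", "ip_address": "10.0.3.30", "owner": "hr", "env": "prod"},
]
EDR_EXPORT = [
    {"hostname": "web-01.corp.example", "last_ip": "10.0.1.10", "last_seen": "2024-05-02"},
    {"hostname": "db-01.corp.example", "last_ip": "10.0.2.20", "last_seen": "2024-05-02"},
    {"hostname": "jump-03.corp.example", "last_ip": "10.0.9.5", "last_seen": "2024-05-01"},
]
SCANNER_EXPORT = [
    {"host": "10.0.1.10", "fqdn": "WEB-01.corp.example", "findings": ["FINDING-A"]},
    {"host": "10.0.3.30", "fqdn": "hr-app-02.corp.example", "findings": []},
    {"host": "10.0.9.5", "fqdn": "", "findings": ["FINDING-B"]},
    {"host": "10.0.9.7", "fqdn": "", "findings": ["FINDING-C"]},  # known to no one else
]


@dataclass
class Asset:
    """One merged inventory record; `sources` records which feeds saw it."""
    ip: str
    hostname: str = ""
    sources: set = field(default_factory=set)
    owner: str = ""
    env: str = ""
    last_seen_edr: str = ""
    findings: list = field(default_factory=list)


def norm_ip(raw):
    """Canonical IPv4/IPv6 text form; this is the join key across sources."""
    return str(ipaddress.ip_address(raw.strip()))


def norm_host(raw):
    """Lower-case short hostname: 'WEB-01.corp.example' -> 'web-01'."""
    return raw.strip().lower().split(".")[0]


def build_inventory(cmdb, edr, scanner):
    """Merge the three exports into one dict keyed by canonical IP."""
    inv = {}

    def get(ip):
        return inv.setdefault(ip, Asset(ip=ip))

    for r in cmdb:
        a = get(norm_ip(r["ip_address"]))
        a.sources.add("cmdb")
        a.hostname = a.hostname or norm_host(r["ci_name"])
        a.owner, a.env = r["owner"], r["env"]
    for r in edr:
        a = get(norm_ip(r["last_ip"]))
        a.sources.add("edr")
        a.hostname = a.hostname or norm_host(r["hostname"])
        a.last_seen_edr = r["last_seen"]
    for r in scanner:
        a = get(norm_ip(r["host"]))
        a.sources.add("scanner")
        if r["fqdn"]:
            a.hostname = a.hostname or norm_host(r["fqdn"])
        a.findings.extend(r["findings"])
    return inv


def _by_ip(ips):
    return sorted(ips, key=ipaddress.ip_address)


def unmanaged_assets(inv):
    """Seen on the network (EDR or scanner) but absent from the CMDB."""
    return _by_ip(ip for ip, a in inv.items() if "cmdb" not in a.sources)


def without_edr(inv):
    """CMDB-managed assets with no EDR agent reporting."""
    return _by_ip(ip for ip, a in inv.items()
                  if "cmdb" in a.sources and "edr" not in a.sources)


def unscanned(inv):
    """CMDB-managed assets the scanner never produced a record for."""
    return _by_ip(ip for ip, a in inv.items()
                  if "cmdb" in a.sources and "scanner" not in a.sources)


if __name__ == "__main__":
    inventory = build_inventory(CMDB_EXPORT, EDR_EXPORT, SCANNER_EXPORT)
    for ip, asset in sorted(inventory.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(ip, asset.hostname or "?", sorted(asset.sources), asset.findings)
    print("not in CMDB:", unmanaged_assets(inventory))
    print("no EDR agent:", without_edr(inventory))
    print("never scanned:", unscanned(inventory))
```

Joining on the canonical IP rather than on the name is a deliberate choice: names drift between sources far more than addresses do, and a record with no name at all (the scanner's last two rows) still lands in the right place. In a real repository you would add a freshness field per source so that a stale CMDB row does not overwrite a recent EDR sighting.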
Gain context or perish
When you have centralised data repositories, you need to turn your data into intelligence that can be acted on.
Without the right intelligence, you can’t fully understand how your actions are improving or harming security posture.
Correlating and analysing disparate data sets is one way to yield context. But actually modeling the data can have incredibly useful applications and can lay bare where security gaps exist.
Data models can serve as an offline environment that can be used to troubleshoot issues, identify risk in your unique organisation, predict how changes could affect risk and more.
Turning data into visual representations and interactive models can be an even greater benefit as security personnel can ingest complex information more quickly.
Seeing an accurate representation of your environment as it actually is – rather than as your policies or SLAs say it should be – gives you far greater insight into where your biggest security management problems lie. This insight can help improve the value of your existing security investments:
- Firewalls: Modeling helps close the security gaps in firewall solutions by enabling you to compare your organisation’s policies against aggregate network access, device configurations, routing rules and more. It gives you grounded insight into the effectiveness of your policies.
- Vulnerability scanners: Modeling helps to refine scan results to identify remediation priorities. The model provides a way to match vulnerabilities to assets, to where those assets sit in the network topology and to the surrounding security controls that determine their exposure to potential attacks.
- SIEMs: Leveraging a model can also shorten response times after an incident occurs, contextualising SIEM results to understand potential impacts, how attacks could spread and which alerts are simply false positives.
Use context to improve processes
It’s only when you understand the context of your entire environment that you can really start to improve your processes and bridge the security management gap. Systematically incorporating contextual intelligence in processes not only improves the efficiency of those processes, but their impact on security status as well.
To effectively manage firewalls, you need to ensure that they’re adhering to policy and maintaining security even as your environment changes. For example, when new access is requested, contextual intelligence from model-driven approaches can show if the requested rule change would expose a vulnerable asset – before the change is ever made. Having this knowledge not only ensures tighter security, but also reduces time wasted on rollbacks.
In terms of patch management, using complete context to prioritise vulnerabilities by risk ensures that the patches you roll out have the biggest impact on security. The model-driven approach also makes it easy to find mitigation options, such as configuration or rule changes, that would reduce the risk a vulnerability poses if it can’t be patched. This is especially useful in organisations with OT networks that prize uptime above all else, where patch windows are few and far between.
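The three model-driven uses described in this section and in the list above (grounding firewall policy against real access, ranking vulnerabilities by exposure rather than generic severity, and checking a requested rule change before it is made) all come down to one question: from which zone can an attacker reach this vulnerable service through the rules as they stand? The following is an added example, not Skybox code and not its model, with a deliberately small constructed model: a first-match firewall rule set, a handful of vulnerabilities with scanner severity and a threat-intelligence flag, and two zones with representative source addresses. It ranks remediation by contextual risk, reports which vulnerable assets a proposed rule would newly expose to the internet, and for unpatchable flaws lists the allow rules that grant reachability as candidates to tighten. All addresses, ports, scores and weights are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # 0 means any port
    action: str   # "allow" or "deny"; first matching rule wins, default deny


@dataclass(frozen=True)
class Vuln:
    asset_ip: str
    port: int           # service the weakness is exposed on
    cvss: float         # generic severity as reported by the scanner
    exploited: bool     # threat-intelligence flag: actively exploited
    patchable: bool     # False for e.g. OT hosts with no patch window


# Constructed model (made-up addresses, rules and scores).
RULES = [
    Rule("0.0.0.0/0", "10.0.1.10/32", 443, "allow"),     # internet -> web server
    Rule("10.0.1.0/24", "10.0.2.20/32", 5432, "allow"),  # web tier -> database
    Rule("10.0.100.0/24", "10.0.0.0/16", 0, "allow"),    # corporate LAN -> all servers
]
VULNS = [
    Vuln("10.0.1.10", 443, 7.5, exploited=True, patchable=True),    # web TLS stack
    Vuln("10.0.2.20", 5432, 9.8, exploited=False, patchable=False),  # legacy database
    Vuln("10.0.3.30", 8080, 9.1, exploited=False, patchable=True),   # HR application
]
# Representative source address per zone and a weight expressing how much
# reachability from that zone adds to the risk of a flaw (assumed values).
ZONES = {"internet": ("203.0.113.5", 3.0), "corp_lan": ("10.0.100.7", 1.5)}


def allowed(rules, src_ip, dst_ip, port):
    """First-match evaluation of the rule set; no match means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (0, port)):
            return r.action == "allow"
    return False


def exposure(rules, v):
    """Highest zone weight from which the vulnerable service is reachable (1.0 if none)."""
    reachable = [w for ip, w in ZONES.values() if allowed(rules, ip, v.asset_ip, v.port)]
    return max(reachable + [1.0])


def risk(rules, v):
    """Contextual risk: severity x exposure, doubled when exploitation is reported."""
    return round(v.cvss * exposure(rules, v) * (2.0 if v.exploited else 1.0), 2)


def prioritise(rules, vulns):
    """Remediation order by contextual risk rather than by raw CVSS."""
    return sorted(vulns, key=lambda v: risk(rules, v), reverse=True)


def newly_exposed(rules, vulns, proposed):
    """Vulnerable services reachable from the internet only after `proposed` is appended."""
    after = rules + [proposed]
    inet = ZONES["internet"][0]
    return [v.asset_ip for v in vulns
            if not allowed(rules, inet, v.asset_ip, v.port)
            and allowed(after, inet, v.asset_ip, v.port)]


def mitigations(rules, vulns):
    """For each unpatchable flaw, the allow rules that grant a zone reachability to it."""
    out = {}
    for v in vulns:
        if v.patchable:
            continue
        out[v.asset_ip] = [r for r in rules if r.action == "allow"
                           and any(allowed([r], ip, v.asset_ip, v.port)
                                   for ip, _ in ZONES.values())]
    return out


if __name__ == "__main__":
    for v in prioritise(RULES, VULNS):
        print(v.asset_ip, "cvss", v.cvss, "risk", risk(RULES, v))
    # A requested change: open the HR application to the internet on 8080.
    request = Rule("0.0.0.0/0", "10.0.3.30/32", 8080, "allow")
    print("would newly expose:", newly_exposed(RULES, VULNS, request))
    print("rules to tighten for unpatchable flaws:", mitigations(RULES, VULNS))
```

Note the inversion this produces: by raw CVSS the database (9.8) and HR application (9.1) come first, but the web server's 7.5 is internet-reachable and actively exploited, so it ranks highest once context is applied. The change check runs against the model alone, so the rollback the text mentions never has to happen.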
Nowhere is on-demand contextual intelligence more valuable than in incident response. Giving security operations easy access to intelligence on any asset, device or vulnerability in question greatly reduces the time spent on investigations; it can also quickly eliminate red herrings and identify your best response options.
Don’t let your investments go to waste
When you’re constantly in fire-fighting mode, it can be difficult to envision a different way of working. But a better way is out there. It’s possible that a lot of your current problems are not the fault of the resources you’ve already invested in, but of how they’re connected to each other and how they form the fabric of your security programme.
To close security management gaps, it’s not a question of throwing one investment away and replacing it with another. It’s understanding how to make your investments work together, enhance each other and achieve their full value.
The visibility, context and insight gained from fixing the fundamental issues that create security gaps give you a great opportunity to enact lasting change in your security programme and your business. You’ll not only improve your security posture today but will have built mature structures that can adapt as your organisation and the threat landscape change.
About the author
Ziad Sawtari is a cybersecurity evangelist and a frequent speaker at industry keynote events across the Middle East. He has 15 years of experience in the software industry, with the last 10 years spent in the cybersecurity space. He currently serves as the regional sales director for the Middle East region at Skybox Security, a global leader in cyber-risk management solutions. Prior to joining Skybox, Sawtari held various roles in cybersecurity organisations including Netscout, FireEye and Tenable.