Before buying expensive cybersecurity tools, consider honing your IT operations.
Another budget cycle, another upgrade. It’s time for a new firewall/SIEM tool/UTM appliance. Why? Because the new one has the latest next-generation fluid threat analysis technology/features a patented endpoint threatness system/comes in green.
There are good reasons for an IT department to buy some of these new features, sometimes. But before running off to blow your cybersecurity budget on flashy new gizmos (many of which they might not know how to use properly anyway), isn’t it worth looking at lower-hanging fruit?
Many IT departments are leaving themselves open to attack by not implementing the basic IT management processes that should underpin any technology operation.
Take patch management, for example. The Australian Signals Directorate estimates that 85% of the targeted attacks it sees could be prevented by following four basic strategies: application whitelisting, restricting administrative privileges, patching applications, and patching operating systems. The last two in particular are interesting, because they should be basic operational procedures in any competent IT shop.
Patching is a key example of process-driven security, said Ben Sapiro, senior director of security, privacy and compliance at Vision Critical. “Do it religiously, do it fast, do it for everything. Sure, there are zero-days out there that you don’t have a patch for but you’re usually being targeted with exploits for known and older vulnerabilities,” he said.
Writer and cybersecurity practitioner Todd Dow, who will be speaking at SecTor this year, believes that organizations should rely on existing guidance when crafting IT processes that will also be beneficial to security.
“Ideally, you want to base the controls on your specific environment, business needs and staffing setup,” he said. “ITIL, COBIT and other similar frameworks are quite thorough in defining and structuring enterprise governance around technology.”
One of the first things to do is define the baseline expectations for your technology, such as compliance with privacy laws, and targets for application uptime and performance. Putting processes in place to meet these expectations can often create associated security benefits. Uptime and performance monitoring are good examples, he suggests.
“You’re looking for trends over time. Deviations from the trends are good signals that something has changed. Those signals can be triggers for investigating further,” Dow said.
There are other processes that can be tightened up without spending thousands on new kit. Raul Alvarez, senior security researcher and AV team lead at Fortinet, will also be presenting at SecTor in October. He puts user management near the top of the list.
“Single sign-on and federation services can ensure that user privileges are provisioned (and deprovisioned) correctly and automatically,” he said. “If an employee is terminated, for example, you want to make sure that all of their access to various cloud services and on-premises data is revoked immediately.”
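An added example of the reconciliation check that such a deprovisioning process depends on (not code from the article or from either speaker's organization): it compares an HR roster against per-service account exports and surfaces access that should already have been revoked, with the number of days it has been left open. The roster, the service names and the account exports are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster: employment status as the source of truth for access.
HR_ROSTER = {
    "alice": {"status": "active", "terminated_on": None},
    "bob": {"status": "terminated", "terminated_on": date(2024, 5, 1)},
    "carol": {"status": "terminated", "terminated_on": date(2024, 5, 20)},
}

# Constructed per-service account exports: {service: {username: enabled?}}.
SERVICE_ACCOUNTS = {
    "crm-saas": {"alice": True, "bob": True, "dave": True},
    "file-server": {"alice": True, "bob": False, "carol": True},
}

AS_OF = date(2024, 6, 1)  # date the reconciliation is run (constructed)


@dataclass(frozen=True)
class Finding:
    service: str
    user: str
    reason: str
    days_open: Optional[int]  # None when there is no termination date to measure from


def reconcile(roster, accounts, today):
    """Return enabled accounts that HR says should not exist or should be revoked."""
    findings = []
    for service, users in accounts.items():
        for user, enabled in users.items():
            if not enabled:
                continue  # already deprovisioned in this service, nothing to flag
            record = roster.get(user)
            if record is None:
                # Account with no HR owner: orphaned, possibly a leftover or rogue account.
                findings.append(Finding(service, user, "no HR record (orphaned account)", None))
            elif record["status"] == "terminated":
                lag = (today - record["terminated_on"]).days
                findings.append(Finding(service, user, "terminated but still enabled", lag))
    return findings


def example_findings():
    return reconcile(HR_ROSTER, SERVICE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.service}: {f.user} - {f.reason} (days open: {f.days_open})")
```

In practice the roster and exports would come from the HR system and each service's user API; the check is the same, and a non-empty result is the trigger for an access review.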
Dow lists other process improvements that can have a significant effect on cybersecurity. These include centralizing documentation, building a redundant and scalable architecture to maintain availability should any issues occur, and of course, effective disaster recovery.
It’s easy to see how these measures can spill over into concepts like cloud computing, which can increase the level of redundancy and scalability if done right, while also making server management easier by virtualizing servers into files that are simpler to build from a standard image, back up, and patch.
Sapiro points to other processes that reach outside the organization, such as vendor assessment and better management of software procurement, which can tighten up your digital supply chain. This came up at SecTor’s Predictions panel last October.
How much will all of this cost? A lot of money will be tied up in skills and processes rather than tools, suggests Alvarez. “Some very powerful configuration management and automation tools like Chef and Puppet are open source, but implementation can take considerable time and resources,” he said.
Implementing better processes in areas like configuration and change management, standardization, and centralization can create big wins in multiple areas, ranging from security through to system performance and service responsiveness. These projects may also be paid for out of different line budgets than security. Perhaps achieving some security goals through these means may leave security funding to be spent on other things. And maybe then, that next-generation threaty-threat technology can wait for another quarter or three.