Organizations young enough to have begun with an understanding of how serious cyberthreats are most likely built security into their systems. For more-established companies, security must be added on after the fact. It’s the difference between agile security and retrofitted, patchwork security.
Adding security solutions is certainly less expensive than ripping and replacing the entire security framework—at least initially. But having several different appliances that must be managed as one-off point solutions makes the environment overly complex and adds costly overhead. This situation raises the total cost of ownership and leaves a business dependent on the vendor or vendors that sold the solution. Integrating appliances that weren’t part of the design from the start will almost certainly leave gaps that bad actors can exploit.
Security as an Afterthought
Business today moves quickly, and security has often been viewed as a hindrance rather than an enabler. So, thus far, the possibility of a security breach and the penalties that would follow have been less of a concern than the possibility of slowing down the business with a strict security protocol.
It’s a juggling act for IT-security teams: they must both make every part of the architecture as safe as possible (reducing risk to an acceptable level) and avoid slowing the speed and growth necessary for modern businesses. This situation has existed for the entire digital age after the Internet’s invention and quick adoption as a platform for outreach, sales and marketing. Security was a secondary concern, and the only thing that mattered was getting the business online.
The arrival of the cloud hasn’t changed this sentiment. Organizations continue to focus on business, but now they host their data on someone else’s servers and rely heavily on that someone else for security, sometimes to a fault. The provider secures the underlying platform; the customer is still responsible for how its own storage, identities and network are configured, and that is where the Department of Defense (DoD) AWS breach happened. Security was only as good as the people implementing it: the DoD and its AWS hosts had the proper controls available, but a contractor left an S3 bucket publicly accessible, so anyone who found it could download top-secret data along with a disk image for a Linux-based virtual machine, without needing to break anything.
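As an added example, not code from the article or from SSH Communications Security, the following Python script shows the two bucket-level settings that produce exactly that kind of exposure and how to check them offline. The ACL and policy documents are constructed for illustration (the bucket name, owner ID, account ID and role name are invented); their shape matches what boto3’s `get_bucket_acl` returns and the JSON string in `get_bucket_policy`’s `Policy` field, so the same functions can be pointed at real output.

```python
"""Offline check for the two bucket-level settings that make an S3 bucket
public: an ACL granting the global AllUsers/AuthenticatedUsers groups, and a
bucket policy that allows anonymous principals. Added example; every bucket,
owner, account and role name below is invented for illustration."""
import json

# Grantee URIs that mean "everyone on the Internet" (AllUsers) or
# "anyone with any AWS account" (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two anonymous forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def acl_public_grants(acl):
    """Return (group, permission) for each ACL grant to a global group.
    `acl` has the shape of a GetBucketAcl response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def policy_public_statements(policy):
    """Split the policy's anonymous Allow statements into (public, conditional).
    A statement with a Condition is reported for review rather than passed,
    because the condition may or may not actually restrict who can use it."""
    public, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        entry = (stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", [])))
        (conditional if stmt.get("Condition") else public).append(entry)
    return public, conditional


def bucket_is_public(acl, policy):
    """True if either the ACL or an unconditional policy statement opens the bucket."""
    return bool(acl_public_grants(acl)) or bool(policy_public_statements(policy)[0])


# Constructed sample of the mistake in the article: a bucket whose ACL grants
# READ to AllUsers and whose policy lets anyone call GetObject.
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
LEAKY_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-vm-images/*"
  }]
}""")

# Corrected form: owner-only ACL, and the only Allow is scoped to one role
# in the owning account (account ID and role name are invented).
FIXED_ACL = {"Owner": OWNER, "Grants": [LEAKY_ACL["Grants"][0]]}
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BuildRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/image-builder"},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-vm-images/*"
  }]
}""")

if __name__ == "__main__":
    for name, acl, policy in (("leaky", LEAKY_ACL, LEAKY_POLICY),
                              ("fixed", FIXED_ACL, FIXED_POLICY)):
        print(f"{name}: {'PUBLIC' if bucket_is_public(acl, policy) else 'private'}",
              acl_public_grants(acl), policy_public_statements(policy))
```

The checker treats an Allow with an anonymous principal and a Condition as something to review rather than as public, since a condition on a source VPC endpoint or source IP may legitimately restrict it. It is a point-in-time check of one bucket; the durable fix is to enable S3 Block Public Access at the account level so that neither setting can be made public in the first place.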
Whereas traditional security infrastructure was built around a strong perimeter, a cloud environment that isn’t designed properly is flat, enabling unchecked lateral movement once a single host or credential is compromised. The threat landscape is ever changing, and the focus has shifted from keeping the attacker out (which, of course, remains important) to “What do we do, and how will we know, if they’re already in?”
For a business to grow and stay secure, security professionals must be brought into the business conversation as early as possible. That lets them lay out a plan with the proper countermeasures in place from the start, so that as the company’s footprint grows on premises or in the cloud, its attack surface stays as small as possible.
Best practices for robust security today include minimizing privileges, monitoring and controlling interactive access, and treating all network traffic as untrustworthy. Organizations should adopt a “zero-trust model”: authenticate and authorize every request on its own merits rather than trusting it because of where on the network it came from, and actively inspect the traffic itself to validate that the activity really is the user’s.
Organizations can follow these basic steps:
- Limit the scope and rights of network access.
- Shrink the attack surface with patching and configuration control.
- Divide the networks into segments and reduce single points of failure.
- Build resilience so teams and products can recover quickly from incidents.
- Consider using endpoint detection and response (EDR), an emerging category of tools and solutions that focuses on detecting, investigating and mitigating suspicious activity on hosts and endpoints.
- Consider using network behavior anomaly detection (NBAD)—the real-time monitoring of a network for any unusual activity, trends or events.
- Monitor cloud, app and database behavior to identify anomalies that can indicate threats and compromise.
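The last two items, and the earlier question of how you would know an attacker is already inside, are easier to see in code. The Python below is an added example, not something from the article or from the author’s company: a minimal network-behavior anomaly detector that baselines how many distinct internal peers each host normally talks to per time window and flags a host whose fan-out suddenly jumps, which is what a lateral-movement sweep across a flat network looks like in flow data. The flow records, addresses, internal range and thresholds are all constructed for the example.

```python
"""Minimal network-behavior anomaly detection over flow records. Baseline: the
number of distinct internal peers each source host talks to per time window.
Alert: a window in which a host's fan-out far exceeds its own baseline, the
signature of a lateral-movement sweep. Added example with constructed data."""
from collections import defaultdict
import ipaddress
import statistics

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
WINDOW = 600                                     # seconds per window


def parse_flows(lines):
    """Parse 'ts src dst dport proto' lines into (ts, src, dst, dport, proto)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto))
    return flows


def peers_per_window(flows, window=WINDOW):
    """Map (window_start, src) -> set of distinct internal destinations."""
    buckets = defaultdict(set)
    for ts, src, dst, _, _ in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            buckets[(ts - ts % window, src)].add(dst)
    return buckets


def build_baseline(flows, window=WINDOW):
    """Per host: (mean, population stdev) of distinct-peer counts over the
    windows in which the host was active."""
    per_host = defaultdict(list)
    for (_, src), peers in peers_per_window(flows, window).items():
        per_host[src].append(len(peers))
    return {src: (statistics.mean(c), statistics.pstdev(c) if len(c) > 1 else 0.0)
            for src, c in per_host.items()}


def detect(baseline, flows, window=WINDOW, min_ratio=4.0, min_peers=10):
    """Flag (window, host) pairs whose fan-out exceeds every one of: min_peers,
    min_ratio x baseline mean, and mean + 3 stdev. The absolute floor keeps a
    host that usually talks to one peer from alerting on its second."""
    alerts = []
    for (start, src), peers in sorted(peers_per_window(flows, window).items()):
        mean, stdev = baseline.get(src, (0.0, 0.0))
        threshold = max(min_peers, mean * min_ratio, mean + 3 * stdev)
        if len(peers) > threshold:
            alerts.append({"window": start, "host": src, "peers": len(peers),
                           "baseline_mean": mean, "sample": sorted(peers)[:3]})
    return alerts


def make_sample():
    """Constructed flow log: three quiet windows in which two workstations
    talk to the same three servers, then a window in which 10.0.1.5 sweeps
    SMB (445/tcp) across a /24 it has never touched."""
    lines = ["# ts src dst dport proto"]
    servers = ["10.0.2.10", "10.0.2.11", "10.0.2.12"]
    for w in range(3):                       # windows starting 0, 600, 1200
        for host in ("10.0.1.5", "10.0.1.6"):
            for i, dst in enumerate(servers):
                lines.append(f"{w * WINDOW + i * 30} {host} {dst} 445 tcp")
    for i in range(1, 31):                   # window 1800: the sweep
        lines.append(f"{1800 + i} 10.0.1.5 10.0.3.{i} 445 tcp")
    lines.append("1805 10.0.1.6 10.0.2.10 445 tcp")
    lines.append("1806 10.0.1.6 198.51.100.7 443 tcp")   # external; ignored
    return lines


SAMPLE = make_sample()
BASELINE_END = 1800   # flows before this timestamp train the baseline


def run_sample():
    """Train on the quiet windows, then run detection on the last one."""
    flows = parse_flows(SAMPLE)
    baseline = build_baseline([f for f in flows if f[0] < BASELINE_END])
    return detect(baseline, [f for f in flows if f[0] >= BASELINE_END])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample this produces a single alert for 10.0.1.5 in the window starting at 1800 (30 peers against a baseline mean of 3), and nothing for 10.0.1.6. In a real deployment the baseline would come from days of NetFlow or VPC Flow Logs rather than three windows, and a production detector would also watch ports, byte counts and failed connections, but the structure is the same: learn each host’s normal, then alert on the deviation rather than on a fixed list of bad addresses.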
Make Time for Training
The stoutest defense system is no match for a careless or uninformed employee. Start training employees on day one so they start thinking about cybersecurity best practices. Security should matter to everyone, from the admin to the CEO. This approach will build resilience into products and teams.
Essential security-hygiene training includes the following:
- Create strong passwords and password-management practices and solutions.
- Be alert to calls, emails or messages from outsiders trying to obtain your information (social engineering).
- Use caution when clicking links online and in emails.
- Make sure your software is up to date.
- Always back up your data in case of a ransomware attack.
- Make sure your antivirus software is up to date.
- Keep sensitive data secure and off your laptops and mobile devices.
- Don’t leave your devices unattended.
Security for All
Cybersecurity has become such a serious issue that C-level executives and board members can sometimes be held accountable for network breaches. Newly formed companies build security into their environment from the beginning, but established companies don’t have that luxury. Instead, they’ve had to piece their security strategy together, possibly leaving gaps that criminals will exploit. In either case, adhering to the best practices listed above will help all organizations better defend their networks.
About the Author
Craig Riddell is senior solutions architect at SSH Communications Security. He is an IT security-systems architect with over 10 years’ experience across all major business platforms, primarily in evaluating, designing, implementing and supporting enterprise solutions.