Silver Bullets and Cyber Security
Jul Sun, 2018
What’s a Silver Bullet?
The phrase “silver bullet” relates to an all-encompassing or even miraculous solution to a problem or challenge. In the cyber security space, I have found it curious that vendor marketing and sales teams often proclaim their solution to be the silver bullet, or at least the core component of a strong cyber security strategy. What really constitutes an effective cyber security strategy? Is there a silver bullet?
I started in the cyber security space in 2006 with a PCI compliance provider but had already worked for Novell and other technology companies prior to my introduction to data breach causes, solutions and challenges. I have since been blessed to observe several angles in this space at different companies, such as the elements (and applicability) of penetration testing, vulnerability scanning, code review, and secure coding practices.
I have learned about digital forensics, which I like to refer to as the digital discovery of breadcrumb trails leading to data breach causes and probabilities. I understand the expert specialty involved in such services to include drive imaging and log preservation, as well as drive vector analysis.
I now understand the value of multi-state firewalls with effective ACLs, DMZs, proxy servers, data encryption at rest and in transit, as well as proper key management, network segmentation, authentication, and access control.
I learned about compliance standards such as PCI, SOC, ISO 27001, HIPAA, NIST, HITRUST, CIS and the associated controls which strengthen and harden networks, servers, and critical data.
More recently, I have come to know a great deal about both the value and complexity of network traffic threat monitoring, log collection, threat hunting, correlation, and customer response services.
All of the above are important and constitute key elements in sound cyber security risk management; however, along the way I have come to three key conclusions I would like to share:
- Cyber risk is business risk
- Threat visibility is difficult, but critical
- An effective cyber strategy must have month-to-month risk program management and expert oversight
Cyber Risk is Business Risk™
Business owners often think of cyber security as a technology problem that is the sole responsibility of the IT team. Recently one CXO ignorantly stated, “We have outsourced our IT and they are taking care of our cyber.” He did not know what a cyber security strategy was, or its significance to an organization, and so allowed the outsourced IT-focused company to simply throw a technology solution at the problem. Throwing any solution at the cyber conundrum without understanding business priorities and processes is folly and a waste of money.
How can you decide which controls and processes to implement until you have taken the time to consider what the impact of a data breach would be to your unique business, and whether considerations such as brand and reputation or legal liability are important? Perhaps the most important component is regulatory compliance.
For example, penetration testing will be more valuable to an organization that develops its own web-facing application that gathers and stores critical data than it will be to one that does not. Similarly, PCI controls will be less important for an organization that only processes a few transactions a year and does not store cardholder data than they will be for an e-commerce company that does thousands or millions of transactions per year. Other considerations, such as what it would cost if a data breach disrupted your business and the cost of remediation, may be important. What about your partners and clients? Does certifying that you are cyber secure serve as a business enabler? Does your business have intellectual property to protect, and if so, what is it and where is it?
As you can see, each of these questions will be answered and applied differently to your organization. Cyber risk is a risk to your business, but understanding that risk will only come through the proper assessment of your business processes, priorities, and current cyber posture. Business owners/leaders must drive this and not pass it on to IT.
Threat Visibility is Difficult, but Critical
On average, a hacker has been in your network for 188 days before being discovered. Does that statistic concern you? Do you have the visibility you need into your network (as well as your assets in the cloud)? You can’t fix what you can’t see. Visibility into impending threats is critical.
Many companies purchase a managed SIEM or threat detection services subscription, only to find they have neither the bandwidth to consume the data nor the expertise to understand and act on it – or both. Even companies with a CISO and a security expert may be so busy managing the cyber functionality that diving into dashboards and alerts doesn’t happen efficiently or effectively.
One client recently stated, “Had I known it would take three FTEs and a full year to implement and tune our SIEM product, I would have gone with your high-touch managed service sooner.”
The conclusion here is that you need to choose a managed solution that is right for the size of your company, unless you have over a million dollars, and the time and resources to build your own Security Operations Center (SOC) and staff it full-time with at least one threat hunter/analyst.
An Effective Cyber Strategy Must Have Month-to-Month Risk Program Management and Expert Oversight
As an esteemed colleague once said, “When you build a fence, the bad actors use a higher ladder”. The threat landscape is constantly changing. Technologies that worked last year won’t work today. The business is growing and changing, but more importantly, a multi-faceted cyber strategy can’t be implemented overnight. It takes consistent time, prioritization, effort, and expert oversight.
Unless you are a multi-billion-dollar organization with a CISO and an army of dedicated security folks, you may want to consider a cyber provider that can offer virtual CISO or risk program management services. This will help bridge the gap between the current cyber maturity of the organization and the desired goals.
Writing policy – especially incident response policy, which is a critical part of information security policy – takes time. Implementing missing controls takes time, budget, and resources. Sound advice weighing effort, impact, and probability of success becomes critical to the ongoing success of your risk program management. Hiring a consultant or a provider that can deliver monthly analysis and risk program management to keep you on the path and on task is a critical part of your cyber maturity strategy.
The silver bullet in cyber security doesn’t exist. You can’t manage executive priorities you don’t understand. You can’t consume threat data you don’t understand or lack the resources to manage. You can’t mature the cyber strategy and posture of your organization without month-to-month management and advisement. Implement the three points above with a trusted advisor and you will be on your way to a more mature cyber security posture.