Only a few minutes remain before the end of 2017, a heavy year for cybersecurity: huge breaches, spreading ransomware, new vulnerability disclosures, and new defense technologies loudly evolving all around. I feel, however, almost out of place when I look the other way and try to map all of this onto the real-world projects I have worked on for nearly six years now. I think the primary reason is the huge gap that still exists between what we want to achieve as cybersecurity professionals and the organizations' existing environments, which encompass technologies, goals and, most importantly, minds: the cybersecurity basics.
No revolution without maturity
It is fairly clear among security professionals that the main driver for a big chunk of cybersecurity solution implementation projects or security program changes is regulation. On the other hand, a security program's lack of maturity in a given organization is the main concern that prevents it from successfully playing its role in supporting business objectives. Sadly, that will continue for the next few years, as technology and service offerings in the area are twisting toward more complicated approaches that sit well beyond the cybersecurity basics: all new offerings evolve around technologically new concepts like cognitive computing and AI but rarely focus on establishing reliable cybersecurity basics. Unfortunately, a lot of organizations fall into this setup as they tend toward buying new solutions while still relying on poorly designed security policies or outdated architectures. Sometimes the decision to get a new control can be justified by regulatory requirements, but not always.
Some important missing basics?
I have been in a lot of situations where the customer lacks some of the basic requirements that a solid security program, and any project supporting it, would rely on if established. Among the very basic requirements I have found missing are:
- A good understanding of the infrastructure architecture. The infrastructure architecture sometimes needs to be completely reviewed to integrate security-by-design principles. Yes, it is hard, but really worth considering in order to move forward. For example, a huge risk is taken when network segmentation is not considered, no matter how large or small the organization is.
- A dedicated security operations team (apart from sysadmins) with clearly defined roles and responsibilities. Some organizations try to leverage sysadmins or other operational teams to fill the required security operations positions. This not only exposes the organization's defense systems to failure but also puts the organization's business objectives in real danger, as separation of duties is lost in this situation.
- A well-established and documented relationship between the IT environment (including systems, services, and data) and the organization's business goals: this is the number one go-to when classifying assets based on risk analysis and prioritizing mitigation controls.
- On the IT management side, a vital component that is surprisingly sometimes missing as well is a reliable centralized configuration management system (CMDB) with at least some basic APIs. For example, threat intelligence supporting systems and SIEMs heavily rely on the CMDB in order to provide the expected benefits.
- Continuous auditing of the existing controls and of compliance with security policies: a repeating issue that I have encountered countless times is that security policies are defined, strategies and procedures are derived from them, but rarely does anyone follow them. Another ugly fact is that many controls are already implemented but misconfigured or intentionally bypassed.
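To make the CMDB point concrete, here is an added example (not code from the original post) of the kind of lookup a SIEM performs when it enriches an alert: the asset record supplies owner, criticality and network zone, which turn a raw detection into a prioritised triage item. The CMDB extract, the alert records and the record fields (`owner`, `criticality`, `zone`, `role`) are all constructed for the example; the point it shows is the failure mode of a missing or incomplete CMDB, where an alert on an unknown host cannot be scored at all and must be routed to inventory review instead of being silently dropped or given a default.

```python
"""Added example: enriching SIEM alerts with CMDB context (constructed data)."""

# Constructed CMDB extract: hostname -> asset record. A real CMDB would be
# queried over its API; the record shape used here is an assumption.
CMDB = {
    "db-01":   {"owner": "finance",   "criticality": "high",   "zone": "restricted", "role": "database"},
    "web-03":  {"owner": "ecommerce", "criticality": "medium", "zone": "dmz",        "role": "web"},
    "jump-02": {"owner": "it-ops",    "criticality": "high",   "zone": "management", "role": "bastion"},
}

# Constructed SIEM alerts: the same rule fired on three hosts with the same severity.
ALERTS = [
    {"id": 1, "host": "db-01",     "rule": "outbound_connection_to_new_asn", "severity": 3},
    {"id": 2, "host": "web-03",    "rule": "outbound_connection_to_new_asn", "severity": 3},
    {"id": 3, "host": "lab-vm-77", "rule": "outbound_connection_to_new_asn", "severity": 3},
]

# Business criticality from the CMDB drives the weighting, not the SIEM rule alone.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def enrich(alert, cmdb):
    """Attach CMDB context to one alert and compute a triage priority.

    priority = SIEM severity * criticality weight. An asset missing from the
    CMDB cannot be scored: it is marked 'unknown_asset' so it lands in an
    inventory-review queue rather than being dropped or defaulted.
    """
    enriched = dict(alert)
    record = cmdb.get(alert["host"])
    if record is None:
        enriched.update({"owner": None, "criticality": None, "zone": None,
                         "role": None, "priority": None, "status": "unknown_asset"})
        return enriched
    enriched.update(record)
    enriched["priority"] = alert["severity"] * CRITICALITY_WEIGHT[record["criticality"]]
    enriched["status"] = "triage"
    return enriched


def triage_queue(alerts, cmdb):
    """Return (alerts on known assets, highest priority first; alerts on unknown assets)."""
    enriched = [enrich(a, cmdb) for a in alerts]
    known = sorted((e for e in enriched if e["status"] == "triage"),
                   key=lambda e: e["priority"], reverse=True)
    unknown = [e for e in enriched if e["status"] == "unknown_asset"]
    return known, unknown


if __name__ == "__main__":
    known, unknown = triage_queue(ALERTS, CMDB)
    for e in known:
        print(f"alert {e['id']} host={e['host']} owner={e['owner']} "
              f"zone={e['zone']} priority={e['priority']}")
    for e in unknown:
        print(f"alert {e['id']} host={e['host']} -> not in CMDB, send to inventory review")
```

Three identical detections end up in three different places: the finance database goes to the top of the queue, the DMZ web server below it, and the unregistered lab VM cannot be triaged until someone fixes the inventory. Without the CMDB, all three would look the same.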
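The continuous-auditing point can be shown in the same way. The following is an added example, not code from the post, of a minimal compliance check: a baseline derived from the written policy is compared against configuration snapshots collected from hosts, and every control that fails or is absent becomes a finding. The baseline keys, the expected values and the host snapshots are constructed; the two situations the post describes are both present, a control that is deployed but misconfigured (log forwarding pointed at the wrong target) and one that has been switched off or never installed.

```python
"""Added example: auditing host configuration snapshots against a policy baseline
(constructed baseline and snapshots)."""

# Constructed baseline: one entry per control the written policy requires.
# 'test' says how the observed value is compared with 'required'.
BASELINE = {
    "ssh.password_auth":     {"required": "no",                "test": "equals"},
    "host_firewall.enabled": {"required": True,                "test": "equals"},
    "log_forwarding.target": {"required": "siem.corp.example", "test": "equals"},
    "patch.max_age_days":    {"required": 30,                  "test": "at_most"},
    "av.realtime":           {"required": True,                "test": "equals"},
}

# Constructed snapshots as a configuration collector would report them.
SNAPSHOTS = {
    "web-03": {"ssh.password_auth": "no", "host_firewall.enabled": True,
               "log_forwarding.target": "siem.corp.example",
               "patch.max_age_days": 12, "av.realtime": True},
    "db-01": {"ssh.password_auth": "yes",
              "host_firewall.enabled": False,            # control present but switched off
              "log_forwarding.target": "siem.corp.example",
              "patch.max_age_days": 95, "av.realtime": True},
    "jump-02": {"ssh.password_auth": "no", "host_firewall.enabled": True,
                "log_forwarding.target": "127.0.0.1",     # misconfigured: logs never reach the SIEM
                "patch.max_age_days": 20},                # av.realtime absent: control never deployed
}


def check_control(observed, spec):
    """Return 'pass', 'fail' or 'missing' for a single control."""
    if observed is None:
        return "missing"          # the collector saw no such setting at all
    if spec["test"] == "equals":
        return "pass" if observed == spec["required"] else "fail"
    if spec["test"] == "at_most":
        return "pass" if observed <= spec["required"] else "fail"
    raise ValueError(f"unknown test type {spec['test']!r}")


def audit_host(snapshot, baseline):
    """Audit one host; returns {control_name: status}."""
    return {name: check_control(snapshot.get(name), spec) for name, spec in baseline.items()}


def audit_all(snapshots, baseline):
    """Audit every host; returns ({host: {control: status}}, [(host, control, status), ...])."""
    results = {host: audit_host(snap, baseline) for host, snap in snapshots.items()}
    findings = [(host, ctrl, status)
                for host, res in results.items()
                for ctrl, status in res.items() if status != "pass"]
    return results, findings


def compliance_ratio(results):
    """Fraction of (host, control) pairs that pass; 0.0 when nothing was audited."""
    total = sum(len(res) for res in results.values())
    passed = sum(1 for res in results.values() for st in res.values() if st == "pass")
    return passed / total if total else 0.0


if __name__ == "__main__":
    results, findings = audit_all(SNAPSHOTS, BASELINE)
    for host, ctrl, status in findings:
        print(f"{host}: {ctrl} -> {status}")
    print(f"compliance: {compliance_ratio(results):.0%}")
```

Run on a schedule against fresh snapshots, this is the difference between a policy that exists on paper and one whose controls are actually in place; the `missing` status is kept distinct from `fail` because an absent control and a misconfigured one are usually owned by different teams.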
If you are still missing one of these basic requirements, don't rush out to secure next year's budget for an AI-based Intrusion Prevention System, because you won't be able to get it to work as expected.
What I wanted to briefly highlight in this short post is the importance of reviewing the basics before going anywhere further. Buying the hugely expensive next-gen IPS/IDS is not going to support your organization's goals if you are still relying on flat networks with a poor understanding of your business data flows, for example.