SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Questions every security and risk management leader should ask
Tue, 30th Apr 2019

Although some industries may be targeted more often than others for cyber attacks, every organisation across every major industry, from utilities and manufacturing to the public sector, must take necessary security precautions and make cybersecurity a top priority and investment, according to Forescout.

Forescout APJ senior director Steve Hunter says, “Making the best investment with a potentially limited security budget can be a daunting task for security and risk management (SRM) leaders. Some of the reasons for this include the fact that no two organisations are identical, which means that the security mindset is also different. Cyber threats are also evolving at a remarkable pace, making it difficult to ensure protection against the latest threats.”

In addition to evolving threats, the cyber landscape is also changing rapidly. Traditional IT networks and infrastructure are becoming increasingly intertwined and connected to operational technology (OT) networks and infrastructure. Consequently, devices typically limited to the IT environment, if unsecure, can put entire OT networks at risk. Each device expands the attack surface, giving bad actors more opportunities to access the network.

Add to this the dramatic growth in the number of security vendors in recent years, with some estimates suggesting there are more than 1,200 vendors competing for a slice of the current global cybersecurity market value of more than $120 billion.

Hunter continues, “Overcoming these challenges in decision-making is critical not only to the defence of individual organisations but also to the defence of entire industries across the globe. As we've seen time and again, cyber adversaries are quick to capitalise on singular weaknesses to gain a foothold elsewhere.”

To help businesses and organisations simplify the decision-making process, minimise the time to deployment and ultimately achieve a more secure network environment, Forescout has assembled a list of seven key questions, based on key research from Gartner, that every SRM leader should ask before deciding which security product is the best one for their organisation.

1. Is the solution vendor-agnostic? Too often, organisations identify what they think will be a security silver bullet, only to discover after purchase and implementation that the product is not compatible with other products or applications on their network.

More than a poor investment, those organisations also suffer the headache of frustrated end users and wasted resources, and their organisation is ultimately no more secure than before the purchase was made. It is critical that products are vetted to ensure they are compatible and vendor-agnostic.

2. Does the solution provide asset discovery to enable operational continuity and system integrity? Asset discovery is a critical foundation for effective defence, as well as ensuring reliable operations. Often organisations, even those with good asset inventory and asset management practices, will fail to account for every device that's on their network. A good security solution will let organisations identify and inventory every connected device on their network in real time, regardless of device type.

3. Does the solution detect and alert on known common vulnerabilities and exposures (CVEs)? Whitelisting and generic anomaly detection are common OT security approaches. Whilst important, the best approach should include a well-mapped OT system CVE discovery for faster detection and to improve risk management from Day 1. In today's cyber terrain, early understanding of an organisation's OT exposure can mean the difference between headline news and swift remediation and mitigation.

4. Can the solution evolve from mirror mode to in-line security? Active prevention may be a desired, long-term goal when it comes to monitoring and detection; however, many organisations lack either the security maturity or necessary resources to enable such features as part of initial deployment.

However, as the organisation matures, it's important to have the option to switch from passive detection to active prevention. Ensuring this feature is available up front will also prevent the need for additional expenses down the road.

5. Does the solution provide IT support in addition to OT? This question is especially important to ask when seeking to protect an OT environment. Because OT attacks have historically started in the IT environment, then stealthily moved laterally into the OT environment, it's important to detect IT-originated but OT-targeted attacks before they reach the intended target. In short, decision-makers should ensure the product is effective in both IT and OT environments.

6. Does the solution support secure IT/OT alignment? IT-OT convergence is on the rise; yet the supporting infrastructure and networks differ significantly and can't be treated the same when it comes to cyber defence. In other words, the security best practices and technologies that work in an IT environment cannot always be expected to be effective, if even possible, in an OT environment.

It's critical, then, that decision-makers evaluate a product not only on its ability to protect both environments but also on its ability to integrate with other security solutions, protocols, software and hardware.

7. Is the solution designed to live in an OT environment from a hardware or operating environment perspective? Many solutions are designed to function within the comfort of a temperature-regulated server room with a backup power supply or generator, the type of facility typically provided in IT environments.

OT environments, on the other hand, do not always afford such controlled environments and, as a result, can test the limits of many solutions. It's important to account for the environmental conditions where the product will be used and ensure the solution can run in sites requiring support for hazardous environment operations.

Steve Hunter concludes, “Choosing the security solution that's best for an organisation isn't easy and when evaluating the various vendors, the true value of one solution versus the other can be difficult to quantify.

“However, it's worth investing effort up front to flesh out the evaluation criteria in detail with envisioned use-cases plus expected benefits. That, along with asking vendors the tough questions on how they'll support the use-cases and deliver the expected benefits, will not only help organisations find the right solution but also help them arrive at that conclusion faster.”