Why it's essential to focus on security fundamentals
Article by Gigamon A/NZ, George Tsoukas.
Recently the U.S. White House released a statement citing intelligence reports indicating "… that the Russian government is exploring options for potential cyber-attacks." Paired with that statement, the White House issued a comprehensive list of steps organisations should undertake to improve their cybersecurity posture.
To address these issues, practising and mastering the fundamentals is essential. We need to pay attention to and perfect tiny details that might be commonly overlooked.
Practising the basics is important, and cybersecurity professionals understand how critical it is to practice the fundamentals. These include strategies like implementing multifactor authentication, having reliable backups, and emergency planning.
These are the tips we share with our friends, family and colleagues. Frankly, they're probably tired of hearing us repeat ourselves after every high-profile data breach or cyberattack. Yet, the practices are fundamental for a reason: they underpin a sound, proactive cybersecurity posture.
Let's deep dive into three of the recommendations issued by the White House:
White House recommendation #1
"Deploy modern security tools on all computers and devices to look for and mitigate threats continuously."
Firewalls, EDR and SIEMs, are the first line of defence that most security teams consider, but these tools lack the ability to detect malicious activity at the network level.
As networks become more complex, with a mix of private and public cloud and on-premises environments, we also need tools that give security and network teams deep observability across this infrastructure.
Network detection and response (NDR) and visibility fabric address that visibility gap. When researching NDR solutions, look for solutions that provide historical network traffic visibility.
This is especially helpful as attackers' dwell time on networks averages 280 days, or nearly nine months. Pairing NDR with a visibility solution helps to ensure that network and security teams are maximising their ability to detect threats and defend the network against modern attacks.
White House recommendation #2
"Run exercises and drill emergency plans to enable IT to respond quickly to minimise the impact of any attack."
While traditional defence tools are necessary for an organisation to prevent common malware infections, they often fail to detect and prevent more advanced and persistent adversaries.
This is a risk that organisations of all sizes face increasingly. The addition of a threat-hunting program creates an umbrella over the first-line defences to both improve and supplement those capabilities, detecting otherwise unidentified adversaries.
When evaluating security solutions, look for tools that provide guided playbooks that allow your investigators to identify attackers based on real-world behaviours with just a few mouse clicks.
It's a bonus if the tool allows for parallel investigatory capabilities that help coordinate threat hunting and investigation efforts across worldwide teams.
White House Recommendation #3
"Encrypt your data so it cannot be used if it is stolen."
Encrypting at rest is critical, but something equally important is encrypting data-in-motion. Cybercriminals know this and do the same thing – so defenders need visibility to inspect attackers' behaviours too.
SSL decryption is critical to securing today's enterprise networks due to the significant growth in encrypted traffic applications and services. Cybercriminals increasingly use SSL/TLS sessions to hide, confident that security tools will neither inspect nor block their traffic.
When that happens, SSL/TLS sessions can become a liability, inadvertently camouflaging malicious traffic. In other words, the very technology that makes the internet secure can become a nefarious threat vector.
Enabling SSL decryption uses the root certificate on client machines, acting as a certificate authority for SSL requests. This process allows SSL decryption to decrypt, perform a detailed inspection, and then re-encrypt SSL traffic before sending it off to its destination.
This ensures that only authorised SSL traffic is entering the network and that malware hidden in SSL/TLS sessions is exposed and dealt with during SSL decryption.
To meet the organisation's diverse needs, look for solutions that support both inline/man-in-the-middle and passive/out-of-band decryption of SSL/TLS.
The White House statement's comprehensive list of recommendations echoes best practices (fundamentals) that have been repeated throughout the cybersecurity industry and are foundational to maintaining a proactive security practice.
What differentiates this announcement is the sense of urgency around the potential for threats perpetrated by Russia and Russia-based threat actors.
As an industry, we've been beating the steady drum for organisations to implement these best practices for over a decade. But given the heightened state of public awareness and perception of higher stakes, it's easy to get overwhelmed by the volume of information or questions from armchair experts.
It's often difficult to be the voice of reason in the room, pushing back against a sea of buzzword-spewing folks spreading fear, uncertainty and doubt. Take a breath and lean back into experience and trusted practices and solutions.
These concepts don't always account for an organisation's ability to rapidly adopt and implement complex, advanced security frameworks. Implementation takes time. Unfortunately, the reality for many industries is they lack the maturity or resources to succeed.
Vendors tend to focus on 'the latest and greatest' when organisations would be better served to focus on fundamentals to improve their security posture. The White House statement attests to that fact and should look to improve their security posture by providing deep observability through network-level intelligence.