“Pillars of Cybersecurity” is an amorphous concept; it’s written about constantly and applied to every type of organization. Some experts name three pillars others five. There are also pillars for small and medium size businesses and pillars for enterprise networks.
Regardless of size, any organization looking for direction on where to focus initial cybersecurity efforts can build a strong program on these three pillars: vulnerability management, monitoring/alerting, and infrastructure configuration.
For any sized organization, managing vulnerabilities is a highly effective way of ensuring that your infrastructure is secure. Cutting edge software and expensive consultants recommend conducting vulnerability management. Implementing a vulnerability management program will naturally draw your organization to other security practices that will ensure “good cyber hygiene.”
There are many ways to administer a vulnerability management program, but effective programs have at least two basic principles: identification and remediation.
The ability to identify vulnerabilities that are unique to your organization and infrastructure is paramount. This can be done using automated tools all the way up to having your own team of threat intelligence analysts. The important thing is to make sure you’re constantly identifying the vulnerabilities in your organization because they will never stop appearing.
Okay, you’ve identified the vulnerabilities, now what? Remediate them, of course. Although sometimes that’s easier said than done. If you’re paying for a product or service that has identified a vulnerability, that organization owes you and answer to remediating it. If they can’t, I suggest you consider using a different product or service.
Even if you are given a remediation strategy, not all remediation actions are realistic for every organization because of cost, compatibility, and so on. If this is the case, work with your team and vendors to look at alternative solutions (i.e. changing network configuration, changing firewall rules, replacing infrastructure.)
Vulnerability management will look different for every organization, but the end goals should be the same: identify and remediate vulnerabilities. Take time to do some research and find what options may work best for your organization.
Network monitoring has become ubiquitous with security. The concept behind network monitoring is very straightforward. It is impossible for your team to be everywhere all the time, but you need to know what’s going on within the confines of your network.
Building an effective monitoring system will help drive a few important things:
You can’t alert on everything, so it’s important that you know what your normal looks like and be able to alert on activities that are not only suspicious but unsafe. Alerting doesn’t just apply to the nefarious but can also help save your team from themselves. Simple changes in how your environment is configured can open large holes in your security net.
A plethora of automated tools exist for performing network monitoring, but effective monitoring takes a deliberate and measured implementation. You may need to build a more intricate monitoring apparatus within your network. Parking a monitoring device/service on one outward facing node will not effectively monitor the internal nature of your network’s communication.
To effectively implement alerting from your monitoring systems, you will need to identify your specific vulnerabilities and dependencies. Taking time to identify what you alert on will improve the function of your alerting system and your knowledge of your environment’s security posture. Use not only the organizationally specific knowledge of your team but also the information that’s been gathered by the larger security community to define your alerting parameters.
Your work in this area will never be done. You should regularly review your monitoring/alerting protocols as your organization changes and grows and new threats and vulnerabilities are identified.
The oldest and most technically complex pillar of security is infrastructure configuration. The way that your network is configured will be fundamental to your security posture. A properly configured network itself will provide more security than any new whiz-bang tool.
With infrastructure configuration we leave the realm of automation and conceptual security. You truly have to get the people with the most knowledge and understanding of how to segment and secure a network. Whether you employ them directly or hire consultants or contractors, you want the industry experts to build your infrastructure in a safe and secure way.
You also have to get the right equipment, because cutting corners to save money on infrastructure—or the people to run it—may end up costing you more in the long run. If your network has grown and your inexpensive or aging infrastructure isn’t cutting it, you will benefit by investing in the correct infrastructure. The experts I mentioned before are the people who will save you money on infrastructure.
Equipment doesn’t have to be brand new or the most expensive, it just has to be the right equipment to ensure you’re operating securely for your environment and organizational goals. For example, setting up a firewall may seem straight forward in less complex environments, but if you’re seeking to grow as an organization or broaden your customer base, professional equipment and personnel are a must.
Consider cloud-based services if possible. Cloud based services are already pervasive throughout industry and many security aspects can be handled by your cloud service, leaving you and your organization time to focus on fewer and more pertinent security measures.
As mentioned before, these three pillars aren’t the end all be all in cybersecurity. In fact, we’ll talk about building a program on the foundation of GRC (governance, risk, and compliance) in a future article. But making sure your organization has invested time and resources vulnerability management, monitoring/alerting, and infrastructure configuration should support a strong security posture as you grow and refine your program and strategies.