Sun Tzu, the famous military strategist and philosopher, once said, “If you know the enemy and you know yourself, you need not fear the result of a hundred battles.”
This quote from two millennia ago could not be more pertinent to today’s cybersecurity landscape. Too often, security leaders — across the private and public sectors — neglect the essential questions regarding the cyber defenses and capabilities they already have. In the cybersecurity realm, this boils down to asking, “Do I know my inside controls are working like they’re supposed to be working? How is our cyber hygiene?”
Understanding inside weaknesses and vulnerabilities is more important than ever. During periods of organizational inactivity, such as the most recent government shutdown, organizations are especially prone to data breaches. Security certificates can expire during those times, leaving agencies weaker and more vulnerable to a number of threats. Security teams also lose time for essential tasks because of the backlogs that accumulate and must be sifted through afterward.
To truly prepare for cyber threats, it’s crucial that organizations start operationalizing a view of security from the inside out, with cyber hygiene at the heart of that view.
Cyber Hygiene at the Heart
Traditionally, companies tend to manage cybersecurity based on assumptions: assuming their vendors’ products are working correctly, then assuming those products have been deployed and configured correctly.
What’s missing is the validation that the information surrounding an organization’s cyber defense is accurate, with no gaps or points of misinformation. Agencies need to validate controls in a continuous manner rather than viewing measurement of security as one snapshot at a time.
This is what the Department of Homeland Security (DHS) promotes through its Continuous Diagnostics and Mitigation (CDM) program. CDM is designed to give government agencies real-time visibility into their security systems through continuous monitoring. Unlike penetration tests or audits, which are static, continuous monitoring gives more holistic visibility into systems over a longer period of time. Agencies can then quantifiably validate whether their controls are protecting critical assets. At the same time, security leaders and teams can manage their cybersecurity programs with more meaningful metrics to drive decision-making, optimize operations, and, ultimately, improve their cyber posture over time.
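One concrete hygiene control that fits the continuous-validation idea above, and the certificate-expiry failure mode mentioned earlier during shutdowns, is a scheduled check of TLS certificate expiry dates across an inventory of endpoints. The following Python is an added example written for this article, not code from the author, DHS or the CDM program. It uses only the standard library: `fetch_peercert` pulls a live certificate (network required, not exercised here), while `classify` and `hygiene_report` run on `getpeercert()`-style dictionaries. The hostnames, dates and the 30-day warning threshold are constructed assumptions for illustration.

```python
"""Certificate-expiry hygiene check (added example, not from the article).

Rather than assuming TLS certificates are fine, check their notAfter dates on a
schedule and flag anything expired or about to expire. The inventory below is
constructed sample data shaped like what ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: warn a month ahead; tune to your renewal lead time


def fetch_peercert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate of a live endpoint as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def classify(cert, now, warn_days=WARN_DAYS):
    """Return (status, days_left) for one getpeercert()-style dict.

    status is 'expired', 'expiring' or 'ok'. The notAfter string uses the
    format the ssl module emits ('Jun  1 12:00:00 2025 GMT'), which
    ssl.cert_time_to_seconds parses into a UTC POSIX timestamp.
    """
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    days_left = (not_after - now).days  # negative once the certificate has lapsed
    if not_after <= now:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def hygiene_report(inventory, now, warn_days=WARN_DAYS):
    """Run classify() over a {name: cert_dict} inventory, grouped by status."""
    report = {"expired": [], "expiring": [], "ok": []}
    for name, cert in inventory.items():
        status, days = classify(cert, now, warn_days)
        report[status].append((name, days))
    return report


# Constructed sample inventory; hostnames and dates are illustrative only.
AS_OF = datetime(2019, 2, 1, tzinfo=timezone.utc)  # pretend "today"
SAMPLE_INVENTORY = {
    "portal.example.gov": {"notAfter": "Jan 15 00:00:00 2019 GMT"},  # lapsed
    "api.example.gov": {"notAfter": "Feb 20 00:00:00 2019 GMT"},     # 19 days
    "intranet.example.gov": {"notAfter": "Aug  1 00:00:00 2019 GMT"},  # 181 days
}


if __name__ == "__main__":
    # In production, build the inventory with fetch_peercert(host) for each
    # host and run this on a schedule; here we use the constructed records.
    for status, entries in hygiene_report(SAMPLE_INVENTORY, AS_OF).items():
        for name, days in entries:
            print(f"{status:9s} {name:25s} {days:+5d} days")
```

The report feeds the metrics the article calls for: the count of expired and expiring certificates over time is a measurable hygiene indicator rather than an assumption, and a non-empty `expired` list is an actionable finding regardless of how the certificate got into that state.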
Look “Inside Out”
Despite the progress being made through programs like CDM, continuous monitoring still depends on validating both how the solutions are implemented and the data that surrounds them. That’s why it’s increasingly important for private companies and government agencies to approach cybersecurity with an “inside out” view by doing the following:
1. Identify exact points of vulnerability within the attack life cycle. The first point of vulnerability is your organization’s own people. Security leaders should focus on helping their teams understand an attacker’s behavior in the particular segment they’re trying to defend. Then test defenses by exercising the incident response process. Do personnel know whom to call and how to quantify what they’re seeing in context? Do they forward a phishing email to the correct party? By understanding how teams currently respond to threats in practice scenarios, leaders can determine where to make defenses stronger.
2. Measure ROI on cybersecurity investments. Government must be extremely judicious about spending taxpayer dollars, while businesses must ensure trust with their partners and clients. This is why it’s especially important to verify that your organization is attaining the expected ROI out of cybersecurity investments — rather than assuming so. Security leaders need data that shows exactly where the security gaps are and where you need to invest more heavily.
3. Apply risk-based decision-making, not compliance-based. Traditional models of measuring cybersecurity effectiveness tend to be siloed and compliance based, where cybersecurity measures are managed across separate enterprise channels and important data is underutilized. This also tends to result in a “checklist” mentality, which can leave your company vulnerable. Instead, cybersecurity must be aligned with your organization’s biggest risks and mission-critical business needs with products that deliver holistic and actionable insights.
4. Determine which technologies can be improved and which can be removed from the stack. Cybersecurity personnel have many products to manage, so it’s important to verify which products in the environment are working and which are not. Solutions that fit one organization may not be the right match for yours. Determine which technology products give you the most value and fit best with your current architecture, so that you’re not purchasing products redundant with ones you already own. Having security controls mapped in an automated fashion also makes it easier to tag and label identified threats.
When you tackle security from the outside in, you’re simply trying to deny intrusion. When you approach from the inside out, you are protecting your mission-critical data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets. Tackling cybersecurity from the inside out will not be easy. But as budgets continue to spike — even as the data breaches keep happening — security leaders must tie security to accountability. Whether government or private sector, every organization at the end of the day is a business, and an inside-out approach makes the most business sense.
Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead …