There are two key trends happening in today’s networks the c-suite executives need to be paying close attention to. The first is that IT teams are struggling to keep up with digital transformation demands, including the move to multi-cloud infrastructures and services, the rapid adoption of IoT networks and devices, BYOD and a highly mobile workforce, and the growing number of shadow IT services popping up in their networks. The second is the alarming growth of increasingly automated attacks that are consistently and successfully targeting known device, application, and network vulnerabilities.
The reality is that these trends are related. The unprecedented rate of digital transformation that is consuming your IT resources has also led to basic network and device hygiene becoming the most neglected components of your security posture. And it shows. The biggest attacks of 2017, from Petya to the Equifax breach, all targeted vulnerabilities for which patches had been available for weeks or months. In fact, a full 90% of organizations recorded exploits for vulnerabilities that were at least three years old. Which means that good cyber hygiene still needs to be a fundamental best practice, and is a key to ensuring that your organization’s network is kept secure.
But it can be hard to prioritize. Let’s take a look at where to start and what the most important steps are to take.
One method for prioritizing is to understand what vulnerabilities are most likely to be targeted. Knowing the kinds of vulnerabilities attackers probe for the most can help determine which assets require prioritized patching. Effective IT teams use cybersecurity reports and then ask pointed and important questions, like “Have we seen these alerts?” and “Do our scans detect these vulnerabilities?” Then make managing those vulnerabilities a top priority on any controls you’re using to protect your cyber assets.
It also helps to understand that successful attacks have a higher probability of recurring. Which means that whenever a breach makes the news, look at its attack vectors and check to see if you that same exposure exists in your environment. If so, make it a priority to reduce that exposure or eliminate it altogether.
Perform a Risk Assessment
To really get ahead of vulnerabilities, find out in advance where you need to strengthen your defenses by conducting a risk assessment. The goal of a risk assessment, according to ISACA, is to understand your existing system and environment, and identify risks through analysis of the information/data collected.
NIST’s recent Criticality Analysis Process Model describes “a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals.”
You should start by gathering all relevant information. Begin with a full inventory of your physical assets, including network infrastructure, laptops/desktops, IoT, data management systems, and other connected devices. This also needs to include security solutions deployed, such as firewalls, intrusion detection systems, and network monitoring tools.
Next, catalog all of the applications and services running in your network, including Shadow IT. You should also understand what information is available to the public about network components, individuals and their roles, applications, and services.
Most of this information can be gathered automatically using a variety of tools, such as a SIEM solution.
Finally, you need to cross-reference all of this information against compliance requirements that define minimum security controls as well as any documented or even informal policies, procedures, and guidelines.
After this information is gathered, a number of tasks need to be performed, including:
- Identifying near- and long-term business goals that affect IT and security
- Reviewing existing security policies, standards, guidelines, protocols, and procedures
- Analyzing assets to prioritize potential threats and vulnerabilities
- Assessing physical protections for computing and network components
- Analyzing security devices, remote access systems, and AAA devices and comparing them against network and business requirements
- Assessing the current level of security awareness and commitment of employees
- Reviewing security agreements with vendors, contractors, and service and cloud providers
Only then can you begin to develop and update your existing risk management and security technologies and strategies.
Combatting the New Normal
There is an incredible urgency for organizations, especially those undergoing digital transformation, to reprioritize security hygiene and identify emerging risks. However, as the volume, velocity, and automation of attacks continues to increase, it is also becoming increasingly important to align patching prioritization to what is happening in the wild so you can better focus your limited resources on the most critical and emerging risks. A risk assessment of your environment will help you to combat today’s new normal. Start by using the best practices outlined above to help you create a flexible security strategy that can adapt and protect even as the threat landscape continues to evolve.