How To Build A Cyber Security Strategy For 2019
Technology changes faster than most businesses can keep up with. The proliferation of mobile technology, the Internet of Things (IoT) and cloud computing has changed the types of “assets” connected to networks. Implementing cyber security “best practices” across an increasingly unstructured and decentralized network is one of the most vexing challenges facing companies today.
Traditional cyber security approaches revolved around the medieval concept of “protecting the crown jewels” – a concentric circle view of layered security focused on protecting the important data at the center through successive layers of defenses such as application, host-based, network (internal and external perimeter) and physical controls. This defensive strategy works in a centralized, controlled and managed-device network, which is becoming increasingly rare.
Companies have the most control over devices that they purchase, configure and issue to users. But as consumer-driven technology drives new devices and systems, organizations are losing control over the devices their users and networks interact with. More often than not, companies fail at deploying traditional security controls to “nodes” connecting to their network.
For example, with IoT devices, it isn’t possible to change or install software. In an enterprise context, IoT includes medical devices in hospitals or monitoring devices deployed in manufacturing or agriculture. This technology is particularly attractive for these traditionally unconnected industries as it offers new leaps into interconnected systems and monitoring what was once impractical due to safety or geographical reasons.
The question then becomes how to apply “best cyber security practices” to this new ecosystem? Organizations need to rethink how they view capabilities in terms of security controls. Companies need to reevaluate and establish the context of the users and actions taken on their systems. And, most importantly, businesses need to challenge themselves through constant improvement that provides the necessary feedback loop to make real changes.
Companies can address current network challenges with a future-proof cyber security strategy for 2017 and beyond by integrating the following concepts into their near-term plans.
Build your foundation.
Approach your security capabilities from a device-level, bottom-up perspective instead of the centrally-controlled, top-down view. Security capabilities have not dramatically changed; traditional controls such as firewalls, intrusion prevention systems (IPS) and two-factor authentication (2FA) remain relevant. It’s how these controls are applied that needs to be rethought, depending on the context of the device or node.
Context is king.
Context helps a company understand what a device is, whether it can be trusted, and how the network can interact with it. The more control you have over a device, the greater your ability to interrogate it and establish context. When you have more control over your nodes, you can establish paths of access and consider devices more trusted. But if you have less control, you can only observe behavior.
For IoT devices, which offer the least control, consider the larger “ring-fence” approach. Drawing a perimeter around devices that require access to similar resources can help categorize their abilities, even though the devices cannot ultimately be controlled. Context is not about getting all the available data, but getting the right data.
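An added example (not part of the original article) of the ring-fence idea described above: devices the organization cannot control are grouped by the resources they need, each group gets a default-deny allow-list, and observed traffic that leaves the fence is flagged. The inventory, flows, control labels and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: level of control the organization has over
# each device, and the resources the device legitimately needs.
INVENTORY = [
    {"id": "laptop-01", "control": "managed", "needs": {"mail:443", "files:445"}},
    {"id": "pump-01", "control": "none", "needs": {"telemetry:8883"}},
    {"id": "pump-02", "control": "none", "needs": {"telemetry:8883"}},
    {"id": "cam-01", "control": "none", "needs": {"nvr:554", "ntp:123"}},
    {"id": "byod-07", "control": "partial", "needs": {"mail:443"}},
]

# Constructed observed flows: (source device, destination resource).
FLOWS = [
    ("pump-01", "telemetry:8883"),
    ("pump-02", "files:445"),   # an infusion pump has no reason to reach a file share
    ("cam-01", "ntp:123"),
    ("laptop-01", "files:445"),
]

def build_ring_fences(inventory):
    """Group uncontrolled devices that need the same resources into one fence."""
    groups = defaultdict(list)
    for dev in inventory:
        if dev["control"] == "none":          # can only be observed, not interrogated
            groups[frozenset(dev["needs"])].append(dev["id"])
    fences = {}
    ordered = sorted(groups.items(), key=lambda kv: sorted(kv[1]))
    for n, (allowed, members) in enumerate(ordered, 1):
        # Everything not in "allow" is denied for members of this fence.
        fences[f"fence-{n}"] = {"members": sorted(members), "allow": set(allowed)}
    return fences

def out_of_fence(fences, flows):
    """Return observed flows from fenced devices to destinations outside their fence."""
    allow_for = {m: f["allow"] for f in fences.values() for m in f["members"]}
    return [(src, dst) for src, dst in flows
            if src in allow_for and dst not in allow_for[src]]

if __name__ == "__main__":
    fences = build_ring_fences(INVENTORY)
    for name, fence in fences.items():
        print(name, fence["members"], "allow:", sorted(fence["allow"]))
    print("violations:", out_of_fence(fences, FLOWS))
```

Managed and partially managed devices are deliberately left out of the fences here, since the article treats them as nodes that can be interrogated directly rather than only observed.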
Play offense and defense.
Consistently challenge your organization through proactive testing, often referred to as “red team, blue team exercises.” Develop a continual feedback process between these teams to test your assumptions and prioritize or close each discovered attack avenue. Through exercises such as penetration tests and threat modeling, a red team will pinpoint residual and unaddressed attack vectors as well as assist in remediation efforts. Your defensive side blue team can help improve on what was previously missed, increase available information over time, and develop metrics to demonstrate improvement.
In this rapidly changing technology landscape, the mindful decentralization of your organization’s security controls becomes an asset. It’s security by (known) obscurity, where the obscurity is only seen as such by external entities and attackers. What could resemble an unraveling of controls transforms into a stronger web of both traditional and new technical capabilities. This allows for a more customized approach to security in the face of new technologies and more vectors over which you have less control.
By: Christie Terrill