Editor's Note: The following is a guest post from Craig Riddell, senior solutions architect, SSH Communications Security.
With the constant, clear and present danger of cybercrime, organizations must become agile in their ability to quickly defend the network against whatever comes at it. The concept of agile security has arisen, in which security is thought of as part of the design from end to end.
Otherwise, systems must be patched, updated and modified along with other solutions to piece together a secure environment. This is usually inevitable for companies that went online before cybercrime became so prevalent.
The problem with the second option is that having several different appliances that must be managed as one-off point solutions makes the environment overly complex and adds costly overhead.
This raises the total cost of ownership and leaves a business dependent on the vendor or vendors that sold the solution. Integration with these appliances that weren't part of the design from the start will almost certainly leave gaps that bad actors can exploit.
The perils of modern business
Traditionally, security has taken a back seat to productivity and profitability. The potential for a security breach and the penalties that would follow have been less of a concern than the possibility of slowing down the business with a strict security protocol.
For IT security teams, the struggle is real to ensure every part of the architecture is as safe as possible (reducing risk to an acceptable level) without slowing down the speed and growth necessary for modern businesses.
This has been true for the entire digital age with the invention of the internet and how quickly it was adopted as a platform for outreach, sales and marketing.
Security was a secondary concern, and the only thing that mattered was getting the business online.
Now throw the cloud into the mix. Businesses are still hosting data on someone else's servers and relying heavily on them for security, sometimes to a fault. For example, in the Department of Defense (DoD) Amazon Web Services breach, security was only as good as the people implementing it.
The DoD had all of the proper systems in place, along with its AWS hosts, but a contractor left the S3 storage publicly accessible, and top-secret data could be downloaded along with the system image that was used for Linux-based virtual machines.
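As an added example that is not part of the original post, the following Python check scans an S3 bucket policy document for statements that grant access to every principal, the kind of public-access misconfiguration described above. Both policy documents are constructed samples, and the account id and role name in them are placeholders.

```python
# Added example (not from the original post): a defender's static check for
# S3 bucket policy statements that grant access to any principal, the kind
# of misconfiguration described above. Policies below are constructed samples.
import json


def _principals(p):
    # Principal may be "*", {"AWS": "*"} or {"AWS": [...]}; normalise to a list
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return []


def public_statements(policy_json):
    """Return Sids of unconditional Allow statements open to every principal."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow" or "*" not in _principals(s.get("Principal")):
            continue
        if s.get("Condition"):
            continue  # narrowed by a condition (e.g. source VPC); review separately
        hits.append(s.get("Sid", f"Statement[{i}]"))
    return hits


# Constructed sample: world-readable objects, the weak setting
WEAK_POLICY = json.dumps({"Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample: the corrected setting, limited to one IAM role (placeholder ids)
FIXED_POLICY = json.dumps({"Statement": [{
    "Sid": "RoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("weak:", public_statements(WEAK_POLICY))    # ['PublicRead']
    print("fixed:", public_statements(FIXED_POLICY))  # []
```

Run against a policy fetched with the AWS CLI or SDK, the same function flags any statement whose principal is the wildcard; statements carrying a Condition are skipped so they can be reviewed by hand.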
The cloud calls for a different cybersecurity strategy than the typical perimeter defense. Cloud computing, if not designed properly, is flat — allowing for unchecked lateral movement.
The threat landscape is ever-changing, and the focus has shifted from keeping the attacker out (which, of course, is still important) to "what do we do and how will we know if they are already in?"
Seven security tactics
Companies will benefit from bringing security professionals into the business conversation early on, so that they can devise a plan under which the business can grow and remain secure. The proper countermeasures should be in place so that, as the company's footprint grows on-premises or in the cloud, the attack surface remains as small as possible.
To keep that attack surface small, all network traffic should be treated as untrustworthy, privileges need to be minimized and interactive access should be monitored and controlled.
Organizations need to adopt a "zero-trust model" and proactively inspect all network traffic to validate the authenticity of user activity.
Here are seven steps to take toward greater security:
- Segment networks and reduce single points of failure.
- Minimize access scope and rights.
- Observe cloud, app and database behavior to detect anomalies that can indicate threats and compromise.
- Decrease the attack surface with patching and configuration control.
- Build resilience so teams and products can recover quickly from incidents.
- Look into using Network Behavior Anomaly Detection (NBAD) — the real-time monitoring of a network for any unusual activity, trends or events.
- Look into using Endpoint Detection and Response (EDR), an emerging category of tools and solutions that focus on detecting, investigating and mitigating suspicious activities and issues on hosts and endpoints.
Security training
A company can build the strongest cybersecurity fortress in the world, and its efforts will be wasted if employees keep lowering the drawbridge. Start training employees on day one so they start thinking about cybersecurity best practices.
Security should matter to everyone from the admin to the CEO. This will build resilience into products and teams.
Training best practices include:
- Keep sensitive data secure and off your laptops and mobile devices.
- Don't leave devices unattended.
- Make sure software is up to date.
- Recognize that hackers are constantly targeting businesses and look out for suspicious emails and calls from outsiders trying to obtain information (phishing).
- Be cautious about clicking links online and in emails.
- Choose strong passwords and password management practices and solutions.
- Make sure antivirus software is up to date.
- Always back up data in case of a ransomware attack.
Putting it all together
Companies that entered the online world early on, before cybersecurity was as crucial a concern, have had to bolt on security solutions as needed along the way. Newly formed companies are far more likely to put cybersecurity on the business agenda as part of their overall strategy.
Either way, gaps in security are likely — especially if basic security hygiene is ignored and employees are poorly trained. Organizations can use the recommendations above to build a strong security foundation that makes them more likely to defeat cybercrime.