The holiday season is often a time of reflection, a time for organizations to look back and ask themselves ‘are we doing things right’.
Judging by the continuous news stories spotlighting the latest data breach, it appears most organizations still aren’t getting security right. Organizations are scared and worried about security but they are not focusing in on the areas that really matter. As we reflect upon 2014, we will look at five lessons organizations need to learn from 2014 so that they can have a better, more secure 2015.
Tis the season to be merry is a common catch phrase around the holiday, yet in reality, people often find themselves stressed and overwhelmed during this time of year. Looking back, they realize all the goals that are still unmet. The cyber security holiday season is no different. While some organizations might be happy they did not get breached this year, behind closed doors everyone, including the CEO, is likely wondering at what point a breach will happen; will it be in 2015? The answer, which no one wants to hear, is that a breach will happen. However, if handled correctly, the damage can be very minimal. Consider these lessons from 2014:
Lesson #1 — Organizations will be breached; timely detection and response are key
2014 was a year of enlightenment; people began to realize just how vulnerable organizations are and that anyone can be breached. However, much confusion remains. The issue is not that an organization was breached, rather it is the length of time that the breach went undetected and the resulting damage. If an organization is attacked but they have timely detection and control, the damage is usually not too bad. However, if a breach remains undetected for a length of time, the damage becomes increasingly worse. Therefore, the intrusion itself is not the problem, it is the lack of detection and the amount of damage that is problematic. Organizations must focus efforts on timely detection and minimizing the impact.
Lesson #2 — Allocate proper headcount
A typical knee-jerk reaction in response to the breaches we have witnessed over the past year is for organizations to spend money in the hopes of finding the silver-bullet to help them avoid falling victim to a hacker. Yet it is not a matter of spending more; it is often that they are not allocating enough head count for the security team.
In order to solve these security problems the proper resources must be allocated. Resources are not only monetary resources but also human resources to configure, monitor and maintain security devices. In many organizations there are not enough people to manage the security devices that they have. Therefore, if more security devices are purchased, an organization is actually making the problem worse by spreading their already taxed resources (people) even thinner. Organizations need to allocate proper head count to properly manage the security devices they have, before they spend more money on additional devices.
Lesson # 3 — Don’t underestimate the value of a CSO
2014 is considered the year of the breach. While there are many contributing reasons these intrusions occurred, a key issue is executives are unaware of how insecure their networks actually are. Cyber security has gotten to the point where it is a boardroom discussion, if it isn’t, it needs to be. Executive teams need to get information directly from the person in charge of security. Burying security under the CIO does not work.
Information uptime and cyber security are two different problem sets. They are critical enough to an organization that they require a separate reporting structure, a CIO and a CSO. The CSO must report directly to the CEO and have a clear metric for implementing security.
Lesson #4 — A solid foundation is critical
Building and implementing an effective security program takes time; it is not something that can be simply pieced together. Similar to a home, a security program requires a solid, well thought-out foundation to be successful. There must be a clear plan of action and a robust architecture design when building out a security program. Therefore, while there might be a firewall, IDS and DLP, without the proper foundation the infrastructure will collapse very quickly as soon as the winds of adversity start blowing.
For organizations that have not built their security program correctly, they need to put the foundation items in place. The core foundations of security are 1) asset identification, 2) configuration management, and 3) change control. If an organization does not know what is on its network, how they are configured and properly control change, the organization is going to lose and get breached. An organization must have a proper foundation which allows all the devices connected to the network to be controlled and managed.
Lesson #5 — You can’t protect critical data if you don’t know where it resides
In 1933 when Billy Sutton was asked “why do you rob banks”, his reply was “because that is where the money is”. For an organization, its money is its data; that is why adversaries break into organizations. This is perhaps one of the most important lessons the industry has learned in 2014.
Today’s attacks are focused on the critical data and ways to exploit this data for the attacker’s advantage. If an organization does not know where its critical information is, it can’t protect or control it. Therefore it is critical that organizations identify what their critical information is, locate which servers it resides on, and provide proper measures to protect it. Organizations must perform data discovery to identify and control their critical intellectual property.
Those who do not learn from the past, are forced to repeat it. Based on the amount of security activity that occurred this year, organizations are truly at a reflection point. Are they going to keep doing what they have been doing, which evidently does not work or are they going to step back and change how they approach security? In many cases, organizations need to start over. By putting in the proper foundation, allocating the proper resources, setting up the proper infrastructure and focusing on timely detection of breaches, organization can overcome the sins of 2014 and have a more productive 2015.
Eric Cole is a SANS Faculty Fellow and director of the SANS Cyber Defense Program.