Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Webcast Recap: “Is Your User Security Program Risky or Risk-Focused?” with Dr. Eric Cole

Posted June 19, 2014    Chris Burd

When you’re trying to determine how to control and manage the biggest threats to your IT infrastructure, you need to start by considering several possible breach points and narrowing in on the most dangerous. But attackers aren’t just targeting Microsoft, Linux, or Mac systems. They’re targeting a system that’s much harder to secure: the human OS.

Dr. Eric Cole of SANS, a key participant in the development of the Critical Security Controls (CSC), recently joined BeyondTrust for the webcast, “Is Your User Security Program Risky or Risk-Focused?” where he presented straightforward tips for mitigating internal threats and reducing user-based risks.

Below are key takeaways from the webcast and on-demand video recording of the complete presentation – plus answers to questions asked by attendees of the live session.

5 Steps to Managing User-Based IT Risks

1. Start with Your Critical Data – Not Your Devices

Far too many organizations take a device-centric approach to security rather than a more efficient data-centric approach. New end-user devices and constant updates make it difficult to keep up, so Cole suggests focusing first on where critical data is stored – before concerning yourself with the devices that will be accessing that data.

2. Align Defense with Offense

Many companies invest their time in patching and locking down services. While this is well and good, Cole reveals that moving to a risk-focused security protocol requires you to think like the offense and address three other parts of the process: conducting reconnaissance, scanning, and covering your tracks. It’s up to you to find and understand your security exposures before attackers do.

3. Know Thy Organization

You can’t protect what you don’t know about, and you can’t catch an attacker if you don’t know what they’re attacking. Whether internal or external, when an attacker knows more about your systems than you do, your defensive efforts won’t amount to much. This is why every organization should have an accurate, up-to-date network diagram, a network visibility map, configuration management, and change control.

4. Practice Defense-in-Depth

Cole dismisses the propagandists who threaten businesses with the fear of unstoppable attackers and constant data threats. There are certainly serious and targeted threats, but you can minimize and contain the damage if you focus on the right areas. The most comprehensive strategies include inbound prevention, outbound detection, log correlation, and anomaly detection.

5. Generate Common Metrics

Cole closes with a call-to-action for security and IT professionals everywhere: develop consistent, common metrics to run effective security programs that IT can implement, auditors can validate, and executives can understand.

You need only check the most recent headlines to hear about data breaches where users where involved – either maliciously or unintentionally – but that doesn’t mean these types of breaches are unavoidable. Check out the video presentation below to learn more about managing user risk with a risk-focused security program that incorporates the Critical Security Controls.

>> Learn more about BeyondTrust’s Privileged Account Management solutions for mitigating user-based risks

Live Q&A

Here are Dr. Cole’s answers to questions from the live webcast:

Would you elaborate on how SOCs can be designed to make most of SIEM?

The trick is to create use cases that focus in on the most critical threats to the key intellectual property. The real focus of a SIEM is to detect unusual activity, which is tied closely to a compromised machine. In essence, the SIEM is the correlation engine of the SOC for tracking and monitoring everything that is occurring across a network.

What is an affordable way to label and classify data?

The trick is to keep it simple. At the most basic level, there are really two tiers of classification: public and private. Everything should be classified as private by default.  Only information that needs to be disclosed and does not represent a risk to the company is classified as public. It is also important to start classifying new data before focusing in on existing data.

Doesn’t network segmentation conflict with cloud computing models?

From one aspect, cloud is the ultimate segmentation because each user and service is on a separate segmentation. The trick with cloud is to have strong SLA (service level agreements) in place to hold the cloud providers to the same level of security that the company has defined.

What is your thought on getting workstation logs in the SIEM? Does it bring any value? 

While workstation logs can be very valuable, they generate a lot of data – so in most organizations it is not worth the extra overhead.

, , , , ,

Leave a Reply

Additional articles


A Quick Look at MS14-068

Posted November 20, 2014    BeyondTrust Research Team

Microsoft recently released an out of band patch for Kerberos.  Taking a look at the Microsoft security bulletin, it seems like there is some kind of issue with Kerberos signatures related to tickets. Further information is available in the Microsoft SRD Blogpost So it looks like there is an issue with PAC signatures.  But what…

, , , ,
Password Game Show

Managing Shared Accounts for Privileged Users: 5 Best Practices for Achieving Control and Accountability

Posted November 20, 2014    Scott Lang

How do organizations ensure accountability of shared privileged accounts to meet compliance and security requirements without impacting administrator productivity? Consider these five best practices…

, , , , , ,
Triggering MS14-066

Triggering MS14-066

Posted November 17, 2014    BeyondTrust Research Team

Microsoft addressed CVE-2014-6321 this Patch Tuesday, which has been hyped as the next Heartbleed.  This vulnerability (actually at least 2 vulnerabilities) promises remote code execution in applications that use the SChannel Security Service Provider, such as Microsoft Internet Information Services (IIS). The details have been scarce.  Lets fix that. Looking at the bindiff of schannel.dll, we see a…

, , , , ,