Security in Context: The BeyondTrust Blog


Webcast Recap: “Is Your User Security Program Risky or Risk-Focused?” with Dr. Eric Cole

Posted June 19, 2014    Chris Burd

When you’re trying to determine how to control and manage the biggest threats to your IT infrastructure, you need to start by considering several possible breach points and narrowing in on the most dangerous. But attackers aren’t just targeting Microsoft, Linux, or Mac systems. They’re targeting a system that’s much harder to secure: the human OS.

Dr. Eric Cole of SANS, a key participant in the development of the Critical Security Controls (CSC), recently joined BeyondTrust for the webcast, “Is Your User Security Program Risky or Risk-Focused?” where he presented straightforward tips for mitigating internal threats and reducing user-based risks.

Below are key takeaways from the webcast and on-demand video recording of the complete presentation – plus answers to questions asked by attendees of the live session.

5 Steps to Managing User-Based IT Risks

1. Start with Your Critical Data – Not Your Devices

Far too many organizations take a device-centric approach to security rather than a more efficient data-centric approach. New end-user devices and constant updates make it difficult to keep up, so Cole suggests focusing first on where critical data is stored – before concerning yourself with the devices that will be accessing that data.

2. Align Defense with Offense

Many companies invest their time in patching and locking down services. While this is all well and good, Cole explains that moving to a risk-focused security program requires you to think like the offense and address three other parts of the attacker's process: conducting reconnaissance, scanning, and covering tracks. It’s up to you to find and understand your security exposures before attackers do.

3. Know Thy Organization

You can’t protect what you don’t know about, and you can’t catch an attacker if you don’t know what they’re attacking. Whether internal or external, when an attacker knows more about your systems than you do, your defensive efforts won’t amount to much. This is why every organization should have an accurate, up-to-date network diagram, a network visibility map, configuration management, and change control.

4. Practice Defense-in-Depth

Cole dismisses the propagandists who threaten businesses with the fear of unstoppable attackers and constant data threats. There are certainly serious and targeted threats, but you can minimize and contain the damage if you focus on the right areas. The most comprehensive strategies include inbound prevention, outbound detection, log correlation, and anomaly detection.

5. Generate Common Metrics

Cole closes with a call-to-action for security and IT professionals everywhere: develop consistent, common metrics to run effective security programs that IT can implement, auditors can validate, and executives can understand.

You need only check the most recent headlines to hear about data breaches where users were involved – either maliciously or unintentionally – but that doesn’t mean these types of breaches are unavoidable. Check out the video presentation below to learn more about managing user risk with a risk-focused security program that incorporates the Critical Security Controls.


Live Q&A

Here are Dr. Cole’s answers to questions from the live webcast:

Would you elaborate on how SOCs can be designed to make most of SIEM?

The trick is to create use cases that focus in on the most critical threats to the key intellectual property. The real focus of a SIEM is to detect unusual activity, which is tied closely to a compromised machine. In essence, the SIEM is the correlation engine of the SOC for tracking and monitoring everything that is occurring across a network.

What is an affordable way to label and classify data?

The trick is to keep it simple. At the most basic level, there are really two tiers of classification: public and private. Everything should be classified as private by default. Only information that needs to be disclosed and does not represent a risk to the company is classified as public. It is also important to start classifying new data before focusing in on existing data.

Doesn’t network segmentation conflict with cloud computing models?

From one aspect, cloud is the ultimate segmentation because each user and service is on a separate segmentation. The trick with cloud is to have strong SLA (service level agreements) in place to hold the cloud providers to the same level of security that the company has defined.

What is your thought on getting workstation logs in the SIEM? Does it bring any value?

While workstation logs can be very valuable, they generate a lot of data – so in most organizations it is not worth the extra overhead.
