When you’re trying to determine how to control and manage the biggest threats to your IT infrastructure, you need to start by considering several possible breach points and narrowing in on the most dangerous. But attackers aren’t just targeting Microsoft, Linux, or Mac systems. They’re targeting a system that’s much harder to secure: the human OS.
Dr. Eric Cole of SANS, a key participant in the development of the Critical Security Controls (CSC), recently joined BeyondTrust for the webcast, “Is Your User Security Program Risky or Risk-Focused?” where he presented straightforward tips for mitigating internal threats and reducing user-based risks.
Below are key takeaways from the webcast, the on-demand video recording of the complete presentation, and answers to questions asked by attendees of the live session.
5 Steps to Managing User-Based IT Risks
1. Start with Your Critical Data – Not Your Devices
Far too many organizations take a device-centric approach to security rather than a more efficient data-centric approach. New end-user devices and constant updates make it difficult to keep up, so Cole suggests focusing first on where critical data is stored – before concerning yourself with the devices that will be accessing that data.
2. Align Defense with Offense
Many companies invest their time in patching and locking down services. While this is all well and good, Cole explains that moving to a risk-focused security program requires you to think like the offense and address three other parts of the process: conducting reconnaissance, scanning, and covering your tracks. It’s up to you to find and understand your security exposures before attackers do.
3. Know Thy Organization
You can’t protect what you don’t know about, and you can’t catch an attacker if you don’t know what they’re attacking. Whether internal or external, when an attacker knows more about your systems than you do, your defensive efforts won’t amount to much. This is why every organization should have an accurate, up-to-date network diagram, a network visibility map, configuration management, and change control.
4. Practice Defense-in-Depth
Cole dismisses the propagandists who threaten businesses with the fear of unstoppable attackers and constant data threats. There are certainly serious and targeted threats, but you can minimize and contain the damage if you focus on the right areas. The most comprehensive strategies include inbound prevention, outbound detection, log correlation, and anomaly detection.
5. Generate Common Metrics
Cole closes with a call-to-action for security and IT professionals everywhere: develop consistent, common metrics to run effective security programs that IT can implement, auditors can validate, and executives can understand.
You need only check the most recent headlines to hear about data breaches where users were involved – either maliciously or unintentionally – but that doesn’t mean these types of breaches are unavoidable. Check out the video presentation below to learn more about managing user risk with a risk-focused security program that incorporates the Critical Security Controls.
Here are Dr. Cole’s answers to questions from the live webcast:
Would you elaborate on how SOCs can be designed to make most of SIEM?
The trick is to create use cases that focus in on the most critical threats to the key intellectual property. The real focus of a SIEM is to detect unusual activity, which is tied closely to a compromised machine. In essence, the SIEM is the correlation engine of the SOC for tracking and monitoring everything that is occurring across a network.
What is an affordable way to label and classify data?
The trick is to keep it simple. At the most basic level, there are really two tiers of classification: public and private. Everything should be classified as private by default. Only information that needs to be disclosed and does not represent a risk to the company is classified as public. It is also important to start classifying new data before focusing in on existing data.
Doesn’t network segmentation conflict with cloud computing models?
From one aspect, cloud is the ultimate segmentation because each user and service is on a separate segment. The trick with cloud is to have strong SLAs (service level agreements) in place to hold the cloud providers to the same level of security that the company has defined.
What is your thought on getting workstation logs in the SIEM? Does it bring any value?
While workstation logs can be very valuable, they generate a lot of data – so in most organizations it is not worth the extra overhead.