Security in Context: The BeyondTrust Blog


Webcast Recap: “Is Your User Security Program Risky or Risk-Focused?” with Dr. Eric Cole

Posted June 19, 2014    Chris Burd

When you’re trying to determine how to control and manage the biggest threats to your IT infrastructure, you need to start by considering several possible breach points and narrowing in on the most dangerous. But attackers aren’t just targeting Microsoft, Linux, or Mac systems. They’re targeting a system that’s much harder to secure: the human OS.

Dr. Eric Cole of SANS, a key participant in the development of the Critical Security Controls (CSC), recently joined BeyondTrust for the webcast, “Is Your User Security Program Risky or Risk-Focused?” where he presented straightforward tips for mitigating internal threats and reducing user-based risks.

Below are key takeaways from the webcast and on-demand video recording of the complete presentation – plus answers to questions asked by attendees of the live session.

5 Steps to Managing User-Based IT Risks

1. Start with Your Critical Data – Not Your Devices

Far too many organizations take a device-centric approach to security rather than a more efficient data-centric approach. New end-user devices and constant updates make it difficult to keep up, so Cole suggests focusing first on where critical data is stored – before concerning yourself with the devices that will be accessing that data.

2. Align Defense with Offense

Many companies invest their time in patching and locking down services. While this is well and good, Cole reveals that moving to a risk-focused security protocol requires you to think like the offense and address three other parts of the process: conducting reconnaissance, scanning, and covering your tracks. It’s up to you to find and understand your security exposures before attackers do.

3. Know Thy Organization

You can’t protect what you don’t know about, and you can’t catch an attacker if you don’t know what they’re attacking. Whether internal or external, when an attacker knows more about your systems than you do, your defensive efforts won’t amount to much. This is why every organization should have an accurate, up-to-date network diagram, a network visibility map, configuration management, and change control.

4. Practice Defense-in-Depth

Cole dismisses the propagandists who threaten businesses with the fear of unstoppable attackers and constant data threats. There are certainly serious and targeted threats, but you can minimize and contain the damage if you focus on the right areas. The most comprehensive strategies include inbound prevention, outbound detection, log correlation, and anomaly detection.
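The "outbound detection, log correlation, anomaly detection" layers above are easiest to understand with a small worked example. The following Python script is an added illustration, not code from the webcast, from Dr. Cole, or from BeyondTrust. It correlates a constructed set of outbound-connection log lines (made-up RFC 5737 documentation addresses, a made-up `src=/dst=/dport=/bytes=` field layout, and made-up timestamps) by source and destination, then applies two simple anomaly signals: a host that contacts the same destination at a suspiciously regular cadence (low coefficient of variation between connections), and a destination that only a single internal host has ever reached. The thresholds (`min_events`, `max_cv`, `max_sources`) are assumptions chosen for the sample, not recommended production values.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines in a firewall/proxy style.
# Addresses, timestamps and the field layout are invented for this example.
SAMPLE_LOG = """\
2014-06-19T10:00:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=512
2014-06-19T10:00:03 src=10.0.0.6 dst=198.51.100.20 dport=80 bytes=20480
2014-06-19T10:01:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=498
2014-06-19T10:01:41 src=10.0.0.7 dst=198.51.100.20 dport=80 bytes=12000
2014-06-19T10:02:01 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=530
2014-06-19T10:02:15 src=10.0.0.5 dst=198.51.100.20 dport=80 bytes=8000
2014-06-19T10:03:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=505
2014-06-19T10:03:58 src=10.0.0.6 dst=198.51.100.20 dport=80 bytes=3000
2014-06-19T10:04:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=511
2014-06-19T10:04:10 src=10.0.0.6 dst=198.51.100.20 dport=80 bytes=700
2014-06-19T10:09:30 src=10.0.0.7 dst=198.51.100.20 dport=80 bytes=4000
2014-06-19T10:12:00 src=10.0.0.6 dst=198.51.100.20 dport=80 bytes=1500
"""

# Field layout is an assumption for the sample above, not a real product's format.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport, bytes) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return events


def connections_by_pair(events):
    """Correlate events into a sorted timestamp list per (src, dst) pair."""
    pairs = defaultdict(list)
    for ts, src, dst, _dport, _nbytes in events:
        pairs[(src, dst)].append(ts)
    for ts_list in pairs.values():
        ts_list.sort()
    return pairs


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for a sorted timestamp list."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m > 0 else float("inf"))


def find_beacons(events, min_events=4, max_cv=0.2):
    """Flag (src, dst) pairs whose connections arrive at a suspiciously regular cadence."""
    hits = []
    for (src, dst), ts_list in connections_by_pair(events).items():
        if len(ts_list) < min_events:
            continue  # too few samples to judge regularity
        m, cv = interval_stats(ts_list)
        if cv <= max_cv:
            hits.append((src, dst, round(m, 1), round(cv, 3)))
    return sorted(hits)


def rare_destinations(events, max_sources=1):
    """Destinations reached by at most max_sources internal hosts: a simple rarity signal."""
    sources = defaultdict(set)
    for _ts, src, dst, _dport, _nbytes in events:
        sources[dst].add(src)
    return sorted(dst for dst, srcs in sources.items() if len(srcs) <= max_sources)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_beacons(evs):
        print("beacon-like cadence:", hit)
    print("destinations seen from only one host:", rare_destinations(evs))
```

Run stand-alone, the script reports the 10.0.0.5 to 203.0.113.7 pair (five connections, roughly sixty seconds apart) as beacon-like and 203.0.113.7 as a destination no other host has touched, while the irregular traffic to 198.51.100.20 is left alone. Either signal on its own is weak; the point of correlating them in one place is that an alert can require both, which is the kind of use case a SIEM is meant to express.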

5. Generate Common Metrics

Cole closes with a call-to-action for security and IT professionals everywhere: develop consistent, common metrics to run effective security programs that IT can implement, auditors can validate, and executives can understand.

You need only check the most recent headlines to hear about data breaches where users were involved – either maliciously or unintentionally – but that doesn’t mean these types of breaches are unavoidable. Check out the video presentation below to learn more about managing user risk with a risk-focused security program that incorporates the Critical Security Controls.

>> Learn more about BeyondTrust’s Privileged Account Management solutions for mitigating user-based risks

Live Q&A

Here are Dr. Cole’s answers to questions from the live webcast:

Would you elaborate on how SOCs can be designed to make the most of a SIEM?

The trick is to create use cases that focus in on the most critical threats to the key intellectual property. The real focus of a SIEM is to detect unusual activity, which is tied closely to a compromised machine. In essence, the SIEM is the correlation engine of the SOC for tracking and monitoring everything that is occurring across a network.

What is an affordable way to label and classify data?

The trick is to keep it simple. At the most basic level, there are really two tiers of classification: public and private. Everything should be classified as private by default. Only information that needs to be disclosed and does not represent a risk to the company is classified as public. It is also important to start classifying new data before focusing in on existing data.

Doesn’t network segmentation conflict with cloud computing models?

From one aspect, cloud is the ultimate segmentation because each user and service is on a separate segmentation. The trick with cloud is to have strong SLAs (service level agreements) in place to hold the cloud providers to the same level of security that the company has defined.

What is your thought on getting workstation logs in the SIEM? Does it bring any value? 

While workstation logs can be very valuable, they generate a lot of data – so in most organizations it is not worth the extra overhead.
