One of the biggest complications of modern security is that it requires a completely different mindset: IT has taken on strategic significance, and cloud computing has undone the traditional notion of a secure perimeter.
Organizations must therefore rethink how they approach cybersecurity and accept that practices considered good enough in the recent past are no longer sufficient.
This was the conclusion of the CompTIA State of Cybersecurity 2021 report, which indicated that refreshed thinking on cybersecurity policies, processes, people and products would be necessary for organizations to reverse the perception, and perhaps the reality, that they are falling behind in their security preparedness.
The report also noted that beyond IT architecture, cybersecurity now has many additional facets, such as risk management and user education, while the stabilization of the fundamental computing platform has given rise to myriad solutions.
Restructuring the Approach
CompTIA suggested organizations can find success by structuring their approach around four elements: the policies that guide cybersecurity decisions, the processes required to maintain a strong posture, the people responsible for cybersecurity outcomes and the products that protect digital assets.
The report strongly advocated adopting a zero-trust approach to security, and highlighted multifactor authentication, network analytics and microsegmentation (which provides granular control of traffic so that targeted security policies can be applied) as key elements of a successful security strategy.
Seth Robinson, senior director of technology analysis for CompTIA, said that for smaller firms with constrained budgets and resources, it is critical to perform risk analysis and prioritize cybersecurity activities.
“This will identify the systems and applications that require the most stringent security,” he said. “It will also drive mitigation plans around any future breaches.”
He noted multifactor authentication is a well-established security measure that can greatly improve identity validation.
“Microsegmentation not only provides granular control of cybersecurity across a network but also creates the opportunity for fine-tuning network settings for the many types of traffic,” he added.
Simply monitoring for incidents is largely a static activity, where monitoring tools are configured around known attack types and programmed to send notifications when those attacks are detected.
“Organizations should focus on building more defensible infrastructure to reduce their long-term security needs,” said Sounil Yu, CISO at JupiterOne, a provider of cyber asset management and governance solutions. “Defensible infrastructure includes cloud infrastructure and trusted SaaS applications.”
If an organization starts with defensible infrastructure, it needs fewer security countermeasures; organizations that continue to deploy poorly maintained services on-premises will continue to need complex countermeasures and more security budget to address the growing threat landscape.
Yu added that any zero-trust strategy requires strong identity management and governance functions.
Tools to enable a zero-trust approach to security may include modern identity management, privileged access management, device management and access management.
“Trustworthiness needs to be established and asserted in a zero-trust architecture and strong identity is the foundation for those trust assertions,” he said. “Most identity assertions are established through identity on the device through device certificates and the identity of the user through a username/password plus a one-time passcode.”
However, depending upon the criticality of the resource being accessed, more identity assertions may be warranted.
“Furthermore, organizations will need to maintain an up-to-date inventory of these identity credentials and track the accesses that they grant to other resources in the organization’s environment,” Yu said.
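The layering of identity assertions that Yu describes (device certificate, username/password, one-time passcode, with more assertions demanded as resource criticality rises) and the inventory of which credentials grant access to which resources can be expressed as a deny-by-default access check. This is an added illustration, not code from CompTIA or JupiterOne; the tier names, the "hardware_key" assertion for the top tier and the sample request values are assumptions.

```python
"""Zero-trust access decision gated on layered identity assertions (added example)."""
from dataclasses import dataclass, field

# Labels for the assertions named in the text; HW_KEY is an assumed extra factor.
DEVICE_CERT = "device_certificate"
PASSWORD = "username_password"
OTP = "one_time_passcode"
HW_KEY = "hardware_key"

# Assumed policy: the assertion set required grows with resource criticality.
POLICY = {
    "low": {PASSWORD},
    "medium": {DEVICE_CERT, PASSWORD, OTP},
    "high": {DEVICE_CERT, PASSWORD, OTP, HW_KEY},
}


@dataclass
class AccessRequest:
    user: str
    device: str
    resource: str
    criticality: str
    verified: set  # assertions that actually succeeded for this request


@dataclass
class Inventory:
    """Tracks which credential (user or device identity) has reached which resource."""
    grants: dict = field(default_factory=dict)

    def record(self, credential: str, resource: str) -> None:
        self.grants.setdefault(credential, set()).add(resource)


def decide(req: AccessRequest, inventory: Inventory):
    """Return (allowed, missing). Deny by default: an unknown tier or any
    missing assertion denies; a grant is recorded in the inventory only on allow."""
    required = POLICY.get(req.criticality)
    if required is None:
        return False, {"unknown_criticality"}
    missing = required - req.verified
    if missing:
        return False, missing
    inventory.record(f"user:{req.user}", req.resource)
    inventory.record(f"device:{req.device}", req.resource)
    return True, set()
```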
Shifting the Cost Mindset
Matt Klein, cybersecurity executive advisor at Coalfire, a provider of cybersecurity advisory and assessment services, said that, from his perspective, what is often overlooked are the no-cost or low-cost activities that provide broad security benefits.
For example, all organizations should review the basics, or "hygiene" activities, that have an outsized impact on reducing the chance that the most common threats, such as phishing and exploitation of common vulnerabilities, will succeed.
Those activities include tuning the email security solution so that malicious emails do not reach users' inboxes, patching systems and remediating system and application vulnerabilities in a timely fashion, and limiting access to sensitive data.
“Organizations should also consider implementing two-factor authentication where appropriate but especially for administrative access to systems, applications and platforms and all access to all systems that store, process or transmit sensitive data,” he said.
Klein pointed out that artificial intelligence (AI) and machine learning (ML) can enable efficiencies and automation that lessen the burden of some security activities and shorten the time it takes to uncover threats to an organization.
“For example, one common area that can benefit from AI/ML technology is security log review,” he said. “Those technologies can significantly increase the amount of data analyzed and synthesized into actionable data and tasks and reduce the time waste of false positives.”
Robinson also pointed out that AI and ML would increasingly be embedded in security tools as a way to drive automation and perform enhanced monitoring.
“One challenge for security teams in using these emerging technologies is validating the results,” he explained. “For example, AI may flag a false positive when monitoring for network anomalies. The security team must be prepared to catch this error and retrain the algorithm.”
Changing the Training and Awareness Mindset
Klein noted the best approaches to workforce security education include multiple tiers of training depth and training approaches.
“The entire organization may go through annual high-level security training around their security policy and common threats like phishing,” he explained. “But the best strategies go further to provide specific education to the board, executives, privileged system administrators and specific departments that frequently interact with sensitive data or interact with significant business processes like wiring funds.”
Robinson added that, from his point of view, the most important factor in workforce assessment and education is making it intentional: simply providing generic security education may not address the areas most in need of improvement.
“Workforce assessment and education should follow the overall cybersecurity strategy, and there should be defined metrics for measuring the effectiveness of any initiatives,” he said.