It’s not about whether you implement foundational controls but about how well you do it. Only when excellence in the essentials of security and compliance is achieved will an organization be able to have confidence that it can mitigate most cyber threats.
We, as cyber defenders, have an embarrassing problem. We are routinely susceptible to cyber incidents and breaches due to the same issues over and over: common vulnerabilities and poorly configured systems, ineffective patch management, and slow detection and response.
The good news is that the ways to address these issues are already fairly well established. One best practice involves implementing the foundational controls maintained by the Center for Internet Security. These controls are all about basic security hygiene—such as knowing what’s connected and what’s running on your network, minimizing vulnerabilities to reduce the attack surface, and hardening systems through secure configurations.
Curiously, many organizations say they already have these essentials in place. So, why are we still being exploited through the most common means?
Much of the problem is due to an overabundance of options. Organizations today must filter out a lot of noise to focus on what really matters. As good as the latest, most advanced tools in the marketplace may be, they can distract us from implementing the foundational controls in an effective way.
“It’s common in information security to look at the most recent innovative attack in the news and imagine that you need a shiny new tool to deal with it. A fair amount of the information security industry is based on just this pattern. The fact is, however, that foundational controls are foundational because they deal with the breadth necessary to manage risk in a changing landscape. New controls may become foundational over time, but the old ones largely remain core to successful risk management. Anytime there’s a new threat to deal with, rather than using it as a means to acquire new shiny objects, consider how that might be used to drive more excellence in the foundational controls you have today.”
So, how can you help your organization achieve excellence in the essentials?
Here are five elements to consider:
- It’s important to implement robust vulnerability management so that we can reduce the number of false positives. We can do this by profiling assets and running targeted scans for the specific types of devices and applications that are actually running, rather than testing every host for everything.
- We need to prioritize which vulnerabilities to tackle first. We can do this by focusing on granular scoring and prioritization, so that we can allocate limited attention and resources to the vulnerabilities that matter most to our environment.
- For secure configurations, it’s important to have robust compliance reporting. The ability to quickly and accurately assess systems against common known standards, in preparation for audits, or against internal policies is key.
- Another common challenge is knowing what’s changed in your environment and being able to detect when an incident or breach occurs. The ability to monitor and alert on those changes in real time, and to understand what they mean in the context of your environment, is critical.
- Finally, automating remediation is a key component to achieving excellence in the essentials. No platform is an island, and the ability to integrate through workflows can help us respond to threats faster and more effectively.
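The five elements above can be made concrete with a small amount of code. The following added example is not Tripwire’s code and not part of the original post; it shows asset profiling used to discard findings for software an asset does not run (element 1), a granular priority score that weights a base CVSS value by exposure, data sensitivity and known exploitation (element 2), and a baseline-versus-observed configuration check that doubles as a compliance report and a change alert (elements 3 and 4). All assets, findings, the hardening baseline and the observed state are constructed inline; the scoring weights and the placeholder `CVE-0000-000x` identifiers are assumptions, not references to real advisories.

```python
"""Contextual vulnerability prioritization and configuration-drift detection.

Added example (not Tripwire's code). All data below is constructed for
illustration; scoring weights are assumptions a team would tune for itself.
"""
from dataclasses import dataclass, field
import hashlib
import json


@dataclass
class Asset:
    hostname: str
    role: str                  # e.g. "web", "db", "workstation"
    internet_facing: bool
    data_sensitivity: int      # 1 = public, 2 = internal, 3 = regulated
    services: set = field(default_factory=set)   # what is actually running


@dataclass
class Finding:
    asset: str
    cve: str                   # placeholder identifier, not a real CVE
    cvss: float
    affected_service: str
    exploit_known: bool


# Constructed inventory: knowing what is connected and what runs on it.
ASSETS = {
    "web01": Asset("web01", "web", True, 2, {"nginx", "openssh"}),
    "db01": Asset("db01", "db", False, 3, {"postgresql", "openssh"}),
    "ws42": Asset("ws42", "workstation", False, 1, {"openssh"}),
}

# Constructed scanner output. The second line is the classic false positive:
# an nginx finding reported against a host that does not run nginx.
FINDINGS = [
    Finding("web01", "CVE-0000-0001", 9.8, "nginx", True),
    Finding("db01", "CVE-0000-0001", 9.8, "nginx", True),
    Finding("db01", "CVE-0000-0002", 7.5, "postgresql", False),
    Finding("ws42", "CVE-0000-0003", 5.3, "openssh", False),
]


def relevant(finding, assets):
    """Drop findings for software the profiled asset does not run."""
    asset = assets.get(finding.asset)
    return asset is not None and finding.affected_service in asset.services


def priority(finding, asset):
    """Granular score: CVSS adjusted by exposure, sensitivity and exploitation.
    Multipliers and the +2.0 bonus are assumptions for the example."""
    score = finding.cvss
    if asset.internet_facing:
        score *= 1.5
    score *= {1: 0.8, 2: 1.0, 3: 1.3}[asset.data_sensitivity]
    if finding.exploit_known:
        score += 2.0
    return round(score, 2)


def prioritize(findings, assets):
    """Return (score, host, id) tuples, highest priority first, noise removed."""
    ranked = [(priority(f, assets[f.asset]), f) for f in findings
              if relevant(f, assets)]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return [(score, f.asset, f.cve) for score, f in ranked]


# Constructed hardening baseline in the spirit of a CIS-style benchmark
# (assumed values, not a quotation of any benchmark).
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
             "X11Forwarding": "no"},
    "sysctl": {"net.ipv4.ip_forward": "0"},
}

# Constructed observed state: root login has been re-enabled on this host.
OBSERVED = {
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
             "X11Forwarding": "no"},
    "sysctl": {"net.ipv4.ip_forward": "0"},
}


def fingerprint(config):
    """Stable hash of a snapshot; a changed hash is the cheap change signal."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def drift(baseline, current):
    """List every deviation as (section, key, expected, actual); missing keys count."""
    changes = []
    for section, keys in baseline.items():
        observed = current.get(section, {})
        for key, expected in keys.items():
            actual = observed.get(key)
            if actual != expected:
                changes.append((section, key, expected, actual))
    return changes


def assess(baseline, current):
    """Compliance report plus the concrete deviations worth alerting on."""
    total = sum(len(keys) for keys in baseline.values())
    deviations = drift(baseline, current)
    return {"checks": total, "passed": total - len(deviations),
            "changed": fingerprint(current) != fingerprint(baseline),
            "deviations": deviations}


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS):
        print("priority", *row)
    print(assess(BASELINE, OBSERVED))
```

Run as a script, the ranking puts the exploited, internet-facing web server first and silently discards the nginx finding on the database host, and the configuration check reports three of four controls passing with the `PermitRootLogin` deviation as the item to alert on. In a real deployment the inventory, scan output and observed configuration would come from the asset database, scanner and integrity-monitoring agent rather than inline literals, and the deviation list is the natural hand-off point for the automated remediation workflow described in the last element.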
Foundational controls may be basic security hygiene, but implementing them well is not always easy. It’s a shared responsibility that requires the involvement of security, compliance and IT operations teams.
Maritza Santillan, senior marketing specialist at Tripwire, has an additional thought on how organizations can optimize their use of foundational controls:
“By focusing on specific and obtainable goals, organizations can create significant management and operational benefits, including better visibility, management of resources, and lower costs.”
Ultimately, achieving excellence in the essentials will help your organization gain a much higher state of security readiness.