A fair percentage of the clients I have provided incident response services to over the last 12 months are operating on the Internet without dedicated security oversight, meaning not a single person employed at the organization is solely dedicated to working on security issues. While this is common for small companies and startups, these clients matured over the years to the point where they had hundreds or thousands of employees and even more computing devices on the network. What had not occurred, however, was investment in security commensurate with the growth of the company.
Organizations which deploy RSA Authentication Manager (SecurID) for enforcing two-factor authentication frequently think of their RSA SecurID solution only as an additional security control to enforce strong authentication to resources. However, by analyzing the wealth of log data that is generated by RSA Authentication Manager, organizations can gain valuable intelligence that can be useful to detect attacks and perhaps even predict new attacks.
After having conducted a number of such Breach Readiness Assessments over the past year or so with customers in a variety of industry sectors – including aerospace, financial, telecommunications device manufacturers, and health care technology – we’ve compiled a list of the Top 10 gaps that we’ve observed during these engagements. The following list is roughly ordered by frequency of occurrence (gaps at the top were seen at more customers than those further down the list), but all were observed at numerous customers.
I just returned from a weeklong trip to Europe, where I contributed my voice to the wildly successful series of RSA Security Summits. With near unanimity in London and Zurich, the audience accepted our premise that as a result of the changing IT landscape – including cloud, mobile, big data, extended workforce, supply chains – and the realities of today’s sophisticated attackers, the approach to security in organizations needs to change dramatically. Furthermore, there was general agreement that today’s preventive security systems, which are largely perimeter- and signature-based, no longer provide sufficient defenses, and that to compensate, organizations must improve their detection- and response-focused security controls. This quickly led to the practical and real challenge of how organizations can best make those improvements. How, in an environment of fixed security budgets, can organizations invest to create or significantly enhance their monitoring and response capabilities?
Over the last few weeks I have outlined several elements of Security Operations that are bubbling to the surface in my blog series “Next Generation Security Operations”. The series really focused on the reactive side of security management, and a key theme was the connection between nuts-and-bolts security and broader processes. A key point I wanted to communicate was the need for companies not only to remain vigilant and evaluate the detective side of security management, but also to look outside the technical infrastructure for inputs that improve reaction time within Security Operations. As most of my readers are GRC practitioners, this connection stimulated some interesting conversations with customers from the GRC side of the house, and I hope it made some of the same connections for readers on the security side.
Over the last few blog entries, I outlined some of the dimensions that security operations need to think about during 2013 and beyond. In some respects, this is the tip of the iceberg – there is only so much you can cover in a blog. However, I think there are some important items to put on the radar.
Years ago, companies had to worry about the “brick and mortar” threats – physical theft, property destruction, natural disasters. Next, it was the “bits and bytes” threats – intellectual property theft, website defacement, denial of service attacks. Now, there is a new element to our threat landscape – the “flesh and blood” threats. I don’t mean personal physical attacks but rather attackers exploiting an individual for nefarious purposes.
To continue my series on the Next Generation of Security Operations, I want to look at how well operations are positioned for the be-all, end-all of security – the actual Security Breach. Security incidents have a life of their own, and how it all turns out depends heavily on how soon the problem is detected. Detecting and stopping an attack early in the ‘kill chain’ can minimize or even prevent an issue from escalating. However, that is not always possible, and security operations must be prepared to escalate throughout the entire process until closure. There are some traditional stages when it comes to Security Incident response.
A common issue seen in many of our Advanced Cyber Defense (ACD) engagements is customers who have reasonably mature monitoring and incident response procedures but are inefficient at putting context around the artifacts of an incident.
When it comes to defending our networks we have to be right 100% of the time but a cybercriminal has to be right just once. We must shift this balance if we are ever going to be in a position to truly protect and defend our networks. In fact, defence is probably no longer appropriate [...]