6 Tips for Security Pros to Tackle Visibility
Actionable tips from the execs on how security leaders can better attain visibility into everything from network activity to non-corporate devices, user behavior and internal WiFi networks
On the quest for visibility, too often Information Security professionals fall short thanks to trends like cloud and IoT, as well as skyrocketing levels of stealthy cybercrime. In particular, organizations report having significant struggles with blind spots in their network activity, non-corporate devices, user behavior and internal WiFi networks to name a few top challenges, according to this ESG report.
So, we asked a panel of veteran industry executives what visibility means to them. With the help of Ashley Genest at Ink House, we rounded up a list of 6 actionable tips to help security leaders attain it.
- You can’t secure what you don’t know about — Visibility is paramount for security, so the first step is to perform a comprehensive audit of all existing code repositories, application environments/deployments, and any external, third-party services that are being used, said Mike D. Kail, CTO, CYBRIC. In conjunction with this audit, document any security tools and solutions that are being used or have been deployed. An important part of this process is to also meet with several members of the dev, devops and security teams to get a view into cultural bias and differing views of security. Do not underestimate the value of this part of the process, as the cultural transformation will be more challenging than the technical aspects of execution.
- Security visibility needs to be continuous — The aforementioned audit is not a “one and done” exercise. In order to truly provide security assurance, the auditing and testing across the entire asset portfolio needs to be performed on a continuous basis. Hackers are constantly looking for new and open attack vectors and the common practice of periodic (monthly, quarterly, etc.) audits and testing is not sufficient. Kail said we need to level the playing field and mind the gap that exists between companies and their adversaries today.
- Effective asset and vulnerability management is critical to maintaining visibility — Richard Henderson, global security strategist, Absolute said you must be able to identify each device, its current status and state, and the state of all the applications residing on the device. Your asset management solutions should be able to both actively and passively scan devices — passive scanning is designed to watch your traffic flows to identify active devices, and active scanning is centered around overtly probing your network looking for previously unseen, dormant or idle devices. When you put the two together, you’ll have a much better picture as to the current state of your infrastructure.
- Focus on building solutions that target your most critical assets — If you’re not currently using a modern solution to collect, scrub, analyze, and respond to anomalous log events, said Henderson, then start small with the devices belonging to C-suite executives and their assistants, your privileged accounts and devices belonging to your administrators, and your various system accounts that often have credentials that seldom (or never!) change. Start there and expand as time, resources, and budgets allow.
- Your visibility solution can’t just limit itself to desktops and laptops — You’ll need to monitor anything with an IP address that connects to your network resources: smartphones, tablets, IoT devices, and other employee-owned devices should all be monitored. The end goal should be to collect and process data from everything. If your visibility into your infrastructure is narrow and shallow, any risk calculations you make will almost always be a shot in the dark and exceedingly inaccurate… leading to some tough questions by the powers-that-be after a significant incident happens said Henderson.
- Visibility = Event Logs. False. — As an example, Steve Moore, VP and chief security strategist, Exabeam, said, if we want visibility from an internal application, that’s generally thought of as a binary thing — do we have the logs or not? If yes, then maybe the auditors ask, “Have you looked at the logs’ ‘bad’ events today, and how did you document said work?” The linear nature of this work is monotonous and of very little value (but security teams are still tasked with this work). Why? The entire conversation lacks enrichment and context; and due to this, it cannot then be actioned upon.
- Enrichment is lacking because raw logs are hard to read and often aren’t tied directly to a person. Even with things like an IP address or maybe an account name, as humans we make the best decisions when the base event is tied to someone we might know — a human identity.
- Context is also lacking because, while we began this conversation talking about one application and its logs (visibility), those logs only work from one perspective and on one axis of thinking. Application behavior is of little value, even with logs, without knowing the larger behavior of those interacting with it.
Visibility doesn’t exist nor does it matter unless the following formula is followed: Visibility = Enrichment + Context + Action.
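The formula above, worked through in code as an added example (not from the article or any vendor named in it): raw application log lines are parsed, enriched from an identity directory and an asset inventory, given context from the user’s own earlier events and the time of day, and only then turned into an action. All log lines, account names, IP addresses and directory entries are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample input: raw log lines from a hypothetical "payroll" application.
RAW_LOGS = [
    "2024-05-01T09:12:04Z app=payroll src=10.1.2.3 user=jdoe action=view_report status=ok",
    "2024-05-01T23:48:19Z app=payroll src=10.1.9.77 user=jdoe action=export_all status=ok",
    "2024-05-01T10:03:41Z app=payroll src=10.1.2.3 user=svc_backup action=login status=fail",
]

# Enrichment sources (constructed): account -> human identity, IP -> managed asset.
IDENTITY = {"jdoe": {"name": "Jane Doe", "dept": "Finance", "type": "human"},
            "svc_backup": {"name": "backup service", "dept": "IT", "type": "service"}}
ASSETS = {"10.1.2.3": {"host": "FIN-LT-017", "owner": "jdoe"},
          "10.1.9.77": {"host": "GUEST-WIFI-AP2", "owner": None}}

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<kv>.*)")

def parse(line):
    """Raw event: timestamp plus key=value pairs, nothing tied to a person yet."""
    m = LINE_RE.match(line)
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev

def enrich(ev):
    """Enrichment: attach the human identity behind the account and the asset behind the IP."""
    ev["identity"] = IDENTITY.get(ev["user"], {"name": "unknown", "dept": None, "type": "unknown"})
    ev["asset"] = ASSETS.get(ev["src"], {"host": "unknown", "owner": None})
    return ev

def add_context(ev, history):
    """Context: compare this event with the same user's earlier behavior and the clock."""
    past = [h for h in history if h["user"] == ev["user"]]
    ev["known_src"] = any(h["src"] == ev["src"] for h in past)
    ev["after_hours"] = not 8 <= ev["ts"].hour < 19
    ev["owns_device"] = ev["asset"]["owner"] == ev["user"]
    return ev

def decide(ev):
    """Action: only an enriched, contextualised event can be routed somewhere useful."""
    if ev["action"] == "export_all" and (not ev["owns_device"] or ev["after_hours"] or not ev["known_src"]):
        return "escalate"   # bulk export from an unowned device, off-hours, or a new source
    if ev["identity"]["type"] == "service" and ev["status"] == "fail":
        return "ticket"     # failing service account: likely a rotated credential, not an attacker
    return "none"

def triage(lines):
    history, results = [], []
    for line in lines:
        ev = add_context(enrich(parse(line)), history)
        ev["action_taken"] = decide(ev)
        history.append(ev)
        results.append(ev)
    return results
```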
- Aim for data element-level visibility — Lack of visibility into information proliferation across endpoints poses a significant risk to today’s enterprises, said Tony Gauda, founder and CEO, ThinAir. CISOs and IT administrators have been in the dark about where data is and how it’s being used, at the peril of their organization; the faster a data breach can be identified and contained, the lower the costs, according to Ponemon Institute’s 2017 study. Organizations should strive to automatically analyze every data interaction with supreme granularity, for example, tracking and recording every single time a person touches a piece of credit card information. Identifying suspicious actions in real time helps keep threats from turning into expensive, and public, breaches.