Why It’s Critical to Focus on Security Fundamentals
Article by Gigamon A/NZ, George Tsoukas.
Recently, the US White House issued a statement citing intelligence reports indicating “…the Russian government is exploring options for potential cyber attacks.” Along with this statement, the White House released a comprehensive list of steps organizations should take to improve their cybersecurity posture.
To address these threats, practicing and mastering the fundamentals is essential. We have to pay attention to, and perfect, the small details that are often overlooked.
Cybersecurity professionals understand how essential it is to practice the fundamentals. These include measures such as implementing multi-factor authentication, having reliable backups in place, and contingency planning.
This is the advice we share with our friends, family and colleagues. Frankly, they’re probably tired of hearing us repeat ourselves after every high-profile data breach or cyberattack. Yet these practices are fundamental for a reason: they underpin a healthy and proactive cybersecurity posture.
Let’s dive into three of the recommendations issued by the White House:
White House Recommendation #1
“Deploy modern security tools across all computers and devices to continuously scan for and mitigate threats.”
Firewalls, EDRs, and SIEMs are the first line of defense considered by most security teams, but these tools lack the ability to detect malicious activity at the network level.
As networks become more complex, with a mix of private and public cloud and on-premises environments, we also need tools that give security and network teams deep observability on this infrastructure.
Network Detection and Response (NDR) tools and a visibility framework address this gap. When researching NDR solutions, look for ones that provide historical visibility into network traffic.
Historical visibility matters because attackers stay on networks for an average of 280 days, or almost nine months. Pairing NDR with a visibility solution helps ensure that network and security teams maximize their ability to detect threats and defend the network against modern attacks.
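The value of historical visibility is easiest to see with a retrospective search: once a new indicator is learned, the question is not only "who is talking to it now?" but "when did this start, and which hosts were involved?". The following Python script is an added example, not code from the article or from Gigamon; the flow records, the indicator and the discovery time are constructed sample data, and the "retention" check shows what is lost when a flow store only keeps a short window.

```python
"""Retrospective indicator search over retained flow records (added example).

Constructed sample data throughout: flow lines, the indicator 198.51.100.23 and
the discovery time are invented for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed flow records: "timestamp,src,dst,dst_port,bytes", one per line.
SAMPLE_FLOWS = """\
2021-06-02T03:14:07Z,10.20.5.17,198.51.100.23,443,1840
2021-06-02T03:14:09Z,10.20.5.17,203.0.113.8,443,122034
2021-09-15T22:41:51Z,10.20.5.17,198.51.100.23,443,1912
2022-01-20T11:05:33Z,10.20.7.44,198.51.100.23,8443,2760
2022-03-08T09:00:02Z,10.20.7.44,203.0.113.8,443,5001
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text: str) -> List[Dict]:
    """Turn the CSV-style flow text into a list of dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def contacts_with(flows: List[Dict], indicator: str) -> List[Dict]:
    """All flows whose destination matches the indicator, oldest first."""
    return sorted((f for f in flows if f["dst"] == indicator), key=lambda f: f["ts"])


def first_seen(flows: List[Dict], indicator: str) -> Optional[datetime]:
    hits = contacts_with(flows, indicator)
    return hits[0]["ts"] if hits else None


def dwell_days(flows: List[Dict], indicator: str, discovered_at: datetime) -> Optional[int]:
    """Whole days between the first recorded contact and the time the indicator was learned."""
    fs = first_seen(flows, indicator)
    return None if fs is None else (discovered_at - fs).days


def affected_hosts(flows: List[Dict], indicator: str) -> List[str]:
    """Internal hosts that ever contacted the indicator, for scoping the investigation."""
    return sorted({f["src"] for f in contacts_with(flows, indicator)})


def visible_with_retention(flows: List[Dict], indicator: str,
                           discovered_at: datetime, retention_days: int) -> bool:
    """Would a flow store that keeps only `retention_days` of history still hold the first contact?"""
    fs = first_seen(flows, indicator)
    if fs is None:
        return False
    return discovered_at - fs <= timedelta(days=retention_days)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    ioc = "198.51.100.23"
    discovered = parse_ts("2022-03-09T03:14:07Z")
    print("first seen:", first_seen(flows, ioc))
    print("dwell days:", dwell_days(flows, ioc, discovered))
    print("hosts to triage:", affected_hosts(flows, ioc))
    for days in (30, 90, 365):
        print(f"{days}-day retention sees first contact:",
              visible_with_retention(flows, ioc, discovered, days))
```

With these sample records the first contact is 280 days before discovery, so a 30- or 90-day retention window would show only the most recent host and hide both the true start of the intrusion and the first compromised machine.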
White House Recommendation #2
“Execute drills and contingency plans to enable IT to respond quickly to minimize the impact of any attack.”
Although traditional defense tools are necessary for an organization to prevent common malware infections, they often fail to detect and prevent more advanced and persistent adversaries.
This is a risk that organizations of all sizes increasingly face. The addition of a threat hunting program creates an umbrella over frontline defenses to both enhance and complement these capabilities, detecting otherwise unidentified adversaries.
When evaluating security solutions, look for tools that provide guided playbooks that allow your investigators to identify attackers based on real behaviors with just a few mouse clicks.
It’s a bonus if the tool enables parallel forensic capabilities that help coordinate threat hunting and investigation efforts between teams around the world.
White House Recommendation #3
“Encrypt your data so it can’t be used if it’s stolen.”
Encryption at rest is essential, but encryption of data in motion is just as important. Cybercriminals know this and use encryption too, to hide their own traffic. Defenders therefore also need visibility into encrypted sessions in order to inspect attacker behavior.
SSL decryption is essential for securing today’s enterprise networks due to the significant growth of encrypted traffic applications and services. Cybercriminals are increasingly using SSL/TLS sessions to hide, believing that security tools will not inspect or block their traffic.
When this happens, SSL/TLS sessions can become a liability, inadvertently cloaking malicious traffic. In other words, the very technology that secures the Internet can become a nefarious threat vector.
Inline SSL decryption relies on a root certificate installed on client machines: the decryption device acts as a certificate authority, issuing certificates for the sites clients request. This allows the device to decrypt SSL/TLS traffic, perform detailed inspection, and then re-encrypt it before forwarding it to its destination.
This ensures that only authorized SSL/TLS traffic enters the network and that malware hidden in SSL/TLS sessions is exposed and dealt with during decryption.
To meet diverse organizational needs, look for solutions that support both inline/man-in-the-middle and passive/out-of-band decryption of SSL/TLS.
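Whether a session is decrypted inline, decrypted out-of-band, or left alone is decided before any certificate is issued, and the only plaintext field available at that point is the Server Name Indication (SNI) in the ClientHello. The following Python script is an added example, not code from the article or from Gigamon: it parses the SNI out of a raw TLS ClientHello record and applies a constructed decryption policy (bypass for categories the organization has decided not to inspect, passive decryption for internal services whose keys it holds, inline decryption for everything else). The `build_client_hello` helper exists only to construct sample records offline; the suffix lists are invented.

```python
"""Decryption policy keyed on the TLS ClientHello SNI (added example).

The record builder, the bypass/passive suffix lists and the action names are
constructed for illustration and are not part of any product.
"""
from typing import Optional, Tuple

# Constructed policy. Suffix match against the SNI; longest lists first in real deployments.
BYPASS_SUFFIXES = ("bank.example", "health.example")   # categories not to be decrypted
PASSIVE_SUFFIXES = ("intranet.example",)               # own services: out-of-band decryption


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying one SNI entry (sample input only)."""
    name = sni.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name        # host_name type, len16, name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry          # server_name_list
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 (server_name)
    body = (b"\x03\x03" + bytes(32)                 # client_version, random (zeroed for the sample)
            + b"\x00"                               # empty session id
            + b"\x00\x02\x13\x01"                   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # one compression method: null
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent or malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                   # not a handshake record
        rec_len = int.from_bytes(record[3:5], "big")
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                   # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip client_version and random
        pos += 1 + body[pos]                              # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher suites
        pos += 1 + body[pos]                              # compression methods
        if pos + 2 > len(body):
            return None                                   # legacy client with no extensions
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            lpos = 2                                      # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = int.from_bytes(edata[lpos + 1:lpos + 3], "big")
                if ntype == 0:                            # host_name
                    return edata[lpos + 3:lpos + 3 + nlen].decode("ascii", errors="replace")
                lpos += 3 + nlen
        return None
    except (IndexError, ValueError):
        return None                                       # truncated or inconsistent lengths


def _matches(sni: str, suffixes) -> bool:
    """Exact or dotted-suffix match, so 'notbank.example' does not match 'bank.example'."""
    return any(sni == s or sni.endswith("." + s) for s in suffixes)


def decryption_action(record: bytes) -> Tuple[Optional[str], str]:
    """Decide how the inspection device should treat this session: bypass, passive or decrypt."""
    sni = extract_sni(record)
    if sni is None:
        return None, "decrypt"        # nothing to match on: fall through to the default action
    if _matches(sni, BYPASS_SUFFIXES):
        return sni, "bypass"          # forward untouched, no certificate issued
    if _matches(sni, PASSIVE_SUFFIXES):
        return sni, "passive"         # mirror to an out-of-band decryptor holding the server key
    return sni, "decrypt"             # terminate, inspect, re-encrypt inline


if __name__ == "__main__":
    for host in ("online.bank.example", "hr.intranet.example", "cdn.example.net", "notbank.example"):
        print(host, "->", decryption_action(build_client_hello(host)))
```

In production the action table would be driven by a category feed rather than static suffixes, and sessions with no SNI at all usually deserve their own policy entry rather than silently taking the default, but the decision point is the same: it must be made from the ClientHello, before the device impersonates the server.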
The comprehensive list of recommendations in the White House statement echoes best practices that have been repeated across the cybersecurity industry for years and that are fundamental to maintaining a proactive security practice.
What sets this announcement apart is the sense of urgency around the potential for threats from Russia and Russia-based threat actors.
As an industry, we have been steadily beating the drum for organizations to implement these best practices for over a decade. But given the heightened state of public awareness and perception of higher stakes, it’s easy to get overwhelmed by the sheer volume of information or questions from armchair experts.
It’s often difficult to be the voice of reason in the room, fending off a sea of people spewing buzzwords that spread fear, uncertainty and doubt. Breathe and rely on experience and trusted practices and solutions.
These concepts do not always take into account an organization’s ability to quickly adopt and implement advanced and complex security frameworks. Implementation takes time. Unfortunately, the reality for many industries is that they lack the maturity or resources to succeed.
Vendors tend to focus on “the newest and the best,” while organizations would be better served by focusing on the fundamentals to improve their security posture. The White House statement attests to this, and organizations should seek to improve their security posture by gaining deep observability through network-level intelligence.