Cybersecurity Strategy – Start from the Basics
Sivan Tehila
Cybersecurity is a constantly evolving industry. New threats can emerge at any time and without warning, as with zero-day exploits. Implementing security measures to protect against all threats may not always be possible. Additionally, security implementations are not universal; the tools required will vary on a case-by-case basis. Some fundamental best practices should be adopted by all organizations, regardless of their industry and specific needs. It is upon these that additional, organization-specific solutions can be added. However, without that solid foundation, any further controls will be less effective and may even slow down business operations by interrupting the smooth flow of information.
This article will introduce four concepts that should be at the core of every effective cybersecurity strategy. It starts with Security by Design, a key element of the planning phase as the security architecture develops. Following this blueprint, security practitioners can build outward to execute a Defense in Depth model that surrounds their assets with a robust, layered cybersecurity infrastructure. And lastly, once human and non-human tools are incorporated into the environment, Least Privilege and Zero Trust policies can be enacted to set firm boundaries and authentication requirements for these users to traverse the network and access resources.
1. Security By Design
As the name implies, Security by Design (SbD) originates at the earliest stages of development, namely the design phase. SbD ensures that security is being incorporated into the very fabric of the system. Historically, these more in-depth security discussions have happened in the wake of a major incident when executives look for ways to prevent such events from reoccurring. SbD has fast become a mainstream approach for introducing security and compliance concerns early on in the conversation to prevent breaches from occurring in the first place.
Outlining these specifics allows security teams to allocate the appropriate resources and attention to managing tools across the network moving forward. This is especially helpful when developing software or configuring security implementations. And with the recent rise in popularity, Amazon has begun offering SbD through its CloudFormation service. Using cloud technology helps automate auditing processes and enforce security policies, freeing up security personnel to handle other, more critical tasks.
2. Defense in Depth
Defense in Depth, a term borrowed from the military, describes the use of multiple tactics to protect assets on a network. Given the creativity and persistence of attackers, having various security tools in place can cover more of a network’s attack surface, minimizing the availability of attack vectors and the ease with which they can be exploited.
Defense is depth is much like the medieval castles that dot the landscapes of Europe today. Castles held the empire’s most precious resources: the king’s wealth and jewels, historical artifacts, and, most importantly, the royal family. Those fortresses were equipped with moats, gates, high walls, sentry boxes, and royalty-only areas protected by guards. The organization has replaced the empire in the modern age, and data is the treasure. To protect this logical trove, multiple security tools should be used to, at the very least, slow down attackers as a response is mounted.
Any implemented control can be part of a defense in depth plan, with the choices being limitless. However, there are overarching categories of security measures that should be present in every organization’s security plan. The simplest category is physical security, which can be met by using security guards, security cameras, or key cards that must be scanned to gain entry to and throughout the building. Network security measures, like requiring a username and complex password to sign onto a computer, and antivirus solutions are excellent controls for the endpoint level. Above this are administrator-level protocols covering identity and access management policies, like least privilege and zero trust. And lastly, and perhaps the newest innovations to the cybersecurity industry, are behavior analysis tools that observe network activity from users and applications and seek out any anomalies from the recognized baseline.
While the simplest choice would be to select one control to cover each concern, the best practice is to use a layered approach. Layering measures means adopting multiple measures from each category. One tool is helpful, but if it fails, a huge gap remains for threat actors to take advantage of. Using redundancy means that, even if one control is unavailable, there will be additional measures in place to stand in the way of an attack. For example, an organization may require a strong and regularly changing password. Should a user’s login credentials be stolen, a malicious party could use them to access the network and its information. Requiring Multi-Factor Authentication (MFA) and implementing a policy of least privilege stand as additional safeguards to user accounts and company data in the event of a compromise.
3. Least Privilege
Every player within an organization, both man and machine, serves a purpose. An employee may be responsible for software development, a firewall for perimeter security. Each role is defined and requires specific resources for its achievement. The software developer will need access to BitBucket and perhaps information relating to stakeholder expectations for the product. However, the developer does not require customer information or administrator-level access to code the software.
Using the least privilege policy can help restrict specific users from accessing particular resources. Least privilege is an administrative practice that grants users and applications the bare minimum permissions needed to do their jobs. In this manner, a user will be restricted from accessing resources that do not pertain to them intentionally or inadvertently.
To make this even easier, rather than assigning permissions to each user on an individual basis, security practitioners can group users and applications based on their purpose in an organization, using a standard set of rules that applies to all group members. Should an entity require permissions outside of their normal functions, they can be assigned those additional privileges individually. However, they should be removed immediately after the task is finished. Leaving the privileges in place results in a security risk known as “privilege creep.” Privilege creep typically occurs over extended periods of time as employees take on more projects and receive escalated privileges to complete them; eventually, the user may have administrator-level access to sensitive areas of the network and can be leveraged by a threat actor during an attack.
For organizations building a security plan from the ground up, establishing Least Privilege can be done from the beginning. For organizations that are already operational and may be unsure of what privileges their human and non-human users have, it is a simple process to find and implement Least Privilege. The first step is conducting a full audit of all accounts, programs, and other entities within the network to determine what permissions each has. Once this is done, begin using least privilege and separate higher-level accounts from lower-level ones. If users or applications do need elevated privileges, implement expiring privileges, and use auditing to track user activity when granted additional permissions. Audits should be held regularly to prevent potential risks via escalated privileges.
4. Zero Trust Model
Historically, security policies have relied on a “trust, but verify” approach to user access. Returning to the castle analogy, if an individual was permitted inside the castle walls, they were automatically trusted throughout the building. Similarly, if a user were authenticated and given access to the network, their credentials would be trusted everywhere on the network. Using the old method poses a grave risk if an employee goes rogue or an external threat actor obtains legitimate user credentials.
Rather than continue using this unsafe policy, a better alternative is the “Zero Trust” model. Zero Trust changes “trust, but verify” to “never trust, always verify.” Nobody, human or nonhuman, is given free range on the network. Each entity must authenticate itself before being granted access to endpoints, data, or other resources. Authentication can involve the traditional username/password combination, but this cannot be the only method for verifying a user or application identity. Multifactor authentication, like a biometric or being in a specific location, is a common additional means of authenticating users. For applications, authentication servers like Kerberos are effective.
Teams should monitor the networks and track user activity as an added security measure, especially within areas containing more sensitive data. SIEM and SOAR implementations can help facilitate this process by leveraging artificial intelligence and machine learning to recognize normal system activity and quickly pick up on anomalous behaviors, sending off alerts for human personnel to investigate. The same should be done for human users. User activity should be recorded and analyzed overtime to ensure that employees are kept within the boundaries of their roles. Should anything appear out of the ordinary, it may indicate a compromised account and an attempted breach.
Before implementing Zero Trust into an already matured architecture, identify what resources exist on the network and which ones demand the most protection. Roll out the Zero Trust mechanisms slowly, starting with the most critical data. This introduction of Zero Trust authentication tools improves the monitoring and logging systems to better record network and user activity for later analysis. And lastly, with everything in place, make adjustments to ensure that the authentication and monitoring protocols do not interfere with business operations and network productivity.
Conclusion
With the ever-changing landscape of the cybersecurity industry, now is as good a time as any for organizations to reevaluate their security posture. Even for existing infrastructure, improvements can be made to better prepare for any potential attacks. The four topics discussed here can serve as a roadmap or new cybersecurity plans or as a basis for future changes to make an environment more secure. Any proposed adjustments should always begin with a discussion on how to incorporate security in the system’s design and be followed up with the identification of various controls to achieve that goal. Once the system is introduced into the larger enterprise architecture, it should be protected using the policy of least privilege and Zero Trust to keep it and the rest of the network safe from threat actors.