What Is Your Plan for Identifying and Addressing Cyber Threats? And, More to the Point: Will It Hold Up?
You think your organization’s secure. You’ve tried to consider all the angles. But there’s still that nagging concern in the back of your mind—that Jeff Goldblum voice that tells you matter-of-factly that “hackers find a way.”
Jurassic Park’s Dr. Malcolm was right, of course—about those pesky dinosaurs. But what about cyber criminals? Will they find a way? Will they rampage through your network like a T. Rex on the prowl?
Well, let me ask you: Do you feel lucky?
Yeah, I just mixed movie references. I do that. It’s a failing. And I probably dated myself at the same time…. No matter how I word it, though, what I’m getting at is: How airtight is your plan?
Are IT and Security Working Well Together?
What could make your organization more vulnerable is a lack of synergy between IT and Security. What if your security team discovers a breach, for example, but your IT Ops team is slow to react? Or IT Ops corrects an application failure that is actually a system hack? With more surface area to cover, more mission-critical assets to protect, and more sophisticated threats to defend against, security issues are increasingly complex. So, these two teams must find a way to work together better to identify and protect vulnerable IT systems.
A focused security strategy—and, what is more, a prioritized set of actions that provide a "must-do, do-first" starting point to improve cyber defense—is a great place to start your own journey.
Do You Have a Legit Plan?
Derived from actual experiences at the NSA, the Center for Internet Security (CIS) Critical Security Controls are a great example of a focused security strategy, reflecting as they do many of the other leading sources of cybersecurity guidance: the Australian Signals Directorate (ASD), the National Institute of Standards and Technology (NIST), the National Cyber Security Centre (NCSC), and more.
They’re also prioritized according to the impact they will have on your security posture. In fact, organizations that comply with just the top 5 CIS benchmarks are already providing an effective defense against the most common cyber attacks—which amounts to about 85 percent of today’s cyber threats.
Do just these five things and you can protect yourself from most attacks you could face. Take that, Dr. Malcolm!
Why Is This a Good Way to Go?
Much of what you do in cyber security is an 80/20 effort: You can get 80 percent of what you need by implementing 20 percent of the framework. As you try to nail down the remaining 20 percent of risk and exposure, you begin spending a lot more time, effort, and money.
The CIS framework is built much the same way. The top 5 controls—25 percent of the framework—deliver layers of defense that, when implemented effectively, can mitigate that impressive 85 percent of cyber threats.
CIS Top 5 Controls

| # | Control | Description |
|---|---|---|
| 1 | Inventory and Control of Hardware Assets | “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” |
| 2 | Inventory and Control of Software Assets | “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.” |
| 3 | Continuous Vulnerability Management | “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.” |
| 4 | Controlled Use of Administrative Privileges | The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise. Provide “processes and tools to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.” |
| 5 | Secure Configuration for Hardware and Software | “Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. (As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared to ease-of-deployment and ease-of-use—not security.)” |
Ivanti provides a comprehensive, targeted endpoint security portfolio that addresses the top 5 and other CSC controls, aligning IT Operations and Security to best meet customer cybersecurity needs. Our automated capabilities, such as patch management, dynamic application whitelisting, granular privilege management, and secure configuration, are essential elements of the top 5 CIS Controls.
Of course, you can have all the other recommended tools in your arsenal, but without a complete picture of the organization’s assets, you can’t use them effectively to protect or defend everything in the environment. Have admin privileges been reduced on all systems running business-critical applications? Are all kiosks and other systems exposed to the public locked down from an application and device control standpoint?
Ivanti brings asset management solutions together with endpoint security to provide the insight into your environment you need to get the most from those security solutions.
How Do You Get Started?
So, what’s the first step in chasing those What If’s from your mind?
For each business-critical asset in your organization, you should compare your existing security controls against the CIS Critical Security Controls. Pinpoint exactly which sub-controls within those you already meet and those you do not. Then, based on identified gaps and specific business risks and concerns, take immediate steps to implement the top 5 controls.
After that? Well, that’s where risk vs. reward comes into play: That’s when you develop a strategic plan to implement the others, as they are deemed risks that need to be addressed—to close in on that final 15 percent.
And the best part? When you do it this way, you can complete your plan without invoking the dreaded words of John Hammond: “Spared no expense.” You’ll be buying just what you need and no more to give you the best defense against what you’re likely to face today.