Thursday, April 25, 2024 | Shawwal 15, 1445 H
Building a resilient security strategy


David Brown


Organisations create security policies and security frameworks to reduce vulnerabilities and to build a culture of security, both internally and externally. However, once built, the challenge is to revisit and update them in the areas that build resilience and reduce vulnerabilities.


Policies and configurations


Security controls and configurations change throughout their life: functional requirements change, unforeseen needs arise, and sometimes unauthorised changes are made.


In other words, the need for continuous assessment and review of policies and configurations cannot be overlooked.


Whatever the reasons, changes to an organisation's security policies must follow a systematic change request process. On a planned basis this can include regular quarterly assessments; mapping every approved change request to the configuration it alters; and time-boxing changes to fixed windows of 30, 90 or 180 days, after which each change auto-expires or must be revalidated.


Any change to security policies or configurations that has not been mapped to an approved change request should then trigger an internal security event.


Continuous review of security policies and configurations should not be confused with operational patching cycles. Patching routines run round the clock, and their cycles are determined by vendor releases and by threat and vulnerability intelligence. Patching priority is based on risk level, with preference for the patches that take the shortest time to apply.


Attack surfaces


Managing the attack surface of an organisation is an important part of its resilient security strategy. An immediate consequence of not understanding an organisation's attack surface is poor cyber hygiene, and poor cyber hygiene opens doors for threat actors' initial access and lateral movement. On the other hand, a well-understood and managed attack surface helps the organisation to build layered defences that are both proactive and reactive.


Baselining


Another important activity in building a resilient security strategy is to baseline an organisation's network and host layers. Information system types can also be baselined, which lets the organisation track growth in capability and capacity.


While monitoring against a baseline is often talked about, in practice it is seldom rolled out and, where it is initiated, seldom maintained. From an organisation's point of view, baselines are very effective for flagging, through automation or human monitoring, when something is not normal.


An organisation's resilient security strategy is incomplete without an attack surface management programme and monitoring of baseline activity.
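As an added illustration of the two mechanisms described above, the mapping of every configuration change to an approved change request with a fixed validity window, and the comparison of current state against a recorded baseline, here is a small Python review script. It is not part of the article or of any Axon Technologies tooling; the hosts, settings, change-request IDs and dates are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article). BASELINE is the host and
# firewall configuration recorded at the last quarterly assessment; CURRENT
# is what the same hosts report today. Keys are host -> setting -> value.
BASELINE = {
    "fw-edge-1": {"rule:inbound:tcp/22": "deny", "rule:inbound:tcp/443": "allow"},
    "app-01": {"ssh.PasswordAuthentication": "no", "listening_ports": "443"},
}
CURRENT = {
    "fw-edge-1": {"rule:inbound:tcp/22": "allow", "rule:inbound:tcp/443": "allow"},
    "app-01": {"ssh.PasswordAuthentication": "yes", "listening_ports": "443,8080"},
}

# Constructed change-request register (hypothetical IDs). Each approved change
# is mapped to the exact setting and value it introduces and carries a
# validity window of 30, 90 or 180 days; once the window lapses the change
# auto-expires and must be revalidated or rolled back.
CHANGE_REQUESTS = [
    {"id": "CR-101", "host": "fw-edge-1", "setting": "rule:inbound:tcp/22",
     "value": "allow", "approved": "2024-01-10", "window_days": 30},
    {"id": "CR-117", "host": "app-01", "setting": "listening_ports",
     "value": "443,8080", "approved": "2024-04-01", "window_days": 90},
]

def diff_state(baseline, current):
    """Yield (host, setting, old, new) for every setting that drifted,
    including settings that appeared or disappeared."""
    for host in sorted(set(baseline) | set(current)):
        old_cfg, new_cfg = baseline.get(host, {}), current.get(host, {})
        for setting in sorted(set(old_cfg) | set(new_cfg)):
            old, new = old_cfg.get(setting), new_cfg.get(setting)
            if old != new:
                yield host, setting, old, new

def classify_change(host, setting, new, change_requests, today):
    """Map one drifted setting to an approved change request and check its
    window. Returns (status, cr_id) with status 'mapped' (approved and still
    inside its window), 'expired' (approved but window lapsed) or 'unmapped'
    (no change request at all). `today` is an ISO date string."""
    today = date.fromisoformat(today)
    for cr in change_requests:
        if (cr["host"], cr["setting"], cr["value"]) == (host, setting, new):
            expires = date.fromisoformat(cr["approved"]) + timedelta(days=cr["window_days"])
            return ("mapped" if today <= expires else "expired"), cr["id"]
    return "unmapped", None

def audit(baseline, current, change_requests, today):
    """Return one record per drifted setting, in host/setting order."""
    events = []
    for host, setting, old, new in diff_state(baseline, current):
        status, cr_id = classify_change(host, setting, new, change_requests, today)
        events.append({"host": host, "setting": setting, "old": old, "new": new,
                       "status": status, "change_request": cr_id})
    return events

def security_events(events):
    """The records the review process raises as internal security events:
    unmapped changes and approved changes whose window has expired."""
    return [e for e in events if e["status"] != "mapped"]

if __name__ == "__main__":
    # Run the review against the constructed data as of 25 April 2024.
    for e in audit(BASELINE, CURRENT, CHANGE_REQUESTS, "2024-04-25"):
        print(f"{e['status']:8} {e['host']:10} {e['setting']:28} "
              f"{e['old']!r} -> {e['new']!r}  cr={e['change_request']}")
```

On the constructed data the review finds three drifted settings: the new listening port on app-01 is covered by CR-117 and still inside its 90-day window; the SSH password-authentication change on app-01 has no change request at all; and the opened inbound TCP/22 rule on fw-edge-1 was approved under CR-101 but its 30-day window lapsed in February. The last two are the internal security events. In practice the baseline and current snapshots would come from a configuration management or asset inventory export, and the register from the change-management system.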


Continuous improvement


A policy of continuously improving the levels of cyber hygiene in an organisation leads to an enhanced level of situational awareness. This enhanced level of situational awareness helps the enterprise to mitigate threats early in the attack lifecycle.


Enterprises that build this enhanced level of situational awareness are able to reduce the time that vulnerabilities remain exposed on their attack surface. They are also able to prioritise which vulnerabilities to remediate, with well-defined, clear actions and controls.


Enhanced situational awareness also helps to create proactive plans such as incident response and preparedness plans. Such a plan provides clear actions and remediation paths, in a simplified format for non-technical stakeholders and in a fully detailed structure for technical stakeholders.


Continuous improvement in cyber hygiene helps to build practices for network and system hardening, information assurance and vulnerability management. It also helps to support data classification systems, with a 3-2-1 backup scheme (three copies of the data, on two different media, one of them off-site) as a critical component.


On the flip side, an enterprise that does not understand its own cyber hygiene practices leaves itself open to adversaries, who will ultimately achieve their objectives.


(The writer is Security Operations Director of Axon Technologies)

