Top Cybersecurity Priorities
The cybersecurity landscape is changing, and our priorities must also change. Wise leaders know that an organization’s security is never fully built and must adapt to the changing requirements of their user base. Today’s boards and management ask how security solutions will work with the business to increase revenue and reduce risk. Though not every organization’s needs are the same, here are five priorities to start the process of defining your priorities.
DevOps teams are increasingly deploying applications using containers and microservices. While these are fantastic tools for easing deployment woes, they increase security concerns. The concerns are valid primarily because containers and microservices break traditional models of security deployment. How will you install an endpoint detection and response (EDR) agent on your microservices? You can’t.
What about container security? Surely EDR agents will work in my containers? Unfortunately, the answer to this one is “maybe.” Even if the agent works in a container, it will likely operate in a degraded mode or break the container security model. Most EDR agents require kernel-level access, and most containers cannot grant that while preserving the isolation model that made them popular in the first place.
In short, container security requires dedicated tools. Even with the right tools in place, organizations also need complementary processes to account for the different architectures used by the tools.
There’s no doubt about it: the perimeter is dead. Cloud adoption started hurting the perimeter over the last decade, but COVID was its death blow. As we sent people to work from home en masse at the beginning of 2020, it was clear that the perimeter as we knew it would never be the same. Many organizational leaders assumed that allowing workers to operate remotely would lower productivity overall. Despite sending workers home without much planning, against the backdrop of a pandemic, that largely hasn’t been the case. It’s doubtful that most workers will return to the office after the pandemic, and those who do will likely not do so full-time.
Given this tectonic shift in work habits, how we approach workforce security will significantly impact the organization’s security. Virtual private network (VPN) usage has moved from niche to commonplace. Some data loss prevention (DLP) tools, and even policies, have difficulty operating when there’s little in the way of a defined perimeter. Organizations must work out how to secure a remote workforce while maintaining privacy.
Cloud Access Security Brokers (CASB) control and monitor access to cloud assets, usually software as a service (SaaS) solutions. CASB solutions are traditionally thought of as a way to offer a single login to multiple cloud services, or a way to add multifactor authentication (MFA) to services that don’t natively support it. Much of our critical data has moved from on-premises solutions to SaaS environments. Unfortunately, monitoring and logging in SaaS environments is far from on par with what we see in on-premises equivalents. CASB solutions, however, offer additional benefits:
- Data loss prevention (DLP) in SaaS environments
- Unified logging picture across multiple SaaS environments
- The ability to alert on abnormal use of SaaS assets by individual accounts (think User Behavior Analytics (UBA))
CASB need not be a big-ticket deployment either. Since SaaS solutions are here to stay, it makes sense for intelligent infosec leadership to consider how to implement CASB solutions. Solutions such as Microsoft Cloud App Security (MCAS) are incredibly cost-effective, especially for E5 subscribers (MCAS is included with the E5 licensing package). However, some will find that the features offered by MCAS are not granular enough for their needs, indicating a need to shift to other, more complex and costly solutions. A CASB can operate either as a proxy or through API callbacks. The latter generally has lower overhead but lacks the flexibility that proxy-based solutions offer.
Every year, I ask, “How is this still a thing?” And yet, every new year brings new data breaches directly attributable to failures in vulnerability management. Many clients ask what tool to buy to “fix the vulnerability management problem.” Of course, the reality is that security problems are usually addressed by a combination of tools and processes. Tools alone have failed to solve the phishing problem over the last two decades. Why should vulnerability management be any different?
Comprehensive vulnerability management programs require:
- Vulnerability scanning tools (e.g., Nessus, Nexpose)
- Ticketing software to ensure remediation of discovered vulnerabilities
- Asset inventory linked to asset owners
- Executive sponsors to ensure compliance with patching/downtime requests
- Staff (seriously, you need a team)
Vulnerability management is more than just a vulnerability scanner, but a scanner is where you should start if you haven’t yet. Scan the environment and determine your highest-risk vulnerabilities. Set risk-based priorities for remediation, and schedule service outages for anything that is publicly accessible and has unpatched vulnerabilities or publicly available weaponized exploits.
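The program described above, as an added example that is not from the original post: constructed scanner findings are joined with a constructed asset inventory (linked to owners) and ranked into remediation tiers using the text’s outage criterion, with an unknown host surfacing as an inventory gap. The tier thresholds and the placeholder vulnerability identifiers are assumptions for the example.

```python
"""Risk-based remediation queue for the vulnerability management program above.
Added example, not from the original post: joins constructed scanner findings with
a constructed asset inventory (linked to owners) and ranks them for ticketing."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # placeholder identifiers below, not real CVE numbers
    cvss: float
    exploit_public: bool  # publicly available weaponized exploit?

# Constructed inventory: host -> (asset owner, internet-facing?)
INVENTORY = {
    "web-01": ("web-team", True),
    "db-01": ("dba-team", False),
    "hr-app": ("hr-it", True),
}

# Constructed scanner output; "ghost-01" is deliberately missing from the inventory.
FINDINGS = [
    Finding("web-01", "CVE-EXAMPLE-0001", 9.8, True),
    Finding("db-01", "CVE-EXAMPLE-0002", 9.1, True),
    Finding("hr-app", "CVE-EXAMPLE-0003", 6.5, False),
    Finding("web-01", "CVE-EXAMPLE-0004", 5.3, False),
    Finding("ghost-01", "CVE-EXAMPLE-0005", 7.5, True),
]

def tier(finding, inventory):
    """0 = schedule an outage now, 1 = urgent patch cycle, 2 = routine patching."""
    if finding.host not in inventory:
        return 0  # unknown asset: an inventory gap is itself a top-priority finding
    _, exposed = inventory[finding.host]
    if exposed and finding.exploit_public:
        return 0  # the text's outage criterion: publicly accessible and weaponized
    if exposed or finding.exploit_public:
        return 1  # assumed threshold for the example
    return 2

def remediation_queue(findings, inventory):
    """Tickets ordered by tier, then CVSS, each routed to the asset owner."""
    rows = []
    for f in findings:
        owner = inventory.get(f.host, ("UNOWNED", None))[0]
        rows.append({"tier": tier(f, inventory), "owner": owner, "host": f.host,
                     "vuln_id": f.vuln_id, "cvss": f.cvss})
    return sorted(rows, key=lambda r: (r["tier"], -r["cvss"]))
```

Each row is what a ticketing integration would file, grouped by owner; the unowned host shows why the asset inventory is a prerequisite rather than an afterthought.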
Threat hunting involves assuming that the network has already been breached and looking for indicators of compromise (IOCs) even when there’s no immediate reason to. The “assume breach” paradigm is typically paired with threat hunting: the organization assumes that the attacker may have breached perimeter (is that even a thing anymore?) defenses undetected by some method. By assuming breach, organizations suffer less from failures in their defensive posture. Threat hunting also ties in well with vulnerability management. When teams fail to remediate vulnerabilities quickly, those vulnerabilities are more likely to be exploited, and if the exploitation attempts bypass endpoint defenses, they are less likely to be detected later. Threat hunting turns persistence into a disadvantage for the adversary. Every technique attackers use to persist necessarily creates artifacts on the endpoint, and these artifacts are detectable by threat hunters, if they know what to look for.
Assuming breach highlights a critical fact about threat hunting: like vulnerability management, success is driven by process rather than tooling. While tooling such as EDR can make threat hunting much more manageable, it doesn’t tell threat hunters what they should be looking for. Even experienced threat hunters must learn the organization’s specific noise baseline. No two organizations are alike in this regard, and failure to understand the background noise of normal operations leads to false positives. This is the primary reason threat hunting will not be fully automated for the foreseeable future.
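Hunting for persistence artifacts and the role of the noise baseline, as an added example that is not from the original post: autorun and scheduled-task entries collected from a fleet are stacked by frequency, rare entries are surfaced, and an organization-specific baseline of already-reviewed entries suppresses the false positive that a rare-but-legitimate payroll tool would otherwise generate. The TSV export format, host names and command lines are constructed for the example.

```python
"""Stacking (least-frequency) analysis of persistence artifacts across a fleet.
Added example, not from the original post. The TSV lines are constructed and assume
a collector that exports one autorun / scheduled-task entry per host."""
import re
from collections import defaultdict

# Constructed export: host<TAB>artifact type<TAB>entry name<TAB>command line
ARTIFACTS = """\
ws-01\tRunKey\tOneDrive\tC:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background
ws-02\tRunKey\tOneDrive\tC:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background
ws-03\tRunKey\tOneDrive\tC:\\Users\\carol\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background
ws-01\tSchedTask\tGoogleUpdateTaskMachineUA\tC:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua
ws-02\tSchedTask\tGoogleUpdateTaskMachineUA\tC:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua
ws-03\tSchedTask\tGoogleUpdateTaskMachineUA\tC:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua
ws-02\tSchedTask\tWindowsUpdateHelper\tC:\\Users\\Public\\Libraries\\updater.exe --silent
ws-03\tRunKey\tHRPayrollSync\tC:\\Program Files\\Payroll\\sync.exe --quiet
"""
HOST_COUNT = 3  # hosts that reported in; constructed

USER_PROFILE = re.compile(r"(?i)c:\\users\\[^\\]+\\")

def normalize(command):
    """Collapse per-user profile paths so one program stacks across many users."""
    return USER_PROFILE.sub(r"C:\\Users\\*\\", command).lower()

def stack(text):
    """Map (type, name, normalized command) -> set of hosts carrying that artifact."""
    seen = defaultdict(set)
    for line in text.splitlines():
        host, kind, name, cmd = line.split("\t", 3)
        seen[(kind, name, normalize(cmd))].add(host)
    return seen

# The organization's noise baseline: rare-but-legitimate entries already reviewed.
REVIEWED_BASELINE = frozenset({
    ("RunKey", "HRPayrollSync", normalize("C:\\Program Files\\Payroll\\sync.exe --quiet")),
})

def rare_artifacts(text, host_count, baseline=frozenset(), max_hosts=1):
    """Artifacts present on at most max_hosts hosts and not explained by the baseline."""
    hits = []
    for key, hosts in stack(text).items():
        if len(hosts) <= max_hosts and key not in baseline:
            hits.append({"type": key[0], "name": key[1], "command": key[2],
                         "hosts": sorted(hosts), "prevalence": len(hosts) / host_count})
    return sorted(hits, key=lambda h: (h["prevalence"], h["name"]))
```

Without the baseline the hunt returns two rare entries; with it, only the single-host updater in a user-writable location remains for an analyst to review, which is the baseline-learning step the text says cannot be automated away.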
Everyone is Unique. Your Security Solutions Should be too!
These cybersecurity priorities should give information security leaders ideas of where to focus their efforts. Still, the list should not be considered all-encompassing or the top priority for every organization. Each organization operates differently, and with that comes the need for different security solutions. BreachQuest does not operate with a cookie-cutter, one-size-fits-all approach. We understand your business is unique, and your security solutions should be customized to work in harmony with your business. We can help you identify and implement your priorities. For more information, email us at secure@breachquest.com.