
3/14/2019
10:30 AM

4 Reasons to Take an 'Inside Out' View of Security

When you approach security from the inside out, you're protecting your data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets.

Sun Tzu, the famous military strategist and philosopher, once said, "If you know the enemy and you know yourself, you need not fear the result of a hundred battles."

This quote from two millennia ago could not be more pertinent to today's cybersecurity landscape. Too often, security leaders — across the private and public sectors — neglect the essential questions regarding the cyber defenses and capabilities they already have. In the cybersecurity realm, this boils down to asking, "Do I know my inside controls are working like they're supposed to be working? How is our cyber hygiene?"

Understanding inside weaknesses and vulnerabilities is more important than ever. During periods of company inactivity — like the most recent government shutdown, for example — organizations are especially prone to data breaches. Security certificates can expire during those times, leaving agencies weaker and more vulnerable to a number of threats. Security teams also lose time for essential tasks because they have large backlogs to sift through.

To truly prepare for cyber threats, it's crucial that organizations start operationalizing a view of security from the inside out, with cyber hygiene right at the heart.

Cyber Hygiene at the Heart
Traditionally, companies tend to manage cybersecurity based on assumptions: assuming their vendors' products are working correctly, then assuming those products have been deployed and configured correctly.

What's missing is the validation that the information surrounding an organization's cyber defense is accurate, with no gaps or points of misinformation. Agencies need to validate controls in a continuous manner rather than viewing measurement of security as one snapshot at a time.

This is what the Department of Homeland Security (DHS) promotes through its Continuous Diagnostics and Mitigation (CDM) program. CDM is aligned to give government agencies real-time visibility into their security systems with continuous monitoring. Instead of penetration tests or audits, which are static, continuous monitoring gives more holistic visibility into systems over a longer period of time. Agencies can then quantifiably validate whether their controls are protecting critical assets. At the same time, security leaders and teams can manage their cybersecurity programs with more meaningful metrics to drive decision-making, optimize operations, and, ultimately, improve their cyber posture over time.

Look "Inside Out"
Despite the progress being made through programs like CDM, continuous monitoring still needs validation of the implementation of solutions as well as surrounding data. That's why it's increasingly important for private companies and government agencies to approach cybersecurity with an "inside out" view by doing the following:

1. Identify exact points of vulnerability within the attack life cycle. The first point of vulnerability is your organization's own people. Security leaders should focus on helping their teams understand an attacker's behavior in a particular segment they're trying to defend. Then test defenses by testing the incident response process. Do personnel know who to call and how to quantify what they're seeing in context? Do they forward a phishing email to the correct party? By understanding how teams currently respond to threats with practice scenarios, leaders can determine where to make defenses stronger.

2. Measure ROI on cybersecurity investments. Government must be extremely judicious about spending taxpayer dollars, while businesses must ensure trust with their partners and clients. This is why it's especially important to verify that your organization is attaining the expected ROI out of cybersecurity investments — rather than assuming so. Security leaders need data that shows exactly where the security gaps are and where you need to invest more heavily.

3. Apply risk-based decision-making, not compliance-based. Traditional models of measuring cybersecurity effectiveness tend to be siloed and compliance based, where cybersecurity measures are managed across separate enterprise channels and important data is underutilized. This also tends to result in a "checklist" mentality, which can leave your company vulnerable. Instead, cybersecurity must be aligned with your organization's biggest risks and mission-critical business needs with products that deliver holistic and actionable insights.

4. Determine which technologies can be improved and which can be removed from the stack. For cybersecurity personnel, there are many products they have to manage. But it's important to verify which products in the environment are working and which are not. Solutions for one organization may not be the right match for yours. Determine what technology products can give you the most value and what fits best with your current architecture so that you're not purchasing redundant products that you already own. Having security controls mapped in an automated fashion also makes it easier to tag and label identified threats.

Know Thyself
When you tackle security from the outside in, you're simply trying to deny intrusion. When you approach from the inside out, you are protecting your mission-critical data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets. Tackling cybersecurity from the inside out will not be easy. But as budgets continue to spike — even as the data breaches keep happening — security leaders must tie security to accountability. Whether government or private sector, every organization at the end of the day is a business, and an inside-out approach makes the most business sense.


Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead ...