3/14/2019
10:30 AM
4 Reasons to Take an 'Inside Out' View of Security

When you approach security from the inside out, you're protecting your data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets.

Sun Tzu, the famous military strategist and philosopher, once said, "If you know the enemy and you know yourself, you need not fear the result of a hundred battles."

This quote from two millennia ago could not be more pertinent to today's cybersecurity landscape. Too often, security leaders — across the private and public sectors — neglect the essential questions regarding the cyber defenses and capabilities they already have. In the cybersecurity realm, this boils down to asking, "Do I know my inside controls are working like they're supposed to be working? How is our cyber hygiene?"

Understanding internal weaknesses and vulnerabilities is more important than ever. During periods of organizational inactivity — the most recent government shutdown, for example — organizations are especially prone to data breaches. Security certificates can expire during those times, leaving agencies weaker and more exposed to a range of threats. Security teams also lose time for essential tasks because of the backlog of work they must sift through afterward.

To truly prepare for cyber threats, it's crucial that organizations start operationalizing a view of security from the inside out, with cyber hygiene at the heart of that view.

Cyber Hygiene at the Heart
Traditionally, companies tend to manage cybersecurity based on assumptions: assuming their vendors' products are working correctly, then assuming those products have been deployed and configured correctly.

What's missing is the validation that the information surrounding an organization's cyber defense is accurate, with no gaps or points of misinformation. Agencies need to validate controls in a continuous manner rather than viewing measurement of security as one snapshot at a time.

This is what the Department of Homeland Security (DHS) promotes through its Continuous Diagnostics and Mitigation (CDM) program. CDM is aligned to give government agencies real-time visibility into their security systems with continuous monitoring. Instead of penetration tests or audits, which are static, continuous monitoring gives more holistic visibility into systems over a longer period of time. Agencies can then quantifiably validate whether their controls are protecting critical assets. At the same time, security leaders and teams can manage their cybersecurity programs with more meaningful metrics to drive decision-making, optimize operations, and, ultimately, improve their cyber posture over time.

Look "Inside Out"
Despite the progress being made through programs like CDM, continuous monitoring still depends on validating both that the solutions are implemented correctly and that the data surrounding them is accurate. That's why it's increasingly important for private companies and government agencies to approach cybersecurity with an "inside out" view by doing the following:

1. Identify exact points of vulnerability within the attack life cycle. The first point of vulnerability is your organization's own people. Security leaders should focus on helping their teams understand an attacker's behavior in the particular segment they're trying to defend. Then test defenses by exercising the incident response process. Do personnel know who to call and how to quantify what they're seeing in context? Do they forward a phishing email to the correct party? By understanding how teams currently respond to threats in practice scenarios, leaders can determine where to make defenses stronger.

2. Measure ROI on cybersecurity investments. Government must be extremely judicious about spending taxpayer dollars, while businesses must maintain the trust of their partners and clients. This is why it's especially important to verify that your organization is attaining the expected ROI from its cybersecurity investments — rather than assuming so. Security leaders need data that shows exactly where the security gaps are and where they need to invest more heavily.

3. Apply risk-based decision-making, not compliance-based. Traditional models of measuring cybersecurity effectiveness tend to be siloed and compliance based, where cybersecurity measures are managed across separate enterprise channels and important data is underutilized. This also tends to result in a "checklist" mentality, which can leave your company vulnerable. Instead, cybersecurity must be aligned with your organization's biggest risks and mission-critical business needs with products that deliver holistic and actionable insights.

4. Determine which technologies can be improved and which can be removed from the stack. Cybersecurity personnel have many products to manage, so it's important to verify which products in the environment are working and which are not. Solutions that suit one organization may not be the right match for yours. Determine which technology products give you the most value and fit best with your current architecture, so that you're not purchasing products that duplicate capabilities you already own. Having security controls mapped in an automated fashion also makes it easier to tag and label identified threats.

Know Thyself
When you tackle security from the outside in, you're simply trying to deny intrusion. When you approach from the inside out, you are protecting your mission-critical data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets. Tackling cybersecurity from the inside out will not be easy. But as budgets continue to spike — even as the data breaches keep happening — security leaders must tie security to accountability. Whether government or private sector, every organization at the end of the day is a business, and an inside-out approach makes the most business sense.


Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead ...