The Edge

Cybersecurity: What Is Truly Essential?

In an effort to protect their organizations, security professionals can overdo it. The result often works against them.

My wife and I recently became homeowners. In the weeks leading up to the move, we spent a lot of time going through our belongings to decide what to keep, what to give away, and what to throw away or recycle.

During this process, it struck me that despite the fact I'm organized and don't like to accumulate "stuff," I could probably eliminate 50% to 75% of what I have and never even notice. I bet that's true for many of us. It got me thinking about what's important in life, and for me that's health, happiness, family, friends, and freedom.

And because security is such a big part of my life, I quickly realized how the moving exercise related, too. As security professionals, we should ask ourselves: "What is truly essential?" I'd like to discuss this question as it applies to five specific areas within the security profession.

With so many security organizations suffering from alert fatigue and drowning in false positives, it raises the question, "Why do they find themselves in this situation?"

Often, the answer is the organization has not taken the time to think about what is truly essential for alerting. Many organizations have alerts that were built organically – someone put in one set of alerts, a vendor recommended another set of alerts, management requested these alerts, there was an incident once that resulted in those alerts, etc.

The result of this tactically driven alert building is usually a lot of noise in the form of false positives. Worse yet, all those alerts may not actually mitigate a whole lot of risk, not to mention they pull the attention and time of valuable analyst resources away from more pressing and important matters.

So what can organizations do to build more essential and value-add alerting? Start with the highest priority risks and threats. Translate that into infrastructure, assets, and data that, if compromised, would cause the gravest damage to the organization. Matrix the risks and threats with infrastructure, assets, and data to understand the points at which alerts are most needed. Write precise, incisive alerts to identify the activity that is of concern without generating a large number of false positives. This will produce far more reliable and actionable alerts without drowning the organization in noise.
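The following is an added illustration of that approach, not code from the column: a constructed asset inventory whose criticality ratings stand in for the risk/asset matrix, a handful of constructed authentication log lines, and two alert rules run over them. The "naive" rule is the organically grown kind (fire on every failed login); the "precise" rule fires only for the activity of concern on a high-criticality asset. Asset names, networks, thresholds and log format are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed asset inventory. "criticality" is the output of the risk/asset
# matrix (which assets would cause the gravest damage if compromised);
# "admin_net" is where legitimate administrative logins are expected from.
ASSETS = {
    "db-prod-01":   {"criticality": "high",   "admin_net": ip_network("10.10.0.0/24")},
    "fileshare-02": {"criticality": "medium", "admin_net": ip_network("10.10.0.0/24")},
    "kiosk-lobby":  {"criticality": "low",    "admin_net": ip_network("10.20.0.0/24")},
}

# Constructed sample log lines (syslog-like): timestamp host result user src_ip
SAMPLE_LOG = """\
2024-01-08T09:00:01 kiosk-lobby auth_failed guest 10.20.0.15
2024-01-08T09:00:05 kiosk-lobby auth_failed guest 10.20.0.15
2024-01-08T09:00:09 kiosk-lobby auth_success guest 10.20.0.15
2024-01-08T09:01:00 fileshare-02 auth_failed alice 10.10.0.7
2024-01-08T09:01:30 fileshare-02 auth_success alice 10.10.0.7
2024-01-08T09:02:00 db-prod-01 auth_failed dba 10.10.0.9
2024-01-08T09:02:04 db-prod-01 auth_success dba 10.10.0.9
2024-01-08T09:03:00 db-prod-01 auth_failed svc_backup 203.0.113.44
2024-01-08T09:03:02 db-prod-01 auth_failed svc_backup 203.0.113.44
2024-01-08T09:03:04 db-prod-01 auth_failed svc_backup 203.0.113.44
2024-01-08T09:03:06 db-prod-01 auth_failed svc_backup 203.0.113.44
2024-01-08T09:03:08 db-prod-01 auth_failed svc_backup 203.0.113.44
2024-01-08T09:03:20 db-prod-01 auth_success svc_backup 203.0.113.44
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, result, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "result": result, "user": user, "src": ip_address(src)})
    return events


def naive_rule(events):
    """Organically grown alert: fire on every failed login, anywhere."""
    return [e for e in events if e["result"] == "auth_failed"]


def precise_rule(events, threshold=5, window=timedelta(minutes=2)):
    """Risk-driven alert: fire only when, on a high-criticality asset, a source
    outside the asset's expected admin network fails `threshold` times within
    `window` and then succeeds. Failures that never succeed do not fire here;
    they are left for a lower-priority review queue."""
    alerts = []
    failures = defaultdict(list)  # (host, user, src) -> recent failure timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        asset = ASSETS.get(e["host"])
        if asset is None or asset["criticality"] != "high":
            continue                       # not where the gravest damage would occur
        if e["src"] in asset["admin_net"]:
            continue                       # expected administrative source
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "auth_failed":
            failures[key].append(e["ts"])
            # keep only failures that fall inside the sliding window
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        elif e["result"] == "auth_success":
            if len(failures[key]) >= threshold:
                alerts.append({"host": e["host"], "user": e["user"],
                               "src": str(e["src"]),
                               "failures": len(failures[key]),
                               "ts": e["ts"].isoformat()})
            failures.pop(key, None)
    return alerts


def compare_rules(text=SAMPLE_LOG):
    """Return how many alerts each rule raises on the same log."""
    events = parse_log(text)
    return {"naive": len(naive_rule(events)), "precise": len(precise_rule(events))}


if __name__ == "__main__":
    print(compare_rules())                       # {'naive': 9, 'precise': 1}
    for a in precise_rule(parse_log(SAMPLE_LOG)):
        print(a)
```

On the same thirteen events the naive rule raises nine alerts, seven of them ordinary user mistakes on low-value hosts or from expected networks, while the precise rule raises one: repeated failures followed by a success on the production database from an address outside its administrative network. The reduction comes from deciding up front which assets and which activity matter, which is the matrixing step the paragraph describes, rather than from tuning thresholds after the fact.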

I'm still amazed by how draconian organizations can be about regulatory compliance. Of course, compliance is an important subject, and I certainly don't take it lightly. However, it requires more effort to understand what a regulation, policy, or audit finding actually requires than it does to just err completely on the side of caution.

The problem with this approach is that it often introduces unnecessary cost, friction, and productivity loss into the organization, none of which is good for the long-term reputation, health, and profitability of the business. It pays to invest in understanding what is truly essential for compliance versus what is simply the result of not making the effort to understand the requirements.

We've all had moments where we've been completely frustrated by overly complex password policies. While that's just an example, it illustrates a larger point: When policies are created without a fundamental understanding of what is truly essential, they often force overbearing rules on users while providing little to no additional security and risk mitigation.

To avoid this trap, organizations need to invest in understanding how effectively their policies mitigate risk and reduce exposure to threats, rather than prolonging the life of the ineffective conventional wisdom of yesterday.

During my years on the operational (customer) side, I saw many processes or portions of processes that appeared redundant, ineffective, or inefficient. I'd ask, "Why does the organization follow this process?" More often than not, the answer would be something like, "I don't know, but we've always done it that way."

Obviously, this isn't a good reason for a process to exist. Taking a step back allows us to understand which organizational challenges and issues require process around them, along with what type of process makes sense. This goes a long way toward solving real problems without creating extraneous processes that serve no real strategic purpose.

In an enterprise, stakeholder buy-in and support are essential to move any effort forward. It is also important, however, to have both the correct stakeholders and the correct number of stakeholders. Too many or the wrong stakeholders can sidetrack an effort by introducing additional confusion, miscommunications, politics, and opposition. Taking the time to understand which stakeholders are truly essential to a given effort pays huge dividends down the line.

Understanding what is truly essential is easier said than done. It takes an investment of resources to analyze and understand what is required versus what is extraneous. However, this investment, when done properly, is well worth it, as it produces outcomes that are far better for the enterprise.