Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/18/2018
02:30 PM
Joel Fulton
Joel Fulton
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Make Security Boring Again

In the public sector and feeling overwhelmed? Focus on the basics, as mind numbing as that may sound.

Cybersecurity is a fast-moving target, particularly in the public sector. With constantly changing mandates and compliance requirements, it is hard to keep up. Since the Office of Personnel Management compromise in 2015, government security leaders have been in overdrive trying to strengthen their organizations' security measures to stave off the next major breach. This focus on cybersecurity in the public sector has also made the "government needs to be more like industry" cry louder than ever. Unfortunately, it is also more wrong than ever.

I know this because I routinely hear from and ask questions of security leaders from both commercial and public sector organizations, and the top problems are categorically identical: talent recruitment and retention, skills gaps, budget challenges, and a constant stream of new threats for which to look out.

The hard truth is, despite 30-day cyber sprints, creating a promising Continuous Diagnostics and Mitigation Program, acquiring the latest tech and checking off every other "best practices" box, we are playing catch-up with our adversaries. And we will continue down that path until we change tack.

What is the solution I offer to end your adversarial woes? First, discard that question. Your route to success: Go back to basics and roll up your sleeves.

You Can't Protect What You Can't See
Past midnight, a beat cop comes upon a chief information security officer (CISO) on his hands and knees under a bright street lamp. The CISO is searching the road for dropped keys. After 30 fruitless minutes of assisting with the search, the impatient officer asks, "Where did you lose them?"

"Over there," the CISO says, pointing at a darkened alley, "but the light's much better here."

I won't win any plaudits for this pearl of wisdom: You cannot secure that which you cannot see. Nor for this: What you need to secure may not be where you're looking. Before you nod in obvious agreement, check in with your security operations centers. Do they lack visibility across the IT, network, cloud, and security infrastructure stacks? To paraphrase Donald Rumsfeld, how would they know their unknown unknowns?

"But," you answer, "I have visibility and monitoring tools… a dozen of them!" Do those tools give you a holistic view of your infrastructure? Have you evaluated both gaps and overlaps or duplicates? Is your infrastructure complete but fragmented?

By the time you piece together that puzzle, has your environment changed? In my experience, dealing with a tangled mess of wires in a data center is more appealing than facing the answer to those questions. I've been there.

Identity Matters
How do you begin to sort out your data? The most critical step is starting with a thorough risk assessment of your practices by asking the boring but right questions. For starters:

  • Where is your data?
  • Who and what have access to that data?
  • How complete is your inventory?
  • How thorough is your configuration management database (CMDB)? How up to date is it?
  • Are you seeing what is necessary or simply what is convenient?

Also, determine what success looks like for your agency. Is it enhancing the way you collect and use data to guard against inbound risks? What level of breach or compromise are you comfortable with? This last question is one I find most people hesitant to address but perhaps is the most significant.

This work is tedious. It looks less like vendor dinners or rolling out a new tool and more like listening to your team, comparing notes with other CISOs, and reading, learning, doing. But I promise it will be worth the work, and even more, now is the best time to be conducting this effort. Your success is in the excellent delivery of monotonous tasks.

Artificial Intelligence and Machine Learning Can Help
Once your agency has determined its goals and figured out what you can see and need to protect, it is time to put your talent into action, define your tactics, and finally line up supporting technology.

Remember that CMDB? Now that the grunt work is complete, your confidence in it should be higher than ever and well placed. The law of entropy assures us that the universe tends toward chaos. A massive expenditure of energy is needed to halt and reverse that natural degradation. That brute force and total commitment to the rudiments and fundamentals will buy you breathing room to deploy scripting and automation to hold the new line.

Now you have a path to those shiny artificial intelligence (AI) and machine learning (ML) tools you've been eyeing. When they are properly deployed, relying on the solid foundation established by your earlier diligence, you may find those tools will even help alleviate the stress on your overworked security team. A refreshed and re-engaged security team focusing on higher-order questions and problems is a game changer you'll not soon forget.

But AI and ML are only as good as the data you can provide. That's why the tedious stuff is imperative — so the fun stuff can be even more fun.

Act Now 
I know there are a lot of people in both the public and private sectors who will read this and say "Obviously." But I also know there are more who will get nervous thinking about how much mind-numbing work I just prescribed. I would remind both of the truism: Well done is better than well said.

Because again: I've been there. In fact, I'm still there, because the nature of security is never-ending and there is always more to be done.

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
CVE-2021-34067
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
CVE-2021-34068
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.