If cybersecurity incidents are the byproduct of self-inflicted wounds and neglect for most organizations, then how do we stop hurting ourselves?
When we look at the vast majority of cybersecurity incidents, they come down to a failure to patch, a failure to modernize, misconfiguration, neglected system updates, adoption paralysis and, of course, a lack of security awareness training.
There are other attacks and attack vectors that are politically or nationally motivated, or simply more elaborately executed, but the majority of cyberattacks the average organization will deal with are Trojans, ransomware, phishing, viruses and exploitation of known, unpatched vulnerabilities, and these, for the most part, are preventable.
So how do we prevent them?
Realize That We Are Not Perfect
We have to acknowledge that in technology we are bad at chores, and that we cannot scale to the levels required to do all of the necessary maintenance. With IT stretched thin, priorities govern. That makes work like hunting down the unpatched 1-2% of the install base a non-starter, because being 98% patched is "good enough."
System atrophy happens at every layer of an organization's technology landscape, and then it manifests as an event: someone uses a Wi-Fi (802.11) exploit to load malware onto one of the endpoints in the 2%, which then moves laterally to an internet of things device, which in turn reaches a server and encrypts it with ransomware. At that point the chain reaction continues, and the 98% "good enough" strikes again when it is learned that the backup job for that specific system had been failing for the last three weeks with no active investigation.
In general, we must accept the idea that we will never be able to get everything 100% managed.
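As an added example (not part of the original article), here is a short Python report that surfaces exactly the two things the scenario above says get missed: the handful of hosts outside the patch window that a "98% patched" figure hides, and a backup job that has been failing run after run with nobody looking. The host names, dates, SLA values and log format are constructed for the example and are assumptions, not data from any real environment.

```python
"""Added example, not from the original article: report on the neglected tail.

Two checks the scenario above calls for, run over constructed sample data:
  1. hosts outside a patch SLA (the "2%" that a coverage percentage hides), and
  2. backup jobs whose latest runs are a streak of consecutive failures.
Host names, dates, thresholds and the log line format are all assumptions.
"""
from collections import defaultdict
from datetime import date, datetime

PATCH_SLA_DAYS = 30            # assumption: older than this is overdue
BACKUP_FAIL_THRESHOLD = 3      # assumption: this many failures in a row needs a ticket
REPORT_DATE = date(2024, 6, 1) # assumption: the day the report is run

# Constructed inventory: (hostname, last successful patch date, ISO format)
INVENTORY = [
    ("web01", "2024-05-30"),
    ("web02", "2024-05-30"),
    ("db01", "2024-05-28"),
    ("iot-cam-7", "2023-11-02"),   # the forgotten device in the 2%
    ("kiosk-lobby", "2024-01-15"),
]

# Constructed backup job log: "<timestamp> job=<name> status=<OK|FAIL> [reason=...]"
BACKUP_LOG = """\
2024-05-10T02:00:11 job=db01-nightly status=OK
2024-05-11T02:00:09 job=db01-nightly status=FAIL reason=target-unreachable
2024-05-12T02:00:10 job=db01-nightly status=FAIL reason=target-unreachable
2024-05-13T02:00:12 job=db01-nightly status=FAIL reason=target-unreachable
2024-05-10T03:00:00 job=web01-weekly status=OK
2024-05-11T03:00:00 job=web01-weekly status=FAIL reason=disk-full
2024-05-12T03:00:00 job=web01-weekly status=OK
"""


def overdue_hosts(inventory, today, sla_days=PATCH_SLA_DAYS):
    """Return (hostname, days_since_patch) for hosts past the SLA, oldest first."""
    overdue = []
    for host, last_patch in inventory:
        age = (today - date.fromisoformat(last_patch)).days
        if age > sla_days:
            overdue.append((host, age))
    return sorted(overdue, key=lambda entry: -entry[1])


def patch_coverage(inventory, today, sla_days=PATCH_SLA_DAYS):
    """Fraction of hosts inside the SLA: the 'good enough' number management sees."""
    total = len(inventory)
    return (total - len(overdue_hosts(inventory, today, sla_days))) / total


def parse_backup_log(text):
    """Parse key=value log lines into per-job run lists ordered by timestamp."""
    runs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["ts"] = datetime.fromisoformat(ts)
        runs[record["job"]].append(record)
    for job in runs:
        runs[job].sort(key=lambda r: r["ts"])
    return runs


def silently_failing_jobs(text, threshold=BACKUP_FAIL_THRESHOLD):
    """Jobs whose most recent runs form a streak of >= threshold failures."""
    flagged = {}
    for job, runs in parse_backup_log(text).items():
        streak = 0
        for record in reversed(runs):      # walk back from the latest run
            if record["status"] != "FAIL":
                break
            streak += 1
        if streak >= threshold:
            flagged[job] = streak
    return flagged


if __name__ == "__main__":
    print(f"patched within SLA: {patch_coverage(INVENTORY, REPORT_DATE):.0%}")
    for host, age in overdue_hosts(INVENTORY, REPORT_DATE):
        print(f"  overdue: {host} ({age} days since last patch)")
    for job, streak in silently_failing_jobs(BACKUP_LOG).items():
        print(f"  backup {job} has failed {streak} runs in a row")
```

The point of the design is that the coverage percentage and the overdue list come from the same data: the first is what gets reported, the second is what an attacker finds. The backup check deliberately looks only at the trailing streak, so a single transient failure followed by a success (web01-weekly above) is not flagged, while a job that has quietly stayed broken is.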
Get Management Under Control Quickly And Easily
We have to realize and accept that 98% isn't good enough, and that we lack the resources and the tooling to get to 100%. The cloud can help close the gap. Cloud-based management, patching, anti-virus and monitoring services do not add on-premises infrastructure (which would itself need to be managed), and they relieve the internal/external and client/server-side communication issues that self-hosted management servers bring. With little to no infrastructure footprint, cloud solutions do not compound the atrophy problem, and they give companies the tools they need to manage more with less. Someone still has to own the tenant configuration, the agent rollout and access to the management console; what goes away is the server estate underneath them.
Slim Down
The quickest and easiest place to start is reducing IT infrastructure across the board. The proliferation of virtualization brought server sprawl, and advances in end-user computing brought the multidevice experience. Now we must trim the overall footprint and give IT less to manage, less to update and less to maintain.
Technologies to facilitate consolidation exist and are waiting to be leveraged. Virtualization was one of the first, and hyper-converged infrastructure took that further by requiring far less management of physical components. Within the operating system environments (OSEs), there are GUI-less server installations (such as Windows Server Core) as well as containers, which remove the need to constantly create new VMs for applications and services. Then there is the public cloud, which lets organizations condense several times over by removing the hosts entirely.
Vendors often tout ease of management as the benefit of these more encapsulated systems, and security is typically discussed in terms of certifications and controls, but consolidation itself is rarely highlighted. Reducing the attack surface makes every remaining resource easier to fortify.
If an organization moved just one n-tier application from a traditional on-premises deployment to a cloud-hosted container service, it would shed dozens of potential entry points: the hypervisor hosts, the guest operating systems, their management interfaces and the patch cycle for each of them.
You will often hear about security in layers. Adding 50 security layers to 10 items is easier and more achievable than adding 10 layers to 100 items.
Modernize And Offload
Aside from elastic compute, dynamic scale and immediate on-demand resources, public cloud infrastructure also comes with the shared responsibility model we have all seen time and time again over the last five years. Migrating an application to a managed container or serverless service at a public cloud provider reduces your overall exposure and maintenance requirements by shifting the underlying components, and the security work that goes with them, to the provider. What does not shift is responsibility for your own code, data, identities and configuration; those remain yours under every provider's version of the model.
Furthermore, the cloud provider, in almost all cases, has dedicated staff and a far larger budget for hardening and incident response.
Even after all servers are migrated to the cloud, ongoing management of those components can be offloaded to a managed service provider. That applies to the OSEs, the public cloud fabric and the on-premises networking equipment.
A very common trend now is to receive patching, monitoring and maintenance services for edge equipment from internet service providers (ISPs) as part of an internet contract. ISP-managed services reduce the number of chores and maintenance items and move toward the shared responsibility model through contract-driven SLAs with a vendor that is already rendering services.
Incorporate Training
Security awareness training is often overlooked, but it is as important as any anti-malware system within an overall security strategy. It simply comes down to getting people exposed to the material and trained, and that is usually easy to accomplish.
Use a training site and get trained. Run ongoing and remedial training, and once the team is trained, build a cybersecurity training curriculum. Build these lessons into the onboarding process, and hold people accountable for learning the material.
Bringing It All Together
We often think about, and strive to execute, security in layers.
By taking these approaches, we can reduce the surface area that exposes our organizations. That lets us apply more prescriptive layers of security, be more directly responsible for what we protect, be better educated on those security measures because there are fewer of them, and provide deeper and more meaningful training. All of this is a win for IT and the business alike.