By Nathan Burke, CMO, Axonius
By now we’re all well aware of the transformative technologies accelerating across the enterprise today. Trends like cloud, virtualization, BYOD, work-from-home, mobile devices, and IoT have completely transformed the way we work. However, in the process it removed the perimeter from the security picture, creating a massive, distributed attack surface.
As a result, organizations are under a continual onslaught of cyber-attacks leading to well-publicized data breaches. As their security defenses become more sophisticated, attackers will become increasingly opportunistic, looking to exploit lapses in IT environments.
This is especially true for organizations with complex IT environments. In 2019, companies that exhibit the following four characteristics are most likely prime targets for attackers:
- Proximity to Value: Whether it’s money or data, organizations that store valuable information will be targets. Banks are an obvious target since they are just one step away from actual dollars. However, organizations that store personal data (such as identity) to open a credit card or bank account need to be on guard.
- Centralized Data: Companies that centrally store valuable information will be attractive targets to attackers. Taking the Marriott breach as an example, it was far easier for the attackers to obtain 500M records from the hotel’s centralized reservation database than it would have been to go after individual franchise networks.
- Heavy Reliance on third-parties: As we saw during the Target breach, the more organizations rely on third-parties, ecosystem providers and supply chain players, the higher risk of a breach that is outside of the organization’s control.
- Cloud and Speed: Companies that prioritize speed and convenience over adhering to security best practices to ensure all of their cloud instances are covered will be prime targets for costly data breaches.
So how can these types of organizations best shore up their security postures?
If you can identify with any of the above characteristics, the best course of action is to identify weaknesses and address the security fundamentals. Here are a few steps:
- Understand What Assets You Have
You can only secure what you can see, and until you know which assets are in your environment, it’s impossible to know whether those devices are satisfactorily secure. Understanding your inventory of laptops, desktops, servers, VMs, mobile devices, IoT devices, and cloud instances sounds simple, but organizations have a remarkably difficult time doing this. The first step should be establishing an ongoing device discovery, classification, and inventory process to help you keep track.
- Distinguish Between Managed and Unmanaged Assets
In any environment, assets can be split into two distinct categories: known/managed and unknown/unmanaged. Managed assets are known to security management systems (think endpoint agents and Active Directory.) Meanwhile, unmanaged devices may be known to the network, but do not have any security solutions installed so you aren’t able to access its risk profile. Both types of devices are important but should be treated differently.
For example, a smart TV in a conference room is different from the CEO’s laptop. While the Smart TV doesn’t need an endpoint security solution or isn’t part of a patch schedule, the laptop does. Creating a process to identify and take action based on asset classification is critical.
- Address the Gaps in Security
Every organization has devices that are missing security solution coverage, whether it’s iPhones without Mobile Device Management, or AWS instances not known to a VA scanner. Addressing these gaps in an ongoing basis is necessary, especially given the dynamic and elastic nature of these assets.
By following through on Steps 1 and 2, you’ll be in a position to know all of the assets and their type in your environment, making it easier to identify where security holes are and how to best close those gaps.
- Establish Ongoing User Access Auditing
For large organizations especially, keeping track of user permissions can be difficult. Are there users in your environment with local administrative access to all machines? Users with passwords that are not required or set to expire? Service accounts with keys to the kingdom? Even with strict access controls and regular policies, creating an ongoing auditing process is needed to ensure proper access rights.
- Implement Security Policy Validation
The biggest question left to ask is this: How can I be sure that my security policies are being adhered to continuously? Whether you mandate that all assets must be scanned weekly, or you’ve determined that all Windows machines must have a specific endpoint agent, any security policy on paper is only as good as it is enforced and validated in reality.
Implementing a security policy validation process is the only way to make sure that nothing is being missed and that exceptions are being addressed and fixed instead of being exploited.
A Basic Framework
Putting solutions and technologies aside, cybersecurity is a discipline centered around understanding, addressing, and minimizing risk. Until you have a credible, comprehensive understanding of your environment and are able to understand where coverage gaps exist, you’re at a disadvantage to those looking for a simple way in. With an understanding of all assets, gaps in security coverage, and the ability to see where the security policy is not being adhered to, organizations are in the best possible position to minimize their attack risk.
About the Author
Nathan Burke is the Chief Marketing Officer at Axonius. Passionate about bringing new technologies to market to solve real problems, he has held marketing leadership roles at Hexadite (acquired by Microsoft), Intralinks (acquired by Synchronoss), MineralTree, CloudLock (acquired by Cisco), and is a frequent speaker and contributing author on topics related to the intersection of collaboration and security. He lives on Cape Cod with his wife, daughter, and dogs, and enjoys watching the unfairly dominant New England Patriots. Nathan can be reached on Twitter at @nathanwburke, through LinkedIn, and on www.axonius.com.