The five most important steps to improving cybersecurity in your organization
1. Have a response team
No matter how good your organization is at risk management and implementing security measures, it is certain that sooner or later it will experience a severe security incident or a breach. When this happens, the only thing that can effectively minimize the impact and enable a quick recovery is a response team equipped with proper tools and response actions that it can execute when the crisis comes. If you have this in place, you’ll be able to use reports created by this team to identify the root causes of incidents in your environment, which will help you prioritize improvements. This is simply what you need to start with.
Tip: Avoid creating countless incident response workflows or detailed step-by-step playbooks. You’ll waste a lot of time because situations that match your flows will almost never happen. Instead, get your communication and escalation process straight, identify key stakeholders and make them aware of the response team’s responsibilities, and maintain and periodically test the actions that are needed during the different phases of an incident response process. Run drills and test different situational scenarios with the response team and the key stakeholders so everyone knows their role and how to work together depending on the reality that will only become known when the incident strikes. Analyze what could have been done better during such exercises. In the end, incident response is more an experience-driven than a checklist-driven activity.
2. Cover the basics
The things listed here are the absolute prerequisites of a responsible cybersecurity approach. They are so basic that some of them are not even purely security tasks but rather an IT responsibility. To do these effectively you first need a decent Configuration Management Database (CMDB).
- Patch management – test and then deploy security updates regularly and with the shortest possible delay,
- Perform regular vulnerability scanning; prioritize and manage the identified vulnerabilities,
- Have a complete AV software deployment – make sure your goal is 100% coverage, keep your AV management infrastructure secure, make sure updates are distributed effectively and review your detection reports. If your solution provides a host firewall feature, configure and use it (if not, go the default system firewall way),
- Network segmentation – the only thing worse than a flat network is systems left with default credentials on them, so do make sure the segments of your networks are properly isolated with firewalls,
- Least privilege approach – identify the minimal privileges required by the different groups of users in your organization and grant only these.
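One way to measure the 100% AV coverage goal against the CMDB, as an added example that is not part of the original article: it reconciles an inventory export with an AV console export and reports assets with no agent, silent agents, outdated signatures and agents on hosts the CMDB does not know. The CSV column names, thresholds and sample rows are constructed assumptions, not any vendor's format.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports; the column names are assumptions, not a vendor format.
CMDB_CSV = """hostname,status
WS-001.corp.example,active
ws-002,active
SRV-DB01.corp.example,active
srv-web01,active
ws-old9,retired
"""
AV_CSV = """hostname,last_checkin,signature_date
ws-001,2024-05-20,2024-05-20
WS-002.corp.example,2024-04-02,2024-04-01
srv-db01,2024-05-19,2024-05-01
lab-pc7,2024-05-20,2024-05-20
"""

def load(text):
    """Index rows by lower-case short name so FQDN and short entries match."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["hostname"].strip().lower().split(".")[0]: r for r in rows}

def age_days(today, iso_date):
    fmt = "%Y-%m-%d"
    return (datetime.strptime(today, fmt) - datetime.strptime(iso_date, fmt)).days

def coverage_report(cmdb_text, av_text, today, max_checkin_days=7, max_sig_days=3):
    inventory = load(cmdb_text)
    in_scope = {h for h, r in inventory.items() if r["status"] == "active"}
    agents = load(av_text)
    report = {"missing_agent": [], "stale_agent": [], "outdated_signatures": []}
    for host in sorted(in_scope):
        agent = agents.get(host)
        if agent is None:                       # asset has no AV agent at all
            report["missing_agent"].append(host)
        elif age_days(today, agent["last_checkin"]) > max_checkin_days:
            report["stale_agent"].append(host)  # agent installed but silent
        elif age_days(today, agent["signature_date"]) > max_sig_days:
            report["outdated_signatures"].append(host)  # updates not arriving
    gaps = sum(len(v) for v in report.values())
    # Agents reporting from hosts the CMDB does not know point at inventory gaps.
    report["not_in_cmdb"] = sorted(set(agents) - set(inventory))
    healthy = len(in_scope) - gaps
    report["healthy_pct"] = round(100 * healthy / len(in_scope), 1) if in_scope else 0.0
    return report

if __name__ == "__main__":
    print(coverage_report(CMDB_CSV, AV_CSV, today="2024-05-21"))
```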
3. Collect and store your logs and flows
These will be needed every day. They are the starting point of investigations and compliance-driven reporting, and the primary source of visibility into what happens in your environment. Depending on the resources your organization has, you will find opportunities to further optimize the use of this data. Examples include threat hunting activities or advanced analytics, including machine learning for entity behavior anomaly detection.
4. Deploy 2FA/MFA
Phishing in its different forms remains the most common attack vector. In many cases its goal is credential harvesting. On top of that, we see new reports about breaches exposing users’ credentials all the time. Passwords as a single authentication factor really are dead. Through all these years the InfoSec community has failed to develop a secure and usable approach to password management that would become an absolute standard, easy to use for all users. Mistakes were made, like nonsense password complexity rules and frequent forced password changes. Password managers help a lot but are still not in common use. For enterprise environments, multi-factor authentication (MFA - at least two of: what you are, what you have, what you know) is now a must.
5. Deploy EDR
It wasn’t easy for me to identify the fifth one. There were many contenders, but this being a subjective list, Endpoint Detection & Response finally won despite being a relatively new invention compared to the previous ones. In my experience, deploying a good EDR solution while having enough personnel to operate it brings the most instant value to detecting and responding to intrusions on endpoints. It’s not particularly difficult to deploy, doesn’t have many prerequisites and, for organizations that can afford it, can cover their full endpoint estate. I did not see many other measures that can give such levels of visibility and detection capabilities, in the end resulting in the reduction of time and effort needed to detect, investigate and contain a threat. And you can’t fight something you don’t see. On top of that, the collected telemetry brings opportunities to analyze the data for user behavior anomalies, trends in attack techniques, the presence of newly identified indicators of compromise or even building an application inventory. Be careful though, as you will need skilled staff or a good service provider to make the most out of it.
While compiling the above shortlist I was thinking about which security controls play the largest role in addressing the most common security threats organizations face every day. In my experience these are the ones that you will most often see saving the day. For a more complete approach, please read my other article “How to make smart investments in cybersecurity”.