Nine tips for a fresh approach to security by Jason Clark

Jason Clark, Chief Information Security and Strategy Officer at Websense, provides nine security tips for a fresh approach to security for the Spring… or the rapidly approaching Summer if you prefer.

With the hectic travel schedule of first quarter wrapped up I had some spare time to think about advocating a fresh approach to security for the Spring. I know it’s not the beginning of the year, but if your schedule is anything like mine, this may be the first time you’ve had a minute to spare since the calendar moved to 2012.

With everything in the threat landscape changing so frequently, it’s important to reassess your current status and plan for the coming year, whenever we can come up for air. So, I came up with the following nine tips to help you get a fresh start this Spring:

1. Ask, “What new threats and risks do I have this year that I didn’t last year?” Maybe they’re coming from the cloud: mobile devices (and BYOD in general), social networks, etc. Have you opened up offices in other countries (especially high-risk countries)? You definitely have to consider new types and strains of malware, too. All of these risks require significant change that may require you to update your three-year strategy if you want to continue to be nimble and agile.

2. Follow the money. Are you spending on effective security? I know some CSOs who are still pumping 80 per cent of their security spend into antiquated technologies. Clean house on legacy applications like IDS and AV by moving to lower-cost solutions that provide the same level of protection. Use the savings to invest in highly effective, real-time content security that is context aware. And make sure that your personnel resources are also allocated correctly; systems that require high maintenance can sometimes be replaced with new technologies that require less management.

3. Assess your risk and determine what the bad guys are going after. Over the last year, the bad guys have changed their methods. Many are shifting their targets from PII to going after IP, board conversations, customer lists, etc. Make sure you protect the right stuff.

4. Compare your internal awareness campaign with the latest issues and highest risks. For most organisations, spear-phishing is a real issue and a high risk that you need to do something about. You may think spear-phishing is old news, but this is far from the truth. Spear-phishing techniques are increasingly being used as the initial wave in more sophisticated malware attacks designed to steal confidential data. The recent RSA breach, for example, has been widely attributed to spear-phishing as the original infection point. Are your company’s employees aware of the danger, how to spot it, and how to avoid it? Have you tested them to see how many people click on that link? You need to be confident they can stop attacks, and most security guys I meet don’t feel confident about it today. The only strategy I am confident in is a two-fold approach using awareness combined with sandboxing technology. I recommend using Phishme for awareness, which also shows you the risk of someone clicking, and combining that with the only email SaaS solution that stops spear-phishing using a unique combination of Websense intelligence and sandboxing of any URL we have never seen before or think is shady in any way.

5. Clean your Active Directory accounts. Are they up-to-date? Do they reflect current employees and appropriate access? Make sure you aren’t leaving doors open to cybercriminals by not cleaning these regularly.
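The three questions in tip 5 (up-to-date? current employees? appropriate access?) can be turned into a repeatable triage. This is an added example, not code from the original post; it assumes a CSV export of the kind `Get-ADUser ... | Export-Csv` produces, joined with a constructed HR status column, and every account in it is made up.

```python
"""Account-hygiene triage over an exported Active Directory user list.
Added example, not from the original post. It assumes a CSV export such
as Get-ADUser ... | Export-Csv would produce, joined with an HR status
column; every row below is constructed."""
import csv
import io
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample export (hypothetical accounts, ISO dates, ';'-joined groups).
SAMPLE_EXPORT = """\
SamAccountName,Enabled,LastLogonDate,MemberOf,HRStatus
alice,True,2012-04-20,Domain Users,active
bob,True,2011-11-03,Domain Users;Domain Admins,active
carol,True,2012-04-01,Domain Users,terminated
dave,False,2010-06-15,Domain Users;Domain Admins,terminated
erin,True,,Domain Users,active
svc-backup,True,2012-04-21,Domain Users;Domain Admins;Backup Operators,active
"""

def triage(export_csv, today_iso):
    """Return {finding: sorted account names} for the checks tip 5 asks about."""
    today = datetime.strptime(today_iso, "%Y-%m-%d")
    findings = {"stale_enabled": [], "never_logged_on": [],
                "terminated_but_enabled": [], "privileged_disabled": [],
                "privileged": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["SamAccountName"]
        enabled = row["Enabled"] == "True"
        groups = set(filter(None, row["MemberOf"].split(";")))
        last = row["LastLogonDate"]
        if enabled and not last:
            findings["never_logged_on"].append(name)          # up-to-date?
        elif enabled and today - datetime.strptime(last, "%Y-%m-%d") > STALE_AFTER:
            findings["stale_enabled"].append(name)            # up-to-date?
        if enabled and row["HRStatus"] == "terminated":
            findings["terminated_but_enabled"].append(name)   # current employee?
        if groups & PRIVILEGED_GROUPS:
            findings["privileged"].append(name)               # appropriate access?
            if not enabled:
                findings["privileged_disabled"].append(name)  # a door left open

    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for finding, names in triage(SAMPLE_EXPORT, "2012-04-30").items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

The privileged list is worth reviewing in full each cycle even when nothing else fires, since group membership is where access quietly accumulates.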

6. Time to review the logs! How much data do you have from all the security logs, IDS, firewalls, DLP, web gateways, WAFs, etc.? Spend some time analysing that data to better understand how the bad guys are trying to get to you and where you might be vulnerable.

7. While you’re at it, make sure that you are being efficient with those logs, and that your staff is reviewing and monitoring them on an ongoing basis. Consider breaking logs into priority-based tiers. Separate mission-critical apps and the systems/processes that handle your riskiest attack surfaces as your top tier (and make sure they receive the most attention). If you are already managing logs by prioritised levels, consider re-levelling log destinations based on the updated landscape. Some things may have become more critical or vulnerable and others less so. You’ve also got to make sure that you have the right logs; since your last buying cycle, lots of new systems may have come online.
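Tips 6 and 7 together describe one review loop: map each log source to a tier, look at what each tier is telling you, and confirm that every source you expect is actually sending. The following is an added example, not code from the original post; the source names, their tiers and the sample events are all constructed.

```python
"""Tiered log review with a coverage check: assign log sources to priority
tiers, summarise what each tier saw, surface addresses that appear in more
than one source, and flag expected sources that sent nothing.
Added example, not from the original post; sources, tiers and events are
constructed."""
import re
from collections import Counter, defaultdict

# Tier 1: mission-critical apps and the riskiest attack surfaces; tier 3: the rest.
# Re-levelling after a landscape change is just editing this map.
EXPECTED_SOURCES = {"waf-ext": 1, "dlp": 1, "vpn-gw": 1,
                    "web-gateway": 2, "ids-core": 2,
                    "fw-branch": 3, "print-server": 3}

# Constructed sample events in "source action detail key=value ..." form.
SAMPLE_EVENTS = """\
waf-ext blocked sqli src=198.51.100.7 uri=/login
waf-ext blocked sqli src=198.51.100.7 uri=/search
dlp blocked upload user=bob policy=customer-list
web-gateway blocked malware src=10.0.5.23 host=bad.example
ids-core alert portscan src=203.0.113.9 dst=10.0.1.10
fw-branch deny tcp src=203.0.113.9 dst=10.0.9.4 dport=445
fw-branch deny tcp src=203.0.113.9 dst=10.0.9.5 dport=445
"""

KV = re.compile(r"(\w+)=(\S+)")

def review(events, expected=EXPECTED_SOURCES):
    """Return (events per tier, src addresses seen by >1 source, silent sources)."""
    per_tier = defaultdict(Counter)   # tier -> Counter of "source action detail"
    seen_by_src = defaultdict(set)    # src address -> log sources that reported it
    seen = set()
    for line in events.splitlines():
        source, _, rest = line.partition(" ")
        tier = expected.get(source, 3)  # unknown source: lowest tier, never dropped
        action = " ".join(rest.split()[:2])
        per_tier[tier][f"{source} {action}"] += 1
        fields = dict(KV.findall(rest))
        if "src" in fields:
            seen_by_src[fields["src"]].add(source)
        seen.add(source)
    # Coverage: an expected source that logged nothing is a gap, not good news.
    silent = sorted(s for s in expected if s not in seen)
    # The same external address across several sources is worth a closer look.
    cross = {ip: sorted(s) for ip, s in seen_by_src.items() if len(s) > 1}
    return dict(per_tier), cross, silent

if __name__ == "__main__":
    tiers, cross, silent = review(SAMPLE_EVENTS)
    for tier in sorted(tiers):
        print(f"tier {tier}: {dict(tiers[tier])}")
    print("seen by multiple sources:", cross)
    print("silent expected sources:", silent)
```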

8. Review your incident response plan. This is especially important around a data leakage/theft event. Schedule and execute a simulation. This should include the legal team, PR, the CFO, and all of IT. Create a response team with defined responsibilities and processes; otherwise once it happens (and it will) all fingers will be pointed at you.

9. Outline your accomplishments. Doing so will serve as your internal marketing programme, and will get your team recognition. In the past, I’ve spoken and written about ways you can do this — feel free to apply them.

Post by Jason Clark, Chief Information Security and Strategy Officer at Websense.


Comments

  1. Gregg Door says:

    An abundance of exceptional writing below. But only if I’d identified this kind of website faster. Congrats!

  2. Roxane Monte says:

    With almost everything that seems to be building within this subject material, your opinions tend to be quite stimulating. In any case I did take pleasure in reading through it.
