How do you know when you have a good security program in place? There are many ways to self-check your security program, some based on methodology and some on results.
You can use the CIS Top 20 Critical Security Controls (CIS standards or benchmarks are one of my best go-to resources) or you can start measuring the quality of the info on incidents and vulnerabilities given by your security tools.
The Top 20 Controls will make sure you have covered all angles, while assessing your tools will verify you made the right investment choices. Unfortunately, after many years in this field I have to say that a lot of the security tools on the market don’t work, are difficult to set up (some requiring huge amounts of consulting dollars), and in the end don’t pay off.
One big example is SIEMs. They come with high price tags, claiming they can ingest any possible logs, but then you have to write your own content to see basic things like invalid logins. Another is network intrusion detection tools. With most of the traffic encrypted, they give very little information, unless you are able to correlate the IP addresses they see with some sort of threat intelligence feed to check whether you are talking to any “bad” guys.
The breakthrough comes from some very innovative tools that apply big data techniques to try to reduce the complexity of the log data and show you what’s really important. Making sense of your log data (network traffic and operating system events in particular) is one of the first things you need to do – if you don’t know what goes on in your network, you will never know when you had a breach.
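As an added example (not code from the original post), here is the kind of “content” the post says you end up writing yourself: a small detector that parses sshd-style authentication lines, flags a source address that produces a burst of failed logins inside a sliding window, and cross-references every source address against a threat-intelligence list. The log lines, the threat-intelligence set and the thresholds are all constructed for the example and do not describe any real system or feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog style (not from any real host).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 10:00:08 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:10 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
Mar  3 10:02:00 web1 sshd[2213]: Failed password for alice from 192.0.2.9 port 33000 ssh2
Mar  3 10:02:30 web1 sshd[2215]: Accepted password for alice from 192.0.2.9 port 33002 ssh2
Mar  3 10:05:00 web1 sshd[2217]: Accepted publickey for deploy from 198.51.100.77 port 40012 ssh2
"""

# Constructed threat-intel list: addresses an imaginary feed has flagged.
THREAT_INTEL = {"198.51.100.77"}

# Matches both failed and accepted sshd authentication events.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(line, year=2024):
    """Turn one syslog line into an event dict, or None if it is not an auth event.
    Syslog omits the year, so a year is assumed for timestamp arithmetic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: count} for sources with >= threshold failures inside any
    sliding window of the given length (a typical brute-force rule)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits the window length.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def intel_hits(events, intel=THREAT_INTEL):
    """Return (ip, user) pairs for any event whose source is on the intel list,
    regardless of whether the login succeeded."""
    return sorted({(e["ip"], e["user"]) for e in events if e["ip"] in intel})


def analyze(text=SAMPLE_LOG):
    """Run both detections over a block of log text."""
    events = [e for e in (parse(l) for l in text.splitlines()) if e]
    return {"bursts": failed_login_bursts(events), "intel": intel_hits(events)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

On the constructed input the burst rule fires only for 203.0.113.7 (five failures in seven seconds) and ignores the single mistyped password from 192.0.2.9, while the intel check surfaces the otherwise successful key login from 198.51.100.77. Both rules are deliberately simple; the point is that even this much has to be written and tuned by you before a log pile tells you anything.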
Second most important is vulnerability and patch management. If Microsoft, Apple, Google, or Amazon spend money to develop patches, is it not silly not to take advantage of them and instead let the hackers do it? Most breaches are caused by unpatched vulnerabilities or basic misconfigurations. So a tool that gives accurate info on the patch situation is critical.
Last, application security. Here the situation is quite challenging because there are very few good vendors who can find real vulnerabilities. This is mostly because the approach taken (black box testing or static analysis) does not look at “code running in a distributed environment”. It’s like your doctor poking at your body here and there, instead of doing an ECG, X-ray etc. It works with very few diseases.
Although there is some hope with IAST, most app sec vendors price their products way too high, putting them beyond the reach of a startup, and some also require a lot of resources and time to run. So the only good thing to do with your money is to hire a great pen tester, until the situation improves.
So, here is my mantra:
- Know your network
- Patch your vulnerabilities
- Try to secure (and pen test) your apps as much as you can
If you do these things, and do them well, you have a chance to survive 🙂