Cyber Security Visibility Still Isn't What It Should Be


Lisa Morgan
06/01/2021

One of the biggest challenges most companies face is failing to understand their entire attack surface. Before the pandemic, many security and IT teams already lacked visibility into and across their assets. Then, in 2020, the rush to enable remote work meant relaxing security protocols as an emergency measure, even as the attack surface expanded to employees' weakly password-protected Wi-Fi routers, company assets used by family members, and family devices used for business purposes. Meanwhile, permissions granted before lockdowns may have persisted without appropriate controls in place.

Now that some workers are returning to the office, the time has come to once again assess where the weak spots reside.

Secure Users

Role-based permissions and IAM are essential for controlling who has access to what, but even together they are inadequate, which has fueled the adoption of MFA. In addition, cyber security vendors are now using machine learning for user behavioral monitoring, not only to identify errant behavior in general, but also to flag an individual's deviation from his or her own normal behavior. User monitoring has several benefits, including logs that memorialize the behavior, the ability to establish baselines for individual users, and the ability to detect behavioral changes at an individual level. The overarching benefit is speed: faster threat detection and faster escalation, such as through alerts. Those notifications may in turn be used to trigger automated responses.
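The per-user baseline idea above, as an added example that is not part of the original article or any vendor's product: each user is scored against their own history rather than a global rule, and the result feeds an alert or automated response. The log events, thresholds and action names are constructed assumptions.

```python
"""Per-user behavioral baselines: flag events that deviate from a user's own
normal, not from a one-size-fits-all threshold. Constructed example data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: (user, hour_of_day, megabytes_downloaded).
# alice works daytime and pulls little data; bob is a night-shift backup operator.
BASELINE_EVENTS = [
    ("alice", 9, 12), ("alice", 10, 15), ("alice", 11, 14), ("alice", 14, 13),
    ("alice", 16, 11), ("alice", 9, 16), ("alice", 15, 12), ("alice", 10, 14),
    ("bob", 22, 300), ("bob", 23, 320), ("bob", 21, 290), ("bob", 22, 310),
    ("bob", 23, 305), ("bob", 22, 295), ("bob", 21, 315), ("bob", 23, 300),
]

def build_baselines(events):
    """Per user: hours seen in the window plus mean/stddev of download volume."""
    per_user = defaultdict(list)
    for user, hour, mb in events:
        per_user[user].append((hour, mb))
    baselines = {}
    for user, rows in per_user.items():
        volumes = [mb for _, mb in rows]
        baselines[user] = {"hours": {h for h, _ in rows},
                           "mean_mb": mean(volumes), "sd_mb": pstdev(volumes)}
    return baselines

def score_event(baselines, user, hour, mb, z_limit=3.0):
    """Return the reasons an event deviates from this user's own baseline."""
    b = baselines.get(user)
    if b is None:
        return ["no baseline for user"]        # new/unknown identity: escalate
    reasons = []
    if hour not in b["hours"]:
        reasons.append(f"unusual hour {hour:02d}:00 for {user}")
    sd = b["sd_mb"] or 1.0                     # guard against a perfectly regular user
    z = (mb - b["mean_mb"]) / sd
    if z > z_limit:                            # assumed threshold: 3 personal std devs
        reasons.append(f"{mb} MB is {z:.1f} sd above {user}'s mean")
    return reasons

def triage(baselines, events):
    """Map each event to 'allow', 'alert', or 'alert+lock' (an automated response)."""
    results = []
    for user, hour, mb in events:
        reasons = score_event(baselines, user, hour, mb)
        if not reasons:
            action = "allow"
        elif len(reasons) == 1:
            action = "alert"
        else:
            action = "alert+lock"              # two independent deviations: act, not just notify
        results.append((user, action, reasons))
    return results
```

Note that bob's 310 MB at 22:00 is allowed while alice's 100 MB at 10:00 is alerted on, which is the point of individual baselines: the same global threshold could not do both.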

Meanwhile, BYOD, remote work and IoT/IIoT have all underscored the need for robust endpoint security. Antivirus/antimalware software has also been extended to the IoT, sometimes embedded in a router.

Secure Network Traffic

Network security monitoring was designed to detect and respond to network breaches. Like user monitoring, these systems collect and analyze data to detect threats and trigger security alerts. Today, these tools also take advantage of machine learning to speed detection and response, as well as to identify patterns that traditional rule-based systems can miss.

Secure Apps

Today's apps include more third-party code than ever before, because software development and delivery cycles have accelerated with the pace of business. Development teams are using more open source software and third-party libraries out of necessity, and they're connecting to various resources via APIs. As a result, the software composition may be unknown (which necessitates software composition analysis) and application dependencies may not be entirely understood. The result can be hidden vulnerabilities that are easily exploited.

Running a quick vulnerability scan late in the software development lifecycle (SDLC) doesn't cut it. More fundamentally, security needs to be baked in throughout the SDLC which includes shift-left testing and a necessary transition from DevOps to DevSecOps.

Application security monitoring is also necessary to understand the security status of the application and to discover vulnerabilities before bad actors do.

Meanwhile, applications are becoming more data-driven, which means not only collecting, generating and analyzing data but also pulling in data from other applications and data sources, and potentially pushing data to other applications; that data in transit may need to be encrypted. Also, the connections between the application and other resources (and the connections from one container to another) should be secured and monitored, since containers and their connections can be compromised.

Secure Data

Data access needs to be secured with permissions, just as network access and application access are. Authorization and authentication go hand-in-hand, but because individuals don't always protect their credentials as they should, data access, use and sharing should also be monitored, including data erasure and deletion attempts.

If the data is at all sensitive, it should be encrypted in motion and at rest and there should be programmatic handling of compliance requirements and data governance rules.

Dashboards and Reporting

Cyber security reporting is evolving with business requirements and technological advances. On the business side, organizational leaders often complain that cyber security reporting is too technical, disjointed and complex. Worse, cyber security teams may not have the visibility they need to provide a holistic picture. In addition, depending on how the reporting is done and presented, it may lack the prioritization and coherence needed to demonstrate how well technology investments and processes are or are not working. While there's greater awareness of the need for "end-to-end" visibility, there are often blind spots here and there that are ripe for exploitation.

Today, dashboards are supplementing traditional reporting. The dashboard should reflect relevant KPIs, but it doesn't always. Worse, the simple indicators dashboards use, such as green, yellow and red color coding, can give practitioners a false sense of security: a green indicator says all is well when all may not be well.

Fundamentally, cyber security leaders and teams should think critically about reports and dashboards to ensure they're actually helping the organization more effectively manage and make decisions about cyber risks.

Cyber Insurance

Cyber insurance is a staple that enterprises shouldn't do without, because it's essential for managing liability costs. Companies use such insurance to help pay for lawsuits, regulatory fines and the costs associated with a breach. Without it, a company pays all of those costs out of pocket.

CISOs should be familiar with the requirements and limitations of cyber insurance because it helps inform what their teams should and should not be doing, since some actions could negatively impact the validity or amount of a claim. However, CISOs should not review such policies in a vacuum (e.g., in the absence of legal counsel), nor should organizations simply purchase insurance and hope for the best while the CISO has no idea what the policy says.

Companies are having difficulty assessing how much cyber insurance they need, with some concerned about what's perceived as a high cost. In fact, the cost of cyber insurance is expected to rise between 20% and 50% as a result of the growing number of cyberattacks and their severity.
