When a CISO lands a job in a new organization, one of the first things they look at is whether ‘the basics’ are in place.
‘The basics’ (e.g. the SANS Top 20) are foundational controls that serve two purposes. First, they deliver a level of hygiene that, at the very least, should keep commodity threats at bay. Second, they remove a lot of the noise that security operations teams have to deal with when establishing the root cause of an incident.
CISOs often find that they don’t have good visibility into the state of hygiene across their estate. Yet when they do start digging, they find there are a lot of gaps.
Asset inventories are a notorious problem: at worst they’re out of date, and at best they’re maintained to meet the needs of IT operations, not security, so a lot of the information security needs is missing. As a result, security doesn’t have a ‘golden source’ of what devices and applications the organization has.
When it comes to malware protection, CISOs may know what anti-virus solution has been purchased, but often they don’t know how good the coverage of that control is, how it is performing operationally (i.e. whether it’s scanning or updating in line with expectations), or how consistently it performs across any given set of assets.
Access management is another thing that’s hard to get a handle on. While it’s not too hard to figure out who has what access in what Active Directory groups, establishing if they need that access, why they have it, when they last used it, and for what, is a mammoth task.
Finally, vulnerability and patch management is always being done, but it’s hard to know if priorities are aligned to mitigate the risks that matter most, or if the avalanche of vulnerabilities across an estate that teams are generally dealing with could be dealt with by means other than patching (e.g. removing software or decommissioning servers).
In addition to these problems of visibility, security is dependent on others to deliver improvement in these areas. Different IT operations teams will be responsible for software roll-outs, testing and applying patches, and administering access. Often, security hygiene is seen by already overworked IT operations teams as another thing to add to an already very long list of things they have to do.
Because no obvious bad stuff is happening as a result of not doing the things security has put in a policy, ‘the basics’ are the things that slip. That is, until something does happen - and it turns out the root cause was risk that should have been managed out as part of business as usual.
This leaves another problem for the CISO. They may know there are big problems across the CIO’s estate, but they can't explain how much of a problem it is, why the CxO they report to should worry, or what the best course of action is. For example, if IT don't have good asset management, it’s hard for security to measure risk to critical assets due to vulnerability and control gaps, because there’s no easily available data to base an analysis on.
Without being able to show how IT risk translates to business assets that drive revenue, security is left speaking about risk at a technical level that executives can’t easily make sense of in terms of how it relates to material impact.
Data analytics can – and should – be applied to solve these problems. The data sets to give security the continuous visibility they need into key indicators of cyber hygiene are readily available.
By using telemetry from the operating environment and correlating security data sets together, CISOs and their teams can begin to measure risk to technical assets – and correlate asset information against IT’s asset inventory. Then, by building up a clear picture of either the factors that are contributing to business risk, or the knowledge gaps that need to be closed to gain that picture, security can work with its stakeholders to make improvements where it matters most.
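As an added example (not part of the original post), the following Python script shows the kind of correlation described above, using the anti-virus questions raised earlier: it joins a constructed IT asset inventory with constructed endpoint AV telemetry to surface assets with no agent, stale signatures or scans, and hosts reporting AV telemetry that are missing from the inventory. The field names, dates and thresholds are assumptions chosen for illustration.

```python
"""Correlate an asset inventory with AV telemetry to surface hygiene gaps."""
from datetime import datetime

# Constructed sample data: a small inventory and the AV agents that phoned home.
INVENTORY = [
    {"host": "web-01", "owner": "ecommerce", "criticality": "high"},
    {"host": "web-02", "owner": "ecommerce", "criticality": "high"},
    {"host": "hr-db-01", "owner": "hr", "criticality": "high"},
    {"host": "test-07", "owner": "qa", "criticality": "low"},
]
AV_TELEMETRY = [
    {"host": "web-01", "last_scan": "2024-03-10", "signature_date": "2024-03-10"},
    {"host": "web-02", "last_scan": "2024-02-01", "signature_date": "2024-01-28"},
    {"host": "legacy-05", "last_scan": "2024-03-09", "signature_date": "2024-03-09"},
]

# Ordering so that findings on critical assets come first (assumed scale).
RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def assess_hygiene(inventory, telemetry, as_of, max_sig_age=3, max_scan_age=7):
    """Return (host, criticality, finding) tuples, most critical assets first."""
    now = datetime.fromisoformat(as_of)
    seen = {t["host"]: t for t in telemetry}
    inventoried = {a["host"] for a in inventory}
    findings = []
    for asset in inventory:
        t = seen.get(asset["host"])
        if t is None:  # coverage gap: inventoried asset with no AV telemetry
            findings.append((asset["host"], asset["criticality"], "no_av_agent"))
            continue
        sig_age = (now - datetime.fromisoformat(t["signature_date"])).days
        scan_age = (now - datetime.fromisoformat(t["last_scan"])).days
        if sig_age > max_sig_age:  # operational gap: not updating as expected
            findings.append((asset["host"], asset["criticality"], "stale_signatures"))
        if scan_age > max_scan_age:  # operational gap: not scanning as expected
            findings.append((asset["host"], asset["criticality"], "stale_scan"))
    for host in seen:  # inventory gap: control sees a host IT does not know about
        if host not in inventoried:
            findings.append((host, "unknown", "not_in_inventory"))
    findings.sort(key=lambda f: (RANK[f[1]], f[0]))
    return findings


def av_coverage(inventory, telemetry):
    """Fraction of inventoried assets that report any AV telemetry at all."""
    seen = {t["host"] for t in telemetry}
    return sum(a["host"] in seen for a in inventory) / len(inventory)


if __name__ == "__main__":
    for host, crit, finding in assess_hygiene(INVENTORY, AV_TELEMETRY, "2024-03-11"):
        print(f"{crit:8} {host:10} {finding}")
    print(f"AV coverage: {av_coverage(INVENTORY, AV_TELEMETRY):.0%}")
```

Each finding maps back to an owner in the inventory, which is what lets security take a specific ask to the right IT operations team rather than a generic policy reminder.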
By improving hygiene first, security teams also set the foundation to apply advanced analytics more effectively. When indicators are found that threats are operating above the control baseline, this can be correlated against assets and control coverage to either close control gaps or understand which investment will have the greatest impact on a threat's ability to move through the kill chain. This helps escape the cycle of endlessly chasing more and more incidents that are the result of poor hygiene.
In short, it’s why so many teams are now focusing on hygiene first, turbo-power machine-learning predictive analytics ninjas second.