Decrease the Risk Assessment Time Gap Towards Continuous Assessment
Semi-annual penetration tests get a box checked and keep you out of compliance jail, but cybersecurity has moved to near-real time and so too must your assessment. Continuous monitoring has been an important goal, but we need to advance it to making continuous decisions based on what that monitoring shows.
Even events such as authenticating to use a VPN are too infrequent to make actionable judgments: in between those authentications there can be many indicators of compromise (IOCs) that together give high enough assurance that you, or your account, device, asset or data, has moved from acceptable to unacceptable risk.
Continuous assessment means always looking for vulnerable or compromised elements and taking action. If my device is vulnerable, or my email account is spewing malware or showing the signs of having been phished, there should be an immediate risk-based decision taken. Time is the friend of the attacker. Let’s be less friendly with them.
Increase Non-Standard Security Telemetry
The standard events we examine in security have not only gotten a bit stale, but attackers know them well enough to avoid being caught up in them. That’s the whole basis for attacks moving laterally and through unconventional paths such as IoT devices and other things you likely don’t know are part of your attack surface, even though they are.
Attackers know where the motion alarms are for standard security alerts and telemetry and avoid those. Alongside knowing your attack surface better, go and gather more new kinds of security-relevant telemetry.
Extended detection and response (XDR) and continuous assessment get smarter, faster, and more accurate when there is more data to assess beyond your parents’ firewall alerts. Telemetry regarding connections, rates of missed authentications, changes in application activity, DNS usage, system tools running in new places, never-before-seen pairings of privileges and the granting admin, unusual backups… there’s a data lake to fill with these. The more telemetry you have, the more signals you can combine into meaningful indicators that are less likely to be a false positive or false negative.
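To make the continuous-assessment idea concrete (immediate, risk-based decisions built from several weak, non-standard indicators rather than waiting for the next authentication), here is an added example that is not from the original post or any vendor product. The event kinds, weights, decay rate, threshold and sample telemetry are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical weights for the non-standard telemetry kinds named above.
# Any one indicator scores below the threshold; only a combination crosses it.
WEIGHTS = {
    "auth_fail_burst": 20,        # rate of missed authentications jumped
    "new_priv_grant_pair": 30,    # never-before-seen (grantee, granting admin) pairing
    "sys_tool_new_host": 25,      # system tool running on a host it never ran on
    "dns_anomaly": 15,            # unusual DNS usage for this asset
    "unusual_backup": 20,         # backup job outside its normal schedule
    "vuln_unpatched": 10,         # known vulnerable component present
}
DECAY_PER_HOUR = 10.0  # score bleeds off while no new indicators arrive
ACT_THRESHOLD = 60.0   # at or above this the asset is unacceptable risk

@dataclass
class AssetState:
    score: float = 0.0
    last_ts: float = 0.0
    indicators: list = field(default_factory=list)

def assess(events):
    """Fold a stream of telemetry events into per-asset risk scores and emit a
    decision the moment an asset crosses the threshold. Each event is a dict
    with 'ts' (hours), 'asset' and 'kind' (a key of WEIGHTS). Returns the
    list of decisions and the final score per asset."""
    states = defaultdict(AssetState)
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = states[ev["asset"]]
        elapsed = ev["ts"] - st.last_ts if st.indicators else 0.0
        st.score = max(0.0, st.score - DECAY_PER_HOUR * elapsed)  # decay first
        st.score += WEIGHTS[ev["kind"]]
        st.indicators.append(ev["kind"])
        st.last_ts = ev["ts"]
        if st.score >= ACT_THRESHOLD:
            decisions.append({"ts": ev["ts"], "asset": ev["asset"],
                              "action": "isolate_and_step_up_auth",
                              "evidence": list(st.indicators)})
            st.score, st.indicators = 0.0, []  # reset after acting
    return decisions, {a: s.score for a, s in states.items()}

# Constructed sample telemetry (not real data); timestamps are hours.
SAMPLE = [
    {"ts": 0.0, "asset": "laptop-17", "kind": "vuln_unpatched"},
    {"ts": 0.5, "asset": "laptop-17", "kind": "auth_fail_burst"},
    {"ts": 0.7, "asset": "laptop-17", "kind": "sys_tool_new_host"},
    {"ts": 1.0, "asset": "laptop-17", "kind": "new_priv_grant_pair"},
    {"ts": 0.2, "asset": "printer-3", "kind": "dns_anomaly"},
    {"ts": 9.0, "asset": "printer-3", "kind": "dns_anomaly"},
]
```

Running `assess(SAMPLE)` acts on laptop-17 at hour 1.0, because four individually weak indicators arrived within an hour, while printer-3's two DNS anomalies nine hours apart never accumulate.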
Choosing the Right Security Tools
Underscoring all of this is the fact that you need the right security tools in place. While you may opt to diversify your security stack, don’t fall into the trap of deploying point products that don’t play nicely together. As I said, visibility is the foundation of all other defense – using siloed solutions will only give you bits and pieces of the entire picture.
You don’t need to rip and replace your entire stack – that’s costly and time-consuming. However, you can leverage a unified cybersecurity platform that brings together the telemetry from different security solutions into a single pane of glass. Beware, some vendors may try to sell you a suite of siloed solutions as a platform. A true platform is composed of integrated vendor solutions and allows broad third-party integrations.
As a bonus, look for a platform that’s backed by the capabilities I mentioned earlier like XDR, virtual patching, automation, continuous monitoring, and more to provide security across the attack surface – from users, to endpoints, to email, to clouds, to networks, etc.
So, let’s make Cybersecurity Awareness Month actionable and meaningful. And in the spirit of continuous assessment, don’t wait until the next Cybersecurity Awareness Month to check and refine your progress.
For more information on attack surface and cyber risk management, check out the following resources: