One of the things that I have written about before on many
occasions is the need for a business to conduct what is known as a Risk Assessment. In very simple terms, it is where the CISO
and their IT Security team come together and literally inventory all of the
physical and digital assets that their company possesses.
From here, all of them are then ranked according to their degree
of vulnerability using some categorical ranking, for instance, where 1 would be
least vulnerable and 10 would be most vulnerable.
Once this has been done, it then serves as a steppingstone
to decide what kinds of protective controls need to be procured and
deployed. That is where most Risk Assessments
stop. But I have advocated taking it one
step further.
For example, also use the results to determine where these
controls can be most strategically placed.
In other words, try to make do with the existing controls you have, but
place them in a more efficient manner so that they can offer maximum results.
You should never buy new Cyber tools just
for the sake of beefing up your lines of defense. Put another way, get away from the proverbial
way of thinking that there is safety in numbers. There really is not any.
If you buy tools just for the sake of deploying them, you
are not only going to overburden your IT Security team with false positives,
but you will also be increasing the attack surface that much more.
But, on the flip side, there will be instances when
reshuffling your existing controls and updating them will not be enough. You simply need to get newer ones. It's like
an old car. The money that is spent on
fixing it can be used to get a newer one, which will probably last
longer. But once again, don't just go out on
a buying spree.
You still need to take time to figure out what it is you really
need.
So, in an effort to get you started in this kind of mindset,
here are some tips that you should follow:
1) Is technology proactive enough?
All Cyber vendors that make their
own products and/or solutions like to state that they are extremely
proactive. But what does that mean
exactly? This term can have different
sorts of connotations, but in very general terms, it means that a tool will provide
alerts and warnings as they happen, and not as a lagged function. Or better yet, a proactive tool is one that
can detect even the smallest hint of malicious or suspicious behavior and try
to project what it will mean, using the help of ML or AI. But be careful here as well, as many Cyber
vendors like to tout that their products and/or services also have AI built
into them, and customers get suckered into it.
2) Can it gather intelligence?
In the world of Cyber, collecting intelligence
and interpreting it is one of the key facets in trying to stay one step ahead
of the Cyberattacker. But usually this
is provided once again by either an AI or ML tool, and this in turn needs a
huge amount of data to be fed into it so that it can learn, and try to project the
future of the Cyber threat landscape.
Trying to get a human to do all of these tasks will take weeks if not
months, and no company has that kind of time to waste. So, make sure that whatever
tool you plan to get will provide some sort of reasonable intelligence for your
IT Security team to use.
3) Can it work by itself?
This has always been a point of
contention in the Cyber world. Can you
really have a tool that is truly, 100% autonomous without needing human
intervention? IMHO, no, it is not possible.
Probably the best example of this is the Pen Testing community. A lot of the vendors
here like to claim that their tools are completely automated, and do not need
human intervention. But in my view, they
are taking this a little bit to the extreme.
Every tool needs some kind of human input, but the trick here is to find
a tool that can work at least 60%-70% by itself. Having automation like this in Cyber is very
important, but don't ever get hung up when a vendor claims that their tool
is 100% free from humans. It is not, and
will never be.
4) Can the tool match your future needs?
The technical term for this is known
as "scalability". In other words, can
this new tool match your security requirements if they ever change over time
(and they most probably will)? You want a
tool that can do this, as you don't want to either discard it (if your requirements
lessen) or have to buy a new one if they increase. In this regard, you should probably
look at getting security tools that are available from the major Cloud
providers, such as AWS or Microsoft Azure.
Not only are their tools easy to deploy in just a matter of minutes, but
they are also "scalable" within a matter of seconds, which leaves you, the CISO,
nothing to worry about.
5) Can it co-mingle?
Unless you are planning a full-blown
migration to the Cloud, and still have On Prem infrastructure, you are simply not
going to rip out your old systems so that your new tools will work in your
business. But by the same token, you
don't want to simply add in a new security tool and hope that it works with everything
else. Thus, you have to make sure that whatever
new tools you purchase will co-mingle nicely with the existing infrastructure
that you have. This is the main problem
that Critical Infrastructure has today. A lot of the technologies that fuel these
systems today were built in the late 1960s to the early 1970s. But back then, nobody even thought of
Cybersecurity. But today, it has now
become a grave vulnerability for the United States. Finding the tools of today to beef up the
security for the legacy Critical Infrastructure is now an almost
impossible task. But here, the Cloud can
be your best friend. If you are 100%
in the Cloud, all of the tools are brand new and updated, so you will not have to worry
about any co-mingling issues.
My Thoughts On This:
Any Cyber vendor worth their salt will allow you to
try their product and/or service for a free trial period. Always take advantage of this,
so you can make sure that whatever you are thinking of procuring for your
environment will actually work, and not only meet, but even surpass your needs.