Friday, May 26, 2023

How To Take Your Risk Assessment One Step Further - Procuring The Right Controls

 


One of the things that I have written about before on many occasions is the need for a business to conduct what is known as a Risk Assessment.  In very simple terms, it is where the CISO and their IT Security team come together and literally inventory all of the physical and digital assets that their company possesses. 

From here, all of them are then ranked according to their degree of vulnerability using some categorical ranking, for instance, where 1 would be least vulnerable and 10 would be most vulnerable.

Once this has been done, it then serves as a stepping stone to decide what kinds of protective controls need to be procured and deployed.  That is where most Risk Assessments stop.  But I have advocated taking it one step further.

For example, also use the results to determine where these controls can be most strategically placed.  In other words, try to make do with the existing controls you have, but place them in a more efficient manner so that they can offer maximum results.

In other words, one should never buy new Cyber tools just for the sake of beefing up your lines of defenses.  Put another way, get away from the proverbial way of thinking that there is safety in numbers.  There really is not any. 

If you buy tools just for the sake of deploying them, you are not only going to overburden your IT Security team with false positives, but you will also be greatly increasing the attack surface just that much more.

But, on the flip side, there will be instances when reshuffling your existing controls and updating them will not be enough.  You simply need to get newer ones. It’s like an old car.  The money that is spent on fixing it can be used to get a newer one, which will probably last longer.  But once again, just don’t go out on a buying spree.

You still need to take time to figure out what it is you really need.

So, in an effort to get you started in this kind of mindset, here are some tips that you should follow:

1)     Is technology proactive enough?

All Cyber vendors that make their own products and/or solutions like to state that they are extremely proactive.  But what does that mean exactly?  This term can have different sorts of connotations, but in very general terms, it is when a tool provides alerts and warnings as events happen, and not as a lagged function.  Or better yet, a proactive tool is one that can detect even the smallest hint of malicious or suspicious behavior and try to project what it will mean, using the help of ML or AI.  But be careful here as well, as many Cyber vendors like to tout that their products and/or services also have AI built into them, and customers get suckered into it.

2)     Can it gather intelligence?

In the world of Cyber, collecting intelligence and interpreting it is one of the key facets in trying to stay one step ahead of the Cyberattacker.  But usually this is provided once again by either an AI or ML tool, and this in turn needs a huge amount of data to be fed into it so that it can learn, and try to project the future of the Cyber threat landscape.  Trying to get a human to do all of these tasks will take weeks if not months, and no company has that kind of time to waste. So, make sure that whatever tool you plan to get will provide some sort of reasonable intelligence for your IT Security team to use.

3)     Can it work by itself?

This has always been a point of contention in the Cyber world.  Can you really have a tool that is truly, 100% autonomous without needing human intervention?  IMHO, no, it is not. Probably the best example of this is the Pen Testing community. A lot of the vendors here like to claim that their tools are completely automated, and do not need human intervention.  But in my view, they are taking this a little bit to the extreme.  Every tool needs some kind of human input, but the trick here is to find that tool which can be at least 60%-70% working by itself.  Having automation like this in Cyber is very important, but don’t ever get hung up when a vendor claims that their tool is 100% free from humans.  It is not, and will never be.

4)     Can the tool match your future needs?

The technical term for this is known as “scalability”.  In other words, can this new tool match your security requirements if they ever change over time (and they most probably will)?  You want a tool that can do this, as you don’t want to either discard it (if your requirements lessen) or have to buy a new one (if they increase). In this regard, you should probably look at getting security tools that are available from the major Cloud providers, such as AWS or Microsoft Azure.  Not only are their tools easy to deploy in just a matter of minutes, but they are also “scalable” within a matter of seconds, which leaves you, the CISO, nothing to worry about.

5)     Can it co-mingle?

Unless you are planning a full-blown migration to the Cloud and still have On Prem infrastructure, you are not simply going to rip out your old systems so that your new tools will work in your business.  But by the same token, you simply don’t want to add in a new security tool and hope that it works with everything else.  Thus, you have to make sure that whatever new tools you purchase will co-mingle nicely with the existing infrastructure that you have.  This is the main problem that Critical Infrastructure has today.  A lot of the technologies that fuel these systems today were built in the late 1960s to the early 1970s.  But back then, nobody even thought of Cybersecurity.  Today, it has become a grave vulnerability for the United States.  Finding the tools of today to beef up the security of the legacy Critical Infrastructure is now an almost impossible task.  But here, the Cloud can be your best friend.  If you are 100% there, all of the tools are brand new and updated, so you will not have to worry about any co-mingling issues.

My Thoughts On This:

Any Cyber vendor worth their grain of salt will allow you to try their product and/or service for a free trial period.  Always take advantage of this, so you can make sure that whatever you are thinking of procuring for your environment will actually work, and not only meet, but even surpass your needs.
