Businesses of all sizes have become entrenched in the inclimate storms of cybercrime, including phishing, ransomware, bad code, and insider threat. Further adding to the problem is an often-inconsistent path in the pursuit of all things “compliance” (e.g., GDPR, NIST, HITRUST, SOC2, etc.). Industry analysts and vendors alike anticipate an extension of the compliance movement that focuses on the actual IT audit, which may further confound efforts to reunite IT operations under a common banner.

And as we find ourselves emerging from the first true medical pandemic in more than a century, anxiety among business leaders continues to heighten over when the next “Big Problem” will hit the Internet.

Facing the reality that all Internet-connected systems are doorways of risk is not easy for IT administrators and business owners alike. But since more than 90% of all security risks exploit known system vulnerabilities according to Gartner, the controversy of “where to react” transforms into one of “failure to plan.” Add to this, that in an era of “Ransomware Everywhere,” organizations can no longer hide behind the “we didn’t know what was happening” defense, and matters concerning “security risk management” become issues of “business contingency planning and accountability.”

Umbrellas of Compliance

In recent years, many organizations have felt the heavy hand of standards and compliance knocking on their door – especially government agencies and the banking community. For American-based companies, much of the compliance push comes from the vague and elusive Sarbanes-Oxley (SOX) rules for security risk management and accounting. While SOX continues to stand at the center of the compliance controversy – with its reach extending into European markets as a new potential benchmark – other frameworks and methodologies, such as ITIL, ISO27001, NIST and CIS v7, continue to thunder through the world’s business communities.

But what of the hype that surrounds all of these issues of compliance? The seasoned IT manager has heard this rumbling before – in the recent winds of the Y2K storm that passed by a half-decade ago.

Compliance standards often become reaction-based initiatives, usually born out of the need to meet expectations as a result of a pending audit. These often-ambiguous standards further the confusion IT administrators and their bosses are forced to face as fears of penalties and possible prison time threaten to strike at will. And unfortunately, IT security vendors are all too well-aware that buzzwords like compliance mean good business on which hundreds of IT security vendors build their marketing models.

Preparing for Foul Weather

Focusing on continued efforts to defend their expensive mission-critical infrastructures from the frequent storms of attacks and exploits, business owners are also frequently forced to decide which vendor’s story about security makes the most sense (or cause the least amount of confusion). Determining which tools make the right sense to address security risks, while trying to maintain current operational standards of performance puts even more pressure on administrators.

• “Which anti-malware will best defend my system from phishing?”
• “Will these policy and assessment applications scale to my enterprise?”
• “Do these free spyware tools really work?”
• “What do ‘intrusion prevention’ tools really prevent?”
• “Which tools make the most sense?”

Business owners (as well as any IT administrators they may keep on the payroll), have raised time and again the fact that their concerns aren’t necessarily about the rules found in a set of frameworks, but rather, they worry about what further risks they might be facing by overlooking something while rapidly moving to meet compliance deadlines, or while reacting to specific incidents or reports of attacks.

That said, the following are three basic principles that systems administrators might find helpful when trying to break through the clouds:

1. Compliance is 90% process and 10% technology.

Part of “process” is gaining a full understanding of what’s happening “behind the scenes” before beginning to define any sort of policy or react to any type of mandate.

While there’s a lot written about “Managed Detection & Response” (MDR) technologies, in many situations, an incident has to occur, or a violation of the defined policy must be recorded before MDR tools become meaningful.

2. Defining a policy without first assessing the environment to which it is assigned is too late.

According to McAfee, there are more than 1,200 offering to provide shelter from the storm for business owners. Most of them begin their security lifecycle models at the policy and move forward with varying degrees of success to defend some portion of that policy (assessment, event logging, perimeter defense, etc.). However, since these security policies are often segregated from the rest of the operational controls (i.e., a separate policy for everything else), most times the general market still looks at IT security tools as a way to react to a fraction of a bigger problem (such as a virus outbreak, the threat of denial of service, ransomware, etc.).

Administrators and their employers may find it easier to manage and enforce a policy after first learning as much as they can about their environment, its settings, and what is necessary to optimize that environment. In this case, knowledge before acting is key in determining which decisions will have the best results. Administrators will find that gaining a better understanding of their environments will greatly simplify the need to react to a mandate or some other external control.

3. More than 90% of all the exploited vulnerabilities are based on known problems and poorly configured environments.

In Las Vegas, those odds would make millionaires out of the homeless. When navigating through rough waters and high seas, seafarers know that survival depends on maintaining a true course while ensuring watertight integrity throughout their infrastructure. Knowing that there’s a nine-to-one ratio of where a problem is going to occur (and often with a three- to five-month lead time) plus the capability of gathering thousands of data points about an infrastructure’s most intimate configuration settings moves the concept of “risk prevention” to the level of “security empowerment.”

Following a more administrative approach to addressing potential risks, systems administrators should consider a configuration management database or CMDB-driven data repository as the starting point. Administrators could actually prevent most of the risks to their IT infrastructures by gaining a complete understanding of details associated with system settings and configuration controls at all points throughout the enterprise. Defining the policy on which an organization builds a “gold standard” of operation without this critical step results in an ineffective reactionary-based trend in enterprise IT security.

Over the Rainbow

Once administrators have collected that mission-critical data, they can begin to shape an appropriate policy for what should be considered the “gold standard” of operational expectation. Blending the strong integrity of a CMDB-based approach to policy management further capitalizes on the administrator’s ability to address the need for preemptive control rather than post-event recovery. In a sense, you can’t fix what you don’t know is broken, but you CAN plan for risks when you know what you have and how it’s working before those risks are exploited.

The old axiom that “knowing is half the battle” certainly rings true where your organization’s risk management plans are concerned. Organizations can no longer afford to claim, “The hole is on your side of the boat.”

Guidacent takes every relationship seriously. Our clients include recognized names you come into contact with on a daily basis. They also include mid-enterprise businesses that are making a difference in their markets every day. Regardless of business size, Guidacent has one goal: to help our clients achieve their highest competitive potential by implementing safe, secure, and proven processes as they make the journey. If your business is ready to climb to new heights, let’s talk!

By: Drew Blandford-Williams, CISO / ThreatRecon Practice Lead

Our Cybersecurity Services range from Cybersecurity Assessment Services, or if your business needs advisory services, we offer Cybersecurity Professional Services with consulting on-demand.