The 3 Essentials of Proactive Preparedness in Cybersecurity
Adam Mansour of ActZero Outlines the Strategy to Harden, Reduce Threat Surfaces
Cybersecurity often feels like a never-ending battle, as new threats emerge almost as quickly as resource-stretched security teams can quash them. It seems that just as one vulnerability is patched, another one appears. And lately these threats are often deeply buried in the software supply chain, making them increasingly hard to find.
That’s why it’s crucial that your cybersecurity practice adopts a strategy focused on proactive preparedness and takes actions - in advance of an attack - that harden and reduce the threat surfaces that hackers exploit.
If you're simply reacting to security threats, you've already lost the battle. Being proactive with your cybersecurity might seem obvious - and, as such, easy - but if it were, would we see such a litany of news stories surrounding high-profile breaches?
3 Essentials of Proactive Preparedness
Still, it's not impossible to be proactive, even when resources are tight. You must consider three key areas to reinforce defenses and achieve a more proactive posture. Sadly, these are the same areas many midsized enterprises struggle with, especially given the amount of time - and bodies - an IT team in such a company can dedicate to security.
Endpoint Hardening
Strengthening your security doesn’t stop at the borders of your own network. Today, access from the edge and cloud must also be hardened to maintain a proactive defense.
Even if you don’t implement additional endpoint security tools, you should at least use the ones freely available. Here are some actions you can take:
- Take advantage of Software Restriction Policies on the company desktops and laptops. Almost every piece of malware needs an executable or script, so it's essential to lock down the ability of unknown software to run.
- Use the OS's built-in antivirus software. Will paid AV solutions recognize slightly more attacks and therefore be a better defense? Yes. But are Microsoft Defender or Gatekeeper better than nothing at all? That’s a resounding yes.
- Nearly every computer ships with a built-in host firewall. Configure it and allow only the users and services that genuinely need to reach the machine. Also, strictly limit outbound connections to counter malicious applications attempting to "phone home" or exfiltrate data.
- Institute group restriction policies to control privileged access. Don't give any single account wide-scale access to all machines. After all, attackers can only reach what the credentials they've stolen permit, so restrict that access to only what a user or application needs to do their job.
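The four items above, as an added audit-and-harden script for a Windows 10/11 host. This is example code written for this page, not ActZero's or the article's own; it assumes the Defender and NetSecurity PowerShell modules are present and uses a placeholder path (ExampleCorp\agent.exe) for the outbound allowlist that you would replace with your real management agents. Without -Apply it only reports.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, and optionally apply, the four endpoint-hardening items on a Windows host.
# Assumptions: Defender and NetSecurity modules present; the allowlist path below is a placeholder.
param(
    [switch]$Apply,   # report only unless -Apply is given
    [string[]]$AllowedOutboundPrograms = @("$env:ProgramFiles\ExampleCorp\agent.exe")  # placeholder
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Software Restriction Policies. The machine-wide default level is written here by the
#    Local Security Policy / Group Policy editor: 0 = Disallowed (default-deny), 0x40000 = Unrestricted.
#    Writing it by hand without the accompanying path rules would block Windows itself, so this
#    section only reports; configure SRP through secpol.msc or Group Policy.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$level = (Get-ItemProperty -Path $saferKey -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
if ($level -ne 0) {
    $shown = if ($null -eq $level) { 'not set' } else { '0x{0:X}' -f $level }
    $findings.Add("SRP default level is $shown, not Disallowed: unknown executables and scripts can run.")
}

# 2. Built-in antivirus: Microsoft Defender with real-time protection switched on.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Defender real-time protection is off or Defender is unavailable.')
    if ($Apply -and $mp) { Set-MpPreference -DisableRealtimeMonitoring $false }
}

# 3. Host firewall: every profile enabled, inbound blocked by default, outbound limited to an
#    allowlist. Before applying outbound default-deny, the allowlist must also cover what the OS
#    itself needs (DNS resolver, Windows Update, management agents), so pilot it on a test group.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)' is disabled or accepts inbound connections by default.")
    }
    if ($p.DefaultOutboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)' lets any program connect out, so malware can phone home.")
    }
}
if ($Apply) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
    foreach ($exe in $AllowedOutboundPrograms) {
        New-NetFirewallRule -DisplayName "Allow outbound: $exe" -Direction Outbound `
            -Program $exe -Action Allow | Out-Null
    }
}

# 4. Privileged access: the local Administrators group should hold a handful of named accounts,
#    never broad groups that hand every user admin rights on every machine.
$broadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
foreach ($m in $admins) {
    $short = ($m.Name -split '\\')[-1]
    if ($m.ObjectClass -eq 'Group' -and $short -in $broadGroups) {
        $findings.Add("Broad group '$($m.Name)' is a local Administrator; remove it and grant per-role access instead.")
    }
}

Write-Output "Local Administrators ($($admins.Count)): $($admins.Name -join ', ')"
Write-Output "Findings: $($findings.Count)"
$findings
```

Run it once without -Apply to see the gaps, fix the SRP and allowlist pieces through Group Policy and a pilot group, then run with -Apply on the hosts you have validated; the outbound default-deny is the step most likely to break something if the allowlist is incomplete.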
Cloud Security
On the cloud side, institute identity protection, single sign-on and multifactor authentication with context-based Zero Trust policies.
MFA certainly applies in the cloud, but really it belongs everywhere you can deploy it, because passwords get leaked. Zero Trust is more important now than ever, given software supply chain attacks such as SolarWinds, Exchange-HAFNIUM, Kaseya (see: 6 Steps to Secure Your IT Supply Chain) and the most recent Okta breach - which, irony notwithstanding, shouldn't dissuade you from pursuing SSO.
Collecting and analyzing cloud logs and monitoring for malicious - or at least abnormal - behavior are also key, though more expertise is required the further down the rabbit hole you go.
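A first step down that rabbit hole, as an added example that is not part of the original article or ActZero's tooling: a small detector run over cloud sign-in logs that flags successful sign-ins without MFA, sign-ins from a country the user has never used, and a success that follows a burst of failures from the same address. The log records and the per-user country baseline below are constructed, and the field names (time, user, ip, country, mfa, result) are assumptions to be mapped onto whatever your identity provider actually exports.

```powershell
# Added example: abnormal-behaviour checks over cloud sign-in events (JSON lines).
# Constructed sample data; field names are assumptions, not any provider's real schema.
$sampleLog = @'
{"time":"2022-04-04T08:02:11Z","user":"alice@example.com","ip":"203.0.113.10","country":"CA","mfa":true,"result":"success"}
{"time":"2022-04-04T08:05:40Z","user":"bob@example.com","ip":"198.51.100.7","country":"CA","mfa":false,"result":"success"}
{"time":"2022-04-04T09:11:02Z","user":"alice@example.com","ip":"192.0.2.55","country":"RO","mfa":true,"result":"success"}
{"time":"2022-04-04T09:30:00Z","user":"carol@example.com","ip":"192.0.2.99","country":"CA","mfa":false,"result":"failure"}
{"time":"2022-04-04T09:30:05Z","user":"carol@example.com","ip":"192.0.2.99","country":"CA","mfa":false,"result":"failure"}
{"time":"2022-04-04T09:30:09Z","user":"carol@example.com","ip":"192.0.2.99","country":"CA","mfa":false,"result":"failure"}
{"time":"2022-04-04T09:30:14Z","user":"carol@example.com","ip":"192.0.2.99","country":"CA","mfa":false,"result":"failure"}
{"time":"2022-04-04T09:30:20Z","user":"carol@example.com","ip":"192.0.2.99","country":"CA","mfa":false,"result":"failure"}
{"time":"2022-04-04T09:31:02Z","user":"carol@example.com","ip":"192.0.2.99","country":"CA","mfa":true,"result":"success"}
'@

# Constructed baseline: countries each user has historically signed in from.
$knownCountries = @{
    'alice@example.com' = @('CA')
    'bob@example.com'   = @('CA', 'US')
    'carol@example.com' = @('CA')
}

function Find-SuspiciousSignIns {
    param(
        [string[]]$Lines,
        [hashtable]$KnownCountries,
        [int]$FailureThreshold = 5
    )
    $alerts   = [System.Collections.Generic.List[string]]::new()
    $failures = @{}   # "user|ip" -> failed attempts seen since the last success

    $events = $Lines | Where-Object { $_.Trim() } | ForEach-Object { $_ | ConvertFrom-Json } | Sort-Object time
    foreach ($e in $events) {
        $key = "$($e.user)|$($e.ip)"
        if ($e.result -eq 'failure') {
            $failures[$key] = [int]$failures[$key] + 1
            continue
        }
        # Successful sign-in: three conditions worth a closer look.
        if (-not $e.mfa) {
            $alerts.Add("NO_MFA $($e.time) $($e.user) from $($e.ip)")
        }
        $baseline = $KnownCountries[$e.user]
        if ($baseline -and ($e.country -notin $baseline)) {
            $alerts.Add("NEW_COUNTRY $($e.time) $($e.user) from $($e.country) ($($e.ip))")
        }
        if ([int]$failures[$key] -ge $FailureThreshold) {
            $alerts.Add("SUCCESS_AFTER_$([int]$failures[$key])_FAILURES $($e.time) $($e.user) from $($e.ip)")
        }
        $failures[$key] = 0
    }
    return $alerts
}

$alerts = Find-SuspiciousSignIns -Lines ($sampleLog -split '\r?\n') -KnownCountries $knownCountries
$alerts
```

On the sample data this raises three alerts: bob signing in without MFA, alice signing in from RO, and carol's success after five failures from the same address. The country baseline and the failure threshold are the two knobs you tune to your own tenant, which is exactly where the extra expertise the paragraph mentions starts to matter.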
Lastly, you should harden to best-practice levels. I contributed to a guide for that too, focused on M365 and Azure. For more general cloud hardening, the CIS benchmarks should be applied yearly.
Vulnerability Scanning and Remediation
Digital transformation is great, but with every new application or piece of software comes a growing list of vulnerabilities that bad actors can exploit. Everyone knows that scanning for and patching these ever-increasing vulnerabilities is paramount, but it poses significant challenges, especially for budget-strapped small and midsized businesses.
As anyone who's had a particularly rigorous Patch Tuesday can attest, remediation efforts can create unintended consequences. For example, your attempts to close a security hole could also close off a critical business process or prevent it from functioning properly.
Also, not everything can be easily patched. Many organizations have aging but vital equipment containing software that's well past its end of life, or worse, its end of service. When the support for these systems is gone and the patches stop coming, they sit vulnerable to exploits.
The key to successful vulnerability remediation is to close the weaknesses you can and build a web of defensive depth to catch what you cannot.
Results: Likelihood and Impacts
While improving these three key areas won't prevent every possible breach, it will reduce the surface on which attacks can land and the reach within the organization they can spread. This will go a long way toward increasing the likelihood of preventing an incident, as well as containing the damage an attacker can do and buying time when an attack occurs.
It's important to note that the measures discussed can be done incrementally, even by a small IT team or security team of one, so you can become more proactively protected day by day.
But these measures are just a first step to being truly proactive and prepared for attacks. IT leaders who are forced to choose between these efforts and monitoring for specific attacks often choose the latter. See the recording of my webinar on why that tends to be the wrong choice for teams with less mature, or even maturing, cybersecurity capabilities.
To learn more about these and other security functions that you can prioritize to help your security practice, check out our white paper "The Opportunity Cost of Making 'Impossible' Cybersecurity Trade-offs."