In a recent piece, I compared investing in your cybersecurity profile to a financial investment portfolio. In that article, I advocated for companies to take a strategic approach in determining how to balance their security spend across all five functions of the National Institute of Standards and Technology’s framework for cybersecurity. Those five functions would ensure enterprises can identify, detect, protect, respond, and recover from threats. Within each of the categories, there are numerous actions companies can undertake to achieve a solid security infrastructure, from cataloguing resources and technologies, to implementing risk and governance policies, to limiting access to assets and networks, to network monitoring, to isolating and responding to attacks when they do occur.
This is the second article in a series on building the right cybersecurity profile for your business. The first article (“How CISOs Can Create A Balanced Portfolio Of Cybersecurity Products”) covered the first two steps (Determine Needs, Allocate Spending According to Risk) companies should take when creating that portfolio. This article explains step three: Design Your Portfolio. Subsequent articles will cover steps four and five (Choose the Right Products, Rebalance as Needed). This graphic shows all the steps:
Step Three: Design Your Portfolio
Companies can use the NIST framework to gain a better understanding of what capabilities they need to have. But they face two key questions when crafting their portfolio:
- What are my needs in each of these categories?
- How do I select the right products to deliver what I need?
As I wrote in my first piece about the first two steps of building a solid security portfolio, there is no universal solution for security spending. Each company has different assets and therefore different security needs. Therefore, their security portfolio (and their spending) should reflect this uniqueness by placing resources where they’re most needed to secure the crown jewels of the organization. That unique set of needs will be represented by a different level of investment in each of the five functions and by different product choices to achieve specific goals. In this article, I want to outline how companies can determine where they need to invest the most and where they can be just good enough, again drawing on my interviews with experts from leading cybersecurity firms.
Prioritize your prime assets
I’ve written that enterprise cybersecurity should be predicated on first protecting the crown jewels – the assets that, if damaged or destroyed, could bring down the business. Your investment strategy should therefore seek solutions that provide the greatest amount of security for these assets. This is where you want to put the bulk of your spending, with your remaining resources then distributed as best as possible over your other assets. Companies without crown jewels, though, will have a completely different balance to their security portfolio spend.
“There’s no one size fits all in terms of portfolio,” said Ashley Stephenson of Corero, a company specializing in preventing Distributed Denial of Service attacks. “If you have some very valuable intellectual property to protect, you probably would be very interested in breach and encryption and those kinds of security mechanisms. If, however, you have an online service that delivers your value or generates your revenue, you’ll need to focus much more on DDoS protection to make sure your service is available because if your service is not available, your online revenues stop and your online brand is damaged. Your portfolio spending needs to match your underlying business asset.”
Paul Hooper of Gigamon, a company that captures and analyzes data from many sources to provide organizations with greater visibility and transparency into their businesses, agreed with this assessment. “If you are a born-on-the-web company, if you’re a heavy user of software as a service, you have very little application and data residing in-house, all of it is SaaS-based, a firewall is important,” he said. “But you need to ask yourself: What are you actually protecting inside the company? Compare and contrast that to where you are completely in-house developed. You don’t use any cloud functionality. Everything resides inside your data center. Your protection would have to be substantially better because the attack vector is straight at your data center.”
Companies must recognize two key realities here: (1) threats will occur; there’s no way to be 100% secure; and (2) all businesses have a finite set of resources to devote to cybersecurity. Therefore, there will be some categories where you must be satisfied with being just good enough, and this is okay so long as you are protecting what is most important.
Companies need to be careful to avoid getting caught up in the latest security craze or product and buying simply based on trends. If a product doesn’t fit your needs, it’s not going to keep you safe. Therefore, don’t overspend on what you don’t need.
Protection is important…
For most of recent history, cybersecurity has focused on protection above all else: firewalls and other tools that keep outsiders who are trying to get in from getting in.
This makes sense. As Stephenson told me, prevention must be a key part of your investment. “In terms of spending, there’s a lot of benefit in prevention versus a cure,” he said. “You need a balance, but with things like DDoS, typically prevention is better than cure. Cleaning up after the effect is much more expensive than preventing the outage in the first place. For example, if you’re going to be DDoS-ed and go out for a day, it’s been proven with business use cases that could cost operators millions and millions of dollars. Reputation damage, lost business, etcetera. It’s better to spend a fraction of that on prevention rather than an order of magnitude greater amount on cleanup after the fact. A similar kind of logic would apply in terms of data loss prevention or breach prevention. The loss of your customer list and their credit information is going to be very costly to clean up so investing in tools to prevent that happening is important.”
Amit Yoran of Tenable, a company specializing in cloud-based vulnerability management software, echoed the idea that prevention, including many simple aspects of proper security hygiene, is key to quality cybersecurity: “I can tell you with 25 years in the industry and experience in every aspect of security, that an ounce of prevention is worth a pound of remediation and response. Look at ransomware, for example — one of the hottest new cyber threats around — almost all ransomware attacks are based on four well-known, well-publicized vulnerabilities and exploits. You address those four things, and suddenly today’s ransomware is no longer a problem. The basic blocking and tackling of security isn’t sexy, but it’s where most organizations fail.”
Protection begins with good perimeter security. So for many businesses with significant crown jewels, this is an area to prioritize investment. “Your perimeter security, unless you really don’t have anything to protect, should be above average,” said Israel Barak of Cybereason, a company that provides endpoint protection and advanced threat detection. “You should have something that is not just you didn’t leave your keys in the car, not just you locked your jewelry in the safe, but something that’s a little bit extra so that if somebody looks around, they go, ‘I don’t want to be here. There’s an easier problem for me to solve.’ It shouldn’t be the only deterrent, but it should be a deterrent to the low-class, low-skill people. You need this deterrent because small breaches can become big problems.”
So much of security is contextual. For perimeter defenses, and many aspects of cybersecurity as a whole, if you are significantly better than your competitors and most other companies, you will avoid a lot of threats simply by being more difficult to penetrate. This is part of the reason quality protection is so worthwhile.
…but it’s not the only thing
Yet, despite this importance, many companies overspend on protection to the neglect and detriment of all other security. “Traditionally security people have been sort of tasked to say, ‘My job is to protect. My job is to prevent. I want to make sure that I build up the fences, I build up the locks,’” said Haiyan Song of Splunk, which offers an analytics-driven SIEM and advanced log analytics. “Even just three or four years ago, when you look at the investment, in prevention the investment was probably 4x of detection because that’s how people’s mindset is. I think in the last few years I definitely see a shift which I was very happy to see. You need balanced spending across all categories.”
If you spend the majority of your resources on prevention, you will be vulnerable in other areas: unable to respond when an attack occurs or incapable of detecting threats lurking in your network. And there are ways to do rigorous prevention without spending a lot of money. Much of what’s needed is common sense and good hygiene. For instance, being able to isolate or quarantine parts of your network is a great way to limit the effectiveness of an attack.
“Know your network,” said Barak. “You need to architect it in a segmented way that has your assets in places that are not pooled with your other things. That gives you the infrastructure to put the right controls in the right places. Otherwise, nothing is going to help you. You need to build your security the way folks used to build fortresses in old times. You start from the low level. As you go deeper inside, instead of higher and higher, you get to more segmented areas in the higher assets, more important assets.”
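As an added illustration of the segmented, fortress-style layout Barak describes (this is example code written for this article, not code from the article itself or from any of the companies quoted), the following Python script models network zones as concentric trust rings, from the internet on the outside to the crown jewels at the center, and checks three things a defender would want to know: whether any high-value asset is pooled in an outer zone with less important things, whether any permitted inbound flow skips a ring or bypasses a control point, and how far an intruder who lands in one zone can move laterally over uncontrolled flows. All asset names, zone names, ports and flows are constructed for the example, and the "blast radius" treats a flow through a control point as not freely traversable, which is a simplification.

```python
"""Segmentation policy check: an added example modelling the 'fortress' layout.
All assets, zones and flows below are constructed for illustration."""
from dataclasses import dataclass

# Trust rings, outermost first.  A lower index is closer to the internet.
RINGS = ["internet", "dmz", "corporate", "restricted", "crown_jewels"]


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # the innermost ring this asset belongs in (a RINGS entry)
    zone: str         # the segment the asset actually sits in (a RINGS entry)


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int
    via_control: bool = False  # passes an inspected/authenticated chokepoint


def ring_index(zone: str) -> int:
    """Position of a zone in the ring model; raises ValueError for unknown zones."""
    return RINGS.index(zone)


def check_placement(assets):
    """Flag assets sitting in a ring further out than their criticality requires,
    i.e. crown jewels pooled with ordinary corporate systems."""
    findings = []
    for a in assets:
        if ring_index(a.zone) < ring_index(a.criticality):
            findings.append(f"{a.name}: {a.criticality} asset placed in outer zone '{a.zone}'")
    return findings


def check_flows(flows):
    """Inbound flows (toward the center) may only step one ring at a time and
    must pass a control point; outbound flows are not checked here."""
    findings = []
    for f in flows:
        s, d = ring_index(f.src_zone), ring_index(f.dst_zone)
        if d > s:  # heading inward, toward the crown jewels
            if d - s > 1:
                findings.append(f"{f.src_zone}->{f.dst_zone}:{f.port} skips {d - s - 1} ring(s)")
            elif not f.via_control:
                findings.append(f"{f.src_zone}->{f.dst_zone}:{f.port} has no control point")
    return findings


def blast_radius(flows, compromised_zone):
    """Zones reachable from a compromised zone by following flows that have no
    control point (simplification: controlled flows are not free lateral movement)."""
    reachable = {compromised_zone}
    changed = True
    while changed:
        changed = False
        for f in flows:
            if not f.via_control and f.src_zone in reachable and f.dst_zone not in reachable:
                reachable.add(f.dst_zone)
                changed = True
    return reachable


# Constructed inventory: one crown-jewel database has been left in the corporate zone.
ASSETS = [
    Asset("web-frontend", "dmz", "dmz"),
    Asset("hr-fileshare", "corporate", "corporate"),
    Asset("customer-db", "crown_jewels", "corporate"),
    Asset("payment-gw", "crown_jewels", "crown_jewels"),
]

# Constructed flat network: internet reaches corporate directly, nothing inspects east-west traffic.
FLOWS_FLAT = [
    Flow("internet", "dmz", 443, via_control=True),
    Flow("internet", "corporate", 3389),
    Flow("dmz", "corporate", 1433),
    Flow("corporate", "crown_jewels", 5432),
]

# Constructed segmented network: every inward hop is one ring through a control point.
FLOWS_SEGMENTED = [
    Flow("internet", "dmz", 443, via_control=True),
    Flow("dmz", "corporate", 8443, via_control=True),
    Flow("corporate", "restricted", 5432, via_control=True),
    Flow("restricted", "crown_jewels", 5432, via_control=True),
    Flow("crown_jewels", "restricted", 514),  # outbound log shipping, allowed
]

if __name__ == "__main__":
    print("placement:", check_placement(ASSETS))
    print("flat network flows:", check_flows(FLOWS_FLAT))
    print("segmented network flows:", check_flows(FLOWS_SEGMENTED))
    print("blast radius from dmz (flat):", sorted(blast_radius(FLOWS_FLAT, "dmz")))
    print("blast radius from dmz (segmented):", sorted(blast_radius(FLOWS_SEGMENTED, "dmz")))
```

Run against the flat layout, the script reports the misplaced database, three policy violations (a remote-desktop flow that jumps from the internet past the DMZ, an uninspected DMZ-to-corporate database flow, and a corporate-to-crown-jewels flow that skips the restricted ring) and a blast radius from the DMZ that reaches the crown jewels; the segmented layout yields no violations and confines a DMZ compromise to the DMZ.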
When it comes to detection, investments in products that help to find problems as quickly and as early as possible should be the priority. Why? Well, when an attack does occur (and as I continue to emphasize, it will), time is your enemy. The longer you wait to respond, the greater the threat to your business. Your reputation or brand could be damaged, along with your infrastructure. You must be able to respond with urgency.
“If you detect a threat in ten hours versus in ten minutes, the cost of the breach can be so much higher,” said Song. “If it takes you ten weeks to clean them up versus ten hours, the risk that you’re going to endure during that time is so much higher. You need tools to help you automate your response and detection. Remediation is really about preparing. But you need a network of products that help you isolate, remediate, and speed up your ability to scope and make determinations when a threat arises.”
Create a nervous system for your cybersecurity
To achieve this level of responsiveness, companies should strategize by adopting products, policies, and procedures that create a nervous system for their security. What do I mean by this? Well, as I mentioned in my previous piece, a good analogy for security is the anatomy of the human body. But the one thing I realized was missing from that analogy was the idea of a central nervous system. Without it, the body breaks down and our health is compromised. Similarly, if you don’t have a central command center for your security, you’re putting your company at increased risk of infection. It’s like trying to land a plane at night without lights or anyone in the air traffic control tower.
“You need a security nervous system,” said Hooper. “The central nervous system is key to everything that happens inside the body. When it’s working well, the body is unbelievably healthy. When it’s working bad, regardless of how well the other components of the body are working, the body isn’t working. The same is true for your security. If you have a security operations center and if in that security operations center you have a perspective about how you want to do your business, then you can evaluate a behavioral analytic in terms of does it support your perspective or does it not.”
As I mentioned, isolation is key when it comes to response and recovery. Being able to control your system from a central point of command to isolate threats accelerates your ability to minimize the damage of attacks.
“When a threat occurs, you’re isolating as much as you can and the principle is to make things hard for the attacker. You want to contain them with your architecture, contain them by design,” said Barak. And this control center can help guide your product investments.
“You can’t really understand what you’re buying and why unless you have already a security operation center perspective,” added Barak. “Otherwise, you don’t know what’s going on. A lot of organizations neglect the concept of having a security operations center. A security operations center is the brain and the nerve system.”