verb (used with object), optimized, optimizing.
1. to make as effective, perfect, or useful as possible.
2. to make the best of.
Breaches continue, attacks are on the rise, and people responsible for security wake up in a cold sweat a few times a year worried they’re the next victims.
While ‘fixing’ security in totality is a topic that will likely remain at the center of debate for many years to come, it doesn’t necessarily mean that steps can’t be taken to optimize and improve security. Here are seven tips to optimize security.
1. Start with why
Unless you’re running a security business, chances are security is just a function to support the business. Therefore, it is crucial to understand what the business is, what actually makes the money, and therefore what needs to be protected.
Professionals understand what security is, how security is done, but do they really understand why?
A CIO at a drinks company was once asked what his job was; his response was, “My job is to help the company sell more beer.”
Think about what your security function is doing and whether it’s helping your company sell more beer. A useful resource in this regard is a TED talk by Simon Sinek.
2. Simplify
Complexity is probably the single biggest contributor to security breaches. Given enough time, spreadsheets evolve into Frankenstein-esque systems running the core of a trading floor. Mergers and acquisitions bring together disparate systems, and security initiatives purchase layer upon layer of security products in the hope it will solve the problem.
Simplifying systems is not an easy task – and neither is it one that the security team can do in isolation from the organization.
But simplifying the security estate is a good starting point. Simply having more tools isn’t the answer, and more data is useless without the ability to make sense of it.
3. Manage alerts
As attacks increase from both external and internal sources, prevention alone is not enough, so threat detection controls need to be put in place. But even in medium-sized enterprises, the number of alerts being generated across multiple systems can quickly become overwhelming.
The first step in managing alerts usually comes in the form of a Security Information and Event Management (SIEM) or similar correlation tool that can pull all the alerts into one platform. Correlation rules, combined with knowledge of the environment such as assets and existing vulnerabilities, can then turn the raw stream of alerts into relevant information.
Threat intelligence can also play a big part in managing alerts, by ensuring you are kept abreast with the latest threats that are relevant to your organization.
Honeytokens can also help reduce noise in the environment. When implemented correctly, alerts generated by honeytokens are of high quality and can pinpoint malicious activity.
Good system architecture can also help in managing and reducing alerts. For example, designing simple communication flows between components can help identify where traffic is behaving in a non-standard way – such as lateral movement by hackers within your system.
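As an added illustration (not code from the original article) of the correlation approach described above: a small Python correlator that enriches alerts with asset criticality and known open vulnerabilities, promotes honeytoken hits, and collapses repeated failed logins into a single alert. The asset names, honeytokens, vulnerability IDs and sample alert lines are all constructed for this example.

```python
from collections import defaultdict

# Constructed environment knowledge (vulnerability IDs are placeholders, not real CVEs).
ASSETS = {
    "db01": {"crit": "high", "vulns": {"VULN-PLACEHOLDER-1"}},
    "web01": {"crit": "medium", "vulns": set()},
}
# Constructed honeytokens: names no legitimate user or process should ever touch.
HONEYTOKENS = {"svc_backup_legacy", "payroll_2019_final.xlsx"}
FAILED_LOGIN_THRESHOLD = 5  # raise one alert per source/host once this is reached

def parse(line):
    """Parse a constructed 'key=value key=value' alert line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def correlate(lines):
    """Enrich and de-noise raw alerts; return them sorted by priority (highest first)."""
    failed = defaultdict(int)
    out = []
    for e in (parse(l) for l in lines):
        score, reasons = 1, []
        asset = ASSETS.get(e.get("host"), {"crit": "unknown", "vulns": set()})
        if e.get("type") == "auth_fail":
            key = (e.get("src"), e.get("host"))
            failed[key] += 1
            if failed[key] != FAILED_LOGIN_THRESHOLD:
                continue  # below threshold: noise; above it: already alerted once
            score += 5
            reasons.append(f"{FAILED_LOGIN_THRESHOLD} failed logins from {key[0]}")
        if asset["crit"] == "high":
            score += 3
            reasons.append("critical asset")
        if e.get("sig") in asset["vulns"]:
            score += 4
            reasons.append("signature matches a known open vulnerability")
        if HONEYTOKENS & {e.get("user"), e.get("file")}:
            score += 10
            reasons.append("honeytoken touched")
        out.append({"score": score, "reasons": reasons, "event": e})
    return sorted(out, key=lambda a: a["score"], reverse=True)

# Constructed sample alerts in the order a SIEM might receive them.
SAMPLE = [
    "type=ids sig=VULN-PLACEHOLDER-1 host=db01 src=10.0.5.9",
    "type=ids sig=VULN-PLACEHOLDER-1 host=web01 src=10.0.5.9",
    "type=file_read file=payroll_2019_final.xlsx host=web01 user=bob",
] + ["type=auth_fail user=alice host=web01 src=10.0.7.3"] * 6 + [
    "type=auth_fail user=alice host=web01 src=10.0.7.4",
]
```

Running `correlate(SAMPLE)` turns ten raw events into four prioritized alerts, with the honeytoken read at the top and the six failed logins from one source reduced to a single entry.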
4. Leverage the community
Having limited resources doesn’t necessarily mean resigning yourself to making do. There is a plethora of resources available that can help you.
For example, not having a training budget doesn’t mean your staff can’t get trained. YouTube videos and blogs exist that can be accessed for free (or nearly free) on a variety of topics. Alternatively, attending conferences and events can help increase your teams’ knowledge.
Many publicly available standards and best practice documents also exist – saving you the time and effort needed to create them yourself.
Finally, a wide array of open source tools are available that can be tailored to meet your organization’s specific needs.
5. Start marketing
User education and gaining stakeholder support are common challenges that many security departments face. One of the reasons for this is that security departments often try to either sell security, or scare people into compliance.
However, marketing is another way. By marketing security, the intended message can be delivered to the intended audience in a far more impactful way that creates behavioral change over time. Changing behaviors is the key to improving the efficiency of security within an organization. The better buy-in users and stakeholders have, the less likely they will oppose security initiatives, fall victim to scams, or undertake behavior that undermines security.
A useful resource in this regard is an RSA talk delivered by Thom Langford.
6. Reduce the impact
When it comes to security, optimizing day-to-day operations is only part of the battle. The real challenges arrive when an incident occurs.
Seatbelts, airbags and crumple zones in vehicles don’t stop an accident, but can reduce the impact and increase the chances of passenger survival.
Similarly, security teams can put in place controls and measures to reduce the impact of a breach. For example, architecting systems in a segmented manner can minimize the amount of data a would-be attacker can abuse.
Anonymizing sensitive data where it is not critical, like for reporting purposes or marketing materials, is a good practice.
Similarly, critical components should be designed with tolerance in place, so that they can be rebuilt frequently. For example, a web server that has had access to considerable data over a long period of time may require modification.
Up-front planning can make it easier to recover following a compromise. Laying out a communication plan with employees, partners, shareholders, and customers prior to an event can help prevent mistakes from occurring in the heat of an incident.
7. Test
Once all security systems, technologies, and processes have been put in place, it is vital that they are tested in order to gain assurance they are working as designed. Penetration testing, or red-team exercises, are common practice amongst large enterprises.
In addition to these, smaller tests can be undertaken to check the effectiveness of controls, often in-house and at very low cost. Copying large amounts of data onto removable media, connecting from non-corporate devices, or incorrectly guessing login details can be easy ways to test whether security is operating as intended.
OWASP has a testing project that has some solid principles that can be applied.