To start 2019 on the right foot, here are our top 5 cybersecurity New Year’s picks: things you can do right now to make a difference in your security posture:
- Ensure continuous visibility and monitoring of your cloud services, networks, systems, applications, databases, and user sessions.
Whether by your own SOC or by an MSSP, you need to be on top of all cyber activity within your enterprise, both for capturing events and for detecting anomalous activity. Draw out a block diagram of your cyber assets and mark it up with the tools you employ to observe and analyze each type of activity. Identify coverage gaps and plan to address them.
- Review your identity and entitlement management system coverages across cloud, on-prem, and mobile deployments, especially privileged account management.
Place special emphasis on entitlement grants and account activity monitoring and analysis. How are you implementing and managing least privilege, segregation of duties, zero trust, and risk-based authentication models? How are you riding herd on privileged account usage or misuse? What would your time-to-detect latency be for privileged account takeover or insider account subversion? How are your privilege grants segmented so that a single account compromise could not result in total enterprise pwnage?
- Perform network penetration tests, review / refine / test your network segmentation, ensure network oversight extends to the cloud and all virtual networks, and continuously monitor for traffic or data flow anomalies.
Enterprise networks are extensive, complex, and continually in flux—a ripe target-rich attack surface for cyber miscreants. The best network security architectures can readily become unglued or open an attack avenue with each network alteration or configuration change.
Be continually re-assessing your network protections and re-validating your network segmentation, both on-prem and in the cloud. It only takes one inadvertent configuration mistake to land your enterprise in the latest breach headline report. Attackers are probing your networks for weak points second by second; don’t cut them a break.
- Assume continuous compromise, by targeted attackers (criminal or state-sponsored) that deploy multiple means of persistence and re-entry, or by malicious insiders—never stop hunting.
If you aren’t seeing attack activity across your enterprise, you are unobservant; if you are seeing attack activity but trust you have not been compromised, you are naïve. Between paranoia and complacency, err on the former side—undetected attacker dwell times can stretch into months and years. Attackers could have and will have placed multiple re-entry hooks into compromised endpoints and network devices—scour everything. If your enterprise has been targeted by state-sponsored attack teams or by experienced cyber syndicates, compromise can be inevitable.
Don’t assume your enterprise is not in the crosshairs of a skilled attack organization—always be hunting.
- Adopt a Zero Trust security model, inventory and retire untrustworthy systems, devices, services, applications, or entitlement grants, and question and re-examine all security model assumptions and legacy risk assessments.
Adopt the Zero Trust security model – “Never trust, always verify.” Perimeter protections serve a purpose but are not sufficient; they will be subverted. Whether by external attackers who breach your perimeter or by malicious insiders already within it, there are no trusted cyber zones; everything is probabilistic. Authentication and authorization decisions must always be risk-based—if a privilege or access grant exceeds prudent risk tolerance levels, deny the request or strengthen the authentication. Retire any assets that do not measure up and cannot support Zero Trust.
Finally, even with full Zero Trust in place, always be analyzing authorized activity for anomaly indications and be ready to dynamically suspend or revoke access.
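As an added illustration of the risk-based grant decision and dynamic revocation described above (example code written for this page, not from the post or from Ziften), here is a small policy sketch in Python. The signal names, weights, thresholds and the 3x-baseline anomaly rule are constructed assumptions, not recommended values.

```python
from dataclasses import dataclass, field

# Constructed signals, weights and thresholds (assumptions, not product figures).
RISK_WEIGHTS = {
    "privileged_entitlement": 40,  # grant touches a privileged role
    "unmanaged_device": 25,        # device not enrolled or attested
    "new_geolocation": 20,         # first sighting of the user from here
    "off_hours": 10,               # outside the user's normal working window
    "mfa_passed": -30,             # stronger authentication lowers residual risk
}
STEP_UP_THRESHOLD = 40  # at or above: demand stronger authentication
DENY_THRESHOLD = 70     # at or above: refuse the grant outright

@dataclass
class AccessRequest:
    user: str
    resource: str
    signals: dict = field(default_factory=dict)  # signal name -> bool

def risk_score(req: AccessRequest) -> int:
    return sum(w for name, w in RISK_WEIGHTS.items() if req.signals.get(name))

def decide(req: AccessRequest) -> str:
    """Risk-based decision: ALLOW, STEP_UP (strengthen auth) or DENY."""
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "DENY"
    return "STEP_UP" if score >= STEP_UP_THRESHOLD else "ALLOW"

@dataclass
class Session:
    user: str
    baseline_per_minute: int  # learned normal operation rate for this user
    active: bool = True

def observe(session: Session, ops_in_last_minute: int) -> str:
    """Revoke dynamically when authorized activity drifts far from baseline."""
    if session.active and ops_in_last_minute > 3 * session.baseline_per_minute:
        session.active = False  # constructed rule: more than 3x baseline
    return "ACTIVE" if session.active else "REVOKED"

def run_demo() -> dict:
    req = AccessRequest("alice", "prod-db",
                        {"privileged_entitlement": True, "new_geolocation": True})
    first = decide(req)                  # 60 -> STEP_UP
    req.signals["mfa_passed"] = True     # user completes the step-up challenge
    second = decide(req)                 # 30 -> ALLOW
    session = Session("alice", baseline_per_minute=5)
    quiet, burst = observe(session, 4), observe(session, 40)
    return {"first": first, "second": second, "quiet": quiet, "burst": burst}
```

The same grant is first stepped up, then allowed once MFA lowers the score, and the resulting session is cut off the moment its activity leaves the learned baseline.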
And if you’d like to learn more about Ziften endpoint security, check us out at: https://ziften.com.