
Security needs to shift to resilience, says consultant

Resilience means accepting that defences will be broken and preparing to reduce the impact on the business, says security expert Martin Stemplinger

Information security needs to shift focus from protection to resilience, according to Martin Stemplinger, senior security consultant at BT Germany.

“Resilience means accepting that defences will be broken and preparing to reduce the impact on the business,” he told the (ISC)2 Security Congress Europe, Middle East and Africa (EMEA) 2015 in Munich.

But resilience is not about technology, he said. It is a continuous process that requires information security professionals to understand the real business risks and to adapt the security architecture accordingly, which means doing some things differently.

“The first step is defining the risks by identifying the organisation’s crown jewels and what would be the most devastating kinds of attack on them,” said Stemplinger.

“Start there and then expand both in scope and depth, reviewing regularly to align with business continuity.”

At the very least, he said, this approach is helpful in explaining to managers and auditors what systems have been prioritised and why.

To improve resilience, Stemplinger said the focus has to be on reducing the impact of a breach, which at the most basic level requires proper segmentation of networks.

“Segmentation is fairly common in datacentres, but that is not the case when it comes to office networks, despite being essential to contain attacks,” he said.

Another key principle is to adopt a “zero trust” approach, which means that no device on the network should be trusted and everything should be logged and monitored.

As important as building a response capability, Stemplinger said, is anticipating attacks by improving situational awareness.

“Ensure you know which attacks are effective against your environment, conduct regular vulnerability assessments, improve patch management to fix known vulnerabilities faster and continually check system configurations against security policies,” he said.

Automate to maximise analysis

Stemplinger said threat intelligence feeds are useful to help information security professionals keep their knowledge current and give insight into what threats are on the horizon.

“This allows you to adapt your defences, which is why it is also useful to exchange threat information with your peers,” he said.

However, Stemplinger said that, to save time and improve efficiency, as much of this as possible should be automated by using things such as automatic feeds to security information and event management (SIEM) systems.

“Once you have done all that, you need to be able to spot attacks by collecting and processing as much security information as you can,” he said.

Stemplinger recommended organisations analyse their security data to define a baseline of “normal” and build capabilities to do this automatically and highlight any anomalies.

“Automate as much as possible, so that analysts only need to spend time looking at things that need human analysis,” he said.

Resilience also requires a proactive approach, and for this Stemplinger recommended that information security professionals run regular “experiments” to spot malicious activity.

“Start with a question. Ask yourself what log entries would you need to see to identify a likely attack on your organisation, then automate the collection and analysis of that data,” he said.
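The workflow in the last three paragraphs (define a baseline of “normal” from the data you collect, flag anomalies automatically, and run a question-driven “experiment” for a specific attack pattern) as an added example, not from the article or from BT: a Python script over constructed sshd-style log lines. The log format, the three-standard-deviation threshold and the “ten failures within five minutes followed by a success” rule are assumptions made for illustration.

```python
"""Baseline-and-anomaly detection plus one hypothesis-driven hunt over
constructed sshd-style log lines. Added example; the format and thresholds
are assumptions, not anything from the article or BT."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like line: "<ISO timestamp> sshd[pid]: Failed|Accepted password for [invalid user ]<user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def make_sample_log():
    """Constructed sample data (not real logs): seven quiet days of the usual
    mistyped passwords from office hosts, then a day on which 203.0.113.7
    fails 20 times against 'admin' within a minute and finally gets in."""
    lines = []
    start = datetime(2015, 10, 12, 9, 0, 0)
    quiet = [2, 3, 1, 4, 2, 3, 2]  # failed logins on each baseline day
    for day, n in enumerate(quiet):
        for i in range(n):
            ts = start + timedelta(days=day, minutes=15 * i)
            lines.append(f"{ts.isoformat()} sshd[1001]: Failed password for alice from 10.0.1.{20 + i} port 51000")
        ts = start + timedelta(days=day, hours=1)
        lines.append(f"{ts.isoformat()} sshd[1002]: Accepted password for alice from 10.0.1.20 port 51010")
    attack = start + timedelta(days=7, hours=2)
    for i in range(20):
        ts = attack + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} sshd[2001]: Failed password for admin from 203.0.113.7 port {40000 + i}")
    ts = attack + timedelta(seconds=61)
    lines.append(f"{ts.isoformat()} sshd[2002]: Accepted password for admin from 203.0.113.7 port 40020")
    lines.append("2015-10-19T11:05:00 cron[77]: (root) CMD (run-parts /etc/cron.hourly)")  # unrelated noise
    return lines


def parse(line):
    """Return a dict for auth events, None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def failures_per_day(events):
    return Counter(e["ts"].date() for e in events if e["result"] == "Failed")


def build_baseline(history):
    """'Normal' = mean and population stdev of daily failed-login counts."""
    counts = list(failures_per_day(history).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomalous_days(events, mean, stdev, k=3.0):
    """Days whose failure count exceeds mean + k*stdev (k=3 is an assumption)."""
    return sorted(d for d, n in failures_per_day(events).items() if n > mean + k * stdev)


def brute_force_then_success(events, min_failures=10, window=timedelta(minutes=5)):
    """The 'experiment': which log entries would show a password-guessing
    attack that worked? A burst of failures from one source followed by an
    Accepted from the same source. Returns (src, user, ts) per suspicious success."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["result"] != "Accepted":
                continue
            recent = sum(1 for p in evs[:i]
                         if p["result"] == "Failed" and e["ts"] - p["ts"] <= window)
            if recent >= min_failures:
                hits.append((src, e["user"], e["ts"]))
    return hits


def run(lines=None):
    """Baseline on every day before the most recent one, then score the whole set."""
    lines = make_sample_log() if lines is None else lines
    events = [e for e in map(parse, lines) if e]
    last_day = max(e["ts"].date() for e in events)
    mean, stdev = build_baseline([e for e in events if e["ts"].date() < last_day])
    return {"events": len(events), "baseline": (mean, stdev),
            "anomalous_days": anomalous_days(events, mean, stdev),
            "brute_force": brute_force_then_success(events)}


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

The two detections answer different questions: the statistical baseline only says that 19 October looked unlike the previous week, while the hypothesis-driven rule says what happened and from where, which is the kind of output an analyst can act on. In production the baseline would be per host or per user rather than global, and the window and threshold would be tuned against the organisation's own logs.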

At the same time, information security professionals should work to strengthen their ability to contain attacks by assessing how fast they would see an attack, what they would do in the event of an attack, how they would isolate an attack, and how quickly they could clean affected systems.

The next important element of a resilience strategy, he said, is to define an incident response process that includes all relevant parties, both inside and outside the organisation such as suppliers.

“Define responses at a business level so that it is clear to everyone who is responsible for shutting down particular systems and under what circumstances they should do so,” he said.

Finally, Stemplinger said continuous improvement is mandatory when it comes to increasing the resilience of an organisation.

“Test your incident response processes continually and conduct 'lessons-learned' sessions after each test or security incident. Build the results into your security architecture,” he said.

Stemplinger said that, while protection remains a fundamental part of information security, organisations need to move beyond that to build their capacity to detect attacks and respond.

“Increasing an organisation’s ability to detect and respond not only increases security, but also makes the business more agile and executives less anxious,” he said.
