Sometimes I get into discussions pertaining to the usage of the latest technologies to thwart data breaches. In many cases, the debate quickly steers into suppliers, capabilities and features. I try my best to get my point across: cyber security starts with processes at the hygiene level, and once these are implemented to a satisfactory level, more advanced processes can be added.
It seems dangerous to me that cyber security processes are so undervalued in the portfolio of security programmes. Instead, companies put various technologies in place, in some cases implementing them without a thought for how they will be managed, monitored and integrated into the rest of their processes.
By this rather lengthy introduction, I want to say unified threat management (UTM), or any other technology for that matter, is no good without well-executed processes. As I alluded to in my previous Computer Weekly Security Think Tank contribution, start with the critical controls implemented as processes – supported by trained people, good configuration and managed technologies. It is only then that we stand a realistic chance to protect against data breaches.
I would like to follow with a piece of advice to any security, IT and business executives: start small but focus on implementing Center for Internet Security (CIS) process controls 1 to 6. Many data breaches would be avoided if companies followed this advice.
Yet, I recognise it is not as simple as 1 to 6. Controls 1 and 2 mandate a well-executed asset management process resulting in an accurate configuration management database (CMDB) and change management processes. That is no small feat. In fact, I have yet to see an organisation where asset management works as a mature process.
Vladimir Jirasek, Jirasek Security
Controls 3 and 5 call for patch, vulnerability and hardening management. These are even harder processes to master. Appearances are misleading in vulnerability management: successful data breaches have exploited older, less critical vulnerabilities rather than the newest and most severe ones.
Control 4 is almost a non-starter for many organisations that take the simple route of giving every user admin privileges on their laptops and PCs. It is not helped by the default setup in Windows and MacOS, and we know what happens to defaults – they stick.
Finally, Control 6 requires actively looking for incidents in logs. In heterogeneous networks, log sources are many and varied, which makes effective monitoring non-trivial.
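To make the "many and varied log sources" point concrete, here is an added example (not code from the article or its author) of the kind of normalisation that Control 6 monitoring relies on. It parses two constructed sample formats, an sshd syslog line and a Windows-style logon event export using the real event IDs 4624 (success) and 4625 (failure), maps both into one event shape, and then counts failed logons per user and source address across sources. The field layouts of the sample lines, the function names and the threshold are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from any real system): a Linux sshd
# syslog source and a Windows logon-event export with a key=value layout.
SAMPLE_LOGS = [
    "Mar 10 09:14:01 srv1 sshd[2211]: Failed password for alice from 10.0.0.5 port 51234 ssh2",
    "2024-03-10T09:14:03Z host=WS-07 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D",
    "Mar 10 09:14:05 srv1 sshd[2213]: Failed password for alice from 10.0.0.5 port 51240 ssh2",
    "2024-03-10T09:14:06Z host=WS-07 EventID=4624 TargetUserName=bob IpAddress=10.0.0.9",
    "Mar 10 09:14:09 srv2 sshd[3301]: Accepted password for carol from 10.0.0.7 port 44000 ssh2",
    "2024-03-10T09:14:11Z host=WS-07 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D",
]

# Assumed line layouts for the two sources.
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")


def normalise(line):
    """Map one raw line from either source to a common event dict, or None if
    the line is not a logon event we understand."""
    m = SSHD_RE.search(line)
    if m:
        outcome, user, src = m.groups()
        return {"source": "sshd", "user": user, "src_ip": src,
                "outcome": "failure" if outcome == "Failed" else "success"}
    m = WIN_RE.search(line)
    if m:
        event_id, user, src = m.groups()
        if event_id not in ("4624", "4625"):  # only logon success/failure
            return None
        return {"source": "windows", "user": user, "src_ip": src,
                "outcome": "failure" if event_id == "4625" else "success"}
    return None


def failed_logins_by_user_and_source(lines):
    """Count failed logons keyed by (user, src_ip), broken down by source."""
    counts = defaultdict(Counter)
    for line in lines:
        ev = normalise(line)
        if ev and ev["outcome"] == "failure":
            counts[(ev["user"], ev["src_ip"])][ev["source"]] += 1
    return counts


def flag_cross_source_failures(lines, threshold=3):
    """Return (user, src_ip, per_source_counts) for pairs whose failures summed
    across all sources reach the threshold. The point: each source on its own
    may stay under a per-source threshold while the combined picture does not."""
    flagged = []
    for (user, src_ip), per_source in failed_logins_by_user_and_source(lines).items():
        if sum(per_source.values()) >= threshold:
            flagged.append((user, src_ip, dict(per_source)))
    return flagged


if __name__ == "__main__":
    for user, src_ip, per_source in flag_cross_source_failures(SAMPLE_LOGS):
        print(f"{user} from {src_ip}: {per_source}")
```

In the sample data, alice from 10.0.0.5 fails twice in sshd and twice in Windows; neither source alone reaches the threshold of three, but the normalised view does. That is the practical reason heterogeneous sources have to be brought into one shape before anyone can "actively look" for incidents in them.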
Do you need 1 or 6 different technologies? My diplomatic answer is: it depends. However, please do not start with this question in the first place. Lead with processes, desired outcomes, people and resources, and add technologies at the end of that decision.