With the hectic first-quarter travel schedule wrapping up, I had some spare time to think about advocating a fresh approach to security for the spring. I know it’s not the beginning of the year, but if your schedule is anything like mine, this may be the first time you’ve had a minute to spare since the calendar moved to 2012. With everything in the threat landscape changing so frequently, it’s important to reassess your current status and plan for the coming year whenever we can come up for air. So, I came up with the following nine tips to help you get a fresh start this spring:
1. Ask, “What new threats and risks do I have this year that I didn’t last year?” Maybe they’re coming from the cloud, from mobile devices (and BYOD in general), or from social networks. Have you opened up offices in other countries (especially high-risk countries)? You definitely have to consider new types and strains of malware, too. All of these risks call for significant change, which may mean updating your three-year strategy if you want to continue to be nimble and agile.
2. Follow the money. Are you spending on effective security? I know some CSOs who are still pumping 80 percent of their security spend into antiquated technologies. Clean house on legacy applications like IDS and AV by moving to lower-cost solutions that provide the same level of protection. Use the savings to invest in highly effective, context-aware, real-time content security. And make sure that your personnel resources are also allocated correctly; systems that require high maintenance can sometimes be replaced with new technologies that require less management.
3. Assess your risk and determine what the bad guys are going after. Over the last year, the bad guys have changed their methods. Many are shifting their targets from PII to going after IP, board conversations, customer lists, etc. Make sure you protect the right stuff.
4. Compare your internal awareness campaign with the latest issues and highest risks. For most organizations, targeted spear-phishing is a real issue and a high risk that you need to do something about. You may think spear-phishing is old news, but this is far from the truth. Spear-phishing techniques are increasingly being used as the initial wave in more sophisticated malware attacks designed to steal confidential data. The recent RSA breach, for example, has been widely attributed to spear-phishing as the original infection point. Are your company's employees aware of the danger, how to spot it, and how to avoid it? Have you tested them to see how many people click on that link? You need to be confident they can stop attacks, and most security guys I meet don't feel confident about it today. The only strategy I am confident in is a two-fold approach using awareness combined with sandboxing technology. I recommend using PhishMe for awareness while also showing you the risk of someone clicking, then combining that with the only email SaaS solution that stops spear-phishing using a unique combo of Websense intelligence and sandboxing of any URL we have never seen before or think is shady in any way.
5. Clean your Active Directory accounts. Are they up to date? Do they reflect current employees and appropriate access? Make sure you aren’t leaving doors open to cybercriminals by not cleaning these regularly.
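A starting point for that cleanup, as an added example rather than anything from the original post: a PowerShell report of enabled accounts that look stale, never logged on, or have non-expiring or very old passwords, with privileged-group membership flagged so those get reviewed first. It assumes the RSAT ActiveDirectory module, a 90-day inactivity threshold, and the default Domain Admins / Enterprise Admins group names; adjust all three to your environment.

```powershell
# Added example (not from the original post): report enabled AD user accounts
# that look stale so they can be reviewed before being disabled or removed.
# Assumptions: RSAT ActiveDirectory module installed, 90-day inactivity threshold.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$PwdCutoff    = (Get-Date).AddYears(-1)

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute, so it
# is only accurate to within roughly 14 days: fine for cleanup, not for forensics.
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated, MemberOf

$Report = foreach ($u in $Users) {
    $findings = @()

    if (-not $u.LastLogonDate -and $u.whenCreated -lt $Cutoff) {
        $findings += 'NeverLoggedOn'             # created long ago, never used
    } elseif ($u.LastLogonDate -and $u.LastLogonDate -lt $Cutoff) {
        $findings += "NoLogon>$($InactiveDays)d"  # dormant account
    }
    if ($u.PasswordNeverExpires)                              { $findings += 'PasswordNeverExpires' }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $PwdCutoff) { $findings += 'PasswordOlderThan1y' }

    # A stale account that also sits in a privileged group is the first thing to fix.
    if ($findings.Count -gt 0 -and ($u.MemberOf -match 'CN=(Domain|Enterprise) Admins,')) {
        $findings += 'PrivilegedGroup'
    }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Findings        = ($findings -join ';')
        }
    }
}

# Write the review list out for the account owners and show it on screen.
$Report | Sort-Object LastLogonDate | Export-Csv -NoTypeInformation -Path .\stale-ad-accounts.csv
$Report | Sort-Object LastLogonDate | Format-Table -AutoSize
```

Review the CSV with the business owners before disabling anything; service accounts often show no interactive logon yet are still in use.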
6. Time to review the logs! How much data do you have from all the security logs, IDS, firewall, DLP, web gateways, WAFs, etc.? Spend some time analyzing that data to better understand how the bad guys are trying to get to you and where you might be vulnerable.
7. While you’re at it, make sure that you are being efficient with those logs, and that your staff is reviewing and monitoring them on an ongoing basis. Consider breaking logs into priority-based tiers. Separate mission-critical apps and the systems/processes that handle your riskiest attack surfaces as your top tier (and make sure they receive the most attention). If you are already managing logs by prioritized levels, consider re-leveling log destinations based on the updated landscape. Some things may have become more critical or vulnerable and others, less so. You’ve also got to make sure that you have the right logs; since your last buying cycle, lots of new systems may have come online.
8. Review your incident response plan. This is especially important around a data leakage/theft event. Schedule and execute a simulation. This should include the legal team, PR, the CFO, and all of IT. Create a response team with defined responsibilities and processes; otherwise once it happens (and it will) all fingers will be pointed at you.
9. Outline your accomplishments. Doing so will serve as your internal marketing program, and will get your team recognition. In the past, I’ve spoken and written about ways you can do this—feel free to apply them.
Anything else you are doing to get ready for the rest of the year? Feel free to post a comment sharing your next priorities.