Why Security Should Look Inward, Not Out
Data breaches make the headlines all the time, but targeted outside cyberattacks are actually very rare, and your efforts may be better served on other defense mechanisms.
It’s easy to get distracted by splashy headlines about breaches at corporations with household names. And of course state-sponsored, targeted cyberattacks are sexier than your average phishing scam. But just because a particular threat is newsworthy doesn’t mean it’s the right thing to spend your organization’s valuable resources protecting against.
The reasons for this may not be completely obvious, so let’s take a moment to understand why looking outward at newsworthy security attacks can actually hurt your company’s security posture. Then we’ll explain why an inward-facing approach is more effective.
The Reality of Newsworthy Security Breaches
What happens in your organization when a big security breach is announced?
Does it get bandied about on Slack or emailed to the whole company from the CEO with a message of warning? Do teams rush to purchase tools to protect against similar threats? If so, it may be time to pump the brakes.
The truth is, most of the zero-day attacks you hear about in the news have a very low likelihood of affecting your organization. The chances of a more routine threat like phishing, malware, or exploitation of a common vulnerability hitting your organization are far higher.
So today, I’d like to encourage you to take an inward-facing approach to security, rather than an outward one. One that enables you to understand what vulnerabilities and threats are most pertinent to your organization and how to continuously stay focused and on top of them. Following this approach, you’ll be able to stay on track, dedicating your team’s time and resources to the right priorities.
Your goal should always be to identify and prioritize risks across your environment and then tackle them in a methodical fashion — rather than going whichever way the winds of the news headlines are blowing. Here’s how to do that.
Determine Organizational Security Goals
A good first step is to have an honest conversation with your team: What does security mean to your organization?
For some companies, it might mean upholding certain security standards if you’re in a regulated industry, or if customers require it. For others, it’s protecting against common strains of malware. And for some, it’s conducting static analysis of every piece of code to support continuous release cycles.
To begin defining your organization’s unique security goals, you’ll want to pose the following questions:
- What industry are you in?
- What industry are your customers in?
- What compliance regulations are you (or your customers) beholden to?
- What types of attacks or threats have you seen in the past?
- What types of attacks or threats do others in your industry and of your size see frequently?
- What types of sensitive data do you possess?
Write these answers down in a worksheet, such as the one provided in our Cloud Security Playbook. Once you have a clear sense for what’s most important and applicable to your business, you can identify your top priorities, the ones you’ll uphold day in and day out (no matter what’s going on in the news). We recommend starting with no more than three to make implementing and managing them attainable.
This way, the next time a big attack hits the headlines, you can verify whether your team should patch a newly publicized vulnerability or buy a brand-new tool to respond to similar threats, or if you’re better off staying on the current track.
Audit Your Environment
Once you’ve defined what’s important to your organization from a security perspective, it’s time to prioritize what to focus on. In most cases, the best place to start is to look at what is going on inside your own environment. You can think of it like installing locks on doors and windows before you worry about the unlikely threat of an aerial attack. Often, we find that major vulnerabilities result from simple lapses — like an out-of-date security certificate or unpatched software.
If you’re working in the cloud, odds are you’re using AWS. So a good place to start with security is to make sure that your services are properly configured and to ensure that your organization and customers are meeting and upholding best practices.
The five most popular AWS services are a good place to start. Here’s an example of a security best practice to check for each:
- CloudTrail - Is it enabled in all regions?
- EC2 - Is EBS encryption enabled?
- IAM - Are access keys disabled for root?
- RDS - Are backups enabled?
- S3 - Does the Access Control List provide permissions to everyone?
Going over all these best practices might, at first, sound overwhelming. However, leveraging an app such as Threat Stack’s Audit feature will enable you to scan your entire infrastructure and automatically compare your security settings against AWS best practices and CIS benchmarks. This will help you ensure that the proper security settings are in place and enabled, while also giving you a baseline from which to measure future activity. You should also, of course, make sure you have multiple, redundant backups, and verify that they’re encrypted.
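To make the five checks listed above concrete, here is an added example (not from the original article and not Threat Stack's code) that evaluates them offline over trimmed AWS API responses. The snapshot layout, resource names, and finding texts are assumptions; the response fields follow the boto3 calls named in the comments.

```python
# Added example: offline evaluation of the five checks over constructed,
# trimmed AWS API responses (field names follow the boto3 calls noted below).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def audit(snapshot):
    """Return a sorted list of (service, finding) for every failed check."""
    findings = []
    # CloudTrail describe_trails: at least one trail must cover all regions.
    trails = snapshot["cloudtrail"]["trailList"]
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(("CloudTrail", "no multi-region trail"))
    # EC2 describe_volumes: every EBS volume should be encrypted.
    for vol in snapshot["ec2"]["Volumes"]:
        if not vol.get("Encrypted"):
            findings.append(("EC2", f"unencrypted volume {vol['VolumeId']}"))
    # IAM get_account_summary: AccountAccessKeysPresent is 1 if root has keys.
    if snapshot["iam"]["SummaryMap"].get("AccountAccessKeysPresent", 0):
        findings.append(("IAM", "root access key present"))
    # RDS describe_db_instances: BackupRetentionPeriod 0 means no backups.
    for db in snapshot["rds"]["DBInstances"]:
        if db.get("BackupRetentionPeriod", 0) == 0:
            findings.append(("RDS", f"backups disabled on {db['DBInstanceIdentifier']}"))
    # S3 get_bucket_acl (one response per bucket): grants to global groups.
    for bucket, acl in snapshot["s3"].items():
        for grant in acl["Grants"]:
            uri = grant["Grantee"].get("URI", "")
            if uri in PUBLIC_GROUPS:
                group = uri.rsplit("/", 1)[-1]
                findings.append(("S3", f"{bucket}: {grant['Permission']} granted to {group}"))
    return sorted(findings)

# Constructed sample snapshot (hypothetical names, not real account data).
SAMPLE = {
    "cloudtrail": {"trailList": [{"Name": "main", "IsMultiRegionTrail": False}]},
    "ec2": {"Volumes": [{"VolumeId": "vol-example1", "Encrypted": True},
                        {"VolumeId": "vol-example2", "Encrypted": False}]},
    "iam": {"SummaryMap": {"AccountAccessKeysPresent": 1}},
    "rds": {"DBInstances": [{"DBInstanceIdentifier": "orders-db",
                             "BackupRetentionPeriod": 7}]},
    "s3": {"public-assets": {"Grants": [{"Permission": "READ", "Grantee": {
        "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}},
}

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"[FAIL] {service}: {finding}")
```

The same function can be fed live responses collected with read-only credentials, which gives a repeatable baseline to compare against on later runs.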
Once you have defined your goals and audited your current environment, you can set a baseline of what is “normal” for your organization. With this baseline, you can monitor for anomalous activity across your entire cloud environment. You should be alerted whenever something suspicious does happen, especially when high-severity events like unauthorized logins or key file changes occur.
To achieve this, set up alert severity levels that match the importance of various threats to your organization. That way, when a high-severity event occurs that you need to defend against most, you’ll know to take immediate action.
This way, you can continuously and proactively uphold your security goals by looking inwards at what’s going on across your environment and prioritizing what needs to be done.
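The baseline and severity approach described above can be sketched as follows. This is an added example, not code from the original article; the event fields, the key-file list, and the three severity names are assumptions chosen for illustration.

```python
# Added example: learn a baseline of "normal" activity, then grade deviations.
# Event fields, file paths and severity names are assumptions.
KEY_FILES = {"/etc/passwd", "/etc/shadow", "/etc/ssh/sshd_config"}
ORDER = {"high": 0, "medium": 1, "low": 2}

def build_baseline(history):
    """Record the users, login sources and changed paths seen in normal operation."""
    logins = [e for e in history if e["type"] == "login"]
    return {
        "users": {e["user"] for e in logins},
        "logins": {(e["user"], e["src"]) for e in logins},
        "paths": {e["path"] for e in history if e["type"] == "file_change"},
    }

def severity(event, baseline):
    """Return 'high', 'medium', 'low', or None when the event matches the baseline."""
    if event["type"] == "login":
        if event["user"] not in baseline["users"]:
            return "high"    # account never seen before: treat as unauthorized
        if (event["user"], event["src"]) not in baseline["logins"]:
            return "medium"  # known account, unfamiliar source
        return None
    if event["type"] == "file_change":
        if event["path"] in KEY_FILES:
            return "high"    # key file changes always need immediate action
        return None if event["path"] in baseline["paths"] else "low"
    return "low"             # unrecognized event type: surface it for review

def triage(events, baseline):
    """Return (severity, event) alerts, most severe first, arrival order kept."""
    graded = [(severity(e, baseline), e) for e in events]
    return sorted([a for a in graded if a[0]], key=lambda a: ORDER[a[0]])

# Constructed sample data (documentation IP ranges, hypothetical users).
HISTORY = [
    {"type": "login", "user": "alice", "src": "10.0.0.5"},
    {"type": "login", "user": "deploy", "src": "10.0.0.9"},
    {"type": "file_change", "user": "deploy", "path": "/srv/app/release.txt"},
]
NEW_EVENTS = [
    {"type": "login", "user": "alice", "src": "10.0.0.5"},
    {"type": "login", "user": "alice", "src": "203.0.113.7"},
    {"type": "file_change", "user": "alice", "path": "/etc/ssh/sshd_config"},
    {"type": "login", "user": "mallory", "src": "198.51.100.4"},
    {"type": "file_change", "user": "deploy", "path": "/tmp/scratch"},
]

if __name__ == "__main__":
    for level, event in triage(NEW_EVENTS, build_baseline(HISTORY)):
        print(level.upper(), event)
```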
Once you have defined your security goals, audited your environment, and set up continuous monitoring, you should be confident that your team, tools, and processes are solidly focused on what they should be focused on to proactively give you the most impactful and valuable results. At this point, there’s little risk that headlines and other distractions will cause you to waste precious time, money, and resources.
Published at DZone with permission of Tim Armstrong, DZone MVB. See the original article here.