
back to the basics

Having been in the information security space for a long time, I am constantly disappointed by how far off the rails our industry has gone. Large organizations are consistently being breached by less-than-sophisticated means. I’m talking to you, Equifax, Deloitte, et al.

Part of the problem is a lack of appetite in the C-suites to invest in proper security programs. Part of the problem is believing investment in any security product equals security. And part of the problem is our industry selling junk that does little to secure environments.

How many times is the marketing department going to sell “artificial-intelligence-driven advanced threat detection” or “big-data analytics with machine-learning, cloud-based zero-day prevention”? And no marketing campaign would be complete without as many buzzwords as possible, and of course ample pictures of “hackers”:

1337 h4x0R!

</sarcasm>

Don’t get me wrong; I have worked (and currently work) with some awesome people in the industry, and there is a lot of great work being done. But frankly, much of what is being sold is garbage. Pentesters who can ninja their way around Metasploit but can’t configure a VLAN are unfortunately more common than blue teamers who can architect, configure, and operate a full stack. Being on the blue team (the defenders) isn’t as sexy as being the “1337 h4x0R” who throws exploits at an unpatched box or socially engineers the receptionist, but I’d contend that blue team is harder, and frankly it’s where we should be focusing more of our attention as an industry.

OK, I’m going to end my rant and suggest some basic measures that nearly any org can take to make themselves more secure than the rest. In fact, based on my experience, I’d contend that if your org does these simple things with laser focus and commitment, you will be more secure than 90% of your peers. Most orgs are not doing these basic things. Trust me, I’ve seen it time and time and time again, and in some of the largest organizations.

  1. IAM - Regain control of your user access management and enable two-factor authentication everywhere you can. Yes, everywhere: VPN, email, admin consoles, cloud accounts.
  2. Patching - Do this every month at a minimum; every couple of weeks and you’ll be rockin’ it.
  3. Endpoint - Deploy a good endpoint solution to all of your endpoints and monitor it regularly (or have it monitored for you). Cylance, Carbon Black, CrowdStrike, whatever. Pick one and implement it on all of your endpoints; an agent on 80% of the fleet leaves the other 20% as the way in.
  4. BDR - Implement a good backup and disaster recovery process, and test it periodically. A backup you have never restored from is a hope, not a backup.
  5. NetSec - Implement restrictive network ACLs on your edges: default-deny, then allow only the specific sources, destinations and ports the business actually needs.
  6. Encryption - Encrypt all the things: disks, laptops, backups, and every connection that crosses a network you don’t own.

These are some basic data breach prevention measures that most organizations fail to execute with focus. Do these, and you’ll be ahead of the game. However, don’t mistake these recommendations for an ideal end-state for your security posture; they’re not. These are the basics.
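Item 5, restrictive edge ACLs, is the one I see half-done most often: the allow rules exist, but the chain’s default policy is still accept, so anything not explicitly named gets through anyway. Here is an added example of what “restrictive” looks like in practice. It is mine, not code from the original post: an nftables ruleset for a single Internet-facing Linux host with a default-drop input chain. The interface name eth0, the admin networks, and the exposed ports are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny edge ruleset for one Internet-facing host.
# Interface name, admin networks and ports below are assumptions.

flush ruleset

table inet edge {
    # Source networks allowed to reach SSH (assumed values).
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24, 203.0.113.0/24 }
    }

    chain input {
        # The weak setting most hosts ship with is "policy accept";
        # the whole point of item 5 is to flip it to drop.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to traffic this host started.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Enough ICMP for path-MTU discovery and diagnostics, rate-limited.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        # IPv6 needs neighbor discovery or the host falls off the network.
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Public service: HTTPS from anywhere. Admin service: SSH from admin networks only.
        iifname "eth0" tcp dport 443 ct state new accept
        iifname "eth0" ip saddr @admin_nets tcp dport 22 ct state new accept

        # Everything else falls through to the drop policy; log a sample of it
        # so the blue team can see what is knocking.
        limit rate 5/minute log prefix "edge-drop: "
    }

    chain forward {
        # This host is not a router; nothing transits it.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is left open here. Tighten it once you know what the host
        # legitimately talks to (updates, DNS, logging), then flip this to drop too.
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with `nft -c -f edge.nft` before loading it with `nft -f edge.nft`, and confirm the result from outside with a port scan before and after. The test of whether an edge is actually restrictive is simple: a new port opened on the box should be unreachable until somebody adds a rule for it. If it is reachable by default, the ACL is decoration.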

I am currently experimenting with building and testing a different approach to information defense - a more comprehensive and active set of defense methods. Stay tuned to my blog for developments with this.