I was browsing cybersecurity news recently, and a headline caught my eye. ZDNet.com published a story under the title, “The more cybersecurity tools an enterprise deploys, the less effective their defense is”, with a subtitle, “New research highlights how throwing money indiscriminately at security doesn’t guarantee results.” Since I’ve always taught the same and emphasized holistic cybersecurity solutions in the cybersecurity best practices workshops and courses I lead, I knew I had to read it.
- The average enterprise uses 45 different cybersecurity tools on their network.
- At the same time, an enterprise’s ability to contain an active threat has dropped by 13%.
- Of the 3,400 enterprises surveyed, 74% said when it comes to incident response plans, they have “…no plan, ad-hoc plans, or inconsistency…”
Clearly, the results can be interpreted in many ways. For example, did the ability to contain drop due to an increase in the maturity of the threats? Or maybe we have more complex environments? Regardless, there is real value in the report, and the information contained is worth considering. In my mind, the most important point is the overall message. Tools alone are not perfect cybersecurity solutions. Tools alone will not solve your cybersecurity challenges. Let’s talk about why.
What Do Successful Cybersecurity Solutions Require?
First, I have nothing against tools. Hardware, software, cloud-based – if I could spend the rest of my days setting up and configuring new network, project management, and productivity tools, I’d be happy. (Don’t ask me to do the maintenance phase – I enjoy the setup!)
We have so many great tools to choose from in the cybersecurity space right now, and I encourage you, if you have the budget, to carefully vet and choose those that will be most effective in your environment. However, I’ve worked with too many enterprises who believe that buying a tool (or many tools) is all it takes to build successful cybersecurity solutions. It’s not enough – you also need to invest in people, planning, and practice.
Let’s assume that you are looking for endpoint security. You’ve found the perfect tool; the vendor has helped you install it, and you are ready to go. You’re all set, right? Wrong. When the tool alerts on a potential threat, who is going to receive those alerts? Who is going to actually respond to the alerts? What schedule does that person need to be available on? Is this in addition to other duties, or is the new system their only duty? (Don’t answer that last one. I think I already know.) These are all factors you need to consider when designing successful cybersecurity solutions.
The most important part of any monitoring tool is the actual monitoring. If you don’t have people in place to watch those alerts, you may as well have no system at all. (Remember the Target breach?) We worked with a client several years ago who had a malware outbreak on their network infecting hundreds of computers. In the process of investigating and containing it, we discovered that they had an Intrusion Prevention System (IPS) on their network that no one knew about. The IPS had been happily alerting on every piece of malware that came in, but the email address the alerts were going to was no longer active because that person had been laid off. In the end, we found 17 types of malware on their network that they could have prevented had they had people in place to monitor the alerts.
People don’t just monitor the system. They also need to “tweak” it. The first few months, in particular, are critical as you learn to recognize what is a false positive, and what is meaningful alerting.
Planning and Policies
If a threat turns into an incident, do you have a plan for responding to it? Incident Response (IR) Plans don’t need to be complex. They need to be practical, understandable, and easy to find and follow in the event of an emergency.
At LMG Security, we often help organizations develop their IR plans, frequently as part of larger, holistic cybersecurity solutions. We step in to help organizations who are creating their first plan, and work with clients who already have plans to incorporate best practices. Your IR plan should be a living document that is revisited quarterly to ensure it is up to date with systems, contacts, and step-by-step action plans.
In my 25+ years in technology, the thing that I struggled with the most was documentation. I always had a plan for response, but it was in my brain. It wasn’t written down anywhere, and it wasn’t available to other members of the team. I find the same is true with our clients. If I ask them to tell me the order of priority for restoring critical systems on their network, or what type of data is stored on a specific server, they can tell me. When I ask them to show me where that is documented so that others know that, they cringe.
Documentation, policies, and planning are those things that always seem like they can wait while you handle day-to-day emergencies, until they can’t wait, and then it’s too late. In an industry where job tenure can be short, documented IR plans are a key part of strong cybersecurity solutions. Make time (or we can help you) to create an IR plan, policies around security, and document your infrastructure. Don’t forget to include non-IT personnel in your plan – C-level executives, legal counsel, communications, all have a role to play. You’ll need the plan someday, and you’ll be so glad you took the time. (Read more about cybersecurity BCDR planning.)
Once you have an IR plan, even if it’s only one page long, practice! You don’t want the first run-through of your new plan to be in the middle of an active incident. Take time to try it. At LMG Security, we love to run tabletop exercises, a round-table discussion where we create a scenario and walk you through your response based on your current plan. We’ll even throw in curve balls to give your team a chance to practice reacting to the unexpected.
The tabletop is an excellent place to discuss and update the plan to ensure it meets your needs. Often, something that made perfect sense on paper does not work in execution. You’ll also find situations or people that you didn’t consider when creating the document. Practice it, update it, and practice it again.
To sum it all up, all the tools in the world will not buy you sound cybersecurity if you don’t have the people, planning and policies, and practice that are integral in strong cybersecurity solutions.
Contact us if you need help with cybersecurity planning, testing, training, or policy development. We can help!