In my past life as CISO, I’ve worked for small companies, state governments, and large enterprises, and one thing that has been true at all of them is that there is an infinite number of security initiatives in each organization you could implement, yet the resources to accomplish those tasks are finite. To be an effective CISO, I had to learn to appropriate the resources under my control toward the solutions that confront the greatest risk to the most valuable parts of the business. I also had to learn how to extend my own resource pool by persuading every individual at the company that they had a role to play in protecting the organization. In short, I learned to aggressively prioritize resources, quantify risk, and influence others.
In this blog, I’ll share the methods I’ve used to prioritize where and how I spend my resources. There really are just four priorities to achieve the largest security improvements:
- Identify what is under your control.
- Formulate a security strategy.
- Implement good cybersecurity hygiene.
- Disrupt the cyber kill chain.
Identify the business you are charged with protecting
Before you can begin to allocate your resources, you first need to identify what is under your control. What are the capital and operating budgets available for security, and who are the people responsible for security? You may manage security professionals both inside and outside the company, and you need to know who they are and their strengths and weaknesses. When it comes time to assign people and budgets to your priorities, this knowledge will prove crucial.
You must also know the business. Get clear about which products, services, and lines of business are the biggest drivers of the organization’s success. Once you understand what drives the business and the resources you control, you will need to formulate a strategy.
Formulate a security strategy
Understanding the most critical business drivers will help you formulate a security strategy, which I’ve written about in more detail in a previous post. When you have your security strategy, you’re ready to establish a strong cybersecurity hygiene.
Implement good cybersecurity hygiene
One example of how I’ve prioritized security initiatives as a CISO comes from my time at the State of Colorado. When I first stepped into the CISO role in Colorado state government, I needed to modernize their security approach and address vulnerabilities across the enterprise with a very limited budget. I wanted to show results quickly, so I chose to focus on the small things that could be implemented easily and would drive the greatest reduction in risk.
This approach—often referred to as cybersecurity hygiene—concentrates on hardening systems by leveraging secure configurations, putting in place processes and tools to ensure data, devices, and the network are protected against vulnerabilities, and maintaining the patch levels of critical systems
Before you move on to more complex initiatives, be sure you’ve walked through each of the following steps:
Inventory your network: The first step is to identify every inch of your network, because you can’t protect what you can’t see. You must know what type of equipment is on your network and whether it is part of internal networks, hosted on the internet, or part of a cloud platform. Once you know what you have, you need to maintain a continuously updated inventory of the hardware and software that’s authorized to be on your network.
Scan and patch: When you’ve identified all the devices and applications on your network, you should scan them from a central point on a regular basis and patch and deactivate them—remotely—as necessary. For larger organizations, the scale of this operation is the challenge, especially with limited maintenance windows, a proliferation of web apps and devices, and architectural complexities. Flexible and scalable security scanning services are therefore becoming increasingly necessary.
Continuously look for vulnerabilities: The frequency and complexity of attacks continue to increase, so it is no longer an option to scan your network on a semi-regular basis. You should try to constantly monitor for threats, and quickly address them within your network.
To help you with this process, you can read more details on cybersecurity hygiene. You should also leverage the cloud as it helps you to quickly modernize and sunset legacy and vulnerable systems, provides more automation, and allows you to inherit and extend your security team by gaining from the expertise of the cloud security provider.
Once your systems are hardened and you have a process and tools to continuously monitor your network, you should next focus on interrupting the most common methods hackers use to enter your network, what we refer to as the cyber kill chain.
Understand and disrupt the cyber kill chain
The kill chain is a workflow that cybercriminals deploy to infiltrate a company. Attackers of all sizes have had great success with this approach, so it is worth understanding and then implementing solutions to circumvent it.
External recon: Most hackers begin their attack by gathering intelligence on your company. They collect data on employees, executives, technologies, and supply chain to increase the odds of a successful attack.
Solution: Enable Multi-Factor Authentication to require that users sign in with two forms of verification, reducing the likelihood that they’ll be compromised.
Compromised machine: At this stage, the attacker targets a carefully selected employee with a phishing campaign. This campaign is designed to trick the user into executing an attachment or visiting a site that will install a backdoor on the employee’s computer, giving them the ability to control the computer.
Solution: Implement Office 365 Advanced Threat Protection to protect against malicious files.
Internal recon: Once an attacker has compromised a machine, they’ll begin to gather intelligence that is newly available, such as credentials stored locally on the machine. They’ll also map internal networks and systems. This new information will allow them to plan their next move.
Solution: Use Windows 10’s security features designed to both stop the initial infection and, if infected, prevent further lateral movement.
Domain dominance: The attacker will try to elevate their access within the network to gain access to a privileged account and your company data.
Solution: Use Microsoft Advanced Threat Analytics to provide a robust set of capabilities to detect this stage of an attack.
Data consolidation and exfiltration: If an attacker gains access to your data, the final step would be to package it up and move it out of the organization without detection, in a process called “data consolidation and exfiltration.” Paying close attention to the first phases of an attack will hopefully prevent an attacker from getting this far.
Focus on what matters most to the business
Even the largest enterprise is faced with tough choices when allocating security resources. If you are smart about how you appropriate them, you can make choices that have the greatest chance of protecting your organization. It starts with understanding your current state, both your resources and the most critical business drivers, formulating a solid strategy, implementing good cybersecurity maintenance, and finally, disrupting the cybersecurity kill chain.
In the coming weeks, I will share lessons I’ve learned to evaluate risks quantitatively. And following this, I will talk about how I’ve learned to influence others to take their role in protecting the organization very seriously.
To read more blogs from the series, visit the CISO series page.