As the old security adage goes, “A well-managed network/system is a secure network/system,” and this notion of network and system management is a cybersecurity foundation. Pick any framework (e.g., the NIST Cybersecurity Framework), international standard (e.g., ISO 27000), best practice (e.g., the CIS 20 Critical Controls), or professional certification (e.g., CISSP), and much of the guidance presented will be about security hygiene and posture management.
Another time-honored colloquialism also comes to mind here: “An ounce of prevention is worth a pound of cure.” From a cybersecurity perspective, all frameworks, standards, and best practices suggest that security strategies start with some fundamentals like a complete inventory of all assets on the network, hardened configurations, least privilege accounts, system/data classification, rapid vulnerability discovery/remediation, and continuous monitoring. Get these right and you make it harder for cyber-adversaries to exploit your assets.
Cybersecurity hygiene and posture management are the equivalent of automotive maintenance recommendations like changing your oil and rotating your tires. Do these things to reduce the risk of more costly problems down the line.
Yup, every security professional knows about the importance of the basics, but security hygiene and posture management aren’t quite as straightforward as sound automotive maintenance because:
- Cyber-risk management continually increases. In a recent ESG survey, 84% of business, IT, and security managers said that cyber-risk is greater than it was two years ago due to a growing dependence on technology, an increasing attack surface, and a progressively dangerous threat landscape. So, there are more assets to maintain, many of which are business-critical. Meanwhile, bad guys are knocking at the door.
- Software vulnerabilities alone are vast and unrelenting. Alarmingly, 70% of IT and security professionals claim that the volume of software vulnerabilities can be overwhelming. This is because it takes lots of time and money to scan for vulnerabilities, understand which vulnerabilities are likely to be exploited, prioritize patches, work with IT operations on patch management, etc. Oh, and we are talking about thousands of software vulnerabilities across the enterprise at all times, so there is never any letup.
- Understanding security hygiene and posture is a manual slog. Nearly half (46%) of cybersecurity decision makers say that continually monitoring security hygiene and posture across the enterprise is their biggest cyber-risk management challenge. Why? Think of the parable of the blind men and the elephant, where each blind man touches the elephant in one place and uses this experience to form an opinion of what the elephant looks like. Each man comes away with a myopic view, and the only way to get a more comprehensive picture is by sharing all the individual data points. Unfortunately, the tools used for security hygiene and posture management are like the blind men: each looks discretely at one thing, such as assets, configurations, user privileges, software vulnerabilities, or security controls effectiveness. CISOs need a team of analysts and phat spreadsheets to get a complete picture of the security hygiene and posture management elephant. This too takes resources and is prone to errors.
- The SolarWinds hack introduces even more complexity. Before the SolarWinds hack, 47% of cybersecurity decision makers said that monitoring risks associated with IT vendors is their biggest cyber-risk management challenge. Based on many anecdotal conversations, this percentage must be a lot higher today. Because of SolarWinds, CISOs are reassessing their IT vendor and third-party risks and plan on more stringent requirements moving forward. This means more oversight that spans from purchasing, through testing, deployment, and ongoing operations.
Think about the quandary here. CISOs know that cybersecurity depends upon a foundation of strong security hygiene and posture management but increasing scale and complexity make the basics all but impossible. So, what do they do? Based on several recent interviews, leading CISOs:
- Take over attack surface management. Rather than rely on CMDBs and other types of asset management systems, security teams are adopting their own tools for attack surface discovery and management. Some tools focus on internal assets while others take an outside-in view looking for risks associated with servers, files, and user credentials on the public Internet. Furthermore, many attack surface management tools go beyond discovery – they find vulnerabilities and even suggest or automate remediation. Increasing interest in attack surface management prompted Palo Alto Networks to acquire Expanse and integrate it into Cortex for security operations.
- Focus on the crown jewels. Organizations with thousands of assets realize they cannot get to everything, so they tend to concentrate on business-critical assets. While this may be obvious, it is not easy, as it starts with the discovery and classification of assets. Security teams cannot do this alone, however. Rather, they need guidance from business owners who better understand which assets underpin critical business processes. Proactive CISOs are reaching out to line-of-business managers and performing continual assessments to create some type of asset taxonomy. Once this is completed, they prioritize security hygiene and posture management in business-critical assets by locking down access controls, segmenting networks, deploying security controls, and continuously monitoring for any changes.
- Invest in cloud security. Cloud computing introduced a pace and complexity hand grenade to security hygiene and posture management with new tools, agile development, and temporal workloads. ESG research indicates that organizations are addressing cloud computing security with massive new security investments in areas like cloud security posture management (CSPM). In other words, organizations are bridging this gap by spending cloud security budgets like drunken sailors.
- Increase testing. Regardless of security hygiene and posture management efforts, security professionals are never sure if they are protected or not. To alleviate these concerns, many organizations are increasing the frequency and scope of penetration testing and red teaming. This has led to the rise of continuous automated penetration and attack testing (CAPAT) tools from AttackIQ, CyCognito, Cymulate, Randori, SafeBreach, XM Cyber, and others. FireEye was so enthused that it purchased Verodin and made it part of its security operations strategy.
If I were a younger man, I would approach some top tier VC, raise money, and start a company focused on developing a cloud-native security hygiene and posture management system that could consolidate and analyze data, automate processes, and deliver a real-time CISO dashboard. Others like Kenna Security, ServiceNow, and Tenable Networks have similar ideas.
Meanwhile, there is no magic bullet here, so CISOs need to be a bit more diligent, proactive, and creative to have any chance of keeping up with security hygiene and posture management.