Reframing your approach to IT security decisions in 2022
By Sean Gill, vCIO
The IT Security landscape has shifted over the past couple of years. In an article from MIT Technology Review, it is reported that in 2021, more zero-day vulnerabilities were released than in the past 10 years. This number nearly doubled the number in 2020. In addition to zero-day vulnerabilities, malicious actors are constantly trying to gain access to user email, compromise passwords, and cause havoc with ransomware. While these threats have been rising in recent years, many companies still think that IT security breaches are a problem that only hits those unlucky few. Unfortunately, the unlucky “few” are becoming the unlucky “many”. We would like to help you avoid becoming one of them.
Modernizing how we think about security
With businesses across industries more at risk, business owners and decision-makers are now finding themselves more involved in the nuances of IT security decisions in ways that they didn’t used to be. If this is true for your business, you’ll know that one of the frustrating challenges for many business owners and decision-makers is figuring out how to keep up with security and associated IT jargon, especially when your core focus is, appropriately, on running the business and servicing your clients.
As the nature of threats and risks to businesses continues to change, how we think about security should as well. In this article, we will give you a simple framework that aims to help you conceptualize IT security and serve as an outline for making decisions.
IT Security Framework: Prevention, Detection, Response
There are three key pillars to a thorough IT security framework: Prevention, Detection, and Response. Keeping these in mind when assessing IT security strategy can help ensure that in the budgeting and planning process, your organization doesn’t overload on one area and neglect another.
Traditionally, this category is where IT security spending primarily occurred. These solutions were the first (and often primary) line of security against threats. It is still an important focus, but no longer to the exclusion of the others.
Think of your business like a house. This would be like ensuring your locks work and installing a strong gate. These tools are there to prevent a break-in.
Technologies and practices that fall under this pillar of “Prevention” include:
- Firewalls – Perimeter security that blocks access to internal networks
- Antivirus – Software that recognizes and stops malware and viruses before they take hold and spread
- Password Policies– The practices of changing passwords frequently to prevent lost or stolen passwords from being used to access corporate resources
All these are examples of Prevention security and are still valid and necessary today. But now, in addition to these, it’s important to consider additional ways of preventing malicious actors from getting in and gaining a foothold.
Multi-Factor Authentication (MFA) and leveraging Artificial Intelligence (via Endpoint Detection and Response or EDR) are among the new technologies to improve the stack.
Multi-Factor Authentication is a technology that is sprouting up everywhere, and for good reason. As the name suggests, MFA requires a user to authenticate themselves more than once when trying to access system resources. In contrast to simply providing a password (which could be compromised) and gaining access, MFA asks a user for more verification in the form of something they know, something they have, and, in some cases, something they are.
This usually takes the form of some combination of a traditional username and password (something known) and a digital token or code sent to a user’s mobile phone (something they have), and additionally, with most mobile phones incorporating some form of biometrics such as a fingerprint reader or facial recognition, (something they are).
If your business requires users to utilize MFA for access to network resources, hackers can be thwarted from accessing systems even if they come to possess a user’s password. Even if the compromised password is used, the true user would be prompted to authenticate with MFA on their phone or through other methods. If this occurs when the user themself wasn’t trying to log in, it is an indication that someone else is trying to connect. MFA allows them to stop the attempt before it goes any further. This tool has given businesses of all sizes an additional layer of prevention capabilities in today’s landscape.
Likewise, the use of Artificial Intelligence via Endpoint Detection and Response (EDR) has revolutionized traditional antivirus software. Traditionally, antivirus solutions were binary and merely reported on whether malware was or was not present – usually based on a set of definitions or some light heuristics. EDR moves beyond that. Instead of simply preventing known malware and viruses, in an EDR system, the antivirus feeds into and informs a more sophisticated detection and response platform. The use of Endpoint Detection and Response is gaining popularity. In fact, we are beginning to see Insurance companies require an EDR solution in order to purchase a Cybersecurity policy.
While everyone hopes that the Prevention stack in place for their company is sufficient to keep out all the bad guys, in recent years, this has proven to not always be the case. Even with a good prevention stack, bad actors are still finding creative new ways in. Because of this, the Detection Pillar of the security framework may arguably be the next most important (hence why Cybersecurity Insurance Providers are hedging their bets and requiring a technology with these capabilities, like EDR).
It has become a common strategy of bad actors, to “linger” in a compromised system for weeks or months before implementing further harm – exfiltration of data, ransomware, or account takeovers. A traditional antivirus solution, once no longer reporting a system as malicious, wouldn‘t detect that a system may still be compromised. If the bad actor left traces, this would not be easy to find or hunt down without a detection tool, like EDR.
EDR keeps track of everything that has happened-from how a bad actor got in, to which systems or files were accessed, to newly spawned processes. This log of events is referred to as the “kill chain.” The kill chain provides an in-depth understanding of exactly which processes ran or files were touched. This ability to detect and understand all activities, in turn, allows for more certainty when remediating any exploit. From this information, it’s possible to determine if a threat has or has not been fully cleansed and shows exactly what systems should be reviewed for compromise.
Let’s go back to the analogy of your business as a home. Advanced detection tools like EDR are like installing an alarm system with security cameras. You can detect suspicious activity early, be alerted to it, and if there is a break-in, have clear records of what occurred.
Having the appropriate response to any given event is essential – this applies to all areas of life, including our IT Security Framework. This pillar includes the tools and resources you would employ should a breach occur. This can be small (a plan for cleaning out all traces of a malicious actor) to large (hiring a forensics team, communicating to clients, and filing an insurance claim).
An effective Response Pillar includes creating playbooks for how to respond in different scenarios. Does your Security team or IT Steering Committee need to meet? Are there any reporting requirements for clients? Does a Cybersecurity insurance claim need to be opened? Do Business Continuity or Disaster Recovery plans need to be implemented? These reactions can, and should, be thought about before they are needed. Table-top exercises with the Executive Team can be a great way to brainstorm about various scenarios and how the organization should act if they were to arise.
To continue the home security analogy, our locks and gate (Antivirus and MFA) attempted to Prevent the break-in. But when that didn’t deter the invader, our alarm Detected that something was wrong, and the security camera (EDR) recorded everything that occurred. After reviewing the footage (EDR data) and assessing what happened (was anything taken, was anyone hurt, is the intruder still there?), we can take appropriate action.
Was the alarm triggered by suspicious activity (antivirus quarantined a malicious file) and no actual break-in occurred? Or was the incident serious (a Zero-Day exploit that allowed bad actors inside the network) and do we need to call for help?
We can see how all the previous pillars of the security framework support our abilities in the response pillar. Particularly the detection tools like EDR data, without which, it becomes very difficult to analyze risk. This could lead to the organization taking actions disproportionate to what is needed – either by overreacting and spending unnecessary time and resources or by underreacting and opening themselves up to more risk.
We all know that protecting our companies’ infrastructure is critical to the success of the business. With the security landscape shifting, the foundational requirements for securing your business have as well. If your business is part of an industry with inherently high security compliance demands (like legal or medical businesses), it’s likely you’ve already been implementing some of these additional tools. On the other hand, if you’re part of an industry with less stringent security compliance regulations, your business may have historically viewed advanced security tools as “nice to have” but not necessary. Unfortunately, the reality of the world today makes that mindset a luxury that businesses across industries can no longer afford.
The best place to start is by evaluating your current solutions with these three pillars in mind. With a better understanding of this framework, how does your security stack up? Has your organization implemented modern prevention tools such as MFA? Do you have an EDR solution in place to bolster your prevention and detection abilities? Have you mapped out a response plan? If not, the first step is discussing your security with your IT expert!
ABOUT THE AUTHOR
Sean has been shaping the IT strategies of businesses across a wide range of industries and sizes for over 10 years. As a vCIO at CIO Solutions, he works with business leaders every day to create a clear IT vision, mature technology solutions, and ultimately, enhance business productivity and security through technology.
He and the rest of the Strategic Client Services team at CIO Solutions are constantly evaluating important trends in the industry and advising clients on best practices and long-term IT strategies for success.
Are you a current client of CIO Solutions? Contact your vCIO or Client Success Manager to continue the conversation around your IT security!
Not a client yet, but curious about maturing your IT solutions? Let’s talk!