The cybersecurity industry has seen a lot of recent trends. For example, the proliferation of multifactor authentication (MFA) to fight against credential harvesting is a common thread. Threat actors have been creating legitimate-looking phishing campaigns, which have been a big driver for this trend. Although some of the tools for MFA can be complex, proper authentication/authorization is an absolute fundamental that every enterprise should embrace.
Where should we start with fundamentals?
People, Process & Technology
Let’s have a little more strategic look at this, though. To provide a holistic approach to security, a higher-level perspective is necessary. Your Process must be sound. Yes, that means policy-level guidance. Yes, that means that standards need to be in place. Finally, it means that procedures to provide more detailed guidance must be available for employees.
Again, perspective is essential. Nobody wants to work on the process first. Indeed, I was guilty of having a negative view of process early in my career. Let’s take the first example and reveal how the process might assist. An enterprise policy statement might provide simple guidance that access to all company resources requires management approval (as a policy).
How does an enterprise define who needs access to specific resources? Glad you asked. Standards can be used to and determine data classification and controls for accessing and protecting the various categories of data. An access control standard would also be appropriate to complement the data categories. So far, we have policy-level guidance, data classification, and access control standards which guide the controls necessary to control access to company resources.
Where does the requirement for MFA live? That is a good question; my thoughts are likely in the standards area. However, requiring MFA could be a policy, standard, or process/procedure level requirement. The next reasonable question is: where do the requirements for implementing an MFA belong? In an authentic consultant manner, I would say: It depends. Take that with the lighthearted intention I meant it with. Implementing MFA may be a process/procedure used by IT. Why did I say, “maybe?”
The reality is that there may be automation that handles this. It is possible that HR defines each employee’s role, and based on that, an HR system provides that through API to the systems used to provide authentication/authorization. Doesn’t that sound pleasantly streamlined?
More likely, things are not that automated. If they are, then kudos to your enterprise. There are likely multiple processes and procedures required before even setting this up, but I think most of the folks reading this will understand where I’m trying to go with this.
HR will have processes and procedures around defining roles and requesting implementation. IT will have processes and procedures focused on implementing the solution. The information security team will have processes and procedures for monitoring authentication/authorization mechanisms. This is just to state that Process is as important as the tool or technology chosen to meet the need. None of these documents state which tool or Technology to use. That is the point. If you have policy guidance and standards that define the need and processes to guide implementing MFA, then the Technology should be interchangeable. So, the first fundamental which should be a foundation is sound process.
I spoke about various teams here (IT and HR). That is another fundamental: People. People need to understand the requirements. People need to understand their role, and people need to be part of the solution.
Finally, the last high-level fundamental is Technology. But I said Technology could be interchanged. Yes, in many cases it can but it is one of the three primary fundamentals required to manage and secure an enterprise. Are their differences in the technical solutions used for MFA? Certainly, there are and what Technology is used very much depends on your environment and the resources that will be accessed using MFA.
OK, Cybersecurity 101 so far: People, Process & Technology. The title uses fundamentals in battling complex cybersecurity threats. Right you are! The introduction shows that People, Process and Technology are critical to managing and securing your environment (Technology and facilities). Now let’s look at another group of 3 fundamentals: Prepare, Respond & Recover.
3 more fundamentals: Prepare, Respond & Recover
Prepare – How do you prepare for cyber threats? Based on the intro, it would be evident that having the correct people, process and technologies in place would be good preparation. Gold star for you if you were already thinking that. Let’s take a closer look.
Ransomware as an example
How do you prepare for Ransomware? Let me answer that question with several other questions: Do you have an incident response plan (Process [Policy])? Do you have a playbook (Process [procedure]) that provides your IT or Security group guidance for identifying, containing, eradicating, responding, and recovering from a ransomware attack?
Do you have an endpoint detection and response (EDR) solution (Technology) that can help prevent or minimize the spread of malware? Do you have a standard for collecting inventory and vulnerability information on your network resources or a tool like a vulnerability scanning platform to collect that information? Does the standard guide the prioritization of remediation of those vulnerabilities?
Do you have a security information and event management (SIEM) solution that ingests this type of information and assists with identifying possible indicators of compromise? Do you have the People necessary to remediate the problems? So many questions. Preparing for complex attacks can be hard.
But aren’t we still talking about fundamentals? Yes, Preparing includes understanding the environment which means the inventory of assets and vulnerabilities. Preparing includes good cyber hygiene and remediation of problems when they are found. Training is an essential aspect of preparation. Support people need the correct knowledge and skills. End users must understand the importance of reporting anomalies and to whom to report them.
Respond - What happens when you have prepared, and Ransomware still impacts you? It is time to respond. Proper response requires an even more detailed understanding of the issue. It requires research using tools like a SIEM and containing the problem by isolating with EDR tools or network controls. The response includes communicating to leadership that a problem exists. Response may require that you inform employees on proper guidance for sharing information. Response can also mean that you reach out to a partner or third-party expert to assist with investigating the problem.
Depending on the severity of the issue, response may include your leadership notifying customers that there is an issue. How well we prepare can greatly impact how well we respond. Ransomware is often complex and frequently an attack by a sophisticated threat actor. Even if an organization doesn’t have the qualified People part of the three fundamentals, they can still successfully respond to these attacks by having the right Technology in place and processes that include engaging partners with the right skills.
Recover – What does recovery look like? First, let me ask: Do you have any disaster recovery (DR) or business continuity plan (BCP)? Have you tested it? Ransomware is a type of cyber incident and certainly a type of disaster. Does that mean you can use disaster recovery procedures to recover from a ransomware attack?
The procedures may be different, but your DR processes can be leveraged to recover from a ransomware attack. Of course, the exact processes may be a little different. Still, fundamentals like recovering systems from backup and using alternative processes for system outages may be necessary during a ransomware attack. Just like with any type of disaster, recovery should be the highest priority. How do you know if you can successfully recover from any type of disaster?
Closing / recommendations
It would be easy to write a book on this stuff, and I’m sure others have done exactly that. I have talked about fundamentals like People, Process and Technology as well as Preparing, Responding and Recovering. The question you may have is: what is the short list of things we need to ensure we have or are doing?
- Have a plan! (Prepare) – Have a formal DR Plan. Have a formal Incident Response Plan. Have supporting processes like playbooks that provide specific guidance to maintain calm rather than letting chaos rule.
- Test the plan! (Prepare) – Practice like you are under attack. Perform a tabletop exercise. Engage a partner to conduct a Red Team exercise. You want to test the Processes, People, and Technology to make sure they are all sound.
- Build or buy! Have processes, technologies, and people needed to respond! (Respond) – If you don’t have the expertise in-house, find a trusted firm that can step in and assist. Implement tools (SIEM, EDR & scanning) or outsource if necessary.
- Recover – Just having backups isn’t good enough anymore. Data needs to be backed up to prevent altering (immutable). Make sure that all of the identified problem areas have been remediated. The last thing an organization wants is to restore operations only to find that the problem is still resident. Use a scanning tool to verify that common vulnerabilities are fixed.
These are all basic fundamentals. Every organization needs to evaluate their environment to see where the gaps are. Using a framework like NIST, CIS or other industry standards to assess your environment is a great place to start. These assessments can reveal gaps in People, Process or Technology. Once you have the gaps identified, create a plan to address those areas.