Organizations realize that effective security requires continuous effort. While many security practices in past decades focused on achieving compliance with best practices, laws and regulations, modern security programs focus on developing and maintaining an effective set of controls. Compliance initiatives remain important, and IT leaders understand that project-based security initiatives are useful to implement new controls and upgrade existing ones. But they also must dedicate continuous attention to the monitoring and maintenance of security programs.
This security philosophy recognizes that there is no silver bullet for eradicating all threats. Organizations cannot simply purchase a security appliance, install it on their network and assume that it will keep them safe. Instead, security leaders must build and maintain a defense posture that increases their visibility into enterprise security and facilitates a rapid response when a potential breach is detected. Organizations that take the time to develop strong breach-response policies and processes will limit the ability of attackers to successfully breach their defenses, and ultimately gain access to the organization’s most prized information assets. Developing these capabilities helps keep an organization safe and allows IT leaders to have complete confidence that they are doing everything possible to fulfill their enterprise security responsibilities.
Organizations preparing to respond when a breach occurs should cover two main categories of breach preparation. The first category entails creating a strong level of situational awareness, ensuring that the organization has the information it needs to identify and respond to potential security breaches. The second category of preparation includes activities designed to reduce the attack surface, making it less likely that an attacker can successfully penetrate the organization’s defenses.
Situational awareness is one of the most difficult challenges facing enterprise security teams. Security tools, infrastructure components, servers and applications all generate massive amounts of data on a daily basis, and IT teams face a major challenge in combing through this information to discover the proverbial needle in the haystack that may indicate a potential security breach. The challenge is even greater as organizations attempt to conduct this monitoring on a near real-time basis, which enables them to proactively respond to a potential breach rather than discovering it only after it occurs.
Fortunately, the technology available for those seeking to gain visibility into the security state of their IT infrastructure has improved significantly in recent years. Manufacturers such as FireEye, Splunk and Lancope produce security tools that automate monitoring tasks and alert security teams to anomalous activity that may indicate a breach. Of course, these tools are only useful when supported by a team of experts that can monitor their output, assess alerts and initiate containment activities when they believe a breach is under way.
Organizations seeking to increase their situational awareness shouldn’t overlook some of the traditional security tools that they’ve had in place for years. Content filtering and anti-malware solutions, in particular, are effective sources of information about potential breaches. Combined, social engineering and malware were responsible for more data breaches than any other cause in the 2016 Verizon Data Breach Investigations Report. Content filters and malware solutions can provide early warnings of these compromises, notifying security officials when an end user clicks on a suspected phishing link or an endpoint reports unusual system activity. Intervening at the first sign of malicious activity can contain the spread of a breach and prevent damage to the organization.
Organizations should also do everything in their power to lock the doors and close the windows to their IT infrastructures, leaving attackers unable to gain a foothold from which to wage an attack. Technologists have several tools at their disposal that allow them to secure networks against attack.
Vulnerability testing tools provide security analysts with an attacker’s view of their IT infrastructure. These tools scan servers and network devices for potential vulnerabilities and provide reports of insecure configuration settings, missing security patches and other deficiencies that, left uncorrected, might provide attackers with an entry point onto the network. Combined with strong patch management capabilities, vulnerability scanning can significantly strengthen an organization’s security posture.
Network segmentation is an established method for safeguarding critical information assets. Organizations may use firewalls, virtual local area networks and other network controls to separate their most sensitive systems from other network resources. When a breach occurs, segmentation protects the enterprise by denying attackers access to the organization’s most sensitive information, even after they successfully penetrate the network perimeter.
Finally, organizations may reduce their attack surface by auditing the level of access provided to users and administrators. Enforcing the principle of “least privilege” restricts users’ access to the minimum set of permissions necessary to perform their jobs. This is an especially effective control in the event that a user’s account becomes compromised, limiting the damage that an attacker with stolen credentials can cause an organization.
Read the free white paper, "Breach Containment: Minimize the Impact of an Attack," to learn more about how your organization should respond during and after an attack.