Little by little, and almost without realizing it, we have been accumulating technological tools to protect our assets, which are also technological; above all, to keep our privacy and our sensitive data safe and away from cyber-criminals who might take advantage of them or misuse them.
The issue goes beyond the false sense of security of believing that installing an anti-malware or antivirus product on a device makes it fully protected. «You are already vaccinated», people say with a look of relief, when it neither works like a real vaccine, nor do real vaccines guarantee total protection against a disease (this refers to a Spanish expression; I don’t know whether the same one exists in English).
Nor does having two different anti-malware products installed (sometimes even more) give much more protection than having just one.
It has been clearly shown that buying detection and protection technology is not synonymous with greater security; on the contrary, buying it and believing that we are secure exposes us more.
This is the subject of the IT Governance article (which you can access by clicking here), based on a study by VMware and Forbes which, although carried out in the UK, I’m afraid is repeated without major variations in each of our environments.
And the thing is, we’ve concentrated on tactics and forgotten about strategy. The former without the latter doesn’t get us very far and isn’t very profitable.
I will briefly explain this last statement.
In general terms, a strategy is the way in which a general objective will be achieved, taking care of all the aspects involved and generating general guidelines and metrics to be reviewed in the medium and long term.
Tactics, on the other hand, focus on specific aspects that must be resolved in the course of executing a strategy. They take into account not so much the long-term environment of the problem as the specific problem itself.
So, focusing only on tactics is like being lost in a forest with no more landmarks than the trees nearby, no map and no idea where you’re going. Sooner or later we’ll end up going around in circles.
Returning to the subject of this article, in practice we are reacting to the incidents presented to us, or to those we see more and more frequently in our environment, and we become compulsive buyers of solutions for this or that threat, for this or that vulnerability. The report notes that 74% of respondents plan to invest in new detection technologies even though a significant number of them already have 26 or more such tools!
No wonder the dark side is in the lead and rising. Even more so if we add the already well-known gap between the demand for information security professionals and their supply, which leads us to hire «converted» individuals from the dark side to be in charge of strategies when, by their nature, they are eminently tactical. I have addressed this topic in: Could Messi be a top goalkeeper?
How to get out of this problem then?
Obviously, by covering the space that we have been skipping and that can no longer be ignored: the Strategy.
This consists, first of all, of looking up from the equipment and the network and seeing, with a little more perspective, the technological and non-technological ecosystem in which the information we want to protect is immersed.
We can outline and simplify this ecosystem in three main areas:
- Internal. All those agents that only have contact with other internal or limit agents.
- Limit. Those agents that have contact with both internal and external agents.
- External. Those agents that can only interact with limit agents, whether or not they actually do so.
We can take as the general objective of our strategy preventing an external agent from using some limit agent to compromise some internal or limit agent.
The current problem is that, unlike a few decades ago, the «limit» is now practically everything. We only have to think about every element we use in our daily lives and how each of these devices already has contact with agents both outside and inside the business network. BYOD has greatly expanded what we used to call the edge, which is no longer an edge at all. It is, in my view, the center on which we should focus our strategy.
As I said above, the first thing our strategy must do is clearly define what we must protect, and these objectives, just because they are general, need not be any less precise. It is simply the equivalent of a company’s mission. If you think about a company’s cyber security, you only have to define the company’s Mission and Vision with respect to the business in which you apply it, and you already have a guideline as to where you should direct your security efforts.
And this is very important because perfect security does not exist, so we need clear and prioritized horizons on which to base the tactics we will use, which vary in nature according to the circumstances of the environment. But it is not just about waiting for an attack in order to react (by then it is too late, and it only leaves us the option of activating the emergency and recovery plans, if they exist), nor just about performing vulnerability assessments every 5 minutes and then mitigating some of them because business continuity doesn’t allow us to mitigate all of them, nor about filling up with tools like walls, crocodile pits or archers on top of the castle if they are all in the wrong place.
If we know what we must protect, we must focus on those assets and analyze behaviors.
YES, behaviors. We have to know what the normal state of things is in the three layers mentioned above, so that if we detect any abnormality we can use all our traditional security toys to increase or decrease our protection accordingly.
For example, we all usually have malicious emails that our antispam tool detects and controls according to thresholds that we leave fixed. But do we know where those emails come from?
If we can know this, a general increase in malicious mail would lead us to make security decisions one way, while an increase coming from a single source, a suspicious one with a reputation for attacks, would lead us to make other types of security decisions. In other words, our protection tactics would vary depending on the characteristics of the change over a baseline that we call «normal».
Although today we have advanced tools based precisely on this principle of behavioral analysis, for the internal network, for endpoint and edge devices, or for analysis of the big data present in the environment of what we want to protect, generally based on Artificial Intelligence (and I have been able to evaluate a couple of them with very good results), it is not necessary to have them to begin with. First, they are usually quite expensive, and second, if we don’t know what to analyze, these tools will be underused.
I recommend starting with an analysis at basic levels, helped by the reports that most traditional tools already provide and accompanied by our trusty Excel, to generate our own indicators of «normality» and to make comparisons over time in order to learn which variations are acceptable and which are not. Start with whatever you have at hand, whatever you know how to use best or are most critical of, but start now!
This will only cost you man-hours, but overall it is a smaller investment than a state-of-the-art tool that is underutilized. Little by little, along the way, the right tools will naturally emerge, and the investment will justify itself, with the added assurance that it will be fully exploited.
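As an added example (not code from the original article), here is the kind of baseline-and-compare the author describes, done in Python over a constructed antispam summary instead of a spreadsheet: it learns a «normal» daily volume of blocked mail and tells a diffuse rise apart from one concentrated in a single sender domain, which is exactly the distinction the text says should drive different tactics. The report rows, domain names and thresholds (3 standard deviations, 50% share) are all assumptions.

```python
"""Added example: a minimal behavioral baseline for blocked-mail volume,
built from constructed antispam report rows (day, sender_domain, blocked_count)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed data: four quiet days, then two different kinds of increase.
REPORT = [
    ("d01", "a.example", 40), ("d01", "b.example", 35), ("d01", "c.example", 30),
    ("d02", "a.example", 42), ("d02", "b.example", 33), ("d02", "c.example", 28),
    ("d03", "a.example", 38), ("d03", "b.example", 36), ("d03", "c.example", 31),
    ("d04", "a.example", 41), ("d04", "b.example", 34), ("d04", "c.example", 29),
    # d06: a concentrated spike, almost all of it from one new sender domain.
    ("d06", "a.example", 40), ("d06", "b.example", 34), ("d06", "bad.example", 220),
    # d07: a diffuse rise spread across the usual senders.
    ("d07", "a.example", 80), ("d07", "b.example", 70), ("d07", "c.example", 60),
]

def daily_totals(rows):
    """Sum blocked mail per day across all sender domains."""
    totals = defaultdict(int)
    for day, _, n in rows:
        totals[day] += n
    return dict(totals)

def baseline(totals, training_days):
    """Mean and population stdev of daily totals over the days we call normal."""
    values = [totals[d] for d in training_days]
    return mean(values), pstdev(values)

def assess_day(rows, day, mu, sigma, k=3.0, share=0.5):
    """Return ('normal', None) if the day's total is within mu + k*sigma;
    otherwise ('concentrated', top_domain) when one sender domain accounts for
    at least `share` of the blocked mail, else ('diffuse', None)."""
    per_sender = defaultdict(int)
    for d, sender, n in rows:
        if d == day:
            per_sender[sender] += n
    total = sum(per_sender.values())
    if total <= mu + k * sigma:
        return "normal", None
    top, top_n = max(per_sender.items(), key=lambda kv: kv[1])
    return ("concentrated", top) if top_n / total >= share else ("diffuse", None)

if __name__ == "__main__":
    totals = daily_totals(REPORT)
    mu, sigma = baseline(totals, ["d01", "d02", "d03", "d04"])
    for day in ("d04", "d06", "d07"):
        print(day, totals[day], assess_day(REPORT, day, mu, sigma))
```

The same loop run weekly over real report exports is enough to start learning which variations are acceptable before any advanced tool is bought.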
If we think holistically all the time, then when circumstances change the adaptation will be faster.
… And we will be able to get out of the forest!