We all know that the growing threat landscape puts greater stress on already overworked security teams. After attending the recent Global CISO Event in New York City, it’s clear that building and maintaining a proactive security strategy is still as important as ever — even if that’s hard to accomplish.
Many teams may look to reduce risk and prevent security incidents with an incident response and detection program or solution, but the reactive nature of incident response cannot be considered a replacement for good security control practices. Instead, here are four tips for preventing — rather than reacting to — security incidents.
1. Understand what you are protecting
A successful and proactive security program starts with a clear understanding of what you’re protecting, based on solid testing and auditing. This way, if an incident occurs, your team won’t be making decisions based on assumptions. They will have a clear understanding of their environment and what matters most from the start, so they can accurately understand the severity of incidents and easily prioritize response actions. This includes how data flows in your production systems — internally and externally — to clients.
The importance of testing your assumptions can be seen through network maps, for example. Network maps can be incredibly useful tools during an incident and for incident detection planning — if they are accurate. Most network maps tend to represent what people think the network is like, instead of how it actually works. Through discovery and audit, most organizations would likely uncover that the way things are connected in their network actually differs from their original understanding.
2. Understand your third-party ecosystem
It’s estimated that 59% of organizations have experienced breaches caused by third parties. So, having a complete understanding of every partner, supplier, and contractor — along with everything they have access to — is imperative.
Once you know who has access to your network and what data and services they provide, you can ensure that there are clear guidelines and expectations on what happens in the case of an event. What are your third parties responsible for? What are you responsible for communicating or managing? Is there a Service Level Agreement (SLA) for them to notify you of an event? What events could disrupt your business based on this third party’s importance and tiering to your organization?
3. Understand your people and processes
All of this can only be accomplished with a team of security professionals to investigate, interpret, and respond to security incidents. However, their success depends on the team’s alignment around roles and responsibilities. So, when an incident occurs, everyone already knows their roles and can immediately do their part to remediate any risk without hesitation. Testing this alignment and communication on a regular basis can also reduce time to resolution.
Additionally, after an event, it’s important to understand everything about what happened as completely as possible. This requires your team to be able to connect all the dots — and therefore, all of the data sources — with confidence that you have access to all the information you need.
With dozens of security tools and other data sources in use across your organization, it’s not reasonable to expect that your security team would be able to log in to every solution while also trying to resolve a security incident. So, before anything ever happens, it’s important to build a single pane of glass to bring all the data together, supported by consistent, well-tested, and measurable process flows.
4. Test, test, and test again
Unfortunately, preventing a security incident isn’t as simple as waving a magic wand. This is an iterative, ongoing process to ensure that your organization has a single pane of glass view into everything — people, processes, and technology.
Just meeting minimum requirements isn’t enough. Testing your security controls and making continuous improvements and enhancements ensures that you’re staying up to date and are well prepared for anything that could come up in the future.
This is all easier said than done, of course. Tackling cybercrime and successfully navigating through the chaos to stop a breach in its tracks isn’t simple. That’s why security professionals across geographies and industries should consider sharing their learnings and best practices. This is especially true post-breach, so that everyone can benefit and more efficiently work toward their common goals.
Adapted from original post which appeared on Recorded Future’s Blog.
Gavin Reid is the Chief Information Security Officer at Recorded Future.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.