Get a 360° Overview of Your IT Estate with Context, Visibility and Control

October 2019
The cyber threat landscape is constantly evolving, making it a round-the-clock challenge to secure your organisation. The challenge is made harder by a tendency to be distracted by threats rather than focusing on business risk. At Secrutiny we help our clients be more secure by focusing first on business risk, prioritising this over the industry noise of “threats”. Business risk is unique to every organisation, and can only be pragmatically assessed through understanding context, visibility and control.


Why Context, Visibility and Control?

Many tools are externally focused, identifying and preventing threats both known and new, but these tools won’t help you combat an insider threat: a malicious insider who is already in your domain and whose account is trusted by your applications. It is only with all three of the security pillars that you can be sure of a strong defence. To address both your external and internal security, you need context, visibility and control.


Context

Threats make for powerful headlines and help to generate revenue for technology vendors, but out of context they are meaningless. Security alerts without context quickly lead to false positives, as well as to missed Indicators of Compromise (IOC) and Indicators of Attack (IOA). Context also provides vital insight that automated security tools often lack.

For example, if Julie in HR suddenly creates a policy on the CFO’s laptop, many controls would accept this – she is an employee, after all. But a defined policy of what is permissible and what is not provides the context for stopping this activity immediately.

A more pragmatic approach is to look at cyber security in the context of business risk, whereby devices, teams, departments and processes can be realistically assessed to establish not only their likelihood of being exploited but, crucially, what the impact on the business would be.

We recommend asking the following context-setting questions:

• Which areas of your business are most at risk of exploitation?

• What’s making them so susceptible to risk?

• What impact could these risks have on the ability of your business to operate?

• What steps do you need to take based on what you know?

• What can you prove?

Answering these questions gives you the context to act on actual risk, not gut reaction. You also gain visibility, because you know where and how risks will materialise. And once you have visibility, you can improve control.

Visibility

Visibility means having sight across the whole IT ecosystem. Why does this matter? Imagine malware that carries a second payload inside the first. Your anti-virus catches the outer layer and reports that it is blocked, but the infected machine is now communicating widely across the network, looking for other vulnerable machines or attempting to create an administrator account. Anti-virus alone has no visibility of this; your network telemetry can tell you, and so can your Active Directory logs. Put the three pieces of information together and you have a clear forensic path to a high-fidelity threat, one you can resolve immediately.

Moving from ‘Essential’ to ‘Good Repeatable’ security requires consistent visibility, and to that end we mandate that our clients build and maintain a System of Record (SoR): essentially an aggregation of logs from across the IT estate, including servers, endpoints, network devices and the security controls deployed across the business.

The SoR therefore forms a datastore that forwards the relevant data points for onward processing by the SIEM and SOC. It can be interrogated to establish hygiene and security posture; to identify indicators of compromise and hosts of interest; and ultimately to investigate forensically, and respond, in the event of a breach.
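The anti-virus / network / Active Directory scenario above, and the idea of asking questions of the SoR, as an added worked example (this is not Secrutiny’s tooling or code from the original page). The event schema, host names, detection strings, timestamps, the port list and the 15-minute window are all assumptions constructed for the illustration; a real SoR would populate the same shape from the AV console, NetFlow and the AD security log through their own parsers.

```python
"""Cross-source correlation over a small System of Record (SoR).

Added example, not Secrutiny's own tooling. The event schema, host names,
detection strings and timestamps are all constructed for illustration;
real AV, NetFlow and Active Directory sources need their own parsers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports typically used when a compromised host looks for neighbours to move to
# (assumed list for the example).
LATERAL_PORTS = {135, 445, 3389, 5985}
# AD changes that matter after an infection: new accounts, new admins.
PRIV_AD_ACTIONS = {"user_created", "admin_group_add"}


def build_sor():
    """Return a constructed SoR: normalised events from three sources."""
    ev = []
    # LT-CFO01: AV blocks a dropper, then the host fans out over SMB to eight
    # neighbours and a new account appears in AD. All three sources light up.
    ev.append({"ts": "2019-10-07T09:01:10", "src": "av", "host": "LT-CFO01",
               "action": "blocked", "detail": "Trojan.Dropper.Gen"})
    for i in range(8):
        ev.append({"ts": f"2019-10-07T09:02:{10 + i:02d}", "src": "net",
                   "host": "LT-CFO01", "action": "connect",
                   "dst": f"10.0.1.{20 + i}", "dport": 445})
    ev.append({"ts": "2019-10-07T09:05:00", "src": "ad", "host": "LT-CFO01",
               "action": "user_created", "detail": "svc-backup2"})
    # WS-HR07: AV block with nothing following it. The AV console alone would
    # show both hosts identically; only the SoR lets us tell them apart.
    ev.append({"ts": "2019-10-07T10:15:00", "src": "av", "host": "WS-HR07",
               "action": "blocked", "detail": "Adware.Generic"})
    # SRV-BACKUP: legitimately talks SMB to many hosts every night, no AV hit.
    for i in range(8):
        ev.append({"ts": f"2019-10-07T02:00:{i:02d}", "src": "net",
                   "host": "SRV-BACKUP", "action": "connect",
                   "dst": f"10.0.2.{i}", "dport": 445})
    return ev


def correlate(events, window=timedelta(minutes=15), fanout=5):
    """Anchor on AV blocks; raise an alert only when the same host, within
    `window`, also shows lateral-movement fan-out or a privileged AD change.
    The returned evidence list is the forensic path, in time order."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for anchor in (e for e in evs if e["src"] == "av" and e["action"] == "blocked"):
            t0 = datetime.fromisoformat(anchor["ts"])
            follow = [e for e in evs
                      if t0 < datetime.fromisoformat(e["ts"]) <= t0 + window]
            lateral = [e for e in follow
                       if e["src"] == "net" and e.get("dport") in LATERAL_PORTS]
            priv = [e for e in follow
                    if e["src"] == "ad" and e["action"] in PRIV_AD_ACTIONS]
            scanning = len({e["dst"] for e in lateral}) >= fanout
            if not (scanning or priv):
                continue  # AV did its job; nothing else corroborates compromise
            evidence = [anchor] + (lateral if scanning else []) + priv
            alerts.append({
                "host": host,
                "severity": "high" if (scanning and priv) else "medium",
                "sources": sorted({e["src"] for e in evidence}),
                "evidence": sorted(evidence, key=lambda e: e["ts"]),
            })
    return alerts


def forensic_path(alert):
    """Render the evidence one line per event, the way an analyst reads it."""
    return [f'{e["ts"]} [{e["src"]}] {e["action"]} '
            f'{e.get("detail") or e.get("dst", "")}' for e in alert["evidence"]]


if __name__ == "__main__":
    for a in correlate(build_sor()):
        print(a["host"], a["severity"], a["sources"])
        print("\n".join(forensic_path(a)))
```

Run stand-alone, the rule fires once, for LT-CFO01, with all three sources in the evidence; WS-HR07 (an AV block that was genuinely the end of the story) and SRV-BACKUP (legitimate SMB fan-out with no AV hit) produce nothing. Raising `fanout` above the number of neighbours contacted drops the severity to medium, because only the AD change then corroborates the AV block.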

Secrutiny’s Building Blocks of Visibility

At Secrutiny we understand the delicate balance of business risk versus limited resources, time and budget, set against the mantra that “it’s not if we are breached, it’s when”. Many organisations don’t address security until after they are breached, yet 63% of small businesses and 61% of mid-enterprise organisations were breached in 2018.

Answering the questions below, using your System of Record (SoR), will allow you to determine a security programme that is rational, proportionate and based on actual risk, not gut reaction. Without these essential building blocks in place, any investment in security solutions has the potential to be wasted.


1. Data Movement

How will we know if and when unusual activity occurs? Do we have a benchmark for what constitutes ‘normal’ data movement? What processes and policies do we have in place?

2. User Privilege

How regularly are user privileges reviewed and monitored? What happens to them when a person leaves the organisation or changes role?

3. Network Communications

Can we appropriately monitor and control all of our traffic?

4. Software Configurations

Do we have consistency? Are we patching on time, every time? Can we prove that patches and updates have been deployed successfully?

5. Build

What is the current conformity of our estate? Is every device on the most current operating system? How frequently are we auditing this?
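The five building blocks are questions to ask of the SoR, so here is an added worked example (not Secrutiny’s code and not from the original page) that asks four of them over constructed data: a per-host egress baseline for data movement, privileged group membership checked against HR status for user privilege, and the deployment tool’s patch claims checked against what each endpoint’s own inventory reports for software configuration and build. Host names, account names, the patch identifier, the build labels and the HR and inventory field names are all assumptions; in practice these answers come from NetFlow or proxy logs, AD group membership, the HR system and the endpoint inventory.

```python
"""Hygiene questions asked of a constructed System of Record.

Added example, not Secrutiny's code. Host names, account names, the patch
identifier and the HR/inventory fields are invented sample data.
"""
from statistics import mean, pstdev

# 1. Data movement: bytes egressed per host per day, 14-day history + today.
EGRESS_HISTORY = {
    "LT-FIN03": [1.0e9, 1.2e9, 0.9e9, 1.1e9, 1.0e9, 1.3e9, 0.8e9,
                 1.1e9, 1.0e9, 1.2e9, 0.9e9, 1.0e9, 1.1e9, 1.0e9],
    "SRV-FILE1": [40e9, 42e9, 38e9, 41e9, 39e9, 43e9, 40e9,
                  41e9, 40e9, 39e9, 42e9, 41e9, 40e9, 40e9],
    "LT-HR02": [0.5e9] * 14,      # flat history: standard deviation is zero
}
EGRESS_TODAY = {"LT-FIN03": 9.5e9, "SRV-FILE1": 44e9, "LT-HR02": 0.6e9}


def egress_outliers(history, today, k=3.0, min_ratio=2.0):
    """Hosts whose egress today is beyond mean + k*sd AND at least min_ratio
    times their own baseline. The ratio guard stops a flat history (sd == 0)
    from flagging a trivial rise. Returns {host: multiple_of_baseline}."""
    flagged = {}
    for host, past in history.items():
        cur = today.get(host)
        if cur is None or not past:
            continue
        m, sd = mean(past), pstdev(past)
        if cur > m + k * sd and cur >= min_ratio * m:
            flagged[host] = round(cur / m, 1)
    return flagged


# 2. User privilege: privileged group membership (AD) against HR status.
ADMIN_GROUPS = {
    "Domain Admins": {"jsmith", "abrown", "svc-backup"},
    "Server Operators": {"pwhite", "abrown"},
}
HR = {
    "jsmith": {"status": "active", "dept": "IT"},
    "abrown": {"status": "left", "dept": "IT"},        # leaver, still privileged
    "pwhite": {"status": "active", "dept": "Finance"},  # moved out of IT
}


def stale_privilege(admin_groups, hr, privileged_depts=("IT",)):
    """Findings for the leaver / mover / no-owner cases, as (group, user, why)."""
    findings = []
    for group, members in admin_groups.items():
        for user in sorted(members):
            rec = hr.get(user)
            if rec is None:
                findings.append((group, user, "no HR owner: justify or remove"))
            elif rec["status"] != "active":
                findings.append((group, user, "leaver still privileged"))
            elif rec["dept"] not in privileged_depts:
                findings.append((group, user, "role no longer warrants it"))
    return findings


# 3/4. Software configuration and build: the deployment tool's claim versus
# what each endpoint's own inventory reports (patch id and builds invented).
DEPLOY_REPORT = {"KB-SAMPLE-001": {"LT-FIN03": "success",
                                   "SRV-FILE1": "success",
                                   "LT-HR02": "pending"}}
INVENTORY = {
    "LT-FIN03": {"build": "1903", "hotfixes": {"KB-SAMPLE-001"}},
    "SRV-FILE1": {"build": "1607", "hotfixes": set()},  # claims success, no proof
    "LT-HR02": {"build": "1809", "hotfixes": set()},
}


def unproven_patches(deploy_report, inventory):
    """(host, kb, why) wherever the update cannot be evidenced as installed."""
    out = []
    for kb, hosts in deploy_report.items():
        for host, status in hosts.items():
            installed = kb in inventory.get(host, {}).get("hotfixes", set())
            if installed:
                continue
            why = ("claimed success, absent from inventory" if status == "success"
                   else f"deployment {status}")
            out.append((host, kb, why))
    return out


def build_drift(inventory, baseline_build):
    """Hosts not on the agreed baseline build, with the build they report."""
    return {h: rec["build"] for h, rec in inventory.items()
            if rec["build"] != baseline_build}


if __name__ == "__main__":
    print(egress_outliers(EGRESS_HISTORY, EGRESS_TODAY))
    print(stale_privilege(ADMIN_GROUPS, HR))
    print(unproven_patches(DEPLOY_REPORT, INVENTORY))
    print(build_drift(INVENTORY, "1903"))
```

Two design points matter here. The egress check compares each host with its own baseline rather than a fleet-wide threshold, otherwise the file server would drown out a laptop moving nine times its usual volume; the `min_ratio` guard handles the host whose history is perfectly flat, where a pure standard-deviation rule would flag any change at all. The patch check treats the deployment tool’s “success” as a claim to be proved against the endpoint inventory, which is exactly the “can we prove it?” question the building blocks ask.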

Control

Technical controls and measures only deliver their full benefit when paired with appropriate People, Policy and Process controls.

It’s not enough to say, “I have all these technologies which can handle the issues”, especially if they are separate, disparate systems that don’t talk to or integrate with each other, and therefore give neither context nor visibility. Investing time and resources in areas such as developing and maintaining appropriate policies and controls, and building a culture of strong cyber hygiene, will help organisations catch a breach before it causes permanent damage.

Simon Crumplin, Founder of Secrutiny, added: “Policies and processes are an essential element of any organisation and will give you 10 times more than just buying technology.”

The strategy should be twofold:

Understand Your IT Ecosystem

Cyber risk assessments will help you achieve the required understanding while also establishing the baseline of “normal” within your organisation. From that baseline, anomalies can be identified quickly and investigated as high-fidelity threats.

This activity should be an on-going exercise that:

  • Brings anomalous business practices into governance, which gives you control.
  • Defines what is ‘normal’ and what is ‘noise’.
  • Contextualises risk so you can appropriately inform the business.
  • Defines whether a threat is relevant or not.
  • Removes complacency.

Understand Your Organisational Ecosystem

Understanding the organisational ecosystem helps drive a plan of action to improve business processes in a way that aligns with the technical changes to be made, improving effectiveness and ensuring maximum return on investment. This is best achieved by undertaking a People, Policy and Process gap analysis to understand the current state of operational controls and their relationship to the cyber improvement programme.

The above are the initial steps of the cyber security and risk mitigation journey. From this point, the journey continues: reducing risk with evidence and demonstrating maturity against the target.

Don’t Feel Like You’ve Got a 360° View of Your IT Estate? See How Secrutiny Can Help


Context

Threats make for powerful headlines, but out of context they’re meaningless. The context of changes within your IT estate helps highlight possible infections or breaches.

Visibility

Without clear visibility across your estate, you can’t identify the root of the problem and therefore the problem persists.

Secrutiny’s Cyber Risk Remediation Program contextualises risk so you can appropriately inform the business, while driving risk reduction and improvements in security hygiene.

We achieve this by conducting a technical Cyber Risk Audit (CRA), which captures metadata across devices, servers, network and security controls to form the basis of the SoR and allows questions to be asked of the data. This establishes a baseline of the current security posture while highlighting areas for remediation.

The output drives policy and posture improvement within the Cyber Risk Remediation program to ultimately reduce risk and improve your ongoing visibility and control capability, with a roadmap of investment against evidenced risk and visibility gaps.

Control

Gaps in your controls create an enormous opportunity for exploitation. Control stops threats as they are identified.

Controls are not just technology “layers of the onion” that demand significant investment. Control can also be achieved through strong IT operational health, with the tools you already have in place.

Secrutiny works with organisations to review their controls and ensure the risk levels are appropriate and understood.

We help organisations aggregate suitable data so that responding to a breach takes hours, not weeks or months.

We help our clients ensure a SIEM/SOC Service – be it theirs, another third party’s, or Secrutiny’s own capability – is properly informed, reducing not only false positives, but, vitally, false negatives.

Ready to Get Context, Visibility and Control?

Let’s Get Started
