Get a 360° Overview of Your IT Estate with Context, Visibility and Control
Why Context, Visibility and Control?
Threats make for powerful headlines and help to generate revenue for technology vendors but out of context they are meaningless. Security alerts without context can quickly lead to problems such as false positives, as well as missed Indicators of Compromise (IOC) and Attack (IOA). Context also provides a vital insight often missing from automated security tools.
For example, if Julie in HR suddenly creates a policy on the CFO’s laptop, many controls would accept this – she is an employee, after all. But a defined policy of what is permissible and what is not provides the context for stopping this activity immediately.
A more pragmatic approach is to look at cyber security in the context of business risk, whereby devices, teams, departments and processes can be realistically assessed to establish not only their likelihood of being exploited, but crucially what the impact to the business will be.
We recommend asking the following context-setting questions:
• Which areas of your business are most at risk of exploitation?
• Which areas of your business are most at risk of exploitation?
• What’s making them so susceptible to risk?
• What impact could these risks could have on the ability of your business to operate?
• What steps do you need to take based on what you know?
• What you can prove?
Answering these questions gives you the context to act on actual risk, not gut reaction, you also gain visibility because you know where and how risks will materialise. And once you’ve got visibility – you can improve control.
Visibility addresses the need to have sight across the whole IT ecosystem. But why is this important? Imagine a virus with an embedded threat embedded inside another threat. Your anti-virus catches it and reports that it is blocked – but the infected machine is now communicating widely across the network, looking for other vulnerable machines or attempting to create an admin profile. Your anti-virus alone has no visibility of this, but your network can tell you and so can your Active Directories. Put the three pieces of information together, and you have a clear forensic path of a high-fidelity threat – one you can immediately resolve.
‘Essential’ to ‘Good Repeatable’ security is consistent visibility, and to that end we mandate that our clients build and maintain a System of Record (SoR) – essentially an aggregation of logs from the IT estate, servers, endpoints, and security controls deployed across the business.
The SoR, therefore, forms a datastore that then forwards the relevant data points for onward processing by the SIEM and SOC, can be interrogated to establish hygiene and security posture; identify indicators of compromise and hosts of interest; and ultimately be used to forensically investigate, and respond, in the event of a breach.
Secrutiny’s Building Blocks of Visibility
At Secrutiny we understand the delicate balance of business risk versus limited resources, time and budget, versus the mantra that “It’s not if we are breached, it’s when”. Many organisations don’t address security until after they are breached – but 63% of small businesses and 61% of mid-enterprise organisations were breached in 2018.
Answering the questions below, using your System of Record (SOR), will allow you to determine a security programme that is rational, proportionate and based on actual risk, not gut-reaction. Without these essential building blocks in place, any investment in security solutions has the potential to be wasted.
1. Data Movement
2. User Privilege
3. Network Communications
4. Software Configurations
In conjunction with the technical controls and measures, we understand that maximising any benefit must come with appropriate People, Policy and Process controls.
It’s not enough to say, “I have all these technologies which can handle the issues” – especially if they are separate, disparate systems that don’t talk or integrate with each other, and therefore don’t give context and visibility. Investment in time and resources into areas such as developing and maintaining appropriate policies and controls, and building a culture of strong cyber hygiene, will assist organisations in catching a breach before it causes permanent damage.
Simon Crumplin, Founder of Secrutiny, added: “Policies and processes are an essential element of any organisation and will give you 10 times more than just buying technology.”
The strategy should be two fold:
Understand Your IT Ecosystem
This activity should be an on-going exercise that:
- Brings anomalous business practices into governance, which gives you control.
- Defines what is ’normal’ and what is ‘noise’.
- Contextualises risk so you can appropriately inform the business.
- Defines whether a threat is relevant or not.
- Removes complacency
Understand Your Organisational Ecosystem
Don’t Feel Like You’ve Got a 360° View of Your IT Estate? See How Secrutiny Can Help?
We achieve this by conducting a technical Cyber Risk Audit (CRA) which enables the capture of metadata across devices, servers, network, and security controls to form the basis of the SoR and allow questions to be asked of the data. This, in turn, establishes a baseline of the current security posture, while highlighting areas for remediation.
The output drives policy and posture improvement within the Cyber Risk Remediation program to ultimately reduce risk and improve your ongoing visibility and control capability, with a roadmap of investment against evidenced risk and visibility gaps.
Controls are not just technology “layers of the onion” that demand significant investment. Control can also be achieved through strong IT operational health; with the tools you already have in place.
We help organisations aggregate suitable data so that responding to a breach takes hours, not weeks or months.
We help our clients ensure a SIEM/SOC Service – be it theirs, another third party’s, or Secrutiny’s own capability – is properly informed, reducing not only false positives, but, vitally, false negatives.
Lets Get Started…
Check Out Our Other Recent Posts >
With much of the UK working from home due to COVID-19, malicious actors are taking advantage of the pandemic to find opportunities for distributing their malware to unsuspecting users. This blog will give a high-level overview of campaigns and IOCs discovered by Anomali.
Stay cyber secure with increased remote working by listening to our special edition of Secrutiny’s Emerging Trends Podcast.
Secrutiny is all about helping organisations effectively determine their risk appetite and define cyber risk remediation priority based-on evidence. Through research and exploration, Secrutiny has identified the MITRE ATT&CK Framework as a tool to help cyber security professionals mature, secure and assure their organisations.