MAGNIFY CYBER SECURITY BLOG

7 Steps to Forensic Level Focus

June 2020

There is still a preference among media outlets and vendors to use the language of fear, uncertainty and doubt (FUD) to generate revenue and headlines. At Secrutiny, we believe that this is counterproductive, causing you to experience ‘threat-fatigue’ and distracting you from the areas where you can eliminate risk by highlighting topical hype rather than encouraging best practice processes.

A more rational approach is to look at cyber security in the context of business risk. But how can you spot whether a cyber threat is a business risk that needs attention? With forensic level focus… To help you achive this, we’ve mapped out the seven key focus areas for quantifying and managing risk.

1. Basic Hygiene

The biggest barrier to effective cyber security is not the number of malicious actors, it is failure by organisations to carry out basic hygiene practices in key risk areas.

– Data Movement
– User Privilege
– Network Communications
– Software Configurations
– Build

Without these essential building blocks in place, any investment made in security solutions has the potential to be wasted. In fact, one hundred per cent of breaches we have responded to showed major hygiene, policy, posture and visibility deficiencies.

2. Cyber Risk Audit

The next logical step is to undertake periodic technical Cyber Risk Audits to identify operational risk, misuse, infection or compromise and define what is ‘normal’, what is ‘noise’ and what is ‘anomalous’ to contextualise those risks.

3. System of Record

The System of Record (SOR) is an aggregate of data from associated systems stored in native records format – a ‘bucket’ of data that describes your IT ecosystem and hygiene posture at any given point in time. It allows you to retain reliable data quality for production and governance requirements and supports technical controls and compliance analytics, as well as incident investigations.

One way to think of a SOR is as a continuously rolling CCTV system where each day’s recording is backed up and stored for a period of time.

4. Visibility

There can be a difference between what’s reported to have happened and what’s actually happened.

For example, your Anti-Virus may believe it has successfully cleaned a virus from your endpoint, but with wider visibility you can see that the endpoint is now trying to communicate across the network. Perhaps an embedded virus was missed, and a worm is trying to move laterally across your estate.

Visibility is achieved by using the outputs of Cyber Risk Audits (CRA) to establish the baseline of what’s normal which then enables you to rapidly identify any anomalies.

5. Tools

Tools should be viewed as aides that add automation to processes you have determined are relevant to your operational approach.

From our experience in auditing >750,000 endpoints and servers, we have discovered that processes and policy will always offer 10x security posture over generic product purchases.

6. Breach Awareness

According to a report by global management consulting and professional services firm, Accenture, IT teams are only discovering 64% of the attacks they face. 

To detect a breach, IT should look for change as it is an indicator that someone or something has control.  Where an environment has good hygiene, consistency over the software and technology in use, and a System of Record (SOR) in place, change can be detected.

To detect a breach, IT should look for change as it is an indicator that someone or something has control.  Where an environment has good hygiene, consistency over the software and technology in use, and a System of Record (SOR) in place, change can be detected.

7. Simulation

How do you know if the framework you’ve put in place is working at any given point in time?

Rather than wait for a breach, it is vital to undertake regular simulation exercises that test the effectiveness of your security control systems and alerting framework. From here you can identify when policy or configuration changes are needed.

Imagine a simulation process whereby whilst the CEO is reading about WannaCry II on a news site on his way to the office, you already know whether you are susceptible or protected because your simulation tools have already tested your production environment.

Do You Have Forensic Level Focus?

You might already be doing some or all of these steps. Find out with our RAG assessment which considers the seven core elements discussed in this blog so that you can make an initial assessment of your organisation’s attitude and progress towards pragmatic, appropriate, cyber risk management.

This is just one of the tools offered in our educational whitepaper entitled, Time for a Cyber Risk Perspective. Led by Simon Crumplin, Founder of Secrutiny, it aims to change the cyber security conversation from one distracted by threat, to one that’s focused on business risk. Download it here.

Image Source: slidesgo