We’re officially in the busiest season of delivery as all hiring is complete, budgets released, and work continues on improvement before the holiday season. So, how can organisations keep their focus on what’s important and what can they do to stay aware of the course corrections they might need to take? The answer is cyber risk prioritisation – this means putting risk reduction back to the top of security-related decision making.

Read on as we explore what the process of cyber risk prioritisation should look like and why it matters, with a focus on security controls, managing the unknowns, telemetry and zero trust.

#1 Managing Controls

Security vendors are moving at such a rate that new features and updates are coming thick and fast, so it’s crucial you’re checking your controls regularly. It’s imperative that after you apply patches, you go back and look across the estate to find out which machines haven’t taken the patch, or which appear to be offline and not connected to management.

However, the most significant gap is where those controls are missing or not working as required. These are your blind spots: that is where you are vulnerable, and that is where you should be prioritising, because it is your weakest point.

#2 Unknowns

Another priority is getting familiar with your network footprint. You’ve got to know what is on your network and what normal looks like – so that when you use tools to monitor the network, you’ve got a baseline to marry against.

It’s about collecting data that can be modelled and categorised: by device type, by traffic type, and by the typical number of devices on your network; then reviewing it consistently and keeping track of what’s changing. It’s a good way of keeping a barometer on what’s happening inside your environment.

You must also consider ways to passively monitor your networks and identify any IP-based devices. Tools like Nessus can give you open-source methods to scan and create lists, but turning this into actionable intelligence can be cumbersome. Thankfully there are platforms available that provide this capability at the right price point, passively monitoring networks via SPAN ports or SNMP walks to communicate with the switch fabric.

EPP/EDR tools are also starting to introduce peer-to-peer capability to check network neighbours. Aggregating these results and classifying them into device types is quicker and easier than it’s ever been, with some systems even providing a view of vulnerabilities. These methods help to illuminate the unknowns in your network.
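As an added example (not code from the original article), here is a small Python reconciliation that covers the checks described in #1 and #2 together: hosts in your baseline that never report to management, enrolled hosts that have gone quiet, managed hosts that never took a patch, devices seen on the network that are not in the baseline, and per-device-type drift against the baseline. The inventory, console and scan data are constructed inline; the seven-day staleness threshold and the patch identifier are assumptions.

```python
# Added example: reconcile what you expect to be on the network and under
# management against what is actually reporting in. All host names, device
# types and the patch id below are constructed for illustration.
from collections import Counter
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=7)  # assumption: no check-in for 7 days = "offline"


def reconcile(inventory, mgmt, seen_on_network, patch_id, now):
    """Return the blind spots a risk-prioritisation review should start from.

    inventory:       {host: device_type}  the baseline you expect (CMDB, AD, ...)
    mgmt:            {host: (last_checkin, {applied patch ids})} from the
                     EPP/EDR or patch-management console
    seen_on_network: {host: device_type}  from passive monitoring or a scan
    """
    # Control gap: in the baseline but never enrolled with management.
    not_managed = sorted(h for h in inventory if h not in mgmt)
    # Enrolled but silent: looks "managed" in a console until you check dates.
    offline = sorted(h for h, (last, _) in mgmt.items() if now - last > STALE_AFTER)
    # Checking in normally, yet the patch never landed.
    unpatched = sorted(h for h, (last, applied) in mgmt.items()
                       if now - last <= STALE_AFTER and patch_id not in applied)
    # Unknowns: talking on the network but absent from the baseline.
    unknown = sorted(h for h in seen_on_network if h not in inventory)
    # Drift per device type: the "barometer" of what is changing.
    expected, observed = Counter(inventory.values()), Counter(seen_on_network.values())
    drift = {t: observed[t] - expected[t] for t in expected | observed
             if observed[t] != expected[t]}
    return {"not_managed": not_managed, "offline": offline,
            "unpatched": unpatched, "unknown": unknown, "drift": drift}


def demo():
    """Run reconcile() over a small constructed estate with a fixed clock."""
    now = datetime(2024, 3, 1, 9, 0)
    inventory = {"ws-01": "workstation", "ws-02": "workstation",
                 "srv-db": "server", "printer-1": "printer"}
    mgmt = {"ws-01": (now - timedelta(days=1), {"PATCH-EXAMPLE-01"}),
            "ws-02": (now - timedelta(days=12), set()),     # stale check-in
            "srv-db": (now - timedelta(hours=2), set())}    # online, unpatched
    seen_on_network = {"ws-01": "workstation", "ws-02": "workstation",
                       "srv-db": "server", "cam-07": "ip-camera"}  # cam-07 is new
    return reconcile(inventory, mgmt, seen_on_network, "PATCH-EXAMPLE-01", now)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Each list is a prioritisation queue in its own right: `not_managed` and `offline` are the control blind spots from #1, `unknown` and `drift` are the unknowns from #2.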

Figure 1: Cyber Risk Prioritisation Illustration

#3 Telemetry

There is a wealth of telemetry data that can be obtained via endpoints, network devices, signals and firewalls, including not only traffic information about what’s on your perimeter but also the URLs people are accessing and the threat feeds being matched against those URLs.

Microsoft’s Sysmon is invaluable; it’s free, lightweight and can be easily updated. There are many pre-written configurations from SwiftOnSecurity or Sysmon Modular that you can quickly adopt; these rulesets even have MITRE ATT&CK technique IDs (T numbers) associated with them. Combining Sysmon with a log shipper like Elastic’s Winlogbeat or NXLog, and then aggregating this data in an on-premises index like Elasticsearch, can be free to operate.

In the case of endpoints on ‘always-on VPN connections’, consider turning this logging on for them too; the burden of this logging is not massive. But the real work is prioritising the collection of endpoint data, as it helps you understand where problems begin and lets you challenge how effective your controls are.

#4 Zero Trust

The concept of zero trust is not new; it’s been around for years. Many of the technologies we use today already have zero trust capabilities; we’ve just been poor adopters of these features.

Simple tasks such as authenticating everybody to everything, and adding MFA to these authentication workflows, can be seen as zero trust. In fact, any layering of checks at the point of access is zero trust; anything in your environment that works by proxy will likely have zero trust capabilities. For example, with your Secure Web Gateway you can validate the destination, use the policy engine to control the activities and use coaching to change the user’s mindset.

If you use UEBA to illuminate anomalous user behaviour, why not use it as an active defence? Most have policy engines that can challenge anomalous behaviour; you can use them to alert, notify and block. Microsoft’s Conditional Access feature, meanwhile, allows you to build policies that confirm the source IP, asset type, browser type, time of day and geolocation. Basically, zero trust is about never trusting, always verifying.

If you would like further information on cyber risk prioritisation or to speak to one of our experts, please get in touch.