The perfect IT security solution is one that makes an enterprise completely secure and “unhackable,” where no unauthorized parties can get onto the network, access confidential data, deny service to legitimate users, or otherwise carry out any malicious or unwanted activities.
Anyone who reads the security news these days knows that perfect security is impossible. The challenge, then, for corporate IT security teams is to develop an optimal security posture, one that uses the current state of security technology to minimize the chances that a damaging security breach can occur – and to minimize the damage if a breach does occur. The precise makeup of an optimal IT security posture will vary from company to company, but here are some general guidelines.
Jump to:
- Patch Management
- Identity and Access Management
- Multi-Factor Authentication
- Network Access Control
- Compliance
- Social Engineering
- Endpoint and Anti-Malware
- Mobile
- IoT
- Cloud
- DDoS
- Firewalls
- SIEM
- Testing
- Incident Response
- Cyber Insurance
The first step in building the best possible security solution is to understand exactly what IT infrastructure you have to defend, a process that begins with a security risk assessment. “The smartest thing is to do a comprehensive asset inventory and network definition exercise so you know every device and technology you have and where your network extends to,” said Chase Cunningham, a security and risk expert at Forrester Research.
Patch Management
Cunningham said that the best starting point is a vulnerability and patch management system. “If you can’t patch, then you can’t defend and you can forget anything else,” he said. “If you suck at patch management, you suck at security.”
Of course, it takes much more than a vulnerability and patch management system to secure networks, devices and applications – it requires more advanced technology to secure against threats like zero-day attacks using previously unknown vulnerabilities.
Identify and Access Management
The next step then is to defend the network perimeter, beginning with identity and access management systems (IAMs), which are intended to restrict network access to authorized users and to restrict those users to the resources that they are authorized to use. And for critical admin accounts, there’s privileged access management.
Multi-Factor Authentication
IAMs are best used in conjunction with multi-factor authentication systems, which use a one-time password (generated by a portable hardware device or smartphone software, or sent to a cell phone by SMS), a biometric measurement such as a fingerprint or voice print, or some other second factor in addition to a standard password.
Network Access Control
These can be reinforced using a network access control system, which restricts network access to authorized endpoints with prescribed security configurations (such as running an up-to-date antivirus product).
Compliance
The next step, according to Cunningham, is to identify your organization’s valuable or confidential data, or data that needs to be secured for regulatory compliance reasons, and take steps to defend it. “It is very simple: find your data, value it, and keep it safe,” he said. Governance, risk and compliance (GRC) solutions have long been an enterprise IT staple for navigating the maze of compliance regulations.
Social Engineering
Although it is tempting to start with technical solutions, it is important to remember that a high proportion of data breaches are the result of social engineering or phishing attacks. Verizon’s data breach investigation team reported recently that 90% of data breaches have a social engineering or phishing component to them. These allow hackers to bypass security systems by tricking employees into giving them passwords or other information that they need to breach the IT infrastructure.
That means that staff training to raise awareness in phishing and social engineering dangers and to reduce the risk of falling victim to such attacks is vital. These can be complemented by anti-phishing training tools, which are designed to keep employees’ awareness of the risks of phishing emails high. They work by sending out fake phishing emails to employees from time to time to see whether they can be enticed into clicking on malicious links. Employees that do so can then be given more training to help them avoid real phishing emails in the future.
Endpoint and Anti-Malware
But the basic technical solutions include a comprehensive, centrally managed endpoint security system that includes anti-malware software (and ideally specific measures to stop ransomware). These often also bundle other specific data protection solutions such as encryption and data loss prevention.
Data loss protection is often underestimated, but it can be very effective at countering insider threats. For example, a good data loss prevention system should be able to prevent an employee who is leaving the company from downloading confidential data, customer lists and other valuable data onto a USB stick and taking it with them to their next employer.
Mobile security
A relatively new area of concern for IT security professionals (thanks to the rise of Bring Your Own Device, or BYOD) is the use of employee-owned devices on the network, and some form of BYOD security system is vital.
Ideally, this would take the form of a comprehensive enterprise mobility management (EMM) system that can manage both corporate and employee-owned mobile devices (including laptops, tablets and smartphones). EMMs go beyond mobile device management (MDM) solutions by controlling access to corporate networks and applications, ensuring that devices are locked with strong passwords when not in use, encrypting any corporate data stored on them, and carrying out remote data wipes in case the devices are lost or stolen, among other control and visibility features.
Internet of Things (IoT) security
One more area that is worth mentioning because it is becoming increasingly important is IoT security. IoT endpoints (or “things”) are generally used as data collection points. This data is then sent over a network to an IoT platform ingestion point where the data is collected, processed and used in real time or stored.
IoT security systems carry out a range of functions, such as detecting when IoT devices are tampered with and encrypting collected data both in motion and at rest on a dedicated IoT platform.
Cloud security
Enterprises are increasingly making use of cloud services outside the corporate network, which need some way of ensuring that they can be used securely and that data stored in the cloud is safe. One way to reduce the risk introduced by cloud services is to use a cloud access security broker (CASB), which can set policy, monitor behavior, and manage risk across the entire set of enterprise cloud services being consumed.
Examples of cloud security policies enforced by a CASB include authentication, single sign on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection and prevention.
A CASB vendor also gives enterprises visibility into authorized and non-authorized cloud usage. It can intercept and monitor data traffic between the corporate network and cloud platform, assist with compliance issues, offer data security policy enforcement, and prevent unauthorized devices, users, and apps from accessing cloud services.
Distributed Denial of Service (DDoS) attacks
About 80% of organizations faced DDoS attacks in 2016, according to Neustar, and successful attacks cost the victim an average of $2 million. 45% of attacks are now more than 10 Gbps and 15% are now more than 50Gbps, so it is now impossible for most organizations to cope with these attacks using their own network resources.
For that reason, it is important to have a DDoS mitigation plan and service in place with a clear process for contacting the service to start mitigation in case of an attack.
DDoS mitigation services are usually run from the cloud, and mitigation generally involves diverting all traffic (including malicious traffic) to the service, where it is scrubbed. Legitimate traffic can then be forwarded to the intended destination servers.
Firewalls
Network firewalls are a critical security technology and the biggest IT security market, and next-generation firewalls (NGFWs) go beyond blocking ports or protocols to perform stateful packet inspection right down to the application layer, allowing the device to block packets that are not matched to known active connections, to block unwanted application traffic (rather than traffic on specific ports) and to close network ports all the time unless they are actually in use, which provides some protection against port scanning.
Increasingly NGFWs include intrusion prevention and detection functionality, although these may also be purchased as standalone products.
In many cases, intrusion prevention and endpoint protection systems rely on the availability of threat intelligence feeds that provide information about emerging threats, such as signature activity that can indicate a particular threat is present.
Unified threat management (UTM) appliances can be an easier way for small and mid-sized companies to get firewall protections.
Application firewalls are also often necessary if your company operates internet-facing applications. An application firewall monitors incoming traffic to block certain types of content, including attempts to carry out SQL injection attacks using deliberately malformed queries.
SIEM
One final big ticket item that is becoming increasingly important is a security information and event management (SIEM) system, which can monitor logs from network hardware and software to spot security threats, detect and prevent breaches, and provide forensic analysis after a breach. A SIEM can also generate reports for compliance purposes. A SIEM is the technology that can tie all your security efforts together.
SIEM systems are also increasingly offering SOAR and UEBA technologies.
Testing
You should think like a hacker, and test your security posture. Once an overall security solution is in place, the best way to find out how effective it is at preventing a breach is to subject it to penetration testing. Also called vulnerability assessment and testing or “pen testing” for short, this involves a simulated attack on your organization’s network to assess security and determine its vulnerabilities.
These “white hat” attacks carried out by security professionals are designed to identify network security issues and other vulnerabilities, identify policy compliance failures, and improve employee awareness of proper security practices.
A newer approach is breach and attack simulation technologies, which can provide the equivalent of continuous penetration testing.
Preparing for a Breach
There is always a risk of a security breach, and organizations should prepare for one to ensure that damage can be limited by planning an incident response process.
This should include preparation, identification, containment, eradication, recovery and learning from the incident, according to SANS Institute recommendations.
Cyber Insurance
One final measure that can be taken as part of a risk management process is the purchase of cyber insurance to mitigate the financial costs of a breach. These costs should not be underestimated: the average cost of a data breach in the U.S. is $221 per record, or $7 million per breach, according to the Ponemon Institute’s Cost of Data Breach Study.
Organizations have many IT security solutions to choose from. An assessment of your most critical vulnerabilities is a very good place to start to determine which of your assets are the most valuable, and then begin to protect them. We offer comprehensive security product overviews in our security products section.
A Final Word
Unfortunately, there’s no such thing as total or complete security. “It is simply not possible to beat these hackers,” said James Lewis, a cybersecurity expert at the Washington, D.C.-based Center for Strategic and International Studies (CSIS).
There will always be a malicious actor such as a nation state with more resources to devote to hacking than an enterprise can devote to defending itself. “Government-backed hackers simply won’t give up. They will keep trying until they succeed,” Lewis said.
And that means that IT security ultimately boils down to security risk management: using the available IT security budget to build not a total or complete security system, but an optimal one that defends your most critical assets. Some security technologies even count on bad guys getting in, like deception technology, which tries to distract hackers by leading them to worthless assets. And some companies turn some of their security defenses over to managed security service providers to help minimize cost. The average security budget is 5.6% of the total IT budget in most organizations, according to Gartner. Your responsibility as a security professional is to use the budget to minimize risk in the best way possible.
Organizations have many IT security solutions to choose from. An assessment of your most critical vulnerabilities is a very good place to start to determine which of your assets are the most valuable, and then begin to protect them. We offer comprehensive security product overviews in our security products section.
See anything we missed or wish to share your own views and experience? Let us know in the comment form below.