Most information security professionals know that to support their programs they need governance, a plan of action, and operational activities. Most organizations have the three elements in place and are working towards improved program maturity. However, some institutions fall short in the operations area even when they have governance and a plan in place. In this vlog, Joanna Grama and Matt Morton, team members of Vantage’s Information Security Practice, recommend that these institutions consider the Critical Path. This project management concept, similar to agile software development, helps you prioritize key projects and get them to the finish line. Grama and Morton also recommend focusing on four key technology controls to reduce risk: multi-factor authentication (MFA), phishing defenses, patching systems and applications, and a security architecture. Watch the video or read the transcript below to learn more.
Joanna: Hi everyone, welcome back!
Matt: Yes, welcome! I am Matt Morton. I am here today with my colleague Joanna Grama, and we are both part of Vantage’s information security practice.
Joanna: In our last video blog we talked about NIST Special Publication 800-171 and how that impacts higher education security programs. In this episode we are going to talk about what you can do to respond to threats and to prioritize your organization’s information security activities.
Matt: You know, Joanna, this is a great time of year for thinking about responding to those threats, since the 2021 Verizon Data Breach Investigations Report was recently released. It is always a must-read document for me each year to stay abreast of the types of incidents and breaches that are most impacting the industry you are most interested in.
Joanna: No kidding—I am always interested in the education industry breakdown. For instance, social engineering, system intrusions, and random errors were the top threats and attack patterns in the education services industry this past year. As always, the VDBIR gets me thinking about the threats that the education industry faces and how to think about making sure that your own environment can defend against those threats.
Matt: That’s right, Joanna. Defending against those threats is really important. There are two key steps that we recommend institutions think about with their own environments. The first is to assess your gaps. Determine your current compliance and security posture against the framework or standard of your choice and identify any of those issues that could affect the confidentiality, integrity, and availability of your most important assets or data. The second step is to create a plan of action to actually address those gaps. Develop that plan and create a multi-year, risk-based strategy to improve your campus information security and privacy posture and thus reduce your institutional risk in the process.
Joanna: To support your information security program you need governance, a plan of action, and operational activities. You have to work on all three legs of the stool at the same time, or you don’t have a solid program. Most organizations have the three elements in place and are working towards improved program maturity. That said, we sometimes see institutions that fall short in the operations area even when they have governance and a plan in place.
Matt: You know that’s not always easy, is it? And the key thing here is that good security operations are so difficult to support — that third leg. You have to make sure that you’ve got the items you need for your program. We like to talk about something called the Critical Path. The Critical Path is a project management concept that’s focused on identifying the key tasks that have to be completed to get to that finish line on a project.
So often in security implementation projects we see many things getting in the way on the way to completion. We have thought about how we apply good project management practices around this to get you to where you need to be to complete what you are doing, especially when it comes to dealing with operational technologies like reviewing SIEM data or looking at antivirus data. All those kinds of things are important and part of the product suite that you have, but they don’t necessarily get done as quickly as you would like. This example, just briefly here, shows you that you have multiple tasks to get to the completion of the project. If you were to do all these tasks you would have at least around 15 days of effort. But if you just follow the critical path, meaning only the things that are necessary for that particular project to get completed and get into operation, then you would only have nine days to get things completed.
Joanna: When you talk about Critical Path in this way, it makes me think a lot about agile development methodologies. You know, in agile methodologies, which are most often used for software development, the focus is on iterative development. The development team uses a pretty disciplined project management process to bring all these cross-functional groups together, and they brainstorm requirements and then they brainstorm solutions development. From there, the agile process requires frequent inspection and adaptation, which makes sure that developers are able to concentrate on the core functionality required in the software and nothing else. When done well, agile methodologies are intended to deliver high-quality, rapid results.
Matt: You’re right, Joanna, that’s exactly the model that we would like to see security implementation projects follow, especially when developing your security operations. The Critical Path leverages those agile concepts. We like to add seven more things to help you through that iteration. This approach is focused on focus and follow-through. Essentially, when you have a particular item that you are working through, you want to have focus, you want to identify your assets and logs, you want to scan for vulnerabilities, you want to review logs and reports that come from your tool, secure those assets, and remove things. This is the part that we always forget. Anything that is not needed, accounts or systems not being used — get rid of them to reduce risk. And finally, the key thing is to communicate. Communicate what you have done and communicate how you’ve done it so that people understand that effort has been expended.
Perfection is always the enemy of progress in these processes, and using this process on your own key security solutions will help reduce your risk significantly. Based on our observations, there are also some key technologies that seem to have the most impact on reducing our clients’ risk.
Joanna: So keeping that in mind, let’s talk about those technologies. For instance, I think multi-factor authentication is super important. Not only does it provide a layer of security for access to your systems, but I also read a recent article that some cybersecurity insurers are looking to require that their insureds have MFA as a condition of the insurance. We know that many institutions right now are using some form of MFA for various audiences. Taking a focused and then iterative approach to deployment allows you to deploy MFA to your most important constituencies in shorter time increments. This can be helpful in defending against one of the most prominent threat vectors institutions are dealing with, which is account compromise and social engineering.
Matt: You’re absolutely right, and I couldn’t agree with you more. And another interesting thing is that almost every compromise you have read about in the last few years always starts with one attack vector, and that is typically phishing. You need to have a focus on the network and segmentation, but the email system should be considered part of the network from a security perspective. If you are ignoring or diminishing the phishing attack vector, you could be in for a rude awakening.
Many breaches that have become public highlight this fact. I think SolarWinds is the latest example of a very impactful incident that started with a phishing attack. We put phishing as number two here since multi-factor will help protect your email accounts directly in the event of a phishing attack. There are also other things you can do. You can deploy phishing protection software, you can protect your borders using DMARC, always identify senders and recipients using DKIM, coupled with DMARC, and training is an area of focus. It can really bring those iterative improvements that you need as an organization to be more secure.
Joanna: I want to add one. It’s not really a technology all on its own, but patching your systems and applications continues to be an important security activity that many organizations might be lax about. Patching systems is an important defense-in-depth activity to limit damage to a system if some other control or access control fails. Because the cycle of scanning, patching, and testing can be a really large lift, working through this in an iterative fashion, focusing on the most critical or most used systems, or the systems most vulnerable to the top threats, will help you get risk to an acceptable level at your organization or institution.
Matt: You know, patching is not fun, right, but it’s extremely necessary. It’s probably one of the most critical processes you can have. Finally, one of the most complex aspects of the operational security of an institution is procurement. I see too many organizations with lots of procurement going on, but not a lot of thought or strategy around how the institution is constructing the security technology stack. So architecture is the fourth technology or process that you would put into place to ensure that your operational security is at its top. Developing a security architecture helps in creating the correct amount of separation and ensures that you are getting the most value out of your investments — that you are not creating overlap or confusing people with alerts. Alert fatigue is an issue, and making sure that you have designed what you are after is a key thing that needs to improve.
Joanna: That’s a really great point. So, we talked a lot about technical controls today, but I think that one thing to think about for the future is the administrative ones, like policies, standards, and procedures. For each of the technical controls that we discussed, there should be some sort of corresponding documentation about that control.
Matt: Good point! So, stay tuned for our next blog.
Vantage information security services help you ensure your strategy is comprehensive and supported by a programmatic focus that uses assessment and analysis results to evolve your information security posture and reduce organizational risk. From strategic CISO advisory services to practical assistance completing the HECVAT, the Vantage team is here to help.