Not a day goes by without a cyber security incident reported in our news feed.
Organisations are increasingly concerned about cyber security, and rightly so, as pressure mounts on business leaders to act and protect their organisations.
Do nothing, and you are flying blind, unaware of what is happening in your organisation’s network . . . just like the fog covering most of the buildings in the photo above.
But where do you start? It can feel overwhelming. Business leaders don’t know whether to begin by installing a firewall, executing a backup plan or investing in an endpoint protection solution.
In this blogpost, we will answer the question “where do you start?” and highlight the pathway organisations should follow to improve their cyber security posture.
Cyber security is more important than ever!
There are many reasons cyber security is increasingly critical, including:
- Businesses fast-tracked their Digital Transformation initiatives to provide better services, improve customer experience or meet market demands. As a result security considerations are often left behind with minimum settings due to time and budget challenges.
- Working from home has increased cyber security threats significantly. The work environment became distributed with less secure connections making it easier for cyber criminals to enter into corporate networks.
- Cloud Migration of data, workloads, IT resources and applications from on-premises data centre infrastructure has introduced challenges around balancing the shared responsibility of maintaining security controls between the cloud provider and the user.
- Data is now more valuable than oil because of the insight and knowledge it can provide, making it appealing to steal for ransom or to sell on the dark web.
These reasons, among others, have increased the requirement for security teams to manage digital risk.
Today, according to a Marsh & McLennan survey of 1,500 executives, two-thirds of survey respondents ranked cyber security as a top-five risk management priority.
What is a Cyber Security Risk Assessment?
Once you acknowledge that cyber security is important and the threat is out there, the next step is to identify what possible threats may harm your business. The process to do so is called Cyber Security Risk Assessment.
A cyber security risk assessment is the process of identifying, analysing and evaluating the risks of cyber attack. The cyber security risk assessment will assist organisations in prioritising what controls to deploy to prevent the identified risks; and what mitigation steps to invoke when the risk occurs to limit or stop potential consequences.
Different industry standards provide guidance on conducting cyber security risk assessments, such as The Australian Government Information Security Manual (ISM), ISO27001 Information Security Management Systems and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. There are also effective risk analysis methods, such as the Bowtie method. In this blogpost, and for simplicity, we will provide high-level steps to perform risk assessment:
- Identify critical assets. This can be done by listing all IT resources and tools, then evaluating the possibility a cyber attack would impact the:
- Confidentiality of the data
- Integrity of the data
- Availability of the service and/or the data if that asset is compromised.
If the answer is yes to any of these questions, then the asset is critical.
- Identify the possible threats for every critical asset. A threat is a malicious act that seeks to steal data or disrupt digital service.
- Identify vulnerabilities. A vulnerability is a weakness cyber criminals can exploit to gain unauthorized access to a computer system. These can be identified by conducting a security architecture review, vulnerability scanning and penetration testing.
- Determine the likelihood that a threat actor can use a vulnerability to harm your business. Thi is an important step that helps you prioritise the risks to your information security.
- Develop and implement cybersecurity controls, which are a set of processes and tools to protect your organisation from threats and vulnerabilities.
- Develop mitigation steps, which are policies and processes to limit the extent of the damage if security attacks pass the security controls and occur.
- Evaluate the effectiveness of security controls and mitigation strategies to confirm they are working as they should, and can be used when required.
Depending on the cyber security risk assessment outcome, your organisation can decide to use simple mitigation strategies like Essential Eight and the top 20 Critical Security Controls (CIS 20) or implement a full information security management system (ISMS).
For example, suppose you are running a small business that doesn’t have customers’ personal data. In that case, you may be concerned with broad cyber security attacks and implement basic mitigation strategies like Essential Eight. However, suppose you are running a small business, and you are providing services to a critical infrastructure provider. In that case, your business might be targeted by cyber attackers to gain access to the client’s network and hence you need to implement higher security standards. These are examples only; please perform a risk assessment for your business to identify what controls and mitigations are required.
The list of threats and vulnerabilities an organisation is exposed to keeps evolving as technology and business emerge. Addressing all of them requires a lot of time and money and is a never-ending job. Hence, organisations need to use the risk assessment to prioritise what security controls and mitigation strategies to put in place and complement them with cyber security detection capability.
What is Cyber Security Detection?
Irrespective of how significant your investment in cyber security controls and mitigation strategies is, you cannot put your hand on your heart and say you are 100% ready for cyber attacks. This is because technology is emerging, your business is evolving and attackers’ techniques are ever-changing. So do not spend all your cyber security budget on controls and mitigation strategies. You need to invest in Cyber Security detection capability.
Cyber Security detection is the practice of analysing the entirety of your environment to identify any malicious activity that could be an indicator of compromise. In other words, identify the occurrence of a cyber security event. Think about the photo above with the fog covering the city. The detection capability will provide you with visibility through the fog to all the buildings and streets.
Detection capability is a critical function of a robust cyber security program. The faster you can detect a cyber security event, the faster you can mitigate its effect. That’s why all Cyber Security frameworks contain a set of controls relating to events logging, monitoring and auditing. Here are some example controls from the Australian ISM:
- An event logging policy is developed and implemented.
- A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs.
- An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events.
- For any system requiring authentication, logon, failed logon and logoff events are logged.
- Events are logged for operating systems such as access to important data and processes, changes to accounts, failed attempts to access data and system resources among others.
- Events are logged for web applications such as attempted access that is denied and search queries initiated by users.
- Events are logged for databases such as any query containing comments, changes to the database structure and modifications to data.
- For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded.
- An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements.
- Events are correlated across event logs to prioritise audits and focus investigations.
Having all these events in one place enables organisations to have complete visibility of their environment and verify that their protection controls work by examining security events. It can also be used to reduce false positives by correlating events from multiple sources and increasing the confidence in your security program.
Organisations can use cyber security detection capabilities to enrich their logs with threat intelligence data and discover advanced threats targeting their specific industry. It enables organisations as well to perform a rapid investigation in case of an incident.
Organisations with a dedicated security team can use the detection capability to perform threat hunting. Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your security controls.
Last but not least, with aggregated event logs organisations can utilise machine learning and advanced analytics to identify indicators of suspicious behaviours such as detecting observations or events that do not conform to the expected pattern of a given group of users. This capability helps counteract unknown vulnerabilities, internal threats and targeted attacks which cannot be detected by the standard detections nor controlled by existing controls.
Organisations have the right to be concerned about their cyber security posture and must take steps to manage the risk. However, this does not have to result in a complex process that costs tons of money. Improving cyber security posture is a journey. Start with a risk assessment and prioritise what to protect. Implementation needs to be balanced between security controls, mitigation strategies and detection capabilities to provide a cybersecurity assurance.
Skillfield is here to help. Skillfield is a cyber security consultancy company specialised in uplifting organisation’s cyber security detection and response capabilities by deploying Centralised Security Event Logging and Auditing, Security Orchestration, Automation, and Response (SOAR) and Endpoint protection solutions. Contact us today to assess the effectiveness of your security controls and identify what to monitor.
Author: Mouaz Alnouri