The issue with most organisations is that they are waiting for that ‘Edgar (Hoover)’ moment: “We’ve never had anything happen in the last five years, so why should we be worried…”
What you spend on your security is based upon that balance of risk and reward and all of that ‘return on investment’ stuff. But there comes a time when that fundamental human trait of common sense needs to be applied.
Has the threat changed? What is happening in the rest of the world, or even in your industry? Situational awareness, anyone? Is there such a thing as being 100 percent secure? No. The trick is to introduce sufficient challenge to would-be attackers to put them off or deter them. If the principles we apply to our security investment relate to risk and reward, our attacking friends have a similar, if not too dissimilar, agenda with one additional attribute: the effort required to pwn you.
Many organisations invest in monitoring controls, paying through the nose for Security Operations Centres (SOCs) which are supposed to monitor the network, alert on suspicious activity and assist in containing suspected attacks. Sadly, organisations don’t spend enough time understanding what constitutes suspicious or abnormal behaviour in their own environment. What actually gets put in place is a ‘vanilla’ service that takes no account of the organisation’s unique business activity.
Nothing to report here.
A vicious circle ensues: a clean bill of health is reported up the chain, while everyone remains oblivious to the pwnage going on in the background. This presents a false sense of security and allows organisations to become complacent until… Boom! The headlines point to a serious breach.
Know your business!
This might sound simplistic, but sometimes the most fundamental aspects of security are the most neglected. Having a SOC is great, if it is well briefed and properly integrated into the organisation’s incident management regime. But part of that integration is an analysis, with the right people (the business users), of what constitutes established, understood and good behaviour. Deviations from that good behaviour form the basis of what needs to be monitored and, more importantly, alerted on.
The nub of the matter is that if you have an online presence and your business matters, you need some form of logging, monitoring and alerting in place. This may or may not involve a SOC, but it is the organisation (not the SOC provider) that needs to take the initiative and decide what is important enough to be included.
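To make the ‘vanilla service’ versus ‘business baseline’ point concrete, here is an added example (not code from the original post). It runs two sets of rules over a handful of constructed authentication log lines: a generic threshold rule of the kind a vanilla SOC ships with, and a set of rules derived from a hypothetical baseline the business users supplied (which accounts are staff, which network and hours they work from, which host and schedule a batch service account is tied to). The log lines, the account names and the baseline values are all made up for the illustration.

```python
"""Baseline-driven alerting versus a generic 'vanilla' rule.

Added example: the log lines, account names and baseline below are
constructed for illustration, not taken from any real environment.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    action: str  # "login_ok" or "login_fail"


# Constructed sample log: "<ISO timestamp> <user> <source IP> <action>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice 10.20.1.15 login_ok
2024-03-04T09:40:22 bob 10.20.1.33 login_ok
2024-03-04T02:00:05 svc_batch 10.30.0.7 login_ok
2024-03-04T03:17:44 alice 198.51.100.23 login_ok
2024-03-04T11:05:10 svc_batch 10.20.1.90 login_ok
2024-03-04T11:06:00 bob 10.20.1.33 login_fail
2024-03-04T11:06:30 bob 10.20.1.33 login_ok
"""

# Hypothetical baseline agreed with the business users: who the staff are,
# where and when they normally work, and what the batch account is for.
BASELINE = {
    "staff": {"alice", "bob"},
    "office_net": ip_network("10.20.1.0/24"),
    "office_hours": range(8, 18),  # 08:00-17:59 local time
    "service_accounts": {
        # svc_batch only ever runs from one host, in the 02:00 hour
        "svc_batch": {"from": ip_network("10.30.0.7/32"), "hours": {2}},
    },
}


def parse_log(text):
    """Parse the whitespace-separated sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, src, action))
    return events


def vanilla_rules(events, fail_threshold=5):
    """Generic rule: alert only when a user racks up N failed logins."""
    fails = {}
    for e in events:
        if e.action == "login_fail":
            fails[e.user] = fails.get(e.user, 0) + 1
    return [{"user": u, "reasons": [f"{n} failed logins"]}
            for u, n in fails.items() if n >= fail_threshold]


def baseline_rules(events, baseline):
    """Alert on any successful login that deviates from the business baseline."""
    alerts = []
    for e in events:
        if e.action != "login_ok":
            continue
        src = ip_address(e.src)
        reasons = []
        if e.user in baseline["staff"]:
            if src not in baseline["office_net"]:
                reasons.append("login from outside office network")
            if e.ts.hour not in baseline["office_hours"]:
                reasons.append("login outside office hours")
        elif e.user in baseline["service_accounts"]:
            profile = baseline["service_accounts"][e.user]
            if src not in profile["from"]:
                reasons.append("service account used from unexpected host")
            if e.ts.hour not in profile["hours"]:
                reasons.append("service account used outside its schedule")
        else:
            reasons.append("account not in business baseline")
        if reasons:
            alerts.append({"ts": e.ts.isoformat(), "user": e.user,
                           "src": e.src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("vanilla service:", vanilla_rules(events) or "nothing to report here")
    for a in baseline_rules(events, BASELINE):
        print("baseline alert:", a)
```

On this sample the vanilla rule reports nothing, because a single failed login never reaches its threshold; the baseline rules flag the staff login at 03:17 from an external address and the batch account being used interactively from an office workstation during the day. Neither of those is ‘suspicious’ in any generic sense, which is exactly why the business, not the SOC provider, has to define what normal looks like.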
If an attempt has never been made to gain unauthorised access to your environment, you are one of three things…
…s*it happens, and if someone has sufficient capability and motivation, they will get in. Organisations need to start thinking about how they can reduce the impact of a breach and manage the spread of the brown stuff…