In this discussion, we delve into the strategies and considerations for small and medium-sized businesses (SMBs) looking to implement continuous security validation programs. With evolving cyber threats targeting organizations of all sizes, adopting proactive security measures is crucial for safeguarding digital assets.
Here is the discussion:
Brad: ...exercise, so just running that for a couple of hours a day for a month, or whatever period. A good example that I have come up with over the years is getting an elementary school or grade school, getting a bunch of children ready for a fire drill. If you remember going through that when you were younger: the fire alarm goes off and everybody kind of freaks out and doesn't know what to do, and then as you go through these rehearsals you identify, okay, when the alarm goes off we get in single file, we go outside, we make sure everyone is safe and out of the building, we make sure everything is right, and once the firemen come, then it's safe to get back in. You have to treat it like that; effectively it is a fire in your organization. Doing these fire drills, doing these practices, doing tabletop exercises and identifying what route we are going to take, and putting that on the wall, putting it in the break room: in the event that there is a ransomware attack, you unplug your computer and report it to security immediately. Then having the actual templates for how you are going to communicate that internally and externally, and having each of those different phases. The continuous aspect of this is making it better over time. When I was a functional manager, one of the key things I was telling my employees was: improve every day. Those micro little actions over a period of time will actually start moving you up the security maturity levels, going from a one to a two, a two to a three, and so on, by looking at those different weak points. Where attack surface management comes in is that it helps you identify those weak points and then helps you really prioritize them and turn them into an action plan. So you have your current state, and then collectively you and the stakeholders you have in your company have a desired state, and in the middle is that crawl, walk, run and the project plan that gets you there. That's what works the best. I've worked with hundreds, maybe thousands, of organizations over the years, and this is the very simple approach that works really well. You can't just throw a bunch of technology at it; it has to be a mix of people, process and technology. There has to be governance around it, you have to have modernized technology to help, especially on the automation side, to make it continuous, and then actually having people with the skill set and being able to level up those resources to be effective in their job and their role.

Bikash: Yeah, that's a great point. Crawl, walk, run, and that's probably the only way to run.

Brad: Yeah, you're gonna get there.

Bikash: So let me bring this up more in the context of small and medium-sized businesses. For those who don't have access to all these latest and greatest ASM and CART tools etc., and may not have that number of people to run them, how do you think an SMB should approach continuous security validation? Because today the attackers are targeting SMBs more or less in the same manner as anybody else; on the internet, for a ransomware guy, it's the same IP, so they just target every single IP address across the globe. So how do you think SMBs should approach building a continuous security validation program?

Brad: Yeah, my advice is the same process, but think smarter, not harder. Really what it comes down to is, it comes right back to the attack surface, but being strict and being open and saying: do we really need this? A good aspect of it is, you talked about the attack surface getting into areas where now we have IoT and endpoints and more things that are interconnected with the cloud and more exposed; it's no longer just a network perimeter, especially in these smaller organizations. They have all these endpoints and all these different aspects, and having their environment be hardened, and then implementing network segmentation and breaking off those components. A good example, going back to the house analogy: if someone breaks into my house and I lock each individual door within my house, which is the equivalent of having segmentation, it hardens the internal aspect once they actually break in, so the overall impact that exists is greatly reduced. That's really the fundamentals around the attack surface management component. The advice I've given organizations is: if it doesn't need to be in your environment, then don't have it in your environment. So, for example, not having any kind of URL filtering or any kind of blocked websites: you shouldn't be able to go to whatever website you want if you're working in a corporate environment on a corporate machine. That's a very common mistake organizations make; they don't have any policies around what people can and can't access. In some work environments it's not appropriate and doesn't make sense from a security perspective to have access to social media, or for typical regular users to have administrative access so they can download whatever programs they want. I can think of over a hundred examples where that was commonplace, and organizations have come to me and asked, is it a best practice to not have the end user have access to administrative rights? And it's like, well, yeah, absolutely, and that's an easy fix; it doesn't cost anything to do that. It's not a bona fide business need for them to have it, and it greatly reduces your security risk. Once you start adding in things like multi-factor authentication, stricter password rules, and password resets, having the segmentation aspect where you're locking each individual door, and then constantly checking and doing these monitoring aspects and having these different exercises with red teams, with more in-depth focus on specific use cases: like, this month we're going to go in and just validate that we can respond to a phishing attack, or a ransomware attack, or someone taking advantage of a vulnerability in our server architecture. And there's a lot of open source software out there too; there are pros and cons to that, but there are a lot of tools out there, and a lot of organizations are actually moving towards a product-led growth type approach where they have a freemium level version of their product. Those are definitely things they should absolutely take advantage of; there are tons of tools out there that they can get exposure to and get access to, especially if they're tight on budget. The other thing is to prioritize consolidated solutions. With the advent of endpoint protection platforms, extended detection and response (XDR), and a lot of the MDR (managed detection and response) and managed services out there, I would certainly prioritize an all-in-one type approach. It's not necessarily the best of breed in all the different categories, but you can identify certain areas that are the most important to you and implement that, and you get the biggest return on your investment. Then over time you can start weaving in best-of-breed solutions as you get more budget, you get more mature, and you move up those security maturity levels.

Bikash: So Brad, you made a few great points which I believe are very, very helpful for these small and medium-sized businesses. One point you mentioned was that you can start crawling with open source tools. Of course open source tools have their pros and cons, but if you have somebody who has some bandwidth, that's a great way to start, and there are a lot of such open source tools out there. The second very interesting broad-level strategy you mentioned is finding those solutions which have multiple things together rather than going for a single specialized thing; look for Swiss Army knife kind of stuff which has multiple things together. Those are some really, really great points. Let's move to the next part. You have seen all of these organizations which have matured over a period of time, and you have seen across various breadths of industry, so what have been some of the key things you noticed as the common success factors, as well as common mistakes, when it comes to implementing continuous security validation?

Brad: Very good point, and I'll preface this by saying the answer is unique to every single organization. It heavily depends on the nature of the business, the culture, unfortunately budgets, and having that strategic alignment between the overall organization's financial goals and their security goals. As part of that, you ultimately want to prevent attacks from happening in the first place, and there are key metrics you can identify where you're able to reduce those attempts in the first place. The equivalent of this would be, let's say, at 2 o'clock in the morning you hear someone knocking on your door, between the hours of 2 and 3 a.m., and although they're not getting in, that's the equivalent of reconnaissance; they're basically trying to probe and identify areas that you're in. Those might be something as simple as firewall deny logs that might be of interest, and so on and so forth. Anything you can do to identify those areas and eliminate them or reduce them is a key metric that you want to have. The other thing is, in the event that you actually have an incident, or that you have a breach or someone's in your organization, then the number one thing is to detect them as soon as possible, overall reducing what's called the dwell time, the amount of time that attacker is in your house, effectively. You want to investigate it as quickly as possible, you want to eradicate it as quickly as possible, and you want to address what the core entry point was in the first place and then fix it so it doesn't happen again. Those are key fundamentals. And that's where the biggest challenge is: organizations just don't have the visibility they require to get to those points. Those are certainly very key. The other key point organizations get into is, with a lot of the monitoring and doing these different assessments, ultimately they're trying to find a needle in a haystack, which is a common analogy. Unfortunately, what organizations will do, especially early on, is add more and more hay with the idea that they will have better visibility. Unfortunately, that actually makes things more difficult, because it's more difficult to find the needle. So as a key metric, focus and priority area, it's definitely a best practice to eliminate the noise and eliminate all that excess hay so you can find these needles faster, and eventually get to the point where you're actually able to categorize the individual needles, so you can identify a needle within a stack of needles that's relevant to the specific use case you have. Because what will happen with advanced persistent threats is they'll come back time and time again, and unfortunately one of the key things that ends up happening, especially with ransomware attacks, is organizations will recover and implement a backup, or basically get to a steady state, but they won't address the main entry point that the attackers used to get in. So all they do is come right back in. That's why paying a ransom doesn't really work: a lot of times organizations don't address the core entry point, and once the word gets out, then it's open season; you might have multiple different criminal organizations looking to get into your environment. And there are metrics you can build around all of those things, like reducing false positives, reducing false negatives, and overall measuring.
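The two metrics Brad describes at the end of the discussion, counting the "knocks on the door" seen in firewall deny logs and cutting the excess hay so the real probes stand out, can be turned into a small, repeatable script. The following is an added example and is not code from the discussion or from either speaker; the log line format, the RFC 5737 documentation addresses, the allowlisted scanner 192.0.2.9 and the MIN_PORTS threshold are all assumptions made for the illustration. It aggregates constructed deny-log lines per source, suppresses sources that are supposed to be scanning (an authorised vulnerability scanner is hay, not a needle), drops single-hit internet background noise, and reports the number of distinct probing sources per day, which is the trendable number an SMB can put on a dashboard and try to drive down.

```python
import re
from collections import defaultdict

# Constructed sample data in a hypothetical "ts DENY src= dst= dport=" format
# (an assumption for this example, not any vendor's real log format). One
# external source sweeps six ports between 2 and 3 a.m., the authorised
# internal scanner 192.0.2.9 sweeps five, one source is denied a single time,
# and on the next day a second external source probes five SSH-like ports.
SAMPLE_DENY_LOG = """\
2024-05-01T02:10:05Z DENY src=203.0.113.7 dst=198.51.100.10 dport=22
2024-05-01T02:10:06Z DENY src=203.0.113.7 dst=198.51.100.10 dport=23
2024-05-01T02:10:07Z DENY src=203.0.113.7 dst=198.51.100.10 dport=80
2024-05-01T02:10:08Z DENY src=203.0.113.7 dst=198.51.100.10 dport=443
2024-05-01T02:10:09Z DENY src=203.0.113.7 dst=198.51.100.11 dport=3389
2024-05-01T02:10:10Z DENY src=203.0.113.7 dst=198.51.100.11 dport=445
2024-05-01T02:30:00Z DENY src=192.0.2.9 dst=198.51.100.10 dport=22
2024-05-01T02:30:01Z DENY src=192.0.2.9 dst=198.51.100.10 dport=80
2024-05-01T02:30:02Z DENY src=192.0.2.9 dst=198.51.100.10 dport=443
2024-05-01T02:30:03Z DENY src=192.0.2.9 dst=198.51.100.10 dport=8080
2024-05-01T02:30:04Z DENY src=192.0.2.9 dst=198.51.100.10 dport=8443
2024-05-01T14:02:11Z DENY src=203.0.113.50 dst=198.51.100.10 dport=443
2024-05-02T02:05:00Z DENY src=203.0.113.8 dst=198.51.100.10 dport=22
2024-05-02T02:05:01Z DENY src=203.0.113.8 dst=198.51.100.10 dport=2222
2024-05-02T02:05:02Z DENY src=203.0.113.8 dst=198.51.100.10 dport=22222
2024-05-02T02:05:03Z DENY src=203.0.113.8 dst=198.51.100.10 dport=2200
2024-05-02T02:05:04Z DENY src=203.0.113.8 dst=198.51.100.10 dport=2022
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Assumed tuning knobs. Sources that are *supposed* to probe us (vulnerability
# scanner, pentest box) are excess hay; a source that touches fewer than
# MIN_PORTS distinct ports is ordinary internet background noise.
ALLOWLIST = {"192.0.2.9"}
MIN_PORTS = 5


def parse_deny_log(text):
    """Return (date, src, dst, dport) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"][:10], m["src"], m["dst"], int(m["dport"])))
    return events


def summarize_sources(events):
    """Per source: number of denies and the distinct ports and hosts it touched."""
    summary = defaultdict(lambda: {"hits": 0, "ports": set(), "hosts": set()})
    for _, src, dst, dport in events:
        summary[src]["hits"] += 1
        summary[src]["ports"].add(dport)
        summary[src]["hosts"].add(dst)
    return dict(summary)


def classify(summary, allowlist=ALLOWLIST, min_ports=MIN_PORTS):
    """Split sources into (flagged, suppressed_as_allowlisted, dropped_as_noise).
    Flagged sources are ordered by how many distinct ports they probed."""
    flagged, suppressed, noise = [], [], []
    for src, s in summary.items():
        if src in allowlist:
            suppressed.append(src)
        elif len(s["ports"]) >= min_ports:
            flagged.append(src)
        else:
            noise.append(src)
    flagged.sort(key=lambda src: (-len(summary[src]["ports"]), src))
    return flagged, suppressed, noise


def daily_recon_metric(events, allowlist=ALLOWLIST, min_ports=MIN_PORTS):
    """Distinct probing sources per day after noise reduction: the number of
    'knocks on the door' to trend over time and try to drive down."""
    per_day = defaultdict(list)
    for ev in events:
        per_day[ev[0]].append(ev)
    return {day: len(classify(summarize_sources(evs), allowlist, min_ports)[0])
            for day, evs in sorted(per_day.items())}


if __name__ == "__main__":
    evs = parse_deny_log(SAMPLE_DENY_LOG)
    flagged, suppressed, noise = classify(summarize_sources(evs))
    print("flagged:", flagged, "suppressed:", suppressed, "noise:", noise)
    print("recon sources per day:", daily_recon_metric(evs))
```

On the constructed input the script flags 203.0.113.7 and 203.0.113.8, suppresses the allowlisted scanner and discards the single 443 deny as noise, so each day reports one reconnaissance source rather than the raw deny count. The same structure extends to the later metrics mentioned (false positives and false negatives): keep the allowlist and threshold under version control and revisit them after every exercise, since a threshold set too high is a false negative and an allowlist entry nobody owns is a blind spot.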
Speakers:
Bikash Barai is credited with several innovations in the domain of network security and anti-spam technologies and holds multiple patents in the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums such as TiE, RSA Conference USA and TEDx.
Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and is now part of Synopsys. iViZ was the first company in the world to take ethical hacking (or penetration testing) to the cloud.