If we were hoping for news related to breaches to slow down now that we were out of 2012, it looks like we’re already out of luck, even though we aren’t out of January. Seeing Symantec and Zappos in the news already this year can make those responsible for protecting their organizations feel like there’s no way forward. I happen to be more optimistic than that, but I’m not Pollyanna: this business is like eating an elephant. You can only take so many bites at a time, and you had better be prepared to stay awhile.
Something we hear a lot at Tripwire is “Where do I begin?” My personal philosophy is to begin at the heart and work your way out from there. Do you know what the single most important thing to your company is? The set of items that, if stolen, could ruin the company? Do you know where that sensitive data is? Can you recover that data if something happens to it? If yes, you are already on the right track. Once you know the answers to those questions, you can do a lot with that knowledge. You can make sure the most important things don’t migrate into less secure areas or devices. You can build good layered protection and backup strategies around the sensitive data, using a wide range of tools that have come a long way in the last decade (inventory tools, DLP, network tools, and so on).
Obviously, security doesn’t stop with securing that sensitive data; but if you start there, you can expand outward. Ideally, you can do it in a way that doesn’t produce meaningless, unenforceable policies that confuse your end users. The worst situation is to write detailed security policies with no way of knowing how you’re doing against them. A great example of this for many organizations is their mobile device policy. I doubt there are a lot of companies that want you putting sensitive data on a mobile device. However, as soon as BYOD is prevalent and you let employees put corporate email on their devices, it becomes very hard to know whether something you wouldn’t want to lose is already in the wild.
I like to think of this next stage as preventive maintenance. Just like all the health recommendations say: eat right, see your GP and your eye doctor on a regular basis, and always have a will. Eat right: make sure your perimeter defenses look for things that shouldn’t be on your network. General practitioner visits: make sure all the security tools you have are on, up to date, and regularly reviewed to confirm they are still configured correctly for your changing environment. Eye doctor: for mobile devices, where reasonable technology exists you can always provide encryption, and keep good hygiene around your laptop and computer use policies. Always having a will is about what your organization will do when the unthinkable happens. Have a holistic, realistic and detailed plan for breach response. While everyone wants to think they’re prepared, the true test is always what happens after an event, and it’s a lot easier to follow a well thought out script than to make up the right response on the fly.
Just like eating an elephant, there will always be some things you can’t digest. However, security is a process, not a destination, so keep an eye on how far you’ve come. For every security measure you put in place, find a way to distill what you’re learning and share it across the organization, so other people can buy in and help create an environment of continuous, measured improvement. If there’s a tribe of you eating an elephant, it goes a LOT faster. Here’s to successful dining with friends!