Let’s begin with a short story. Imagine that we have two large organizations in the public sector. These entities are very similar. Both are on the receiving end of cyber threats. Both adhere to multiple compliance standards. And both need to ensure that their IT systems are functioning and working as planned.
But they’re not entirely the same. Take Organization A, for example. This company has recently suffered a data breach, and its IT team is trying to figure out what happened and to plug holes. The organization is also working towards GPG 13 compliance while also trying to be PCI compliant; it needs to schedule a review of PCI policies towards that end.
Finally, the organization is struggling with the availability of its business-critical systems. Its teams keep trying to establish the root cause of this availability issue. However, doing so is proving to be time-consuming because the business processes involved suffer from a lack of accountability.
It’s an entirely different story for Organization B. This company has always been compliant, and it’s not worried about drift. When its business systems fail, it’s much easier for Organization B to figure out what happened and to quickly restore service.
All of this begs the question: how is it possible that Organization B is vastly different from Organization A? The answer is that the former is using foundational controls and the latter isn’t.
What Are Foundational Controls?
Foundational controls are basic measures that should ideally form the basis of any organization’s IT security posture. As such, they should constitute the foundation on which an organization bases the rest of its IT security strategy.
Let’s look at an example. In 2008, the SANS Institute developed a specific set of foundational controls before transferring them to the Center for Internet Security (CIS) in 2015. Today, these 20 security measures represent the starting point for organizations regardless of their size or type. Any organization can reduce their risk of a digital attack by 85% via implementing the first five CIS controls. If they implement all 20 controls, they could reduce their risk by as much as 94%.
Waking Up to the Benefits
Organizations clearly have a lot to gain in implementing security measures such as the CIS foundational controls. But if these defensive actions are so basic, why haven’t all organizations implemented them yet?
My belief is that organizations are undergoing a change in mindset. For a while, security was not a necessity for many organizations. That changed in a short amount of time when hacks, data breaches and malware attacks became more of the norm. Unfortunately, organizations focused much of their investment on preventative tools to stem the tide of attacks.
Only now are organizations beginning to evaluate the impact of their decisions. In the process, they’re realizing that they spent a lot of time and money solely on fighting fires. They now see that they failed to implement the security basics.
It’s Not Too Late
Fortunately, it’s never too late for organizations to implement foundational controls. Solution vendors such as Tripwire have tools that leverage these security measures to defend their customers. Typically, these controls fall into one of four categories: discovery, secure configurations, vulnerability management and log management.
This foundational control is all about what’s knowing on the network. Internet-connected devices are increasingly dynamic in nature. Virtual devices are constantly spinning up and down, for instance, and IP addresses are changing quickly. This makes it difficult to monitor and detect endpoints as they appear and disappear from the network.
That’s a problem. If they can’t monitor their endpoints, organizations can’t ensure whether all of their devices are compliant. They also won’t able to identify what shouldn’t be on the network and pinpoint how unneeded devices/unpatched software might be expanding their attack surface.
The vast majority of devices are insecure by default. Acknowledging this fact, organizations can leverage secure configurations to harden their devices and baseline their assets. Doing so will help them to detect changes and understand why those alterations might be good or bad. In the process, they’ll be able to distinguish a data breach from business as usual.
They can also determine when the bad change occurred. The issue here is that it takes time and resources to figure out what happened and to return affected systems to normal. Attackers can prey upon organizations in that span of time.
All unpatched devices and software are effectively an open door to an organization’s sensitive data. Of course, organizations need to direct their attention to patching these vulnerabilities. But the problem is that there are oftentimes too many vulnerabilities to patch and too few people to patch those security weaknesses.
Organizations, therefore, need a vulnerability management plan to help them to fix the biggest vulnerabilities first. One of the ways they can do that is by prioritizing each security flaw based upon the potential impact of a successful attack. Additionally, organizations also need to be aware of the types of vulnerabilities that attackers are attempting to exploit. Threat intelligence into the latest attack campaigns can shed some light on these malicious efforts.
Last but not least, organizations need logging in order to detect and investigate an incident. The problem is that logging is oftentimes turned off or manipulated, meaning that organizations don’t have the necessary information about an incident. Even when logging is enabled, vital information into a security incident could elude an organization, as logging solutions tend to create lots of information and alerts that take time for someone to analyze.
Fortunately, correlation and aggregation can alleviate some of the costs involved with logging. These processes can help give to organizations the necessary data that they need to figure out what happened. They can then leverage that same data to strengthen their security posture.
Building up the Basics
The motivation behind implementing foundational controls is simple: by doing the easy things well, the harder things become easier. In other words, by investing in foundational controls and making sure they’re enacted properly, organizations can reduce the difficulty involved with managing other aspects of their digital security. For information on how Tripwire’s solutions leverage foundational controls to keep customers safe, click here.