Shining a Light on Visibility for Enhanced Security Posture

Originally published by Alert Logic here.

Written by Tom Gorup, Vice President of Security and Support Operations, Alert Logic by HelpSystems.

Security posture is a largely obscure phrase. It’s used in the industry but if you ask 10 different people what security posture means, you’ll get 10 different answers. Given businesses expansive, ever-changing environments, understanding the makeup of your security posture is critical to the success of your security program.

In my blog, Lessons from the Battlefield to Help Improve Your Security Posture, I shared how experience has taught me there are three pillars to security posture: visibility, exposures, and threats. Visibility is the foundation of your security posture. Simply put, you can’t protect what you can’t see.

Illuminating Your Environment

In the military, the term “illum” refers to the moon’s illumination. It’s described by a percentage, e.g., “0% illum” or “100% illum.” The varying percentage of illumination comes with its positives and negatives. If there’s too much illum, we lose the advantage of our night vision goggles (NVGs). On the other hand, if there’s not enough illumination, our NVGs are useless. NVGs work by amplifying ambient light — when there’s 0% illum, they’re useless. This is not unlike our security technology. If we have no visibility into an environment, our ability to protect it is severely impacted. Once again, you can’t protect what you can’t see.

Visibility starts with gaining a solid understanding of the resources and assets that currently reside within your environment and ends with a continuous detection of change. During the initial discovery process, it’s not unusual — in fact, it’s almost the norm — to uncover numerous assets the business was not aware they had. We also know that assets are constantly coming online and going offline. Without the right people in an organization being aware, they will go unprotected and be at risk. Visibility isn’t a point-in-time process, it must be continuous.

A deep dive into uncovering assets is similar to putting on night vision goggles in a very dark valley; you often are presented with some scary facts about your surroundings. This includes how and where you’re exposed or being attacked. Turning a blind eye to visibility gaps within the environment will result in detrimental outcomes.

Some questions you should address during initial discovery include:

• In what areas are we accepting or unwilling to accept risk?
• How far into our end user’s world are we willing to go — down to the mobile device or is the laptop good enough?
• Can we cover our SaaS applications?
• What are our limitations to preventing or detecting threats in these environments?
• What tools will deliver what type of protection, and how is it delivered?
• Will we manage it ourselves or find a managed solution — like a managed detection and response (MDR) provider — to help us manage our security?

Tug of War Between Security & Privacy

Securing a digital environment comes with its own unique set of complexities. In short, security posture cannot be successfully managed in a vacuum; it’s truly a team sport that must be managed throughout the business. As an example, during your discovery process, one challenge you may run up against is privacy versus security. Just as in our personal lives, businesses also must strike an agreed-upon balance between privacy and security. There are many factors in determining that healthy balance of reasonable privacy and the security of the business.

Let’s get technical for a second. For example, if your business is using Diffie-Hellman for encryption (also known as asymmetric encryption or public-key cryptography), your security team’s ability to inspect that traffic is significantly impacted. Options exist to allow inspection but all of them require downgrading the encryption level to allow for inspection. As the business is making its way through discovery and planning, it must be aware of what it means to use this type of technology to ensure there is an informed decision on privacy levels versus security.

Visibility Challenges

In addition to encryption as a roadblock to visibility, other challenges include:

• Agent installation: Agents are not installed or misconfigured.
• Resource utilization: Not enough people or technology resources (overutilized firewalls, appliances, etc.) to create and maintain security posture.
• Network configuration: Poorly configured network devices that inhibit the ability to identify threats, which hinder investigations into an attack’s origin and destination.
• Asset discovery: New resources constantly are spun up and down.
• Architecture: Internal architecture does not take monitoring into consideration.

Even after your team answers every question, weighs out its options, and feels there is clear visibility of all of your assets, your work isn’t done. Visibility is an ongoing process for your security posture. You must be committed to visibility for newly deployed assets, prioritizing architecture decisions to ensure increased visibility and reduced exposures, and always working to ensure your security technology is properly deployed throughout your environment.

Increasingly organizations have come to depend on managed detection and response (MDR) providers that can constantly run discovery scanning to identify newly deployed assets, assess security controls and provide clear steps to remediate any visibility gaps.

An MDR provider works as an integral part of your security team to provide visibility to the most pressing threats which could impact an organization and the ability to respond quickly and effectively.

About the Author

Tom Gorup is Vice President of Security and Support Operations at Alert Logic by HelpSystems and leads Alert Logic's global Security Operations Centers. Prior to joining Alert Logic, Tom served as co-founder and Director of Security Operations for Rook Security where he oversaw its Managed Detection and Response services and developed proprietary security operations management technologies for organizations ranging from fast-growing startups to Fortune 100 companies. Tom has been quoted in numerous industry journals and media outlets including The New York Times, Forbes, CNBC, Bloomberg, and Dark Reading. He has also been a featured speaker at (ISC)².