Among organizations today, there’s not enough focus on where digital security matters, that is, setting up the challenge/risk. Let’s come right out and say it: if you haven’t been hacked yet, you soon will be.
This is not a surprise to you. You know this. We know this. Other companies know this. And yet, we saw WannaCry spread to hundreds of thousands of organizations via unpatched Microsoft vulnerabilities, Verizon and Dow Jones suffer data leaks due to misconfigured servers, and Equifax weather a breach at the hands of an unpatched vulnerability.
Many companies aren’t just standing idly by, however. They are now spending more and more trying to combat the ever-present threat of cybercrime. Worldwide, cybersecurity spending is increasing year on year and is expected to reach $170 billion by 2020.
So what’s going wrong?
No matter how big a fish you are, how big your budget is, or how much you spend on bolstering your defenses, if you’re not spending it in the right place, you are leaving yourself vulnerable to attack. Where should you be spending your budget? The basics would be a good place to start
Why is this so? Craig Lawson said it perfectly at Gartner Security & Risk Management Summit 2016:
New technology is interesting, but not at the expense of the basics. Look at what simple, fast and relatively easy things you should revisit. The data shows this actually will put a big dent in the problem.
At the end of the day, close to all commodity attacks can be prevented just by fixing the basics. And yet, too many organizations are letting foundational controls get away from them.
Too many companies think that by focusing on the latest, most advanced technologies, they can keep ahead of new cyber threats.
Of course, advanced technologies can be important as well and should be evaluated in the future, but foundational controls are where you need to start first to assure integrity and reduce the biggest portion of risk. Once these foundational controls are in place, you can add additional control capabilities – as your organization matures and your budgets allow/increase.
Companies should specifically look to foundational controls because they assure the integrity of their systems. Integrity is one pillar of the information security’s Confidentiality-Integrity-Availability (CIA) Triad.
Of the three pillars, integrity is the least understood and most nebulous because the original focus of integrity was limited to data. What many people don’t realize is it’s the greatest threat to businesses and governments today because an integrity compromise can mean far more than data loss or corruption – it can result in catastrophic system failure (think critical infrastructure).
The cybersecurity industry remains overwhelmingly focused on confidentiality. Its mantra is “encrypt everything.” The security paradigm remains focused on perimeter defense, and network security seeks to protect those endpoints with firewalls, certificates, passwords, and the like, creating a secure perimeter to keep the whole system safe.
This is noble and essential to good security. But without integrity, or assessing whether the software and critical data within your networks and systems are compromised with malicious or unauthorized code or bugs, the keys that protect encrypted data are themselves vulnerable to malicious alteration. To address threats, security experts should assume compromise – that hackers and malware already have breached their defenses or soon will – and instead classify and mitigate threats.
Towards that end, an integrity solution acts less like locks and more like an alarm. It monitors all parts of a network from the access points at the perimeter to the sensitive data within it and provides an alert if something changes unexpectedly.
Tripwire offers an integrated suite of foundational controls that deliver integrity assurance. Our solutions for vulnerability management, asset management, configuration management and change monitoring address the integrity management needs of IT Security. They also help IT in many other ways:
- Know what assets you have and which ones to fix first
- Know the environment is in a known and trusted state—detect changes in real-time
- Detect and correct integrity drift
- Automate compliance on a continuous basis and reduce related costs
- Reduce MTTR by quickly identifying root causes of incidents
The simple fact is, when implemented properly, integrity management can prevent the majority of breaches from happening. The result you get from investing in foundational controls for integrity is FAR fewer incidents.
It’s time to stop looking for the silver bullet and focus on pragmatic actions. That process begins with assuring integrity via foundational controls.
As I noted in my previous article, companies should use foundational controls to assure integrity of their software and critical data – doing so can help prevent many data breaches and security incidents from occurring in the first place.
That’s not all that integrity driven by foundational controls can accomplish. Here are two more benefits organizations can enjoy when they give integrity the attention it deserves:
INTEGRITY CONNECTS SECURITY AND OPERATIONS
Security and operations personnel have different priorities. The former care about confidentiality, or the need to protect critical information in valued systems. Meanwhile, the latter cares about availability and uptime, all in an effort to keep those systems running.
Fortunately for companies, integrity connects operations and security together. It does so via foundational controls, security measures which both address vulnerabilities and changes that commonly cause downtime as well as reduce the attack surface that can lead to system compromise.
As a result, integrity can help both groups ensure that critical systems operate continuously in a known and trusted state.
INTEGRITY CAN HELP COMPANIES ADDRESS SECURITY AND COMPLIANCE
Enterprises commonly use frameworks to address their security and compliance needs with NIST, CIS, PCI, NERC, GDPR, and other standards. What they don’t know is that many of those frameworks focus on foundational controls that drive integrity.
For example, the first six of the Center for Internet Security’s (CIS) critical security controls (CSCs) can help an organization prevent incidents and reduce risk; five of those six measures align with integrity management as I’ve described it.
By implementing these tools first, an organization can prevent a majority of breaches, achieve compliance, and pass its regulatory audits.
Going the Distance
Many organizations do have at least some foundational controls in place but don’t go far enough with their implementation. These enterprises frequently embrace a strategy that focuses only on the critical assets like your PCI or PII servers. It ensures the integrity of these assets because of auditors’ greater degree of focus on them, but it doesn’t address the cumulative risk of leaving other assets uncovered.
Extending integrity management to more of the assets you manage enables you to reduce your overall attack surface and address more of the cumulative security and operational risk you have. With that said, those companies that have embraced suitable cloud-computing architecture need to ensure they’ve deployed the same level of security, compliance, and operational controls in the cloud as is required for their on-premises systems.
Why? The cloud is not secured by default. Cloud providers’ focus is security of the cloud. However, customers are responsible for security in the cloud.
FOUNDATIONAL CONTROLS SHOULD BE YOUR FIRST BUDGET CONSIDERATION
We know you have a hard choice to make when it comes to spending your security budget. Going back to basics might seem like a step in the wrong direction. But spending more and more money on the latest technology to solve security problems will often only lead to a false sense of security, a more complicated IT environment, and bigger problems in the long run.
When it comes to budget decisions, foundational controls for integrity assurance should be your first investment for effective security and operations. Tripwire recognizes this fact, which is why its integrity solutions are focused on three aspects of the organization:
- Security controls that leverage industry standard frameworks like NIST and CIS;
- IT operations controls that help organizations maintain their infrastructure and configurations for continuous operations; and
- Compliance coverage that offers one of the most extensive policy libraries in the industry.