Defense in depth

Building a solid cybersecurity environment

During a recent conversation, a potential client was lamenting how much technology has changed, making cybersecurity a challenge. While I understood her vantage point, I assured her that the sound recommendations we (and others in our industry) make today are eerily similar to the recommendations we have been making for the past 15 years.

It should come as no surprise to learn that, like most things, a strong foundation is timeless. It’s true that today there is a much broader awareness of cybersecurity issues, but does that mean that we’re doing a better job securing our systems? Unfortunately, it doesn’t seem that way. In fact, even with as much awareness as there is, there’s still a significant gap between organizations’ preparation and their ability to respond appropriately.

A sound foundation

Building a solid foundation is about establishing a control environment that both prevents incidents and allows you to detect them when they happen. It’s about adding layers of controls in the right places and not relying upon one or two “super” controls that you falsely believe will protect the organization. Too many organizations put in the latest and greatest “solution” only to learn that the latest security incident they experienced completely bypassed that solution. Left to wonder where to go from there, they set out looking for the next “holy grail.” Unfortunately, there’s no shortage of companies offering the ultimate solution that the organization will need.

Timeless recommendations

Rather than wasting resources on the latest and greatest technology, focus your efforts on designing an environment full of controls at all different levels within the environment. You may be surprised to learn that many of the best controls are very cost-effective, requiring little more than know-how and some configuration changes.

To get started, you need an inventory of the assets and an understanding of what needs to be protected: is it the data itself, is it preventing the use of the asset by an unauthorized individual, or something else? Each asset needs to be evaluated to determine how sensitive it is and how much effort should be spent to secure it.

Once those decisions are made, it is best to establish controls as close to that asset as you can. In this way, if a control higher up in the environment fails, you still have some protection around this asset.

I like to think of it as a lattice of controls throughout the organization, with each control offering a new and challenging obstacle that prevents an attacker from moving up, down and across the organization’s environment, or at least slows that movement down. It’s this defense-in-depth approach that offers the most effective protection.

Organizations such as the Information Systems Audit and Control Association and the Center for Internet Security offer best practice guides that assist organizations in developing effective control environments. Look to these timeless recommendations and skip the latest fads designed to move product.

Damon Hacker is president and CEO of Vestige Digital Investigations, a leading digital forensic company and IT security firm, engaged in helping organizations prevent and respond to cybersecurity issues.