Most companies struggle when trying to identify a way to begin their cyber security efforts. Do we start with a tool? Or do we increase security expertise across the team? Finding the right way to begin our journey towards security can be intimidating at first, but once broken down into smaller steps, we begin to see that it’s far more approachable than we thought.
The first step is to understand where your attack surface sits and reduce it if possible. It may sound surprising, but many organizations do not have a full picture of their own attack surface. It gets even more challenging when asking whether that attack surface is documented and kept up to date. First, we perform an audit of your external systems, so that later efforts like scans and tests can be appropriately scoped. This effort should include technology staff, and all systems should be reviewed to ensure there is coverage. Think about it like a building, or even a home. Before we can spend time securing something, we first must understand the attack vector (the direction or route an attacker takes). In a building, it would make sense to secure the entrances, exits, and windows. In many cases, it may be cost-effective to reduce the attack surface by allocating additional resources to systems that may be underutilized. Kuma can help you do that; however, step one is identifying all the attack surfaces as they currently stand.
In a real-world scenario, you may have outside actors sending constant attacks at your network. The bad guys take no days off. It is possible that an attacker understands your own network better than you do. We cannot let that happen, so we must remain constantly vigilant to keep up with the threats that make their way to your gates (or inboxes).
The second step would be to audit what remains of your environment and perform a risk assessment. With a risk assessment, we can get an idea of exactly where risk sits in your organization and allocate resources to the areas that need additional controls. A risk-based approach provides a tremendous amount of agility when it comes to implementation, allowing your teams to focus on securing your infrastructure where it has the maximum impact. Thinking back to our building example, these would be things like door swipes and camera systems: passive and active systems that are used to control and monitor access.
The third step would be to harden and test against any identified issues. This is the fun part! Time to roll up our sleeves and get up close and personal with your environment. Now that we know where your risk sits, let us control that risk. Everyone knows there is no silver bullet to hardening your environment. There must be a layered approach that takes into consideration that a control (or multiple controls) may fail. When we go to test your systems, a combination of black-box and grey-box testing is used to help paint a clear picture at reporting time. With a combination of authenticated and unauthenticated scans, we can get the perspective of either an outside attacker or an insider.
Going back to our analogy, this would be like going out and hiring professionals to try to break into your building. We are trying to get a real-world idea of how the controls we put into place hold up. At the end of this process, we will have a detailed report on the successes and failures of our implementations. I’ve met some organizations that seem to be a bit scared of these reports, perhaps out of fear of documenting negative information. This is understandable, but it is absolutely the wrong approach. Remember: outside attackers are counting on exactly this hesitation, and are trying to gain a better understanding of your network than you have!
Lastly, initiate periodic reviews and a feedback loop. Ensure the process has a mechanism for continuous improvement. The technology landscape is changing constantly, and you can keep your network secure through these shifts by prioritizing a review annually (at the minimum). Key stakeholders from impacted pillars should be invited to participate and have an opportunity to provide insight and feedback. We can see the importance of this step when we hear in the news about catastrophic breaches at institutions that were slow to adopt and adjust their security approach. A consistent feedback loop combined with a healthy forum of stakeholders will make powerful progress toward a mature, agile security program. Reach out today to learn how Kuma can support you in building a strong security foundation and protecting your business.