Reframing Your Approach to IT Security Decisions
By Sean Gill, vCIO
The IT security landscape has continued to shift rapidly over the past couple of years. Threat actors leverage creative social engineering techniques, phishing and spoofing threats are continuously rising, zero-day vulnerabilities are exploited, and ransomware is at large. Businesses are more reliant on technology than ever before, and the industry continues to move toward SaaS (software as a service) solutions like Microsoft 365, shifting company data online and increasing the importance of adapting security best practices.
With rising threats and more at risk reputationally, financially, and operationally, it’s important that businesses adapt the way they think about security to meet these changing times. Taking an attitude of “if it ain’t broke, don’t fix it” or choosing to delay making changes “until it becomes a problem” can be devastating to a business.
Unfortunately, many companies still think that IT security breaches are a problem that only hits those unlucky few. But the reality is, the frequency and variety of threats turns the unlucky “few” into the unlucky “many”. Everyone knows a business that has experienced a compromise. We want to help you avoid becoming one of them.
Modernizing how we think about security
Business owners and decision-makers now find themselves more involved in the nuances of IT security decisions in ways that they didn’t used to be. If this is true for your business, you’ll know that one of the frustrating challenges is figuring out how to keep up with security and associated IT jargon, especially when your core focus is, appropriately, on running the business and servicing your clients.
As the nature of threats and risks to businesses continues to change, how you think about security should as well. In this article, we will give you a simple framework that aims to help you conceptualize IT security and serve as an outline for making decisions.
IT Security Framework: Prevention, Detection, Response
There are three key pillars to a thorough IT security framework: Prevention, Detection, and Response. Keeping these in mind when assessing IT security strategy can help ensure that in the budgeting and planning process, your organization doesn’t overload on one area and neglect another.
Prevention Pillar
Historically, this category is where IT security spending primarily occurred. These solutions were the first (and often primary) line of security against threats. It is still an important focus, but no longer to the exclusion of the others.
Think of your business like a house. This would be like ensuring your locks work and installing a strong gate. These tools are there to prevent a break-in.
Technologies and practices that fall under this pillar of “Prevention” include:
- Firewalls – Perimeter security that filters traffic between your network and the internet, allowing only the connections your rules permit
- Antivirus – Software that recognizes and stops known malware before it takes hold and spreads
- Password Policies – Rules on password length and reuse, screening new passwords against lists of known-breached passwords, and forcing a change whenever a credential is suspected to be compromised. Note that current NIST guidance (SP 800-63B) no longer recommends routine scheduled password changes, because they push users toward weak, predictable variations; change passwords on evidence of compromise, not on a calendar.
All these are examples of Prevention security and are still valid and necessary today. But now, in addition to these, it’s important to consider additional ways of preventing malicious actors from getting in and gaining a foothold. Multi-factor authentication (MFA) and behaviour-based Endpoint Detection and Response (EDR), which goes well beyond signature matching, are two of the most important additions to the stack.
Multi-factor authentication is an essential component of your security foundation, and for good reason. As the name suggests, MFA requires a user to prove their identity with more than one kind of evidence (a “factor”) when accessing company resources like your Microsoft 365 environment. Instead of relying on a password alone (which could be compromised), MFA combines factors from different categories: something the user knows, something they have, and, in some cases, something they are.
In practice this is some combination of a traditional username and password (something known), a one-time code or approval prompt on the user’s registered phone or a hardware security key (something they have), and, because most phones now include a fingerprint reader or facial recognition, a biometric check to unlock that device (something they are).
If your business requires MFA for access, an attacker who has only a user’s password is stopped at the second factor. That closes off the most common route into a business, a stolen or reused password, which is why MFA has shifted from nice to have to a baseline security standard across the industry. Two caveats are worth knowing. Push-notification MFA can be worn down by repeated prompts until a tired user approves one, so enable number matching and limit prompt frequency. And one-time codes can be phished in real time by a fake login page that relays the code to the real one within its validity window. Phishing-resistant methods such as FIDO2 security keys or passkeys close that gap and are the right choice for administrators and other high-value accounts.
Likewise, Endpoint Detection and Response (EDR) has changed what we expect from endpoint protection. Traditional antivirus was essentially binary: it reported whether a known-bad file was present, based on a list of signatures or some light heuristics. EDR moves beyond that. In addition to blocking known malware, an EDR agent continuously records what processes, users, and network connections are doing on each machine and feeds that telemetry into a detection and response platform that looks for suspicious behaviour (for example, a Word document launching PowerShell), often using machine-learning models alongside analyst-written rules. EDR is steadily becoming a baseline requirement: many cyber-insurance carriers now ask whether it is deployed before writing a policy, and some will not issue one without it.
Detection Pillar
While everyone hopes that their Prevention stack is sufficient to keep out all the bad guys, the way the threat landscape has evolved, that is no longer a safe assumption. Even with a good prevention stack, bad actors still find creative new ways in and then spend time in your environment observing patterns and trends, waiting for the right moment to make their move: exfiltration of data, ransomware, or account takeovers. The period between the initial compromise and the moment you detect it is known as “dwell time”, and shortening it is the whole point of the Detection pillar, which is arguably the next most important after Prevention.
A traditional antivirus scan only tells you whether a known-bad file is present right now. It won’t tell you that an attacker who got in with a stolen password, or who is using legitimate built-in administration tools, is still active in your environment. Without a detection tool like EDR that records activity over time, that trail is very hard to find.
EDR keeps a running record of what happens on each endpoint: how a bad actor got in, which systems and files were accessed, which processes were spawned and by what parent process, and which network connections were made. Stitched together, these events form a timeline of the intrusion, often presented as an attack story or process tree. (The stages of an attack as a whole, from initial access through to the attacker’s objective, are what security teams call the “kill chain”; the EDR record shows you where in that chain the intruder got.) This timeline shows exactly which processes ran or files were touched, which in turn allows for far more certainty when remediating. From it, you can determine whether a threat has been fully removed and which systems should be reviewed for compromise.
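The following added example, written for this article and not taken from any EDR product, shows in miniature what that process-tree record makes possible. It runs a few behavioural rules over constructed process-start telemetry (a user opens an e-mailed Word document, which launches an encoded PowerShell command, which loads a DLL from a user-writable folder), reconstructs the parent chain for each hit, and lists the descendants that an analyst should review. The event format, process names, paths and rules are all illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str       # time the process started
    pid: int
    ppid: int     # parent process id
    image: str    # executable name
    cmdline: str
    user: str


# Constructed sample telemetry (not real EDR output). PID 1 (the root) is not recorded.
EVENTS = [
    ProcEvent("09:00:01", 400, 1, "explorer.exe", "explorer.exe", "acme\\jdoe"),
    ProcEvent("09:12:10", 1204, 400, "outlook.exe", "outlook.exe", "acme\\jdoe"),
    ProcEvent("09:13:02", 1388, 1204, "winword.exe",
              'winword.exe /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"', "acme\\jdoe"),
    ProcEvent("09:13:05", 1402, 1388, "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", "acme\\jdoe"),
    ProcEvent("09:13:09", 1415, 1402, "rundll32.exe",
              "rundll32.exe C:\\Users\\Public\\x.dll,Run", "acme\\jdoe"),
    ProcEvent("09:30:00", 1500, 400, "chrome.exe", "chrome.exe", "acme\\jdoe"),
]

# Illustrative rule inputs: Office apps should not be launching script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("c:\\users\\public\\", "\\downloads\\", "\\appdata\\", "c:\\programdata\\")


def build_index(events):
    """Map pid -> event and ppid -> [child pids] so the tree can be walked both ways."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    return by_pid, children


def ancestry(pid, by_pid):
    """Executable names from the outermost recorded ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def descendants(pid, children):
    """Every process spawned, directly or indirectly, by pid: the scope to review."""
    out, stack = set(), list(children.get(pid, []))
    while stack:
        p = stack.pop()
        if p not in out:
            out.add(p)
            stack.extend(children.get(p, []))
    return out


def reasons_for(ev, parent):
    """Behavioural rules that a signature-based scanner would never fire on."""
    reasons, cmd = [], ev.cmdline.lower()
    if parent is not None and parent.image in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        reasons.append(f"{parent.image} spawned {ev.image}")
    if ev.image == "powershell.exe" and any(f in cmd for f in (" -enc ", " -e ", " -encodedcommand ")):
        reasons.append("encoded PowerShell command line")
    if ev.image in {"rundll32.exe", "regsvr32.exe"} and any(p in cmd for p in USER_WRITABLE):
        reasons.append(f"{ev.image} loading code from a user-writable path")
    return reasons


def find_alerts(events):
    """Run the rules over every event and attach the parent chain and review scope."""
    by_pid, children = build_index(events)
    alerts = []
    for ev in events:
        reasons = reasons_for(ev, by_pid.get(ev.ppid))
        if reasons:
            alerts.append({"pid": ev.pid, "ts": ev.ts, "user": ev.user,
                           "chain": ancestry(ev.pid, by_pid), "reasons": reasons,
                           "review": sorted(descendants(ev.pid, children))})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(EVENTS):
        print(a["ts"], a["user"], " -> ".join(a["chain"]))
        for r in a["reasons"]:
            print("   ", r)
        print("    also review pids:", a["review"])
```

The chain for the first alert reads explorer.exe -> outlook.exe -> winword.exe -> powershell.exe, which tells the responder in one line how the intruder got in (an e-mailed document) and what to look at next (everything that PowerShell went on to spawn). None of the files involved need to match a known-malware signature for this to fire.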
Let’s go back to the analogy of your business as a home. Advanced detection tools like EDR are like installing a security camera system. You can detect suspicious activity early, be alerted to it, and if there is a break-in, have clear records of what occurred.
Response Pillar
Responding appropriately to any given event is essential, in IT security as in every other area of life. This pillar includes the tools and resources you would employ should a breach occur. Responses range from small (a plan for removing all traces of a malicious actor) to large (hiring a forensics team, notifying clients, and filing an insurance claim).
An effective Response Pillar includes creating playbooks for how to respond in different scenarios. Does your Security team or IT Steering Committee need to meet? Are there any reporting requirements for clients? Does a Cybersecurity insurance claim need to be opened? Do Business Continuity or Disaster Recovery plans need to be implemented? These reactions can, and should, be thought about before they are needed. Table-top exercises with the Executive Team can be a great way to brainstorm about various scenarios and how the organization should act if they were to arise.
To continue the home security analogy, our locks and gate (Antivirus and MFA) attempted to prevent the break-in. But when that didn’t deter the invader, our security system detected that something was wrong, and the camera (EDR) recorded everything. After reviewing the footage (EDR data) and assessing what happened (was anything taken, was anyone hurt, is the intruder still there?), we can respond and take appropriate action.
Was the alarm triggered by suspicious activity (antivirus quarantined a malicious file) and no actual break-in occurred? Or was the incident serious (a Zero-Day exploit that allowed bad actors inside the network) and do we need to call for help?
We can see how the previous pillars of the security framework support our abilities in the Response pillar, especially the Detection tools: without EDR data, analyzing the risk and choosing an appropriate action becomes very difficult. Without that kind of clear insight, the organization may take actions disproportionate to what is needed, either overreacting and spending unnecessary time and resources, or underreacting and leaving itself open to more risk.
IT Planning
We all know that protecting our companies’ infrastructure is critical to the success of the business. The foundational requirements for securing your business have shifted to meet the demands of today’s current security landscape, and they will continue to change over time. If your business is part of an industry with inherently high-security compliance demands (like legal or medical businesses), it’s likely you’ve already been implementing modern tools to maintain the highest level of compliance. On the other hand, if your industry has less stringent security compliance regulations, your business may have historically viewed advanced security tools as “nice to have” but not necessary. Unfortunately, the reality of the world today makes that mindset a luxury that no business can afford.
The best place to start is by evaluating your current solutions with these three pillars in mind. With a better understanding of this framework, how does your security stack up? Has your organization implemented modern prevention tools such as MFA? Do you have an EDR solution in place to bolster your prevention and detection abilities? Have you mapped out a response plan? If not, the first step is discussing your security with your IT expert!
ABOUT THE AUTHOR
Sean has been shaping the IT strategies of businesses across a wide range of industries and sizes for over 10 years. As a vCIO at CIO Solutions, he works with business leaders every day to create a clear IT vision, mature technology solutions, and ultimately, enhance business productivity and security through technology.
He and the rest of the Strategic Client Services team at CIO Solutions are constantly evaluating important trends in the industry and advising clients on best practices and long-term IT strategies for success.
Are you a current client of CIO Solutions? Contact your vCIO or Customer Success Manager to continue the conversation around your IT security!
Not a client yet, but curious about maturing your IT security? Let’s talk!