Cyber Security is easy, right? – It’s time to walk upstream.

When looking to make improvements, or implement a new control, it’s common to want to do it “properly”, as we have the best intentions and want to do a good job. We can see the issues, have identified our opportunities for improvement, and certainly don’t want to do anything half-baked. We’ve read up on frameworks and best practice, and have our plan approved and ready to go.

Of course we want to do things properly, what’s the problem with that?

Often that desire to do things “properly” means trying to do too much at once, and this unfortunately can set us up to fail. We set the scope too wide to encompass all the issues we want to fix, which often means our goals aren’t realistic. “While we’re doing that we may as well do this”.

We need to think “continual incremental improvements”, and not “we need to fix this”.

Yes, stop focusing on “fixing things”. Why? Because we can’t fix it. Everything in cyber security moves so quickly, and so often, that even if our large projects run smoothly, on time and achieve their initial goals, the original issue we were trying to fix is now different to when we first started.

Fixing is also too focused on reactive measures. We need to focus more energy on building (implementing) securely by default so that, as a result, we have less to “fix”. “Fixing” implies waiting for an issue and then resolving it, whereas we should be focusing on removing the root cause as often as possible by implementing better secured systems by default.

We remove root causes with continual incremental improvements, and secure by design methodology.

Let’s address the elephant in the room: yes, this is very difficult, in fact more than very difficult in some cases, and there can be a lot of resistance within organisations to this approach. The other big issue is that “cyber” teams need to be working outside of their perceived lane to achieve this. It’s much easier for a cyber team to implement a requirement for a new SIEM, as this sits outside the IT teams and requires little input from other teams other than to assist with onboarding the log sources or providing infrastructure support. The cyber team can then configure the alerts and reports they want to their heart’s content. It’s relatively low impact to IT teams.

However, hardening the base Windows 10 endpoint configuration, enforcing application controls, and Attack Surface Reduction rules (ASRs) requires some heavy lifting, skilful negotiation with IT teams, and meticulous testing of new configurations across all teams within the organisation.

But which of these will provide the best return?

The primary focus seems to be detection and remediation, rather than prevention.

This is not surprising: trying to implement what is mentioned above is a huge undertaking if turned into a project where the intent is to do it all at once. However, we do not have to do it all at once. Too often cyber improvements are seen as projects rather than business as usual (BAU). We can select a single ASR rule and work towards implementing it, then the next, then the next; it’s not a project, it’s BAU. If you manage to implement half of them before you hit a major blocker then you’re winning, and doing them one at a time is not such a scary proposition for an overworked IT endpoint team. These improvements will add up, and the best thing is that with every one, your cyber security posture is improved proactively to prevent an attack, not just identify an already successful attack.
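What “one ASR rule at a time” looks like on a single endpoint, as an added example that is not part of the original post: the rule is set to audit mode first, the Defender operational log is checked for what it would have blocked, and only then is the same script re-run with `-Action Enabled`. The rule GUID is assumed to be Microsoft’s published ID for “Block all Office applications from creating child processes”; confirm it against the ASR rule reference before relying on it.

```powershell
<#
  Added example (not from the original post): roll out ONE Attack Surface
  Reduction rule on a Windows 10/11 endpoint, audit first, block later.
  Needs an elevated PowerShell session with Microsoft Defender Antivirus active.
  Assumption: the default GUID is the published ID for "Block all Office
  applications from creating child processes"; verify it before use.
#>
param(
    [string]$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$Action = 'AuditMode'   # start in audit, re-run with Enabled once the log is clean
)

# Report the rule's current state before changing anything (case-insensitive match on the GUID).
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$idx  = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $idx = $i; break }
}
if ($idx -ge 0) {
    "Rule $RuleId currently has action code $($pref.AttackSurfaceReductionRules_Actions[$idx])"
} else {
    "Rule $RuleId is not configured yet"
}

# Add or update only this rule; any other configured ASR rules are left untouched.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions $Action

# Event 1122 = audit hit (would have been blocked), 1121 = actual block.
# Review these with the endpoint team for a reasonable period before moving to 'Enabled'.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

At fleet scale the same two-step (audit, review, enable) is driven through Intune or Group Policy rather than per-host cmdlets, but the sequence per rule is identical.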

Picture a dam, where water is continuously pouring over the top out of control, flooding the area behind it, with the water rushing through too quickly and without respite, leaving little opportunity to improve the dam or build it higher. The dam simply cannot cope with the volume of water.

The first thing we need to do is slow the flow of water getting to the dam in the first place. Once this has been done to proactively lessen the flow of water we can improve the dam, or perhaps with the flow slowed sufficiently, the dam can handle the flow with no improvements or changes. The water can now flow through as designed in a managed and controlled way.

That’s how I see most cyber teams currently, desperately trying to hold back the torrent of signals and alerts. No amount of resource provided for the dam will result in managing the flow.

If the demand reaching the cyber team can be reduced by implementing secure by default continual incremental improvements, then the flow can be reduced to a manageable level.

An issue we often see is that cyber teams require more resource; however, there is rarely budget available for this. By reducing the number of alerts, vulnerabilities, weaknesses and flaws inherent in the infrastructure, we are essentially providing additional resource to the cyber team by reducing the workload before it reaches them, and at essentially no extra financial cost. This is why cyber strategy is so important.

Of course we will never eliminate all alerts and attacks, and detection will always play a big part in our overall strategy, but it should not be the primary mission.

We need to understand that high-quality, well-configured and well-implemented IT systems and controls result in stronger cyber security. When organisations focus on “cyber security”, more often than not they end up with an isolated function which is high performing in its own right; however, its impact across the organisation with regards to reducing cyber security risk, the organisation’s attack surface, and the likelihood of a compromise is negligible.

We have yet to fully realise as an industry that secure by design significantly reduces cyber attacks. The Microsoft threat report for 2023 reported that the implementation of MFA can prevent 99% of account compromise attacks! That’s a staggering percentage; let’s assume some inaccuracy and that perhaps it’s only 75%. That’s still 75%! Yes, it can take considerable resource and determination to implement, but the return on your investment is massive.

When we implement cyber security systems we are looking to show a return on our investment; however, we don’t often do the same with time spent by staff. Is having cyber teams responding to the endless stream of alerts, and spending countless hours managing vulnerabilities, a good return on investment? We can make much better use of their time, and see a significant return and impact.

Let’s start today with small incremental improvements towards secure by default to slow the flow. Let’s move upstream to tackle the root causes, rather than staying downstream getting soaked. Who knows where we might end up in a few years’ time.

Cyber security is easy, right?