[EDITORS NOTE]: This article originally appeared on Mike Hamilton's monthly blog on CSO Online.
I’ve talked about doing the simple stuff before—mainly in the context of raising the resource costs for adversaries, so that they move on to a softer target. But this Coalfire survey really brought it home for me with this observation—smaller organizations are doing better than enterprises at information security. Since this is based on a survey, I will caveat this by saying that 47% of security professionals believe that pronouncements based on surveys are nonsense.
Before I unpack this concept of simplification for the security program and its cascading benefits, let’s start with a few observations from today’s marketplace.
Enterprise-level organizations are constantly in the sights of sales professionals, who are deployed by companies hawking next-gen cyber whizbangery. Venture capital has flowed with enthusiasm toward companies promising to develop the magic product that will remove information security hassles from the purchaser’s list of irritations.
It is definitely seductive to think that technology will solve a problem that is fundamentally about people. Big organizations buy into new tech, largely in the hopes of automating the detection and response to failures of preventive controls. As a result, what they are experiencing is the need to throw people at the AI/ML/SOAR tech they're buying, thus achieving an outcome that is exactly the opposite of the one intended.
From the data we collect from our consulting operation, we know that most organizations have us perform some type of assessment, the results of which identify "simple things" to improve. Vulnerability management and employee messaging are examples that are nearly universal. These simple things have been called out in several ways, with the universal message being, “you’re not doing the basics, and if you did the basics, 90% of the problem would go off a cliff”.
Here’s an example. The Twenty Critical Controls is an informal standard of practice. It is intended to articulate preventive, detective, and responsive controls that align with regulatory requirements such as the PCI data security standard. What makes this informal standard so useful is that it is packaged in a way that makes the implementation very straightforward. Many of the controls can be automated.
Has your organization implemented controls that align with the 20? If not, that’s a great foundation to consider.
Here’s another example: the NIST Cybersecurity Framework (CSF). Again, designed to be consumable by any organization, it’s an outcome-based framework. While the specific controls are not specified, the desired outcome is defined. How you choose to achieve that outcome is up to your organization’s level of risk tolerance, budget, etc.
The NIST CSF is split into 5 functions, the first of which is “Identify”. Has your organization identified your most critical and valuable network-facing assets so that you understand where to focus controls? If not, then maybe it’s time to de-prioritize machine learning, and prioritize building the fundamental functions of a robust cybersecurity framework.
Most “attacks” are not personal or targeted. In fact, cyber attacks are usually the result of someone tripping over a rigged website or opening an attachment that has come out as part of a global campaign. Most are also not sophisticated. Hackers are using tools, techniques and procedures that are recognizable; therefore, effective defenses are well-known and published. This is true for the bulk of the background noise of the Internet—that’s the cyber stuff that’s always banging on the front door. An assessment that identifies gaps in basic IT hygiene, followed by execution of the resulting corrective action plan, has the potential to show rapid, positive change that turns the perception of these “attacks” into a benign annoyance.
Security pros at the smaller organizations don’t have the luxury of big budgets, so few enterprise-grade product vendors call—investors want them selling to whales. While they wait for these detection and remediation automation technologies to become commodities, they go to work on those simple things. And guess what? We’ve seen the smaller orgs work to fulfill mission-critical functions, and they actually move the security needle. Meanwhile, we’ve seen enterprises get distracted by the bright shiny objects at the expense of establishing strong preventive controls, vulnerability management, good monitoring, and rapid, effective response.
Smaller orgs are also more open to novel solutions like managed security services, as they don't have a large security organization to support—they can rely on trusted partners to provide experts. The escalating complexity of information security compliance, which applies even if you're only a supplier to a covered entity, is pushing smaller organizations into compliance activities in order to better compete. In order to do business, organizations must now routinely attest to security controls. Adopting managed services from a trusted 3rd party provider helps smaller businesses move more nimbly in the marketplace: instead of managing a large security team, they can rely on trusted partners for expertise and resources, and focus on growing the business and executing on the core mission. This is also a cost-avoidance strategy; HR recruiting, compensation, and retention costs for scarce resources become irrelevant.
I think a reasonable analogy here is the difference between the U.S. and developing countries' approaches to telecommunications. Developing countries went straight to wireless, learning from the evolution in developed countries. The mid-market does not want to inherit the challenges of recruiting, compensating, and retaining qualified security professionals. In other words, rather than re-creating the mistakes of their more developed peers, they're learning from those mistakes and homing in on the simpler routes to success.