5 lessons to help security pros craft a New Year's resolution

The holiday season is often a time of reflection, a time for organizations to look back and ask themselves, "Are we doing things right?"

Judging by the continuous news stories spotlighting the latest data breach, it appears most organizations still aren't getting security right. Organizations are scared and worried about security, but they are not focusing on the areas that really matter. As we reflect upon 2014, we will look at five lessons organizations need to learn from 2014 so that they can have a better, more secure 2015.


"'Tis the season to be merry" is a common catchphrase around the holidays, yet in reality, people often find themselves stressed and overwhelmed during this time of year. Looking back, they realize all the goals that are still unmet. The cyber security holiday season is no different. While some organizations might be happy they did not get breached this year, behind closed doors everyone, including the CEO, is likely wondering at what point a breach will happen; will it be in 2015? The answer, which no one wants to hear, is that a breach will happen. However, if handled correctly, the damage can be very minimal. Consider these lessons from 2014:

Lesson #1 -- Organizations will be breached; timely detection and response are key

2014 was a year of enlightenment; people began to realize just how vulnerable organizations are and that anyone can be breached. However, much confusion remains. The issue is not that an organization was breached; rather, it is the length of time that the breach went undetected and the resulting damage. If an organization is attacked but has timely detection and control, the damage is usually not too bad. However, the longer a breach remains undetected, the worse the damage becomes. Therefore, the intrusion itself is not the problem; the lack of detection and the amount of damage are what is problematic. Organizations must focus their efforts on timely detection and minimizing the impact.

Lesson #2 -- Allocate proper headcount

A typical knee-jerk reaction to the breaches we have witnessed over the past year is for organizations to spend money in the hope of finding the silver bullet that will keep them from falling victim to a hacker. Yet it is not a matter of spending more; the problem is often that they are not allocating enough headcount to the security team.


In order to solve these security problems, the proper resources must be allocated. Resources are not only monetary resources but also human resources to configure, monitor and maintain security devices. In many organizations there are not enough people to manage the security devices they already have. Therefore, if more security devices are purchased, the organization is actually making the problem worse by spreading its already taxed resources (people) even thinner. Organizations need to allocate proper headcount to manage the security devices they have before they spend more money on additional devices.

Lesson #3 -- Don't underestimate the value of a CSO

2014 is considered the year of the breach. While there are many contributing reasons these intrusions occurred, a key issue is that executives are unaware of how insecure their networks actually are. Cyber security has gotten to the point where it is a boardroom discussion; if it isn't, it needs to be. Executive teams need to get information directly from the person in charge of security. Burying security under the CIO does not work.

Information uptime and cyber security are two different problem sets. They are critical enough to an organization that they require separate reporting structures: a CIO and a CSO. The CSO must report directly to the CEO and have clear metrics for implementing security.

Lesson #4 -- A solid foundation is critical

Building and implementing an effective security program takes time; it is not something that can simply be pieced together. Like a home, a security program requires a solid, well-thought-out foundation to be successful. There must be a clear plan of action and a robust architecture design when building out a security program. Therefore, while there might be a firewall, IDS and DLP in place, without the proper foundation the infrastructure will collapse very quickly as soon as the winds of adversity start blowing.

Organizations that have not built their security program correctly need to put the foundation items in place. The core foundations of security are 1) asset identification, 2) configuration management, and 3) change control. If an organization does not know what is on its network or how those systems are configured, and does not properly control change, the organization is going to lose and get breached. An organization must have a proper foundation that allows all the devices connected to the network to be controlled and managed.
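The three foundation items above can be checked mechanically once an approved inventory exists. The following is an added example, not code from the article or from SANS: it compares a constructed discovery scan against a constructed approved inventory and a constructed set of approved change records, and reports assets nobody owns (asset identification gap), inventoried assets that did not show up (missing), and configuration changes with no change record (uncontrolled drift). The inventory format and the `config_hash` field are assumptions for the example.

```python
"""Foundation check: asset identification, configuration management and
change control, run over constructed sample data (not real systems)."""

# Constructed: the approved inventory, assumed to be exported from a CMDB.
APPROVED_INVENTORY = {
    "web-01":  {"owner": "web-team", "config_hash": "a1f3"},
    "db-01":   {"owner": "dba",      "config_hash": "77c2"},
    "app-02":  {"owner": "app-team", "config_hash": "c4c4"},
    "fw-edge": {"owner": "netsec",   "config_hash": "0be9"},
}

# Constructed: what a discovery scan actually found on the network.
DISCOVERED = {
    "web-01":    {"config_hash": "a1f3"},  # matches baseline
    "db-01":     {"config_hash": "9d10"},  # changed, covered by a change ticket
    "app-02":    {"config_hash": "e0e0"},  # changed, no change ticket
    "dev-box-7": {"config_hash": "5555"},  # not in the inventory at all
}

# Constructed: approved change records as (asset, new config hash) pairs.
APPROVED_CHANGES = {("db-01", "9d10")}


def check_foundation(inventory, discovered, approved_changes):
    """Compare a discovery scan against the approved inventory.

    Returns a dict with sorted asset lists:
      unknown  - discovered but not inventoried (nobody owns it)
      missing  - inventoried but not seen by the scan
      drift    - config changed without an approved change record
      approved - config changed and the change was approved
    """
    unknown = sorted(set(discovered) - set(inventory))
    missing = sorted(set(inventory) - set(discovered))
    drift, approved = [], []
    for name in sorted(set(inventory) & set(discovered)):
        actual = discovered[name]["config_hash"]
        if actual == inventory[name]["config_hash"]:
            continue  # configuration still matches the baseline
        (approved if (name, actual) in approved_changes else drift).append(name)
    return {"unknown": unknown, "missing": missing,
            "drift": drift, "approved": approved}


def has_foundation_gaps(findings):
    """True when any unowned, missing or uncontrolled asset was found."""
    return bool(findings["unknown"] or findings["missing"] or findings["drift"])


if __name__ == "__main__":
    for key, assets in check_foundation(APPROVED_INVENTORY, DISCOVERED,
                                        APPROVED_CHANGES).items():
        print(f"{key:9}: {assets}")
```

Each finding maps to one foundation item: an unknown asset means identification failed, drift means configuration management failed, and drift without a ticket means change control failed.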

Lesson #5 -- You can't protect critical data if you don't know where it resides

In 1933, when Billy Sutton was asked "Why do you rob banks?", his reply was "Because that is where the money is." For an organization, its money is its data; that is why adversaries break into organizations. This is perhaps one of the most important lessons the industry learned in 2014.

Today's attacks are focused on critical data and on ways to exploit that data for the attacker's advantage. If an organization does not know where its critical information is, it can't protect or control it. Therefore it is critical that organizations identify what their critical information is, locate which servers it resides on, and put proper measures in place to protect it. Organizations must perform data discovery to identify and control their critical intellectual property.
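A minimal form of the data discovery the lesson calls for, as an added example that is not part of the article: it scans a constructed set of file contents for one class of critical data (16-digit payment card numbers), validates each candidate with the Luhn check so order numbers and phone numbers are not flagged, and reports where the data actually resides. The file paths and contents are constructed sample data.

```python
"""Locate one class of critical data (card numbers) across sample files
so that protection effort can be focused where the data really resides."""
import re

# Matches 16 digits in groups of four, separated by optional space or dash.
CARD_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

# Constructed sample "files": path -> content. Not real data.
SAMPLE_FILES = {
    "finance/q3_orders.csv": "id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004\n",
    "hr/phone_list.txt":     "desk ref 1234 5678 9012 3456\n",  # fails Luhn
    "eng/README.md":         "Build with make; no customer data here.\n",
}


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover_card_numbers(files):
    """Return {path: count} for files holding at least one Luhn-valid card
    number. Candidates that fail Luhn are treated as false positives."""
    hits = {}
    for path, content in files.items():
        count = 0
        for match in CARD_PATTERN.finditer(content):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                count += 1
        if count:
            hits[path] = count
    return hits


if __name__ == "__main__":
    for path, count in discover_card_numbers(SAMPLE_FILES).items():
        print(f"{path}: {count} card number(s) found")
```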

Those who do not learn from the past are forced to repeat it. Based on the amount of security activity that occurred this year, organizations are truly at a reflection point. Are they going to keep doing what they have been doing, which evidently does not work, or are they going to step back and change how they approach security? In many cases, organizations need to start over. By putting in the proper foundation, allocating the proper resources, setting up the proper infrastructure and focusing on timely detection of breaches, organizations can overcome the sins of 2014 and have a more productive 2015.

Eric Cole is a SANS Faculty Fellow and director of the SANS Cyber Defense Program.
