9 critical controls for today's threats

Credit: Flickr/Dennis Skley


In the past, we always played catch-up, implementing controls only after new threats appeared. This left a window for zero-day exploits and other successful attacks whenever only the attackers knew of one or more vulnerabilities in our network. We tended to rely on vulnerability detection and associated risk management to protect confidentiality, integrity, and availability (CIA). While still a necessary process, vulnerability management alone falls far short.

The Challenge

When assessing risk using the formulaic model THREATS * VULNERABILITIES * BUSINESS IMPACT = RISK, we tended to avoid threat management. The argument for years was that we couldn’t cost-effectively manage threats. Instead, we focused on identifying and managing vulnerabilities in the name of prevention. Today, security professionals understand that we need to shift much of our security effort to managing threats we know will eventually find their way into our network.

The misconception that we should concentrate on preventing attacks still tends to govern many organizations: especially those without a strong security program. Organizations that understand that we can’t stop all business continuity events give equal importance to vulnerability management, monitoring solutions, and response processes.

In addition to shifting effort to threat management, approaches to prevention must also change. Endpoint design and access control policies often lean toward keeping users happy. This must change. While we should keep our employees productive, providing certain capabilities on devices used to process and store business information increases risk to unacceptable levels.

Finally, network design should include implementation of comprehensive monitoring. Further, threats should encounter numerous barriers before reaching a target. The approach is similar to physical security where we might place a fence and two or three locked doors between the attacker and the target. These barriers can also help contain threats already on our network.

The Solution

Solutions for business of all sizes exist to meet the challenges listed above. The following is a list of nine areas organizations should include when managing threats and associated risks.

1. Least privilege. Users should never be allowed to install applications on their devices. Further, applications not residing on the organization’s software whitelist should never reside on user devices: regardless of who is attempting to install them. This begins with using group policy—if you are in a Windows environment—to place restrictions on users. AppLocker and Intune are also great tools for managing end user applications.

2. Threat detection. Antimalware software, host-based firewalls, and host-based IPS are all necessary to help gather information about what is happening on endpoint devices. None of these alone provides sufficient prevention, detection, and response (PDR) capabilities, and PDR is only one facet of threat detection. Today’s advanced threats tend to operate in ways requiring information from many sources for us to detect them.

User and network behavior analytics solutions gather information from network and endpoint sources to analyze patterns of behavior. These patterns are compared to baselines to determine if a response is necessary. Pattern analysis often uses real time and historic information.
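The baseline comparison described above, as an added example that is not the article's own tooling: a per-user baseline (hours of activity and outbound volume) is built from constructed historic records, and constructed real-time events are scored against it. The record format, the z-score threshold and the user names are all assumptions made for illustration.

```python
"""Added example: per-user behaviour baseline compared against live events.
All records, field names and thresholds are constructed for illustration."""
import statistics
from collections import defaultdict

# Constructed historic records: "user,hour,bytes_out"
HISTORIC = """\
alice,09,120000
alice,10,95000
alice,11,130000
alice,14,110000
alice,16,105000
bob,08,40000
bob,09,52000
bob,12,45000
bob,13,48000
bob,17,50000
"""

# Constructed real-time events to score against the baseline
LIVE = """\
alice,10,118000
alice,03,900000
bob,12,47000
"""


def parse(records):
    """Turn the CSV-style text into (user, hour, bytes_out) tuples."""
    rows = []
    for line in records.strip().splitlines():
        user, hour, out = line.split(",")
        rows.append((user, int(hour), int(out)))
    return rows


def build_baseline(rows):
    """Per-user mean/stdev of outbound volume plus the set of hours seen."""
    volumes = defaultdict(list)
    hours = defaultdict(set)
    for user, hour, out in rows:
        volumes[user].append(out)
        hours[user].add(hour)
    return {
        user: {
            "mean": statistics.mean(outs),
            "stdev": statistics.pstdev(outs),
            "hours": hours[user],
        }
        for user, outs in volumes.items()
    }


def score_event(baseline, user, hour, out, z_limit=3.0):
    """Return the reasons an event deviates from the user's baseline (empty if none)."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if hour not in profile["hours"]:
        reasons.append("unusual hour")
    if profile["stdev"] > 0:
        z = (out - profile["mean"]) / profile["stdev"]
        if z > z_limit:
            reasons.append(f"volume z={z:.1f}")
    return reasons


def find_anomalies(historic=HISTORIC, live=LIVE):
    """Build the baseline from historic data and flag deviating live events."""
    baseline = build_baseline(parse(historic))
    flagged = {}
    for user, hour, out in parse(live):
        reasons = score_event(baseline, user, hour, out)
        if reasons:
            flagged[(user, hour)] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in find_anomalies().items():
        print(key, reasons)
```

A real analytics platform would track many more features and use longer histories, but the shape is the same: historic data sets the baseline, and a live event is compared against it before anyone decides whether a response is necessary.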

3. Network segmentation. Network segmentation via VLANs is a necessary control to prevent access, limit unwanted access, and to contain continuity events.

4. User awareness. Users should always understand what actions put the organization and themselves at risk: clicking on email links, clicking on email attachments, sharing passwords, etc.

5. Incident response process. Response to any unwanted event requires a documented process and a trained team. An effective incident response is always necessary to mitigate the business costs associated with a business continuity event.

6. Web filtering. Again, most attacks today are against user devices. One important control is preventing users, and malicious code residing on our systems, from visiting known bad sites and site categories known to be high risk. Because web filtering is available in devices such as the Cisco ASA, there is little reason today for not implementing web filtering.

7. Block high-risk IP address ranges. One of the ways attackers lure our employees is via redirection: sending users to a website other than the one they believe they are visiting. In addition to web filtering, consider blocking known high-risk IP address ranges.

8. Manage outgoing TLS communication. Attackers tend to hide their activity by using encrypted sessions. Organizations should never allow any endpoint device to connect directly to an external device with TLS, because a direct connection prevents IPS and other filtering solutions from looking at packet payloads. (Hopefully, you’ve already killed off SSL connections…)
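Items 6, 7 and 8 together amount to one egress policy: block known-bad site categories, block high-risk address ranges, and allow external TLS only from the inspecting proxy. The following is an added example, not code from the article or from any vendor product, that evaluates constructed outbound flow records against such a policy. The category feed, the high-risk ranges (documentation address space), the proxy address and the flows themselves are all assumptions.

```python
"""Added example: outbound flow records checked against an egress policy
covering web-filter categories, high-risk IP ranges and direct external TLS.
Policy values and flow records are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed policy (hypothetical values)
BLOCKED_CATEGORIES = {"malware", "phishing", "anonymizer"}
SITE_CATEGORIES = {  # in practice this comes from the web filter's category feed
    "updates.example.com": "software",
    "login-veriffy.example.net": "phishing",
}
HIGH_RISK_RANGES = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")
]
TLS_PROXY = ipaddress.ip_address("10.0.5.10")  # hypothetical inspecting proxy
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    host: str = ""  # SNI or HTTP Host value, if the sensor recorded one


def evaluate(flow):
    """Return (allowed, reason) for one outbound flow."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Item 6: web filtering by site category
    category = SITE_CATEGORIES.get(flow.host)
    if category in BLOCKED_CATEGORIES:
        return False, f"category {category}"
    # Item 7: known high-risk IP address ranges
    if any(dst in net for net in HIGH_RISK_RANGES):
        return False, "high-risk range"
    # Item 8: only the inspecting proxy may open TLS sessions to external hosts
    if flow.port == 443 and dst not in INTERNAL and src != TLS_PROXY:
        return False, "direct external TLS bypasses proxy"
    return True, "allowed"


# Constructed flow records
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "192.0.2.10", 443, "updates.example.com"),  # endpoint, direct TLS
    Flow("10.0.5.10", "192.0.2.10", 443, "updates.example.com"),  # proxy, same site
    Flow("10.0.1.21", "203.0.113.7", 80),                          # high-risk range
    Flow("10.0.1.22", "192.0.2.50", 443, "login-veriffy.example.net"),
    Flow("10.0.1.23", "10.0.9.9", 443),                            # internal TLS
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate every flow and return (src, dst, allowed, reason) tuples."""
    return [(f.src, f.dst, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The order of the checks matters: the category test runs first so that a phishing site is logged as such even when it also sits in a high-risk range, and the TLS rule is expressed as an allow-list (only the proxy's address) rather than a deny-list, which is what keeps an endpoint from bypassing inspection simply by reaching a destination nobody has categorized yet.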

9. Block macros. Finally, block the execution of Office macros wherever reasonable and appropriate but especially from untrusted sources.
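One place to apply item 9 is at the mail gateway, before a document reaches a user. The following is an added example, not code from the article: it classifies constructed attachments as macro-enabled, legacy binary, or clean, and quarantines macro-enabled documents from senders outside a trusted domain. The trusted domain, the sender addresses and the in-memory sample documents are assumptions; the vbaProject.bin check relies on the fact that OOXML files are zip archives with the VBA project stored under that name.

```python
"""Added example: gateway-style check that quarantines macro-enabled Office
documents from untrusted senders. Domain, senders and attachments are constructed."""
import io
import os
import zipfile

TRUSTED_DOMAINS = {"corp.example"}  # hypothetical internal domain
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container header


def has_vba_project(data):
    """OOXML documents are zip archives; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename, data):
    """Return 'macro', 'legacy-binary' or 'clean' for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_EXTENSIONS or has_vba_project(data):
        return "macro"
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can carry VBA but need an OLE parser to be sure,
        # so they are reported separately rather than assumed clean
        return "legacy-binary"
    return "clean"


def decide(sender, filename, data):
    """Block macro-enabled (and unverifiable legacy) documents from untrusted senders."""
    domain = sender.rsplit("@", 1)[-1].lower()
    trusted = domain in TRUSTED_DOMAINS
    kind = classify(filename, data)
    if kind == "clean":
        return "deliver"
    if not trusted:
        return "quarantine"  # untrusted source: block outright
    return "deliver-flagged"  # trusted source: deliver, but log for review


def make_ooxml(with_vba):
    """Build a minimal constructed OOXML archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments: (sender, filename, bytes)
SAMPLES = [
    ("outside@example.org", "invoice.docx", make_ooxml(True)),   # macro hidden behind .docx
    ("outside@example.org", "report.docx", make_ooxml(False)),
    ("hr@corp.example", "template.dotm", make_ooxml(True)),
    ("outside@example.org", "old.doc", OLE_MAGIC + b"\x00" * 8),
]


def run_gateway(samples=SAMPLES):
    """Return (filename, decision) for each constructed attachment."""
    return [(fn, decide(sender, fn, data)) for sender, fn, data in samples]


if __name__ == "__main__":
    for row in run_gateway():
        print(row)
```

The first sample shows why the check looks inside the archive rather than trusting the extension: a macro-enabled document renamed to .docx still carries its vbaProject.bin. Legacy binary formats are held rather than passed, since deciding whether they contain VBA requires parsing the OLE container.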

The Final Word

More security effort is needed to manage threats: including prevention, detection, and response. The solutions needed go beyond what most organizations do today.

The solutions listed in this article are not all inclusive. For example, they don’t include network-based IPS and firewalls. The list is intended to fill gaps many organizations have due to the changing nature of attacks.

Stories by Tom Olzak