Why do security programs fail? How does a company that passed a recent audit suffer a breach? Is there a silver bullet for securing my environment? It seems there are more questions than answers in cybersecurity today. In this session we'll provide guidance and talk about ways to focus your security strategy to reduce the volume of incidents so you can focus on business initiatives instead.
5. CIS, US-CERT, ASD, and other authorities prioritize these five elements of cyber hygiene to significantly reduce security threats.
Inventory and control of hardware assets
Inventory and control of software assets
Controlled use of administrative privileges
Continuous vulnerability management
Secure configuration for hardware and software
The first 5 controls
6. The top 5 CIS controls have been proven effective against the most common cyber attacks (~85% of attacks!).
CIS Critical Security Controls
10. One of the largest risks to security initiatives?
User acceptance.
What IT would like the world to be…
Users want to be free…
Balance security with user needs.
The “Fog of More” term was coined a few years ago to describe the “Overload of defensive support…more options, more tools, more knowledge, more advice, and more requirements, but not always more security.” The Council on Cybersecurity, as it was known at the time, referenced the fact that the rapid rate at which the IT security industry evolves ensures security and compliance professionals are constantly battling to keep their heads above water in a sea of tools, data, advice, and reports. Meanwhile, criminals focus on attacks.
They go on to describe that as technologies grow more sophisticated and interconnected, developing an organizational approach to cybersecurity seems more complicated than ever. Security tools typically provide endless amounts of complex data, often hiding valuable security information amongst a sea of white noise and false positives. The tools require advanced IT knowledge to install, configure, and maintain, which means more time is spent fighting with tools than investigating security issues. So, when it comes to phishing attacks, ransomware, data leaks, and IT security breaches, how can organizations protect themselves in a perpetually advancing threat landscape?
Well, many organizations start with a cybersecurity audit to help them understand their current security posture. Sometimes these audits are required by regulatory organizations. However, companies that are conducting a cybersecurity audit – whether to meet compliance, protect intellectual property, or safeguard client/employee information – often run into “the fog of more.” This fog surrounds the multitude of problems and solutions facing businesses when it comes to cybersecurity, obfuscating the task ahead. The reality, however, is that most cyber attacks are not particularly sophisticated. In fact, attacks often rely on simply misconfigured or outdated systems.
The result of the Fog of More is confusion, misunderstanding, and ultimately mistakes. What tools should be purchased? What security issues are priorities? What does this ocean of data provided by my tools mean? How does management understand security posture? How can regulatory compliance be proven? Security and compliance professionals are so overwhelmed they do not have the time to investigate security events, follow up on insecure end-user processes, or report to upper management. One missed issue amidst the white noise, one configuration that is accidentally reset, or one misunderstood security event, and all of an organization’s investment in security may be in vain.
These are the kinds of issues that gave birth to and continue to drive the CIS Controls from the Center for Internet Security. The CIS Controls focus on what the cybercriminals are doing now, in order to ask “Out of all that I could do, what are the core, foundational, steps I can take to get most of my security value and stop these attacks?”
We’ve already got a lot of frameworks that guide us to what we need to do. It may be PCI compliance or GDPR, standards like ISO or FIPS to make sure we’ve got good cryptography, or HIPAA to ensure that we’re protecting people’s personal data. Many of the customers that we work with are bound by several of these requirements. They provide a lot of guidance on how to secure your environment and be compliant, and if you cross-reference what they are all recommending, you come back to many of the basic security controls we have had for years. So what makes these frameworks so important, and if these security controls have been around for years, why have they not been effective? Why do we still see breaches occurring in organizations that are expected to comply with these frameworks?
Well in most cases, these frameworks are just focused on certain parts of the organization. So, how should I secure the whole of my organization? More importantly, if I’m looking at how to make my environment PCI compliant, what’s the most effective way to go about it? PCI doesn’t come with a set of steps to say do this first, do this second…It just says – here’s all the things you have to do.
That’s where the Center for Internet Security comes in. They have applied the Pareto principle to cybersecurity: the concept that for many activities, roughly 80% of the effects come from 20% of the causes. So, it is about focusing your efforts on the 20% that will make a difference, instead of wasting time, resources, and effort on the 80% that doesn’t matter much. By applying the Pareto principle, the Center for Internet Security developed the CIS Controls, a set of 20 prioritized actions intended to help any organization improve its cyber defenses.
The CIS Controls are developed by a community of cybersecurity experts around the globe, bringing their knowledge and experience with a range of different technologies to the table. Because the controls are based on that community’s experience with actual attacks, they are not just another list of “good things to do” but a prioritized, focused set of actions, driven by a community network to make them implementable and compliant with industry and government security requirements. So, the controls span all of these different regulatory frameworks. By following the CIS Controls, you can become PCI compliant, and you get some additional coverage as well.
It is a prioritized list containing 20 controls, and the idea is that you start at the top and work your way down; with each step along the way you are maximizing the impact on securing your environment. If I jump straight down to number 20 on that list, I may solve a particular problem, but it’s not going to be the most effective way to start out.
So, it is guiding you each step of the way: you are maximizing your investment in securing your environment, and it really helps you focus that investment.
The great thing about having a focused security strategy is that you avoid the problem of getting expense in breadth instead of defense in depth. The security industry is growing significantly: by 2020 it is going to be well over $100B in size, and it is growing at about 9% per year right now. It is also an area where companies are opening up IT budgets. There is budget here where there is not in other areas of IT. The problem is that it is still a finite budget. I’ve got to decide what I’m going to outsource to an MSSP, what solutions I’m going to buy to help the security team, and what I’m going to buy to help the operations side of the house effectively protect my systems as well. So, that budget isn’t infinite, and there are a lot of tools out there.
If you go to security shows like RSA or Infosec you find many new companies every year and a lot of products focused almost entirely on a single thing. Building a strategy on these single-feature silver-bullet technologies can get costly very quickly. Using a framework like the CIS framework, finding solutions that can address many of the requirements, and then filling in with point solutions where you see the greatest threats will help you reduce costs while getting the defense-in-depth strategy you really need.
As I’ve already said, the CIS framework has 20 sections. Much of what you do in cybersecurity is an 80/20 effort. You can get 80% of what you need by doing 20% of the work. As you try to nail down the remaining 20% of risk and exposure you begin spending a lot more time, effort, and money. The CIS framework is built much the same way. The top 5 (or what has been called the Fast 5 or the Critical Security Controls) deliver layers of defense that, when implemented effectively, can mitigate or eliminate more than 80% of cyber threats.
Let’s look at the first 5 controls in the CIS CSC framework. The first 2 items here are associated with discovery. If I can’t see it, if I don’t know about it, I can’t secure it.
Inventory and control of hardware assets – I need to find these devices to see what’s in my network, what has access to my systems.
Next on the list is inventory and control of software assets. I need to make sure that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. This is where technologies like application control or application whitelisting play a key role.
Third on the list is continuous vulnerability management. Now that I know what software is installed, how do I make sure that those applications don’t have vulnerabilities? I need to continuously scan for vulnerabilities and apply patches to remediate them, minimizing the window of opportunity for attackers.
Next up is the controlled use of administrative privileges or privilege management. If an attacker does get access to your network and they can do so with admin-level credentials they can do a whole lot more damage than if they just have standard-level access. A least privilege approach is a security best practice.
And then the 5th control is secure configuration - implement, and actively manage the security configuration of laptops, servers, and workstations in order to prevent attackers from exploiting vulnerable services and settings.
And the message from the CIS is if you do these 5 things well, what they refer to as cyber hygiene, you significantly reduce the number of security threats you are going to face.
And while I haven’t included it on this slide, more recently, the CIS have added the sixth control which is maintenance, monitoring and analysis of audit logs as one of the basic controls to help detect, understand or recover from attack.
So the top 5 controls have been proven effective against the most common cyber attacks. In studies that equates to about 85% of attack techniques. Now that’s a good number but you want to drive that number higher and that’s where you start to look at some of the other controls and where technologies like network defences and EDR start to come into focus. The key point is that once you’ve created this solid security foundation, you’ve got a much smaller attack surface and fewer incidents to deal with. It is a much more manageable problem and you can start to think more strategically about where to spend that additional IT budget to best address some more specific issues in your environment.
The Australian Signals Directorate (ASD) is the Australian government agency responsible for foreign signals intelligence, support to military operations, cyber warfare, and information security.
Back in 2011 they developed a prioritized list of over 30 mitigation strategies to combat cyber security threats (see https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents), the top 4 of which they reported would mitigate against 85% of targeted cyber attacks. These were:
Application Whitelisting
Patch Applications
Patch OS
Restrict Admin Privilege
This has since been revised into the Essential 8 (see https://blog.hivint.com/asd-top-4-expands-to-essential-8-a5d0f4bd0c33), adding another 4 mitigation strategies into the mix, but the top 4 are still a valid starting point.
From LinkedIn post:
Former Australian Signals Directorate Director-General Mike Burgess said “Every cyber incident we look at, there is a known problem with a known fix, that actually should have been fixed in 99.999% of the cases we look at. The best way to deal with this problem is go back to the boring unsexy stuff of actually the discipline and hygiene about securing things properly.” Via The Aspen Institute Cyber Summit - 8th Nov. 2018. #cybersecurity #securityawareness #cyberhygiene
The National Cyber Security Centre (NCSC) is a UK government organization that provides advice and support for the public and private sector on how to avoid computer security threats. The NCSC created Cyber Essentials, an industry-supported scheme to help organisations protect themselves against common cyber attacks. More information can be found here: https://www.cyberessentials.ncsc.gov.uk/about.
The language used by Cyber Essentials is different to that of the ASD and other security frameworks but really just mentions a similar set of mitigations to implement.
Secure your internet connection – relates to firewall configuration
Secure your devices and software – relates to secure configuration and application whitelisting
Control access to your data and services – this relates to privilege management
Protect from viruses and malware – this relates to application whitelisting
Keep your devices and software up to date – this just relates to vulnerability management
So, let’s move on to talk about our approach here at Ivanti. Over the past few years Ivanti has brought a number of best-in-breed security technologies into its portfolio. This included technologies like patch management from Shavlik, application control and privilege management from Appsense, device control from HEAT Software, and some additional capabilities from Landesk. What we’ve been doing over the past couple of years is taking these best-in-breed technologies and bringing them together. Part of our focus in doing that is to provide defense in depth, really trying to align with the CIS Top 5, ASD Top 4 and UK Cyber Essentials to ensure that customers get that solid security foundation.
But another part of our strategy has been around the user and ensuring that we achieve that right balance between security and user needs and also organizational or business needs. There is no quicker way to get a security technology removed from the environment than if it starts to impact on end user or business productivity. So, we’ve been very conscious of that as we’ve brought our portfolio together to ensure we get that balance right.
Users who can’t get their work done WILL call the help desk more, and even go around IT with “shadow IT” workarounds, introducing risk into the environment.
Learn about users and their needs.
Silently provide security through updates and risk evasion.
Increase productivity with the right tools.
I remember talking to an IT security administrator at a customer recently and I was asking him about his role and he told me that his job was to be invisible. It was a legal firm and any impact to productivity was very costly. His job was to ensure that the systems were secure but to try and ensure that nobody knew he existed.
This leads us on to talk about Ivanti Security Controls which brings together the best-in-breed technology from across the Ivanti security portfolio into a single platform. The name Ivanti Security Controls was selected to really align with those critical security controls we discussed earlier. Building on decades of market experience, what Ivanti Security Controls delivers:
A layered, modular defense-in-depth security suite to provide a solid baseline protecting against security threats
Simplified workflow with automated security processes that reduce the burden on system administrators while also improving response times for security issues
Security without adversely impacting user or business productivity
What is Patch Intelligence?
Patch Intelligence is part of the Ivanti Cloud Platform and is designed to help customers make informed decisions about patching their environment. This is live right now and provides access to the entire Ivanti security bulletin or patch database. So, you can go in there and get detailed information on a bulletin. You can see the patches that are included. You can see the associated CVEs or vulnerabilities. We are bringing this all together in one place.
One of the really interesting features is the known issues field. The Ivanti team will post any issues that they are aware of as they populate the database, but as our customers do their testing, if they identify any issues they can add them in as well, so you get community feedback from other customers to help you make decisions about the overall reliability of patches. Where we are taking this is effectively crowdsourcing the testing and issue gathering for patches.
Patch Intelligence Tenant Data Mapped to Patches
So, absolutely, you should patch everything, and that’s a really great start but, on its own, it is not going to give you everything you need.
While you can patch known vulnerabilities, you also have unknown or undisclosed vulnerabilities / zero-day vulnerabilities and for which there isn’t a patch available.
Even ignoring these, there will always be some gap between a vulnerability being disclosed (day zero) and an organization’s ability to deploy the associated patches. The risk of an exploit increases over time, and at around 14 days the risk of exploit starts to increase significantly.
Last year, according to Verizon, within 2 to 4 weeks, 50% of vulnerabilities that will be exploited will already have been exploited. However, last year the average time to patch was 34 days. That gap from 14 days to 34 days (which is the average time to patch) creates opportunity for an exploit to occur.
You also have situations where patches can’t be applied because they conflict with some business-critical application so you have to mitigate that risk. And you also have legitimate applications like PowerShell that can be used in a nefarious manner to infect vulnerable systems, the so-called fileless malware.
So, those are just some of the main reasons why the Center for Internet security and others have Application Control right up at the top of their list of priorities for an effective layered security solution.
Application control has 3 key features to it: Executable Control, Privilege Management, and Browser Control.
The purpose of executable control is to ensure that untrusted applications and scripts are not able to run. Untrusted applications will generally be those not approved by the organization, and malware falls into this category too. Executable control also protects against zero day threats where a security vulnerability has been exploited and for which there is no patch available to fix it.
Security best practice dictates that, where possible, you should remove local admin privileges. In addition, untrained users with admin privileges can break their own machine, other users’ machines and potentially servers if they modify settings they don’t understand. With the Privilege Management feature, you can elevate or restrict admin privilege on applications and allow or restrict access to sensitive Windows OS functionality.
Consider a machine infected by malware. If access is restricted then the malware has fewer options on what it can do, so the attack surface open to the malware is reduced. In addition, the malware will find it more difficult to copy itself to another machine on the network, which impedes its spread.
Browser Control provides the ability to enhance your end-users productivity by restricting web-site access.
We’ll discuss each of these further on the next few slides.
Trusted Ownership is part of the Executable Control feature.
Every file on a Windows machine has an owner. Trusted Ownership uses this fact to determine whether something should be allowed to run. When launching an application, if the owner of the associated exe file matches one of the trusted owners then it is allowed to run. If it doesn’t it is blocked.
Trusted ownership cuts down substantially on the manual effort of managing a typical whitelist. With Trusted Ownership, most applications that should be blocked or allowed will be. However, there will be some that trusted ownership has blocked that need to be allowed. For these you override trusted ownership by creating individual rules. So some management is required, but much less than managing a typical whitelist.
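The decision logic described above, as an added illustration (this is example code, not Ivanti's implementation). The trusted-owner accounts, the launch events and the override rules are constructed sample data, and the evaluation order (deny rules, then allow rules, then owner check) is an assumption made for this example; on a real Windows host the owner would be read from the file's ACL.

```python
"""Trusted Ownership executable control, reduced to its decision rule."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed trusted-owner list: accounts an organisation normally trusts
# to install software. Files owned by anyone else are untrusted by default.
TRUSTED_OWNERS = frozenset({
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "NT SERVICE\\TrustedInstaller",
})


@dataclass
class Verdict:
    allowed: bool
    reason: str


@dataclass
class Policy:
    trusted_owners: frozenset = TRUSTED_OWNERS
    # The "individual rules" used to override trusted ownership: path patterns
    # allowed even when the owner is untrusted, and patterns always denied.
    allow_rules: list = field(default_factory=list)
    deny_rules: list = field(default_factory=list)


def _matches(path: str, patterns) -> bool:
    # Windows paths are case-insensitive, so compare in lower case. fnmatch
    # treats '\' literally and '*' spans directory separators.
    return any(fnmatch(path.lower(), pat.lower()) for pat in patterns)


def decide(path: str, owner: str, policy: Policy) -> Verdict:
    """Decide whether the executable at `path`, owned by `owner`, may run.

    Assumed evaluation order: explicit deny beats everything, an explicit
    allow overrides an untrusted owner, otherwise the owner must be trusted.
    """
    if _matches(path, policy.deny_rules):
        return Verdict(False, "matched deny rule")
    if _matches(path, policy.allow_rules):
        return Verdict(True, "matched allow rule (trusted ownership overridden)")
    trusted = {o.lower() for o in policy.trusted_owners}  # account names are case-insensitive
    if owner.lower() in trusted:
        return Verdict(True, f"owner {owner!r} is a trusted owner")
    return Verdict(False, f"owner {owner!r} is not a trusted owner")


def evaluate_launches(events, policy: Policy) -> dict:
    """Map each (path, owner) launch event to its verdict."""
    return {path: decide(path, owner, policy) for path, owner in events}


# Constructed launch events: a vendor-installed app, a user download, a
# user-installed tool covered by an allow rule, and a SYSTEM-owned file in a
# location the policy denies outright.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Office\winword.exe", r"NT SERVICE\TrustedInstaller"),
    (r"C:\Users\alice\Downloads\invoice.exe", r"CORP\alice"),
    (r"C:\Users\alice\AppData\Local\DevTool\devtool.exe", r"CORP\alice"),
    (r"C:\Windows\Temp\updater.exe", r"NT AUTHORITY\SYSTEM"),
]
SAMPLE_POLICY = Policy(
    allow_rules=[r"C:\Users\*\AppData\Local\DevTool\*.exe"],
    deny_rules=[r"C:\Windows\Temp\*"],
)

if __name__ == "__main__":
    for path, verdict in evaluate_launches(SAMPLE_EVENTS, SAMPLE_POLICY).items():
        print("ALLOW" if verdict.allowed else "BLOCK", path, "-", verdict.reason)
```

Note that the last event is blocked even though its owner is trusted: a deny rule on a writable location closes the gap where a trusted account has dropped a file somewhere it should not run from.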
Privilege management can function in two ways. Either:
Users are given standard accounts, and any privileges they require to do their job are given to them just for the things they need to do. This may be elevation of an application or access to a sensitive part of the Windows OS. This is best practice.
Users retain their existing admin accounts, and the privileges they don’t need are restricted. This is typically quicker to implement than option 1 and offers much better protection than doing nothing. It can also be used as a stepping stone to option 1.
The best use of either approach is for untrained users with admin accounts. These users have the ability to break their own machine, other users’ machines and potentially servers if they tinker with things they don’t understand. Employing one of these approaches will reduce the risk.
As already mentioned, Browser Control provides the ability to enhance your end-users’ productivity by controlling access to the internet. For example, you can use it to restrict access to social networking sites so your end-users aren’t distracted by them. This feature is also sometimes known by the name of URL redirection, because restricting access to a site is the same as redirecting an end-user to a different website.
The list of rules can either be managed as a whitelist or blacklist:
A whitelist is where everything is initially blocked (i.e. redirected to a default page) and rules are added to allow access to specific websites.
A blacklist is where everything is initially allowed and rules are added to block (i.e. redirect to another page) access to specific websites.
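The two list modes above, as an added worked example (not Ivanti's Browser Control code). The rule patterns, hostnames and the redirect landing page are constructed; the `*.` wildcard form covering a domain and all of its subdomains is an assumption of this example.

```python
"""Whitelist vs blacklist URL redirection rules."""
from urllib.parse import urlparse

DEFAULT_REDIRECT = "http://intranet.example/blocked"  # hypothetical landing page


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against one rule.

    A pattern like '*.example.com' covers example.com and every subdomain;
    any other pattern must match the hostname exactly.
    """
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def resolve(url: str, mode: str, rules, redirect: str = DEFAULT_REDIRECT) -> str:
    """Return the URL the browser should actually load.

    whitelist: everything is redirected unless a rule allows the host
               (fails closed: an unparseable host is redirected).
    blacklist: everything is allowed unless a rule blocks the host
               (fails open: an unparseable host is allowed).
    """
    host = urlparse(url).hostname or ""
    listed = host and any(host_matches(host, r) for r in rules)
    if mode == "whitelist":
        return url if listed else redirect
    if mode == "blacklist":
        return redirect if listed else url
    raise ValueError(f"unknown mode {mode!r}")


# Constructed requests used to show the two modes side by side.
SAMPLE_URLS = [
    "https://docs.example.com/page",
    "https://social.test/feed",
    "https://news.test/",
    "not a url",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u!r:35} whitelist -> {resolve(u, 'whitelist', ['*.example.com'])}")
        print(f"{u!r:35} blacklist -> {resolve(u, 'blacklist', ['social.test'])}")
```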