By Craig Riddell, senior solutions architect, SSH Communications Security
The Agile framework is most often thought of with respect to application development. However, there is now the concept of Agile security, in which security is factored into the design of a network environment from the beginning. The other approach is retrofitted security, in which systems must be patched, updated and modified along with other solutions to piece together a secure environment.
Retrofitting seems like a reasonable and affordable plan, at least initially, but dealing with several different appliances that must be managed as one-off point solutions makes the environment overly complex and adds costly overhead. This raises the total cost of ownership and leaves a business dependent on the vendor or vendors that sold the solution. Integrating appliances that weren’t part of the design from the start will almost certainly leave gaps that bad actors can exploit.
Skirting the security issue
It’s not that organizations haven’t considered security to be important. It is just that the possibility of a security breach and the penalties that would follow have been less of a concern than the possibility of slowing down the business with a strict security protocol.
IT security teams must juggle safety and productivity. They have to make sure every part of the architecture is as safe as possible (reducing risk to an acceptable level) without slowing down the speed and growth necessary for modern businesses. This has been true for the entire digital age with the invention of the internet and how quickly it was adopted as a platform for outreach, sales, and marketing. Security was a secondary concern, and the only thing that mattered was getting the business online.
In this cloud era, businesses are hosting their data on someone else’s servers and relying heavily on those providers for security, sometimes to a fault. For example, in the Department of Defense (DoD) AWS breach, security was only as good as the people implementing it. The DoD and its AWS hosts had all of the proper systems in place, but a contractor left the S3 storage publicly accessible, and top-secret data could be downloaded, along with the system image that was used for Linux-based virtual machines.
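As an added illustration of the misconfiguration described above (example code written for this article, not from the author or from SSH Communications Security; the bucket names, account ID, policy and ACL are constructed), a small offline check that flags the two usual ways an S3 bucket ends up open to the world: a wildcard principal in the bucket policy, and an ACL grant to the AllUsers or AuthenticatedUsers group. The second policy shows the same bucket scoped to a single role.

```python
import json

# Constructed bucket policy that grants anonymous read access to every object:
# the kind of misconfiguration described above, not a real policy from the page.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# Constructed policy for the same bucket after the fix: one named role, nothing else.
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "RoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed bucket ACL: the owner has full control, but READ is granted to AllUsers.
PUBLIC_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]

# ACL group URIs that mean "anyone on the internet" / "anyone with an AWS account".
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_public_principal(principal) -> bool:
    """True if a policy Principal element matches any caller (wildcard)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that any principal can use. A wildcard
    with a Condition is still reported: an auditor should read the condition."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no sid>") for s in stmts
            if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))]

def public_acl_grants(grants) -> list:
    """Return the permissions an ACL hands to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]
```

In a real account the policy and ACL documents would come from the S3 API; the checks above run on the JSON as returned, and S3 Block Public Access should be enabled in addition so the wildcard never takes effect.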
The standard network defense has involved protecting the perimeter from outside forces, but a cloud environment, if not designed properly, is flat – allowing for unchecked lateral movement. The threat landscape is ever-changing, and the focus has shifted from keeping the attacker out (which, of course, is still important) to “What do we do, and how will we know, if they are already in?”
Security front and center
A security discussion that involves both business professionals and security professionals, from the earliest point possible, will allow them to design a plan where the business can grow but also be secure. In this way, they can make sure that all of the proper countermeasures are in place so that as the company’s footprint grows on-premises or in the cloud, the attack surface remains as small as possible.
Interactive access should be monitored and controlled, privileges need to be minimized, and all network traffic should be treated as untrustworthy. Organizations need to adopt a “zero-trust model” and proactively inspect all network traffic to validate the authenticity of user activity.
The model consists of these basic steps:
• Watch cloud, app and database behavior to catch anomalies that can indicate threats and compromise.
• Commit to patching and configuration control to reduce the attack surface.
• Segment networks and reduce single points of failure.
• Reduce access scope and rights.
• Build resilience so teams and products can recover quickly from incidents.
• Consider using Endpoint Detection and Response (EDR), an emerging category of tools and solutions that focus on detecting, investigating and mitigating suspicious activities and issues on hosts and endpoints.
• Consider using Network Behavior Anomaly Detection (NBAD) – the real-time monitoring of a network for any unusual activity, trends or events.
If an employee keeps leaving the back door open, all the network defenses in the world are useless. Start training employees on Day One so that they start thinking about cybersecurity best practices. Security should matter to everyone from the admin to the CEO. This will build resilience into products and teams.
Best practices include:
• Choose strong passwords and password management practices and solutions.
• Keep sensitive data secure and off your laptops and mobile devices.
• Look out for suspicious emails and calls from outsiders trying to obtain your information (phishing).
• Make sure your software is up to date.
• Make sure your antivirus software is up to date.
• Use caution when clicking links online and in emails.
• Don’t leave your devices unattended.
• Always back up your data in case of a ransomware attack.
A solid security foundation
When leadership teams meet to form the business strategy, cybersecurity is on the checklist. Everyone understands the high level of importance attached to safeguarding the network. But for organizations that formed before cybersecurity became a critical necessity, security measures have been added on piecemeal, for the most part. This can lead to gaps in safety, which malicious actors are looking to exploit. However, whether newly formed companies have applied the Agile framework to their cybersecurity or an older company is knitting together its defenses, the best practices above will help protect the network environment and its business-critical data.
About the Author
Craig Riddell is an IT Security Systems Architect with over 10 years of experience across all major business platforms, primarily in evaluating, designing, implementing, and supporting enterprise solutions.