Security practitioners face a multifaceted challenge during an economic downturn. Their organization wants to enhance security, so they look to new technologies. For example, a zero-trust strategy requires micro-segmentation, but the company’s current cybersecurity tooling stack lacks extended detection and response (XDR) capabilities. Simultaneously, as the economy contracts, security professionals watch budgets evaporate.
In response to these conflicting mandates, security teams should look inward rather than outward. By getting back to security basics, teams can use low-level tasks to make a high impact.
Start with the Basics
Modern environments are complex, connecting on-premises, cloud, and multi-cloud resources. For most security teams, adding more tools feels like the answer. Unfortunately, this often means people lose sight of their basic goal.
Every security team’s fundamental goal is to prevent cyberattacks from interrupting business processes. Over the years, organizations have added layer upon layer of defensive security controls. For example, many organizations deployed a Security Information and Event Management (SIEM) tool. Yet, attackers continue to succeed.
The problem is not a lack of layers. The problem is that these layers are incomplete.
To do more with less, security teams need to focus on these incomplete layers so that they can close the security gaps.
Is Each Layer as Good as it Can Get?
Over time, many companies have taken a “good enough” rather than a “good as it can get” approach to each security layer. Doing more with less means finding the activities that optimize security with minimal technology.
Patching
Patch management is a fundamental, basic security control. However, a SIEM is a detection and response tool, not a patch management tool. It can alert the team to an incident, but it won’t provide proactive visibility into the unpatched vulnerability that the malicious actor exploited.
Server/Hosts
Organizations often have incomplete coverage at the patching layer. According to research, the average mean time to remediate (MTTR) at the device/host layer was 57 days, and the average MTTR for a Critical-risk vulnerability was even longer, at 61.4 days. Further, the same report found that organization size had little or no impact on the time it takes to fix vulnerabilities.
Patching is usually a problem that operations teams must solve. However, security teams need visibility into how patching is going, and the various security-focused tools don’t provide it.
Getting back to basics and using log management enables the security team to monitor where patches are installed, catch patch installation failures, and understand why an install failed. This visibility is even more important for larger companies.
For example, if the operations team needs to deploy patches across 80,000 endpoints, patches that fail or cause an issue must have a reason. A company like Microsoft is not generally rolling out patches that are going to break everything for everyone. Security teams need to know why a patch failed. To gain this visibility, they can get back to basics by sending the Windows endpoint data to a log management solution where they can monitor what happens at the process, install, and registry levels.
Too often, organizations assume that having a 90-95% patching rate is acceptable, but from a threat landscape perspective that can be a gaping hole. Security teams need to know what server failed to get patched and why it failed so that they can create an action plan.
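The patch-failure triage described above, as an added example that is not part of the original article: it assumes the log manager receives WindowsUpdateClient events (ID 19 = installation succeeded, ID 20 = installation failed) in a constructed key=value shape, plus a host inventory from the configuration management tool, and answers which hosts failed, why they failed, and which never reported at all.

```python
import re
from collections import defaultdict

# Constructed sample: WindowsUpdateClient events (19 = install succeeded, 20 = failed) as they might land in a log manager; the KB number is a placeholder.
SAMPLE_LOG = """\
2024-03-13T02:10:11Z host=srv-web-01 event_id=19 update=KB-EXAMPLE-1
2024-03-13T02:11:40Z host=srv-web-02 event_id=19 update=KB-EXAMPLE-1
2024-03-13T02:12:03Z host=srv-db-01 event_id=20 update=KB-EXAMPLE-1 error=0x80070020
2024-03-13T02:12:45Z host=srv-db-02 event_id=20 update=KB-EXAMPLE-1 error=0x80070020
2024-03-13T02:14:09Z host=srv-app-01 event_id=20 update=KB-EXAMPLE-1 error=0x800f0922
2024-03-13T02:15:30Z host=srv-web-03 event_id=19 update=KB-EXAMPLE-1
2024-03-13T03:40:12Z host=srv-db-02 event_id=19 update=KB-EXAMPLE-1
"""
# Constructed host inventory (what the configuration management tool knows about).
FLEET = ["srv-web-01", "srv-web-02", "srv-web-03", "srv-db-01",
         "srv-db-02", "srv-app-01", "srv-app-02", "srv-file-01"]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) "
                     r"update=(?P<kb>\S+)(?: error=(?P<err>\S+))?$")

def parse_events(text):
    """Parse key=value update events; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def patch_report(events, fleet, kb):
    """Which hosts installed kb, which failed (grouped by error), which never reported."""
    succeeded, failed = set(), {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # chronological, so retries win
        if ev["kb"] != kb:
            continue
        if ev["eid"] == "19":
            succeeded.add(ev["host"])
            failed.pop(ev["host"], None)            # a later successful retry clears the failure
        elif ev["eid"] == "20" and ev["host"] not in succeeded:
            failed[ev["host"]] = ev["err"] or "unknown"
    by_reason = defaultdict(list)
    for host, err in failed.items():
        by_reason[err].append(host)
    return {
        "coverage_pct": round(100 * len(succeeded) / len(fleet), 1),
        "failed_by_reason": {err: sorted(hosts) for err, hosts in by_reason.items()},
        "no_report": sorted(set(fleet) - succeeded - set(failed)),  # the silent gap
    }

if __name__ == "__main__":
    report = patch_report(parse_events(SAMPLE_LOG), FLEET, "KB-EXAMPLE-1")
    print(f"coverage {report['coverage_pct']}% of {len(FLEET)} hosts")
    print("failed by reason:", dict(report["failed_by_reason"]))
    print("never reported:", ", ".join(report["no_report"]))
```

The hosts in `no_report` are the ones a pure success/failure count misses: they neither installed nor failed, which is exactly the gap a 90-95% coverage figure hides.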
User Devices
Typically, organizations do a better job taking care of their servers than their user endpoint devices. Although more attention is being paid to user device security, security teams have not always focused on it.
End-user device security is another area where a security team can reduce the attack surface. They can use Sysmon to monitor their endpoints and then pair that data with information from their configuration management tool. With this visibility, they can send test patches to selected groups the night the patches are released and review the results for issues.
Traffic
Remote and hybrid workforce models mean that monitoring network traffic is critical. Combining user device data and network traffic monitoring is another way to get more with less. A lot of activity happens on networks that security tools can’t pick up. Endpoints are the intermediary between the public internet and a company’s internal environment. Patching the endpoints is the first step; analyzing network traffic gives teams the extra visibility they need.
Security teams can use log tools to understand whether the source of the traffic is concerning. In this context, getting back to basics means looking at inbound connections to and outbound connections from their networks for visibility into things like open Remote Desktop Protocol (RDP) and Secure Shell (SSH) ports.
For example, it’s not abnormal to have RDP in a Windows server, but it’s important to know where the RDP connections are coming from. When security teams have all their devices and resources logged into a central repository, they can investigate the activity, like where the SSH into the internal network is coming from or why it’s going to a security camera.
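The inbound/outbound RDP and SSH review described above, as an added example that is not part of the original article: it assumes constructed flow records already centralized in the log manager, a constructed asset inventory (including a security camera), an assumed corporate range and admin VLAN, and returns the connections an analyst should look at together with the reason.

```python
import ipaddress

# Constructed asset inventory, standing in for the configuration management data the article says to pair with log data: address -> device role.
ASSETS = {"10.10.1.5": "windows-server", "10.10.1.6": "windows-server",
          "10.10.5.20": "security-camera", "10.10.7.14": "linux-server"}
INTERNAL = ipaddress.ip_network("10.10.0.0/16")           # assumed corporate range
ADMIN_SOURCES = [ipaddress.ip_network("10.10.9.0/24")]   # assumed jump hosts / admin VLAN
REMOTE_ADMIN_PORTS = {3389: "RDP", 22: "SSH"}
NO_REMOTE_ADMIN_ROLES = {"security-camera"}              # roles nobody should shell into

# Constructed firewall/flow records as a log manager might normalize them.
SAMPLE_FLOWS = """\
2024-03-13T08:01:02Z src=10.10.9.15 dst=10.10.1.5 dport=3389 proto=tcp action=allow
2024-03-13T08:03:44Z src=203.0.113.77 dst=10.10.1.6 dport=3389 proto=tcp action=allow
2024-03-13T08:05:10Z src=10.10.9.15 dst=10.10.7.14 dport=22 proto=tcp action=allow
2024-03-13T08:06:51Z src=10.10.1.5 dst=10.10.5.20 dport=22 proto=tcp action=allow
2024-03-13T08:07:30Z src=10.10.9.16 dst=10.10.1.5 dport=443 proto=tcp action=allow
2024-03-13T08:09:05Z src=10.10.3.40 dst=10.10.1.5 dport=3389 proto=tcp action=allow
"""

def parse_flows(text):
    """Turn 'ts k=v k=v ...' lines into dicts; dport becomes an int."""
    flows = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        f["ts"], f["dport"] = ts, int(f["dport"])
        flows.append(f)
    return flows

def triage(flows):
    """Return (src, dst, service, reason) for RDP/SSH connections an analyst should look at."""
    findings = []
    for f in flows:
        service = REMOTE_ADMIN_PORTS.get(f["dport"])
        if not service:
            continue                                     # not remote administration
        src = ipaddress.ip_address(f["src"])
        role = ASSETS.get(f["dst"], "unknown")
        if src not in INTERNAL:
            reason = "inbound from outside the internal network"
        elif role in NO_REMOTE_ADMIN_ROLES:
            reason = f"destination role is {role}"
        elif not any(src in net for net in ADMIN_SOURCES):
            reason = "source is not an admin network"
        else:
            continue                                     # expected admin traffic
        findings.append((f["src"], f["dst"], service, reason))
    return findings
```

`triage(parse_flows(SAMPLE_FLOWS))` yields three findings: RDP from outside the company range, SSH into the security camera, and RDP from an internal address that is not an admin network; the two admin-VLAN sessions and the HTTPS flow are left alone.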
By shoring up this layer, security teams gain visibility without having to buy new tools or hire new staff. Additionally, most companies already have a log management tool that their operations team uses. Instead of purchasing a new tool, they can get more out of what they already have.
Invest in People, Not Technologies
Security teams that need to do more with less should focus their investments on their people. Too often, companies spend too much money on tools that do more than they need. During an economic downturn, companies often reduce their training budgets and their investment in their people. In security, re-evaluating security analyst skill sets often brings the highest return on investment.
The best way to optimize a reduced budget is to offload technology spending into lower-cost alternatives that enable a “back to basics” security approach. Teams can then reinvest that money in their people, giving them the skills and training that enable them to write better protection rules, analyze data more effectively, and enhance overall security.
About the author: Joe Gross is the Director of Solutions Engineering at Graylog. He began his career hacking into the university network for a computer science project and has served as an IT consultant, systems analyst and solutions engineer. Joe is passionate about creating sophisticated cybersecurity solutions based on outcome-based log management.