Casey Ellis, founder, CTO and chairman of Bugcrowd, discusses a roadmap for lowering risk from cyberattacks most effectively.
When thinking about cybersecurity risk management, think about the last time you were comparing health-insurance policies. Each policy offers a means to protect yourself and your family from financial losses (e.g., through hospital coverage), and many policies include things that are designed to reduce the likelihood of those losses occurring in the first place (e.g., fitness benefits, preventative healthcare, etc.).
While buying these policies doesn’t guarantee that the policyholder will be immune to “having a bad day,” it does deliver reassurance and pathways forward should a negative event occur. Cybersecurity risk management is a similar concept.
In today’s business landscape, there are several basic cybersecurity policies that are becoming increasingly critical to adopt. Whether companies are just beginning to roll these out or view themselves as experts, there are a few tips that organizations should ensure they are following to make sure their cyber-defenses are as robust as possible.
1. Make Use of Cybersecurity Frameworks
Cybersecurity frameworks such as ISO 27001, the international framework that defines best practices for an information security management system (ISMS), can help organizations tackle business risk and enhance overall cyber-defense.
In addition to ISO 27001, there are several other frameworks to consider, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which offers in-depth support to help enterprises identify the necessary actions to address and decrease risk. The Center for Internet Security (CIS) also publishes the CIS Critical Security Controls (CSC), which is made up of 20 critical security controls broken down into key recommendations and best practices to help organizations decrease the likelihood of a successful cyberattack.
2. Establish a Risk-Assessment Rulebook/Checklist
Implementing a risk-assessment process means clearly defining how the company will prepare for, conduct and convey key findings from a risk assessment, as well as how the process will be maintained over time.
An organization’s IT systems and networks are constantly changing as software applications are updated and users are onboarded and offboarded. All of this is a breeding ground for new vulnerabilities to emerge, and there is no shortage of either change in these systems or new and emerging risks to stay on top of.
When preparing for a risk assessment, organizations should follow this checklist:
- Strategically outline the scope of the evaluation, including any significant up-front assumptions or expected constraints;
- Pinpoint the specific information sources that will be utilized;
- Describe the risk calculations and analytics methodology being used;
- Make sure to include any compliance regulations that impact the organization. Each regulation has its own set of requirements for risk assessment and reporting.
3. Leverage Threat Intelligence for Improved Risk Prioritization
Threat intelligence delivers timely data on top threats that are presently the most likely to impact the business. Threat intelligence can empower security teams to make crucial modifications to the existing risk assessment framework, to prevent newly developing threats from taking hold.
Threat intelligence data is gathered, evaluated and investigated to empower security and information teams with information that can help them make quicker decisions about threats. The entire process is rooted in data, such as information about threat groups and the latest attack tactics, techniques and procedures (TTPs), the attack vectors used and known indicators of compromise (IoCs).
4. Penetration Testing for Vulnerability Insights
When safeguarding themselves from cybercriminals, organizations need to surround themselves with people who think like a hacker and can predict which targets within the business an attacker would go after, and defend them. Some companies choose to do this with vulnerability scanners. However, this automated practice is prone to missing newly discovered vulnerabilities, and may have a hard time if the bugs are too complex. Additionally, false positives are a frequent occurrence, particularly when dealing with a large infrastructure.
Human ingenuity is crucial when seeking out vulnerabilities, which is why companies are increasingly turning to penetration testing. This method allows organizations to bring in security researchers to “hack” into their system and network to gain visibility into a range of vulnerabilities. These individuals are highly specialized and carry out the search with full approval from the company. Carrying out penetration testing on a regular basis is a crucial component of an organization’s cyber-risk management.
5. Tool Rationalization = Enhanced Cybersecurity ROI
A major benefit of cyber-risk management is that, as organizations work to fully implement the cyber-risk-management process, they are able to identify gaps in performance and coverage, or even redundant layers within their security controls. Security and IT teams should seize the opportunity to carry out tool rationalization in order to expand operational cybersecurity abilities at the lowest possible cost.
Companies should consider setting a target security posture and then systematically evaluate their current security infrastructure compared to the objective. Every dollar allocated towards security controls must deliver the defense the organization anticipates. Redundant tools that aren’t required to manage the risk of the company can be merged, removed or restructured within the business.
Casey Ellis is founder, CTO and chairman of Bugcrowd.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.