As the old security adage goes, “a well-managed network/system is a secure network/system,” and this notion of network and system management is a cybersecurity foundation. Pick any framework (e.g., the NIST Cybersecurity Framework), international standard (e.g., ISO 27000), best practice (e.g., the CIS 20 Critical Controls) or professional certification (e.g., CISSP), and much of the guidance presented will be about security hygiene and posture management.

Another time-honored colloquialism also comes to mind here: “An ounce of prevention is worth a pound of cure.” From a cybersecurity perspective, all frameworks, standards, and best practices suggest that security strategies start with fundamentals like an inventory of all assets on the network, hardened configurations, least-privilege accounts, system/data classification, rapid vulnerability discovery and remediation, and continuous monitoring. Get these right and you make it harder for adversaries to exploit your assets.

Cybersecurity hygiene and posture management are the equivalent of automotive maintenance recommendations like changing your oil and rotating your tires. Do these things to reduce the risk of more costly problems down the line.

Yup, every security professional knows about the importance of the basics, but they also know that security hygiene and posture management isn’t quite as straightforward as sound automotive maintenance. There are several reasons for this:

  • Cyber-risk continually increases. In a recent ESG survey, 84% of business, IT, and security managers said that cyber-risk is greater than it was two years ago due to a growing dependence on technology, an increasing attack surface, and a progressively dangerous threat landscape.
  • Software vulnerabilities are vast and unrelenting. Alarmingly, 70% of IT and security professionals claim that the volume of software vulnerabilities can be overwhelming. This is because it takes lots of time and money to scan for vulnerabilities, understand which vulnerabilities are likely to be exploited, prioritize patches, work with IT operations on patch management, etc. Oh, and we are talking about thousands of software vulnerabilities across the enterprise at all times.
  • Security hygiene and posture management is a manual slog. Nearly half (46%) of cybersecurity decision makers say that continually monitoring security hygiene and posture across the enterprise is their biggest cyber-risk management challenge. Why? Think of the parable of the blind men and the elephant: Each man touches the elephant in one place, uses this experience to form an opinion of what the elephant looks like, and, no surprise, their descriptions differ wildly. The only way to get a more comprehensive picture is by sharing all the individual data points. Unfortunately, the tools used for security hygiene and posture management are like the blind men: each looks at only one thing, such as assets, configurations, user privileges, software vulnerabilities, or the effectiveness of security controls. CISOs need a team of analysts and spreadsheets to get a complete picture of the security hygiene and posture management elephant. This, too, takes resources and is prone to errors.
  • The SolarWinds hack introduces even more complexity. Before the SolarWinds hack, 47% of cybersecurity decision makers said that monitoring risks associated with IT vendors was their biggest cyber-risk management challenge. Based on many anecdotal conversations, I’m sure this percentage is a lot higher today. Because of SolarWinds, CISOs are reassessing their IT vendor and third-party risks and plan on more stringent requirements moving forward. This means more oversight spanning purchasing, testing, deployment, and ongoing operations.

Think about the quandary this presents. CISOs know that cybersecurity depends upon a foundation of strong security hygiene and posture management, but increasing scale and complexity make the basics all but impossible. So, what do they do? Leading CISOs I’ve spoken with recently take the following steps:

  • Take over attack surface management. Rather than rely on configuration management databases (CMDBs) and other types of asset management systems, security teams are adopting their own tools for attack surface discovery and management. Some tools focus on internal assets while others take an outside-in view, looking for risks associated with servers, files, and user credentials exposed on the public internet. Furthermore, many of the attack surface management tools go beyond discovery, finding vulnerabilities and even suggesting or automating remediation. Increasing interest in attack surface management prompted Palo Alto Networks to acquire Expanse and integrate it into Cortex for security operations.
  • Focus on the crown jewels. Organizations with thousands of assets realize they cannot get to everything, so they tend to concentrate on business-critical assets. While this may be obvious, it is not easy, as it starts with the discovery and classification of assets. Security teams cannot do this alone, however, and need guidance from business owners who better understand which assets underpin critical business processes. Proactive CISOs are reaching out to line-of-business managers and performing continual assessments to create some type of asset taxonomy. Once this is completed, they prioritize security hygiene and posture management for business-critical assets by locking down access controls, segmenting networks, deploying security controls, and continuously monitoring for any changes.
  • Invest in cloud security. Cloud computing introduced a pace and complexity hand grenade to security hygiene and posture management with new tools, agile development, and temporal workloads. ESG research indicates that organizations are addressing cloud computing security with massive new security investments in areas like cloud security posture management (CSPM). In other words, organizations are bridging this gap by spending cloud security budgets like drunken sailors.
  • Increase testing. Regardless of security hygiene and posture management efforts, security professionals are never sure whether they are protected. To alleviate these concerns, many organizations are increasing the frequency and scope of penetration testing and red teaming. This has led to the rise of continuous automated penetration and attack testing (CAPAT) tools from AttackIQ, CyCognito, Cymulate, Randori, SafeBreach, XM Cyber and others. FireEye was so enthused that it purchased Verodin and made it part of its security operations strategy.

If I were a younger man, I would approach some top-tier VC, raise money, and start a company focused on developing a cloud-native security hygiene and posture management system that could consolidate and analyze data, automate processes, and deliver a real-time CISO dashboard. Others like Kenna Security, ServiceNow, and Tenable Networks have similar ideas.

Meanwhile, there is no magic bullet here, so CISOs need to be a bit more diligent, proactive, and creative to have any chance of keeping up with security hygiene and posture management.

Copyright © 2021 IDG Communications, Inc.