Mahmoud Mounir, Regional Director, Secureworks MEA, highlights five recommendations that organizations should focus on to improve their security posture.
Cyber criminals continue to leverage and coalesce around tactics that they know will work, because organizations still struggle to tackle the basics of cybersecurity, according to Secureworks’ 2019 Incident Response Insights Report.
1. Choose a Framework
It is easy for organizations to examine incidents and their ensuing root cause analyses in isolation and develop point-in-time solutions to address the issues. But building a security program around an existing industry standard framework ensures that the organization addresses many of its security gaps, not just the systems that have already been compromised. While there are a number of frameworks to choose from, the practical and pragmatic CIS Controls framework includes straightforward guidance for defenders. Most of the recommendations Secureworks analysts make can be found in this framework.
2. Implement Multifactor Authentication (MFA)
The most common and effective recommendation Secureworks analysts provide is to implement MFA on all externally facing services. Every service available on the Internet, including cloud applications such as Office 365/Outlook, external VPNs, and SSO pages, should require users to provide a one-time password (OTP) in addition to their regular password. The OTP can be generated from a physical token or a software app. Though deprecated by some standards, an OTP delivered via SMS message to the user’s phone is still better than a single factor. This rule should apply to all users, especially senior managers and the suppliers/vendors who need access to the organization’s systems.
3. Increase Visibility
Incident response efforts are often hampered by a lack of visibility in the environment. This condition may be due to a lack of historical logs that would allow network defenders to forensically piece together what happened, or it may be due to a lack of appropriate tools to monitor for ongoing threat actor activity. Organizations should check that log policies are configured to record useful data and to retain it for an appropriate amount of time. Endpoint monitoring tools are essential for detecting suspicious activity in the environment after other controls have been evaded.
4. Conduct Preparedness Exercises
Cybersecurity technology solutions cannot address all cybersecurity risks. Business email fraud is a good example of how people and processes play a starring role in either increasing or reducing risk.
Organizations should establish a process that involves multiple approvals for transactions, out-of-band confirmation of changes to bank account details, and no regular exceptions for “urgent” requests from senior management.
5. Use Exercises to Understand and Improve Security Posture
Table-top exercises can benefit organizations at different stages. In some cases, the scenarios and subsequent discussions can help participants understand their environment. Involving stakeholders from Legal, Public Relations, and other groups across the organization provides insight about what data is and is not important and why.
Common Gaps Identified Through Incident Response Tabletop Exercises
- Misalignment of playbooks (e.g., internal CERT and Executive Crisis Team)
- Lack of communication plan within the incident response plan
- Inability to determine what data is or is not important, and why
- Unclear roles and responsibilities
- Employee susceptibility to social engineering
- Gaps in basic hygiene