Many people make New Year’s resolutions to work out at the gym or to eat better. As we start another year that is sure to yield more vulnerabilities and breaches, we should also resolve to implement a solid security plan for all of our cyber assets. We should review our security in-depth strategies to make sure we have the proper technology, people and processes in place to support and secure the business infrastructure. When you walk into a gym for the first time, you may wonder, “Where do I start?” Similarly, let’s dig into where you should start with your security.
1. Inventory all of your business’s technology assets, even the server sitting under someone’s desk. Once this is completed, find out which operating systems, applications, databases, and networking and security infrastructures are supporting your business.
2. Determine which antivirus, patch management, and email and storage encryption products will work with your list of assets. The list will narrow pretty quickly if you have a mixed environment such as Windows, Macintosh and various versions of Linux.
3. Research which log management tools, application code scanners, web application firewalls, backup solutions, and mail and web filtering products work for the environments you want to protect.
4. Implement proper network security controls through firewalls, intrusion detection solutions, deep packet forensics, NetFlow anomaly analysis, network access controls, and scanners that continually test the environments for vulnerabilities.
Taking these steps will result in a solid security in-depth strategy, but something is still missing: what ties all four of the above technology strategies together.
What ties them together is security information and event management (SIEM) technology, plus continual content updates to stay current with the latest threats. The SIEM technology solves some of the communication issues that arise within a structured group built from different teams with different objectives. The SIEM ingests all the logs from the above technologies to find patterns, which are escalated as security incidents. These incidents are then sent to the appropriate teams for resolution.
The tough part about SIEM is generating the content. Content is truly the backbone that makes your security strategy work. The content needs to be updated consistently with the proper testing and analysis. Content is fed into the SIEM and the engine identifies new and emerging threats that we are faced with on a regular basis. Threat intelligence is also an important factor that supports content. Intelligence consists of blacklists of malicious URLs and IP addresses, emerging malware and global data threat trends that can be delivered to the SIEM for the creation of up-to-date content.
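To make the SIEM’s role concrete, here is an added example (not from the original article or any vendor’s product) of a small correlation pipeline in Python. It ingests constructed log lines from firewall, IDS, web proxy and authentication sources, enriches them against a constructed threat-intelligence blacklist of IPs and URLs, applies three hand-written rules (the “content”), and routes each resulting incident to an owning team. The log format, indicator values (documentation-range addresses), rule names and team names are all assumptions made for this example.

```python
# Added toy SIEM pipeline: parse multi-source logs, enrich with threat intel, run
# correlation rules ("content") and route incidents. Format, feed, rules and team
# names are constructed for this example, not taken from any real product.
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (documentation-range addresses, not real IoCs).
THREAT_INTEL = {"ips": {"203.0.113.45"}, "urls": {"http://malware.example/payload.bin"}}

# Constructed sample lines from firewall, IDS, web proxy and auth sources.
SAMPLE_LOGS = [
    "2024-01-08T09:00:01 firewall ALLOW src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2024-01-08T09:00:05 ids ALERT sig=TROJAN_BEACON src=10.0.0.5 dst=203.0.113.45",
    "2024-01-08T09:02:00 proxy ALLOW src=10.0.0.9 url=http://malware.example/payload.bin",
    "2024-01-08T09:10:00 auth FAIL user=alice src=198.51.100.7",
    "2024-01-08T09:10:20 auth FAIL user=alice src=198.51.100.7",
    "2024-01-08T09:10:45 auth FAIL user=alice src=198.51.100.7",
    "2024-01-08T09:11:10 auth SUCCESS user=alice src=198.51.100.7",
    "2024-01-08T09:31:00 auth FAIL user=bob src=192.0.2.50",
    "garbage line that does not parse",
]

# Normalised event: every source is reduced to the same shape before rules run.
Event = namedtuple("Event", "ts source action fields")

@dataclass
class Incident:
    rule: str
    severity: str
    evidence: list = field(default_factory=list)
    team: str = ""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<action>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Normalise one raw line into an Event; unparseable lines are dropped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return Event(ts, m.group("source"), m.group("action"), dict(KV_RE.findall(m.group("rest"))))

def ingest(lines):
    # Order by timestamp so sequence-based rules can reason about "before" and "after".
    return sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)

def rule_threat_intel(events, intel):
    """One incident per blacklisted IP/URL observed, every matching event as evidence."""
    hits = defaultdict(list)
    for e in events:
        for key in ("src", "dst", "url"):
            v = e.fields.get(key)
            if v in intel["ips"] or v in intel["urls"]:
                hits[v].append(e)
    return [Incident("threat_intel_match", "high", evs) for evs in hits.values()]

def rule_ids_confirmed_by_firewall(events, window=timedelta(minutes=5)):
    """IDS alert plus a firewall ALLOW for the same src/dst pair inside the window."""
    allows = [e for e in events if e.source == "firewall" and e.action == "ALLOW"]
    incidents = []
    for alert in (e for e in events if e.source == "ids" and e.action == "ALERT"):
        pair = (alert.fields.get("src"), alert.fields.get("dst"))
        confirming = [a for a in allows if (a.fields.get("src"), a.fields.get("dst")) == pair
                      and abs(a.ts - alert.ts) <= window]
        if confirming:
            incidents.append(Incident("ids_alert_confirmed_by_firewall", "critical", [alert, *confirming]))
    return incidents

def rule_brute_force(events, threshold=3, window=timedelta(minutes=10)):
    """`threshold` or more auth FAILs for a user followed by a SUCCESS inside the window."""
    by_user = defaultdict(list)
    for e in events:
        if e.source == "auth":
            by_user[e.fields.get("user")].append(e)
    incidents = []
    for evs in by_user.values():
        for i, e in enumerate(evs):
            fails = [f for f in evs[:i] if f.action == "FAIL" and e.ts - f.ts <= window]
            if e.action == "SUCCESS" and len(fails) >= threshold:
                incidents.append(Incident("brute_force_then_success", "high", [*fails, e]))
                break
    return incidents

# Escalation table: which team owns which finding (constructed names).
ROUTING = {"threat_intel_match": "network-team", "ids_alert_confirmed_by_firewall": "soc",
           "brute_force_then_success": "identity-team"}

def run_siem(lines, intel=THREAT_INTEL):
    # Ingest, run every rule, then route each incident to its owning team.
    events = ingest(lines)
    incidents = rule_threat_intel(events, intel) + rule_ids_confirmed_by_firewall(events) + rule_brute_force(events)
    for inc in incidents:
        inc.team = ROUTING.get(inc.rule, "soc")
    return incidents
```

Running `run_siem(SAMPLE_LOGS)` on the constructed input yields four incidents: two threat-intelligence matches (the blacklisted IP seen by both firewall and IDS, and the blacklisted URL seen by the proxy), one IDS alert confirmed by a firewall ALLOW for the same pair, and one brute-force-then-success for alice; bob’s single failure and the unparseable line produce nothing. The point of the design is that the rule functions are the content: updating the blacklist or adding a rule changes what the engine finds without touching the ingestion code, which is why that content needs the consistent testing and updating the article describes.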
This is a long list of security steps, but the most important item is to make sure you implement your strategy with enough people and process to make it all work efficiently.