By Ez Yiap – Cyber Security Consultant (GRC) and Assistant Trainer for the Institute of Data’s Cyber Security Program.
An IOD alumnus who pivoted into cyber security, Ez now helps organisations assess and strengthen their holistic cyber security. Ez is passionate about contributing to and coaching in the cyber security community.
Connect with him on LinkedIn!
In 2022 there is certainly no end to the cyber security solutions an organisation could consider implementing, and it is harder still to know which are the most important.
There is no right or wrong answer or an all-inclusive and applicable list. Organisations should take a risk-based approach in assessing and treating their cyber risks and look to balance value and functionality with security controls and systems.
This article outlines ten of the top cyber security solutions organisations are implementing to mitigate cyber security threats better.
Awareness Training and Coaching in Cyber Security
Have you heard of the phrases ‘The Human Firewall’ or maybe, ‘People are the weakest link’? When it comes to security, regardless of the latest and greatest technology, an organisation relies on its people for security, privacy and protection as the first line of defence and response.
Organisations should start by developing a security awareness strategy, then a programme of security awareness training and/or coaching that addresses the day-to-day tasks of users and customers that introduce risk.
Security awareness programmes may include a range of modes to engage users with different learning styles.
Approaches to staff or even customer engagement include but are not limited to:
- Face to face sessions
- Virtual presentations/webinars
- Interactive modules (computer or online driven)
- Video content
- Gamified content
- Simulated phishing engagements
- Poster/banner/warning collateral
Increasingly, organisations are turning to security coaching models over traditional awareness training/education models.
Coaching is about continual improvement and growing self-awareness.
Coaching requires defining a purpose, gaining buy-in and working with individuals to become a part of something greater as a collective. Where training may deliver quantitative metrics, coaching invites feedback, discussion, contribution and intrinsic motivation to secure day-to-day duties.
Cyber security policies, processes and procedures
Every organisation needs governance, strategy, accountability and clear expectations from the boardroom to the basement, and that includes cyber security. Formalising and documenting are often seen as bureaucratic red tape that slows an organisation’s growth.
The result is processes and operations that develop without ever being formalised or documented. Risks arise when staff turn over or when organisational direction, requirements and context shift: business stalls while people try to recalibrate the what, how, why and where of their to-dos, and the what-ifs.
Organisations should aim to formalise security by implementing an information security policy suite that supports the organisation’s goals and promotes growth, functionality and maturity.
Typically, policies outline the high-level purpose, scope, context, requirements or details. Processes aim to outline what to do and are more operational. They will have step-by-step instructions that can be followed and are intended to make cyber security understandable and accessible to someone in a pick-it-up and go-with-it mode.
Procedures lay out the way to go about a task and address the finer detail of the ‘how-tos’. Procedures are written for an audience with an expected level of competency or expertise in the subject matter at hand.
Some examples of policies include:
- Information Security Policy
- Acceptable Use Policy
- Human Resources Security Policy
- Third-Party Management Policy
- Access Control Policy
Some examples of processes include:
- User Access Control Review Process
- Incident Response Process
- Data Breach Notification Process
- Change Approval Process
Some examples of procedures include:
- Onboarding/Offboarding Procedure
- Daily Backup Procedure
- Operating System Patching Procedure
- User/Caller Identification Procedure
Identity and Access Management
Identity and access management (IAM) is the set of controls that determine the entities that can access resources, the extent or type of access to those resources permitted and the verifications that sit alongside it. IAM includes and addresses controls for identification, authentication and authorisation.
For enterprise organisations, IAM may have a multi-person team of trained cyber security professionals handling the ongoing tasks that come with a big moving machine that can include specialised software, structured processes and procedures.
Access controls are essential in preventing unauthorised disclosure, alteration and unavailability of resources, data and systems. This places IAM among the top solutions organisations focus on when architecting their cyber security posture.
IAM can include solutions such as privileged access management (PAM), single sign-on (SSO), multi-factor authentication (MFA), access controls like role-based access control (RBAC), or even federated authentication using the likes of Google, Facebook or Microsoft to authenticate and allow access.
Email Security
Multiple security controls apply to email. One of the most used is email filtering, often known as a secure email gateway (SEG). This solution usually offers a string of protections for user inboxes that may include:
- Spam filtering – flagging mail as spam and then directing it to a dedicated folder with warnings provided to the user cautioning opening it or its attachments.
- Granular filtering – instead of an out of the box or signature-based filtering, a solution may permit the administrator to provision set conditions or settings that filter emails and quarantine them or block them entirely.
- Quarantining – an email may be quarantined if it meets criteria identifying it as potentially malicious. If the user accepts the risk, a request then needs to be made to release it from quarantine.
- Phishing reporting – the solution may integrate with the organisation’s mail solution to permit the user to flag suspicious mail as phishing or report it, allowing the organisation to investigate further and develop reporting and analytics on emails.
- Attachment scanning – scanning email attachments for known malicious signatures, parameters or contents may provide extra protection from users engaging with viruses and malware.
There are many flavours of email security. Some will include security controls for not only inbound messages but also outbound ones. An example of this is the ability to encrypt outgoing emails to protect the contents being sent. Organisations usually need to undertake business impact analysis, cost analysis and run proof of concept on email security solutions to ensure they get the needs of the business met.
Endpoint Detection and Response
Antivirus software has been around since about the late 1980s. It has evolved to the point that there are few, if any, solutions that exclusively call themselves antivirus and provide only that offering. With the evolution and proliferation of malware, continual cyber threats and an ever-growing application and device sprawl across organisations and in our personal lives, it is no wonder that solutions have grown to address risks on multiple fronts.
Endpoint detection and response (EDR) is a cloud-based solution where an agent resides on the user’s device. The agent logs and monitors events, looking to uncover indicators of compromise (IOCs), threats on the device, anomalous behaviour, viruses and malware, and takes action to mitigate anything deemed an incident. EDR can feed a Security Information and Event Management (SIEM) tool that aggregates and correlates events and assists a security analyst or team in triaging events and incidents.
Extended Detection and Response (XDR) is also sometimes known as Cross-Layered Detection and Response. XDR takes the detection and response to the next level by pulling and pooling multiple sources, including endpoints, network devices, cloud solutions, third party data, threat analytics, and possibly more, depending on the vendor. Data is usually correlated and normalised to reduce the amount of noise the team receiving the information has to deal with and provides greater context and relevance to assist in security incident management.
Vulnerability Management
Operating systems, software and firmware are in constant need of updating, not only by developers and vendors for general improvements but also for security. New bugs are discovered all the time, and without an organisation applying the latest patches, vulnerabilities may exist that threat actors could exploit in cyber attacks.
Vulnerability management is typically a programme of work established to scan external and internal infrastructure and applications to determine any missing patches or vulnerabilities.
An organisation may do this itself with a scanning tool or outsource it to a Managed Security Services Provider (MSSP) to license the tool and provide the resources to scan and report on. In almost all circumstances, remediations lie with the organisation due to interdependencies, testing updates, rollbacks that may be required, and the delicate nature of many environments.
Some standards, like the Payment Card Industry Data Security Standard (PCI-DSS), mandate regular vulnerability scanning, adding an element of compliance in addition to good practice security. Many organisations struggle to stay on top of patching vulnerabilities due to the sprawl of technology and applications and the resources required to manage it all regularly.
Usually, an organisation will rate vulnerabilities by severity and set out a specific timeframe for the remediation. For example, critical vulnerabilities may be deemed necessary to remediate within three business days, whereas a low vulnerability may be deemed necessary to remediate within two months.
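As an added example (not from the article), a small Python tracker that turns the severity-based remediation windows described above into due dates and flags overdue findings. The critical window (three business days) and low window (two months, assumed here to mean 60 calendar days) come from the text; the high and medium windows and the sample findings are constructed for illustration.

```python
from datetime import date, timedelta

# Remediation windows by severity. Critical and low follow the article;
# high and medium are constructed placeholder values, not from the article.
SLA = {
    "critical": ("business_days", 3),
    "high": ("calendar_days", 14),
    "medium": ("calendar_days", 30),
    "low": ("calendar_days", 60),   # "two months", assumed as 60 calendar days
}


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n weekdays (Mon-Fri); public holidays are ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 are Monday..Friday
            n -= 1
    return d


def due_date(found_iso: str, severity: str) -> str:
    """Return the ISO remediation deadline for a finding discovered on found_iso."""
    unit, n = SLA[severity.lower()]
    found = date.fromisoformat(found_iso)
    due = add_business_days(found, n) if unit == "business_days" else found + timedelta(days=n)
    return due.isoformat()


def overdue_findings(findings: list, today_iso: str) -> list:
    """Return open findings whose deadline has passed, with how many days late they are."""
    today = date.fromisoformat(today_iso)
    late = []
    for f in findings:
        if f.get("remediated"):      # already fixed: nothing to chase
            continue
        due = date.fromisoformat(due_date(f["found"], f["severity"]))
        if today > due:
            late.append({"id": f["id"], "severity": f["severity"],
                         "due": due.isoformat(), "days_late": (today - due).days})
    return late


# Constructed sample scan results (not real findings). 2022-06-01 is a Wednesday.
FINDINGS = [
    {"id": "VULN-1", "severity": "Critical", "found": "2022-06-01", "remediated": None},
    {"id": "VULN-2", "severity": "Critical", "found": "2022-06-03", "remediated": None},
    {"id": "VULN-3", "severity": "Low", "found": "2022-06-01", "remediated": None},
    {"id": "VULN-4", "severity": "High", "found": "2022-05-20", "remediated": "2022-06-02"},
]

if __name__ == "__main__":
    for item in overdue_findings(FINDINGS, "2022-06-10"):
        print(item)
```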
Security Operations Centre
A security operations centre (SOC) may involve several layers of service offerings. Typically, a SOC is built around a SIEM tool with analysts monitoring for IOCs and abnormal activity in order to respond as quickly as possible.
Many SOCs run on a 24/7 basis year-round, with security analysts doing shift work. Various models exist, from entirely outsourced managed detection and response (MDR) to hybrid models where an organisation has in-house analysts 9 to 5 and outsources monitoring outside of hours or, in some instances, puts its own analysts on call outside of hours.
A SOC may undertake security responsibilities such as:
- SIEM management
- Level 1 to 3 security analyst work
- Network threat analytics
- Security Orchestration, Automation and Response (SOAR) oversight, configuration and management
- Threat hunting
- Vulnerability management
- Incident response
- Digital forensics
SOC solutions often provide organisations with incredible value due to the resource requirement of establishing, maintaining and having a truly effective in-house team to do all the tasks on a 24/7 basis. MSSPs leverage a wide variety of technology and vendors to suit budgets, scale, client requirements and capabilities as needed.
Penetration Testing
In addition to developing and implementing solutions with security and privacy in mind, organisations also need to provide assurance of security to stakeholders, suppliers, customers, clients, regulators, government, partners etc.
One such means of assurance is penetration testing. Sometimes known as ethical hacking, this is where a network, system, application, hardware or even a physical environment will be scoped for a simulated attack to determine what vulnerabilities and security holes exist in order for the organisation to remediate them (hopefully) before a threat actor can.
Penetration testing scope is always agreed upon between the client and the service provider (penetration tester), whether in-house or external. In most circumstances, penetration testing teams are either fully independent or segregated from other parts of the business like software development to ensure no one is marking their own homework, so to speak.
Penetration testing commonly occurs on web applications either during development or before launch, as threat actors commonly target these to access sensitive information and environments. Additionally, penetration testing can be undertaken on external, internal and wireless networks.
Hardware and Internet of Things (IoT) devices are increasingly subject to penetration testing requirements. A physical penetration test usually involves testing physical security controls an organisation has, such as security cameras, social engineering vulnerabilities, secure area access, lock picking, access control vulnerabilities, etc.
Data Loss Prevention
Data loss prevention (DLP) solutions come in many flavours, with varying inclusions, details and implementations. Typically, DLP addresses two scenarios. The first is the risk of an inside threat actor. They may be intentional or unintentional in their actions but are exfiltrating (leaking) data outside of where they should and exposing risks to confidentiality by doing so.
This may result in compliance, regulation, and legal issues in some instances. The second is the risk of an external threat actor that has gained access to the internal environment and is seeking to exfiltrate data for malicious purposes – selling it on the dark web, espionage, or holding it for ransom.
DLP usually requires some security prerequisites in order to be effective. This includes such policy and practices as data classification and labelling for sensitivity in order to have the DLP solution determine what can and can’t occur with set file types. DLP will rely on integration with other solutions and may need to access cloud environments to monitor traffic between end-users and cloud data storage locations within web applications or cloud storage services.
DLP is often a solution implemented in later stages of maturity of an organisation due to cost, resources, complexity and the dependency on other established security controls.
Secure Code Development
Secure code development, sometimes known as DevSecOps, is all about ensuring that secure coding practices are embedded within the development of code for applications. Application development is not usually driven by a high priority to be built securely.
Rather the focus is on time to market, user experience, functionality, reliability etc. Security tends to be an afterthought in development, and increasingly businesses are looking to shift security into the agile development process to minimise risks and reduce time mitigating and treating vulnerabilities discovered closer to release or once an application has gone live into production.
Secure code development requires an organisation to develop software aligned to an industry recognised standard such as the Open Web Application Security Project (OWASP), or the Center for Internet Security (CIS) controls for application software security or NIST’s Secure Software Development Framework.
Secure code development also incorporates practices such as secure code development training for coders that may not have learned security practices during their education. This may also be complemented by training from penetration testers who review and test applications.
Secure code review is another control that can, in some instances, be automated with technology to search for security vulnerabilities within the code or can be a manual process of going through code looking for vulnerabilities or some combination.
What’s next for cyber security solutions?
Security requirements and systems will continue to evolve and shift.
Each of the outlined solutions has its own domain and speciality that you, as a cyber security specialist, can dive deeply into. Keep in mind that security requires a holistic, layered, defence-in-depth approach.
To find out more about each of these solutions, their applicability to organisations and help discover an area of special interest to you, speak to the Institute of Data and get inspired.