The statistics on IT security threats are staggering. A survey from the Ponemon Institute revealed that seven out of 10 organizations said their security risk increased significantly in 2017. More than half of the respondents experienced one or more successful attacks that compromised data and/or IT infrastructure. The same report pegged the cost of a successful cyber-attack at over $5 million. Most distressing, more than two thirds of the organizations surveyed feel their antivirus protections can’t stop the threats they’re seeing.
The chances your organization will suffer a data breach are significant. The odds of being hit by lightning are one in 960,000. The chances of dating a millionaire are one in 220. The odds of experiencing a data breach? One in four.
In an effort to stem the growing wave of security threats, IT leaders are presented with an overload of potential solutions. The IT security market is flooded with products ranging from threat intelligence feeds to intrusion detection systems to home-grown tools. In fact, there are now well over 2000 cybersecurity solution providers on the market, but despite the presence of so many tools, many organizations still struggle to gain synergy from their investments.
As IT security breach threats continue to increase, how can you sift through the noise and develop the right solution to protect your organization? You have two models you can follow: the castle or the vibrant major metropolis.
Changing the mindset around IT security
The castle is designed primarily with security in mind, while the vibrant metropolis is built for productivity. Traditionally, security leaders have instinctively favored building castles, and it’s easy to see why, since most security tools have historically focused on prevention at the edges of the environment – the endpoint and the perimeter. For years, IT organizations have built the walls higher and thicker, lending themselves to a mindset of blocking, restricting, and excluding potential sources of uncertainty from the network. This model – static, rigid, limited, inaccessible – ultimately obstructs your organization’s productivity, incentivizes users to circumvent controls, and encourages the use of “shadow IT” to get around perceived barriers to collaboration.
The metropolis model, on the other hand, is not built on the premise of keeping people out, but of letting people in safely. Such a model is flexible, dynamic, and accessible; it focuses on identifying, enabling, and engaging, which allows people to do business and increase their prosperity. It grows things rather than restricting them. Ultimately, prevention IS possible, but only through complete visibility and excellent cyber hygiene. Within this model of a data metropolis versus a data fortress, security teams must in turn stop using prevention-based metrics and move toward measurements based on visibility and response. In our data metropolis, for example, the security team acts as the police force – striving to maintain visibility through patrol and observation and, by doing so, creating a safe space – but ultimately, what matters even more is whether the team can effectively respond to incidents when they occur, protect users from compromise, and prevent assets from being exfiltrated. Unfortunately, the national trend is that it takes between two hundred and three hundred days from the time a breach occurs until it is discovered, and over 80% of the time, it’s a third party that discovers it.
To unleash the power of your organization, you must transform your thinking about IT security from something that is an obstacle to the business into something that is an enabler of success. Security policies and tools must be tied to specific control points within business workflows and should not exist simply for their own sake, or because they are assumed to be necessary. Risk must be measured in a meaningful way that allows security teams to easily understand the importance of those control points and how they are unique to their specific environment. Every deployed control must, in turn, be evaluated according to how it either produces or consumes threat intelligence, where in the cyber kill-chain it fits, and whether it creates conflict, confusion, or excessive redundancy with another control.
In so doing, your IT security becomes distributed, proactive, and intelligent. Every component of your control framework from your network, to the endpoints, to the data and applications themselves is producing, and sharing, meaningful threat intelligence. Going back to the metaphor, for the metropolis to be safe you need as much visibility as possible. The same is true for your IT security. Before you can address any potential threats, you need to be able to see what is happening within your systems.
Also keep in mind that most threats originate from the inside, whether through a malicious insider, negligence toward security procedures, or even simply an individual being unaware of the impact of their actions. The modern workplace is a porous environment, and keeping the threat entirely out is simply not feasible – nor is any attempt to predefine what the threat is, or to rely on defenses that only account for what has already been seen.
The Threat Intelligence Lifecycle
The first step in the Threat Intelligence Lifecycle is detection, which comes from visibility. This is defined as having complete knowledge of every application, user, and device on the network – at all times. Once you have discovered all that there is to discover on the network, you need to understand how everything discovered aligns – or if it aligns at all – with the goals and objectives of the organization. Having done this, the next phase is reduction, and the first step toward mitigating the threats you’ve uncovered is to stop attempting to protect more than is necessary for the success of the organization. Businesses and agencies do not exist to be secure – businesses exist to be profitable, and public sector agencies exist to fulfill their organizational mission or mandate. Toward those ends, these organizations must adequately and reasonably control risk, but only to the extent that doing so fulfills their primary purpose. By preventing your adversary from defining your threat surface for you, your team can proactively understand where to focus their attention and where to avoid, transfer, or accept given risks.
Once you’ve narrowed down the areas where you absolutely must be exposed, you move to the third step, which is enhancing your security controls in those areas. During this phase of enhancement, you can start to introduce defense in depth in a meaningful and strategic way rather than as a patchwork of overlapping products. That leads to the final step: optimization. Up to this point, you’ve done enough to quiet the landscape, cut through the noise, and collect relevant information that you can use to establish ongoing visibility, improve response times, and conduct meaningful investigations. You can then repeat the cycle to create continuous improvement, being sure to always measure and evaluate the tools and procedures in use, look for opportunities to enhance or provide correction, and, perhaps most importantly, ensure that the tools and procedures in place continue to align with the goals of the organization.
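The four lifecycle steps above can be made concrete with a small script. The example below is an added illustration written for this article, not code from DynTek or from the cited report; the scan results, inventory, required-control set and incident records are all constructed sample data, and the control names are assumptions. It walks one pass of the cycle: detection finds hosts the inventory does not know about (a visibility gap), reduction flags exposed hosts that serve no business function, enhancement lists required controls missing from hosts that must stay exposed, and optimization computes visibility-and-response metrics (days to detect, share of incidents found by a third party) rather than prevention counts.

```python
"""One pass of the Threat Intelligence Lifecycle over constructed sample data."""
from datetime import datetime
from statistics import mean

# Step 1 input (constructed): what a network scan actually observed.
SCAN_RESULTS = [
    {"host": "web-01", "services": ["https"]},
    {"host": "db-01", "services": ["postgres", "ssh"]},
    {"host": "legacy-ftp", "services": ["ftp"]},
    {"host": "printer-07", "services": ["http", "telnet"]},
]

# Constructed asset inventory: the business function each asset serves and the
# controls currently applied. A None function means nobody can say why it is exposed.
INVENTORY = {
    "web-01": {"function": "customer portal", "controls": {"waf", "logging"}},
    "db-01": {"function": "customer portal", "controls": {"logging"}},
    "legacy-ftp": {"function": None, "controls": set()},
}

# Assumed policy: every asset that must stay exposed needs at least these controls.
REQUIRED_CONTROLS = {"logging", "patching"}

# Constructed incident records: when the compromise began, when it was detected,
# and whether the organisation or an outside party found it.
INCIDENTS = [
    {"occurred": "2018-01-03", "detected": "2018-01-10", "found_by": "internal"},
    {"occurred": "2018-02-01", "detected": "2018-03-20", "found_by": "third-party"},
]


def visibility_gaps(scan, inventory):
    """Step 1 (detection): hosts seen on the wire that the inventory does not know."""
    return sorted(h["host"] for h in scan if h["host"] not in inventory)


def reduction_candidates(scan, inventory):
    """Step 2 (reduction): known, exposed hosts that serve no business function."""
    return sorted(
        h["host"] for h in scan
        if h["host"] in inventory and inventory[h["host"]]["function"] is None
    )


def enhancement_list(scan, inventory, required):
    """Step 3 (enhancement): hosts that must stay exposed but lack a required control."""
    missing_by_host = {}
    for h in scan:
        asset = inventory.get(h["host"])
        if asset is None or asset["function"] is None:
            continue  # unknown or purposeless hosts are handled by steps 1 and 2
        missing = sorted(required - asset["controls"])
        if missing:
            missing_by_host[h["host"]] = missing
    return missing_by_host


def response_metrics(incidents):
    """Step 4 (optimization): measure visibility and response, not prevention."""
    days_to_detect = []
    for inc in incidents:
        occurred = datetime.strptime(inc["occurred"], "%Y-%m-%d")
        detected = datetime.strptime(inc["detected"], "%Y-%m-%d")
        days_to_detect.append((detected - occurred).days)
    third_party = sum(1 for inc in incidents if inc["found_by"] == "third-party")
    return {
        "mean_days_to_detect": mean(days_to_detect),
        "third_party_discovery_rate": third_party / len(incidents),
    }


def run_cycle(scan, inventory, required, incidents):
    """Run all four steps once and return the findings for the next iteration."""
    return {
        "visibility_gaps": visibility_gaps(scan, inventory),
        "reduction_candidates": reduction_candidates(scan, inventory),
        "enhancement": enhancement_list(scan, inventory, required),
        "metrics": response_metrics(incidents),
    }


if __name__ == "__main__":
    for step, finding in run_cycle(SCAN_RESULTS, INVENTORY, REQUIRED_CONTROLS, INCIDENTS).items():
        print(f"{step}: {finding}")
```

Each function's output feeds the next pass of the cycle: the unknown printer goes into the inventory (or off the network), the purposeless FTP host is decommissioned rather than protected, the portal hosts get their missing control, and the detection-time metric is re-measured after those changes to show whether the cycle is actually improving response.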
Evaluating and optimizing your security systems is often difficult to do alone since IT security solutions are so many and varied. There is no one-size-fits-all solution. Every organization is unique in what it has for infrastructure and what it needs from its systems. That’s why it’s important to engage with an experienced expert who can assess your risks and help you develop the right solution. DynTek is a leader in threat detection with a proven record of helping companies develop optimum IT security plans. Click here for information on how our end-to-end IT security solutions can help protect you against outside threats.
10 Must-Know Cybersecurity Statistics for 2018, by Jonathan Crowe, Barkly Stats and Trends, February 2018.