Nothing provides better security than a fresh pair of eyes. In a military operation, it is rare to have the same sentry defend a specific military post forever. It’s the same with a cyber security program – you need to diversify your security providers to minimize the overall risk to your organization.
A leading cause of security breakdowns is a failure to mitigate vulnerabilities in your software, infrastructure or environment. While recent outbreaks of the WannaCry ransomware were contained by Enterprise Security groups within organizations, the threat itself was exposed by a software vulnerability that was exploited by attackers. Needless to say, this blurb focuses on application security programs of mid-large sized organizations and in addition, includes pointers for smaller organizations that would like to kick-start an enterprise security program.
We can divide a typical security strategy to cover people, processes, technology and automation as shown in the following visual.
By focusing on the security of the goose that lays the golden eggs (usually your customer facing applications that generate revenue) you proactively preempt risks. The central idea is to diversify the risk by incorporating a few complimentary security measures covering people, processes, technology and automation:
1. Establish an IT / Corporate Security team that reports to higher management
- Risk management, security and compliance are all management functions and are to be owned by the board members of the company.
- Ensure the CIO / CISO’s security team is the first responder in case of a security incident.
- Delineate and segregate duties of the security personnel/admins.
2. Match security training with security requirements
- Hire experts to provide security training to your employees. Make sure the trainers have knowledge about the latest technologies and are not quacks.
- Ensure that the training covers a well-known standard such as OWASP, CERT or MISRA. Pick the training relevant to your industry.
3. Provision an internal security team and setup a secure development process for your products
- Identify security enthusiasts within your organization. Get a security community rolling using a collaborative tool such as Slack or Yammer. An email alias works too.
- Start an internal bug bounty program. Peer security testing is an effective measure for finding the low hanging fruit. Reward top contributors for any security vulnerabilities they publish internally.
- Implement a secure software development life-cycle that balances DAST (black-box security testing), SAST (white-box security testing), manual security testing as well as secure coding. Run a vulnerability management program and involve all stakeholders in weekly security discussions and threat modeling reviews.
- Subscribe to vulnerability alerts from US-CERT and monitor other sources such as Twitter and also the OEMs whose products/services are being consumed in the enterprise.
- Have a Business Continuity Plan / Disaster Recovery (BCP/DR) policy in place and hold regular drills to ensure people, processes and technology can survive a major incident arising from terror or natural disasters.
4. Hire External penetration testing organizations
- For your applications and infrastructure, schedule at least one external pentest per quarter with different providers that specialize in pentesting.
- Pick a startup security company or independent security consultants once in a while and you’d be amazed when they outclass the big players.
5. Use a Security Operations Center (SOC)
- Log aggregation and monitoring should be an integral part of your organization’s security posture. Use cloud-based log aggregators as per your budget and outsource operations to a specialist organization that runs a 24×7 dedicated or shared SOC.
- Feeds from Security Information and Event Management (SIEM) tools and Data Loss Prevention (DLP) tools must be proactively monitored by a shared or dedicated SOC team.
6. Outsource to security consulting providers
- Managed services provided by these companies come with commercial tools and good expertise in areas such as secure SDLC implementation, vulnerability assessment and penetration testing for cloud, big-data, data-center, web and mobile applications, and miscellaneous infrastructure.
- This is also a good way to focus on security strategy internally and outsource routine security scanning jobs to specialized vendor(s).
- Stay clear of vendors who offer security services with only open source tools and/or focus only on automated security testing. Also avoid contractors or their sub-contractors who may expose your intellectual property such as source code or reverse engineer your binaries without your knowledge or consent.
7. Run security Hack-days
- Get your developers and quality assurance personnel to attend a security hack-day once a quarter with the intention of finding the first level of vulnerabilities. 80% of the vulnerabilities may be found by 20% of your folks. Make them your security marshals.
8. Consider external bug bounty websites
- Get a version of your product on a bug bounty website that provides private disclosure. You can provide monetary rewards to security researchers or a simple “kudos” for finding vulnerabilities in your products.
- Note that doing so may expose you to the world (or a malicious person masquerading as a security researcher) so exercise caution.
9. Ensure physical security
- Can’t stress enough about security of your premises or hosting providers. It helps to host on the cloud but be aware that even major vendors such as AWS have had to deal with problems such as the recent S3 storage outage (Mar 2017). (Your hosting providers’ IT assets may not have been patched and restarted in several years which is not unusual phenomena)
- Make sure your wired and wireless networks cannot be tapped. Provision for 2-factor authentication even when using VPN. I highly recommend perusing the PCI DSS security standard to use as a benchmark to develop your security program.
10. Practice security!
- Everyone in your organization should take security seriously. Try to get employees to provide at least an email consent every month or quarter after having re-read your organization’s abbreviated security policy. Periodic reinforcement of policies is super critical.
11. Create a vulnerability knowledge-base
- You don’t need a separate system to track vulnerabilities. Something as simple as JIRA works well as long as you can assign proper labels to security issues for tracking and archival.
12. Automate and customize security tools and processes
- Automation is essential particularly for large security programs. Your suite of security tools must include open-source, commercial and freeware security tools.
- Many organizations implement a vulnerability management system that unifies the output of various tools and provides a single security report.
- Figure out a way to eliminate false positives from repeated security scans with automation.
Last but not the least, a security vendor who has no regard for confidentiality, processes, permissions and ethics with respect to security should be the last choice on your list. Security services may come at a price tag but with that you buy trust and the ability to laugh when others can’t.
The more you sweat in peace, the less you bleed in war
– Norman Schwarzkopf