More and more often we hear about another high-profile breach or ransomware attack at a large, well-known organization. Breaches seem inevitable at this point. Reading about these events, one thing is painfully clear: security practitioners are allowing known attack surface to persist far longer than is acceptable. This largely stems from neglect of the ABCs of risk suppression: configuration management, vulnerability management, and credential management, all things we can manage today with tools already at our disposal. So how do we maintain these basic controls? And how do we move our security practice to a more mature posture?
The Birth of the Pilot’s Checklist
Suppressing risk isn’t a new concept.
In the years leading up to World War II, The Boeing Company was in a race against other defense contractors to provide the United States with its next great warbird, one that would help the US dominate the skies. Up to this point Boeing had little success in the commercial space and was considered financially at risk. The B-17 Flying Fortress was its chance to secure its financial viability as well as its role as a leader in aviation.
The first evaluation flight ended in disaster. The pilot neglected to release the elevator lock, a routine step, which left the aircraft unresponsive to pitch control, and the plane went down. People died. Others were seriously injured. It was a tragic event and one that could not be repeated.
Boeing engineers huddled to work out a solution. They needed operational checklists for each stage of flight to ensure that routine steps were not skipped. As they had learned, skipping the basics can have catastrophic results.
The outcome? The remaining twelve of the original thirteen B-17s ordered by the US Army went on to fly 1.8 million miles without a serious operational incident. The Army went on to buy nearly 13,000 B-17 bombers, which became one of the most widely used aircraft of World War II and helped shape Boeing into the aviation behemoth we know today.
ABCs Causing Pain
The data shows, and it is plain to see, that we as cybersecurity professionals need to apply the same technique pilots now use in order to suppress operational risk when practicing the fundamentals, the ABCs of reducing attack surface. Last year 5.4 billion records were leaked, and more organizations were ransomed because of misconfigurations, lack of vulnerability management, exposed admin accounts, and exposed databases than because of pure hacking attempts.
Here are a few major breaches that might have been avoided with better establishment of, and adherence to, the fundamentals:
- Dow Jones – 2.5 million records exposed due to a misconfigured cloud server
- Verizon – 6 million records exposed due to a misconfigured cloud server
- Deep Root – 198 million records exposed due to a…misconfigured cloud server
See the trend?
What’s the solution?
The Security Administrator’s Checklist
It is time to adapt the Pilot's Checklist to the security space. The Security Administrator's Checklist needs to be born. If our most elite pilots, the men and women who fly at forty thousand feet, at twice the speed of sound, sometimes pulling as many as 9 Gs, rely on rigorous checklists in their day-to-day operations, we should be doing the same.
These checklists will differ for every organization, but the core principles remain the same. Administrative, technical, and operational checklists all need to be cultivated. The good news is that there are dozens of excellent guides to get started. Take a look at what SANS publishes: its System Security Plan, Web Application Checklist, and Firewall Checklist are good starting points. Examine these, choose what makes sense for your organization, then adapt.
First, identify your core administrative, technical, and operational gaps. Cultivate checklists to ensure the basics discussed above are addressed. Next, execute the checklists at regular intervals and put them on a calendar. Third, maintain detailed documentation of the processes and update it as needs change. From there, train your teams whenever a process changes, and mandate regular training on these processes and procedures for even the most senior team members. Remember: last year the vast majority of data leakage and destructive ransomware attacks could have been suppressed had the ABCs of reducing attack surface been better addressed.
Beyond The Stratosphere – Cover Your Six With Carbon Black
Having these core tenets of security covered is absolutely a leap in the right direction, but there is a lot more attack surface out there: many more emerging threats, major shifts in the way we conduct business and store data, and a lot of activity occurring in places we cannot see with traditional tool sets.
Visibility is of utmost importance in today's fluid threat landscape. It is impossible to get ahead of the adversary if you cannot see what they are doing.
Pilots, much like security analysts, rely on raw telemetry and visibility to detect and prevent potential threats. It is imperative to have solutions that provide unfiltered telemetry and evaluate that information against high-quality threat intelligence. This provides much-needed insight into our environments and brings next-generation security techniques into the fold.
Carbon Black has a suite of solutions that can help with security, risk, and compliance programs relating to GDPR and beyond. The controls we provide are the set of checklists that will take your security practice where you need it to go: locking down critical assets with Cb Protection, gaining visibility across your enterprise and empowering your SOC with Cb Response, or deploying next-generation anti-virus in the form of Cb Defense, which uses big data and streaming analytics to analyze event streams in real time in order to make predictions about, and provide protection from, new and emerging threats.
And let's face it: technology moves at an incredible rate, much too fast to rely strictly on manual checklists. Carbon Black, using Watchlists and LiveQuery, gives defenders the ability to automate many of these checklists and tells you when expectations are not being met. Want to be alerted to CVEs on a public web server? Set up a Watchlist in Cb Response.
Or maybe you have just read about a newly discovered browser extension vulnerability and want to check your fleet for any installs. Use the Cb Defense LiveQuery functionality.
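The kind of query that fleet check would run, as an added example that is not from the original post or from Carbon Black's own documentation. It assumes LiveQuery's osquery-compatible schema (the `chrome_extensions`, `firefox_addons` and `users` tables); the extension identifiers in the `IN (...)` lists are placeholders standing in for whatever the advisory names, not real vulnerable extensions.

```sql
-- Added example, not from the original post or Carbon Black.
-- Assumes osquery's schema as exposed through LiveQuery.
-- The identifiers below are placeholders standing in for the IDs
-- published in a hypothetical advisory; replace them before running.
SELECT
  u.username,
  'chrome'      AS browser,
  ce.name,
  ce.identifier,
  ce.version,
  ce.path
FROM chrome_extensions AS ce
JOIN users AS u USING (uid)
WHERE ce.identifier IN ('abcdefghijklmnopabcdefghijklmnop')   -- placeholder Chrome extension ID
   -- Also surface extensions not updated from the Chrome Web Store:
   -- sideloaded or enterprise-pushed add-ons are often where a
   -- vulnerable or malicious build hides.
   OR ce.update_url NOT LIKE 'https://clients2.google.com/service/update2/crx%'

UNION ALL

SELECT
  u.username,
  'firefox'     AS browser,
  fa.name,
  fa.identifier,
  fa.version,
  fa.path
FROM firefox_addons AS fa
JOIN users AS u USING (uid)
WHERE fa.identifier IN ('placeholder-addon@example.org')      -- placeholder Firefox add-on ID

ORDER BY username, browser, name;
```

Joining on `users` matters because both extension tables are keyed by `uid`: without it you get a hit but not which account installed the add-on, which is the first thing the responder needs. Run the query against the whole fleet, and any row returned is a checklist item that failed.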
Do your current solutions solve next-generation security problems? How much of "the basics" can you automate? Are you able to align your solutions to the bullets below? If not, Carbon Black can help.