The security industry as a whole has a tough job. Whether you’re trying to protect a home or a business, whether it’s physical assets, people or virtual assets, there always seems to be someone who finds a way to get around your security using a trick you never thought of before.
While there are many solutions offered to sort out your security, again both physical and virtual, a single solution won’t do the job. In the physical security world, you can’t simply rely on a perimeter solution. It needs to be part of a greater system of security that could include alarms and intrusion, surveillance, access control and so forth. It’s a similar case in the virtual security world. Your antivirus application isn’t enough; it’s a start, but you need more.
The combination of systems one has, assuming they work together to provide a holistic solution, can be called your ‘security posture’, or your overall security profile that will hopefully provide a comprehensive defence. Hi-Tech Security Solutions asked a few people in the industry to give us a better idea of what a security posture is and how to determine yours.
So what is a security posture?
“We are living in the age of the application economy where digital transformation is not an option, it is essential not only for growth, but also for survival,” states Sagan Pillay, CA Southern Africa solutions strategist, security. “Digital business initiatives are at the forefront of enterprise growth strategies in the application economy. Enterprises are looking to take advantage of new technologies and create opportunities to launch innovative new services.
“However, while this forward-thinking approach to business is crucial to growth, it can bring with it greater exposure to risk and security breaches. It is necessary to ensure there is synergy with the organisation’s security posture and the new innovations being introduced into the business. The security posture is the approach a business takes to security.”
Securicom’s Richard Broeke explains that a company’s security posture is directly related to the possibility of a security incident or breach taking place. “The best way to describe this would be to liken it to home security, where a property that has walls and electric fences with alarms would (we hope) be less likely to fall victim to a break-in than the neighbour with no boundary wall and an open front door.”
He says a posture incorporates what measures are in place to deter and stop cyber criminals, which are then used as a starting point to increase and improve the defences to make the company a less attractive target than someone else.
ESET South Africa’s CEO, Carey van Vlaanderen sums it up as “the current state of information security within an organisation at any given moment. It would refer to the entirety of the information systems that a company may be operating, for example, applications, servers, email systems, databases etc., and how secure those systems are, relative to what the expected security state (posture) is for the organisation.”
Your security posture is therefore a strategic plan that outlines the areas of security risks through various stages such as planning, implementation and ongoing refinement, continues Pillay. “In order to protect a business from internal and external threats the security posture will define, with technical and non-technical policies, what procedures and controls are required and how they will be managed.”
Harry Grobbelaar from MWR InfoSecurity sums it up as “a measure of your resilience to a cyber attack – do you have the capabilities to predict, prevent, detect and respond to different threats?”
As with most things in this world, knowing the ‘what’ is only the first step; the real challenge comes when trying to determine the ‘how’. The fact that it seems too easy to bypass security these days is testimony to the difficulty of implementing airtight security.
How to find your posture?
The easiest starting point for determining your posture is a vulnerability assessment coupled with a threat assessment of what traffic is actually on your network, says Broeke. “These typically don’t take long and the information we are able to garner from these provides a great blueprint from which to work.”
Grobbelaar adds, “You need to review the asset you're trying to protect: how important is it to the business? Who is likely to attack you? What are their motivations, capabilities and resources? Asking these questions will provide you with a better understanding of the threat you need to defend against. Once you know that, you'll be able to evaluate the effectiveness of your current controls and identify strategic areas for improvement.”
In addition, van Vlaanderen advises that to determine the security posture of any specific system, one would need to understand what the expected behavioural characteristics of the systems are in the context of availability, integrity and confidentiality. The considerations need to extend to:
• Are the systems accessible (availability)?
• Is the information in the systems trustworthy (integrity)?
• Can I trust that only authorised individuals are accessing that information (confidentiality)?
One way to start would be to ensure that there are sufficient security controls around the systems that will deliver the availability, integrity and confidentiality of information in those systems. “This is done through regular security assessments of applications, networks and databases for integrity,” she says.
Focusing on the people aspect of your environment, Pillay suggests starting by identifying who has access to your data. What data is important to your company and where does it reside? This data could be on systems, in databases or simply file shares on servers. “The organisation must identify where it is vulnerable, and determine the solutions necessary to remedy the problems; examples include: upgraded firewalls, antivirus and other security tools.
“Once this is determined, one can then define policies and procedures to ensure the company is clear on what processes are in place for gaining access to data and who is authorised to access. Tools can be used to automate the enforcement of policies and procedures and protect data.”
If your security posture matches and surpasses industry best practices, you should be well on your way to preventing, detecting and responding to most attacks. However, Grobbelaar warns there will always be criminals who are smarter and many steps ahead. “Only by continuously reviewing and testing your existing controls against known techniques and attacks, and adjusting them where they fall short, will you remain resilient.”
Whose neck is on the block?
In the past, most companies had someone responsible for physical security and someone (more often than not an IT manager) responsible for cybersecurity. The dramatic increase in cyber attacks has led to the cybersecurity field becoming more important, and larger companies are likely to have a senior person responsible for the company’s information security.
But it is beyond the scope of a single person. The risks we face today are varied and broad in scope, and no single person can manage them all; it requires a collaborative effort from the trenches as well as from the executive suite. Pillay notes that while the adoption and implementation of a strategic plan requires skilled IT security architects to guarantee delivery of the desired outcomes, it is also important to have buy-in and overt support from senior management.
“Management will define what are acceptable boundaries and constraints to the information security posture, and the technical functions will ensure that these are delivered from both a design and architectural perspective, as well as from an operational perspective,” adds van Vlaanderen. “Security metrics defined by the management of an organisation will dictate how successfully the security posture is being implemented by the technical resources.”
Once the technical controls are in place, says Broeke, they should then be re-evaluated on an ongoing basis and the results fed back to management and adjusted as the business risk requirements evolve. And as noted above, there is no single solution available today that one can simply install with the assurance that all your vulnerabilities are sorted.
Filling the gaps
Since there is no single solution to choose, some companies may decide to opt for the easy route and pick and choose products that ‘fill the gaps’ identified in their security posture. While this may seem like a reasonable solution, it is not the optimal way to secure your company.
“The focus should not be on filling gaps,” says Broeke, “but rather on the overall bigger picture, or the security posture. If we have an effective security management strategy which should include monitoring, visibility and then management of appropriate technology components, then we will not need to focus on ‘gaps’ as they will close themselves as part of the process.”
He adds that focusing on filling the gaps will likely result in the company only seeing certain vulnerabilities, while missing the breaches happening right under their noses. “If we are only watching the front gate and spending all our efforts to make it bigger, heavier and more secure; we give a great opportunity to the guy using a ladder to get over the back fence.”
The most effective way to address gaps identified, according to van Vlaanderen, is to take a defence-in-depth approach. “Apply security controls, be they organisational or technical in nature across the enterprise at both a technical as well as managerial level. Implement key technologies that address functional vulnerabilities, assess developmental vulnerabilities, define operational policies and procedures, and most importantly, agree on risk management metrics that define whether a risk is acceptable or not and how to treat these once they have been identified.”
And for those of us who would like to think security depends on the installation of a product, or multiple products that we can ‘install and forget’, Grobbelaar reminds us: “Any solution you deploy is going to be up against human attackers who specialise in subverting technical systems. Additionally, all solutions become outdated over time as new threats and techniques are developed. As such, security should be approached proactively in order to ensure that you are defending your organisation with the most up-to-date solutions.”
He adds that with the current skills shortage, many companies are relying on paid, off-the-shelf solutions which allow them to rapidly deploy a tried-and-tested solution. Unfortunately, the chosen solution may not necessarily fit the organisation's exact needs and may leave yet more gaps. A solution tailored to the organisation’s exact problem would be a better option, although this may require specific skill sets, may take time to test and deploy, and will require constant maintenance and improvement.
Some available options
When it comes to determining your security posture, there are naturally products and services that will assist an organisation. The interviewees describe the solutions their companies offer as follows:
• Van Vlaanderen explains that there are products in the ESET catalogue that assist organisations with managing their security posture across the enterprise. “These are the endpoint security products that offer the antivirus, personal firewall, etc., capabilities. Furthermore, there are encryption products in the catalogue that allow for the implementation of a comprehensive encryption strategy within an organisation that will ensure that information stored on client systems is encrypted and held securely.
“There are also conditional access products that manage the access control of users accessing more critical systems by employing a two-factor authentication technology for an extra layer of security for access to more critical systems.”
• As a focused managed security services organisation, Securicom provides end-to-end enterprise grade security services which provide a solution to the question: “How do we secure data in today’s cloud and consumer-centric environment?” Broeke explains the answer is: “We do this by providing services that secure your data where it exists, regardless of where that might be, while at the same time ensuring that those services are cost-effective and simple enough for any size or type of business to be able to make use of them. Our portfolio includes e-mail, web, endpoint, mobile and perimeter security services.”
• As for CA Southern Africa, Pillay says the company provides specialist consulting services aimed at defining what the security posture of customers is, and guiding them through the necessary journey to strengthen their identity control and access management procedures. “We deploy a range of CA Technology products – rated by Gartner in the Security Leaders Magic Quadrant. These include: CA: Advanced Authentication; API Management; Identity Suite; Privilege Access Manager and CA Single Sign On (SSO).”
For more information contact:
CA Southern Africa: www.ca.com
ESET South Africa: www.eset.com/za/
MWR InfoSecurity: www.mwrinfosecurity.com
Securicom: www.securicom.co.za
© Technews Publishing (Pty) Ltd. | All Rights Reserved.