No matter what we do, no matter what we put in place, we will not be able to prevent every attack. We will not be able to stop this adversary. We are going to get targeted.
Some people don’t want to accept the reality that we are going to get compromised. I was meeting with the CEO of a Fortune 50 company and he said, “We are going to prevent and stop every attack. That is non-negotiable.” I proceed to pack my bag and he asks, “Where are you going?” When I told him that “I’m not taking this contract,” he shockingly said, “I thought you want to work for us.” I replied, “Not under those conditions. You’re setting me up for failure. You’ve got to recognize that you’re going to get compromised.”
Here’s how I convinced him… I said, “Sir you’re 100 percent healthy. Are you going to live forever?” He said, “Of course not.” I said, “Are you going to get sick during your life?” He said, “Of course.” I said, “What if somebody came up to you and said their goal is they will never ever get sick for the rest of their life. What would you do?” He said, “I’d laugh at that. That’s naive.”
Every one of us recognizes that due to the threats of illnesses (& aging), we will all eventually get sick. Our approach to life is not say we’re never going to get sick. Our approach to life is minimizing the frequency in which we get sick and the impact it has. Getting sick is not a sign of weakness. Getting sick every month to be put in ICU is a sign of weakness. But getting sick once a year is natural and normal.
Saying you’re never going to get compromised is as naive as saying you’re never going to get sick. It’s going to happen. Your approach needs to be on minimizing the frequency and minimizing the impact in which it occurs. But we do have to recognize that breaches will happen. Therefore we will not be able to prevent all attacks.
During a security presentation, I heard somebody say, “We cannot prevent all attacks. Therefore we shouldn’t even try and we should put all our effort all our effort in detection.” I want to prevent what I can. I recognize I can’t prevent 100 percent but if I can prevent even 40 or 50 why wouldn’t I do that? Not being able to prevent all attacks doesn’t mean that we shouldn’t try.
In cases where we can’t prevent, we want to make sure we can detect in a timely manner. Good security it is like building a house. You have to make sure that you have a good foundation. Most organizations fall quickly because they built their security house with no foundation. Let’s be clear. Every organization this year that has had a breach has spent at least 30 million dollars on security. None of it prevailed or protected them because they didn’t have a good foundation. We all know we could build the most beautiful house in the world. But if it’s not on a good foundation, it’s going to collapse as soon as the rain, wind, or storm comes.
What is the foundation of the security house? Some major components are asset ID configuration management and change control. If you’re not controlling what assets are plugged into your network you’re not controlling how they’re configured and you’re not managing change you’re going to lose you’re gonna lose every day. Otherwise, what stops somebody from plugging a new device into your network that has major vulnerabilities that contains sensitive information that’s accessible from the internet?
You can’t control it. You can’t manage it. You won’t know about it and you’re going to lose. That is the foundation.
Go back to work and give yourself a report card. For “asset identification,” what grade would you give yourself? An “A” means you’re doing it perfectly. An “F” means not so much. For “configuration management,” for “controlling a magic configuration of devices” – give yourself a grade. For “controlling it as change” – give yourself a grade. Anything below a “B” (in anyone of those areas) should be your top priority. That’s where you should be throwing your entire budget for 2019, because if you don’t have those three things in place – really the rest doesn’t matter that much.
Once you have the foundation, you have to know what your critical data is and where it’s located. If you don’t know what your critical data is and where it’s located, how can you protect against it? I have never had a customer that when we’ve done “data discovery” gets even in the 90s. When we asked them, “what is your critical data and where is it located,” and then we verify where it is – they are never ever correct… Usually, they’re just partially correct. So our good customers will go and say, “OK our clinical data is on these four servers.” But the truth is that it’s on these four servers PLUS three additional ones. Now here’s the problem. If you believe your data is only on four servers, you are going to put all your energy and effort security on those. If you’re an adversary and you want to steal and compromised that data, you’re going to be focusing on the three that aren’t protected.
You don’t get partial credit and security. If you don’t know all the locations where you’re critical data is and you don’t start to protect it. We’re not going to be able to focus in on the right areas.
For more tips on how to build your security foundation, keep checking out my blogs or follow me on Facebook, Twitter, or Linked In. For your own company’s security assessment or any other questions or concerns, reach out to me at secure-anchor.com/contact.