As IT drives automation to improve service delivery, and delivers direct, positive impact to top-line revenue, information security is taking a percentage of that revenue away by requiring investments in securing confidential data – customer, user, intellectual and business data. At a time when the number and complexity of cyber security incidents are growing far more quickly than security staff, the era of relying solely on signature-based security technologies and compliance-driven risk management is coming to a close.

In spite of investing millions of dollars in security technologies such as anti-malware, next-generation firewalls, identity and access management, encryption and others, organizations of all sizes continue to see an increasing number of sophisticated targeted attacks. The bad guys are becoming more intelligent and resourceful in their ability to identify vulnerabilities (systems and people) and exploit them at an alarming rate – completely circumventing traditional, signature-based security tools in the process. The recent high-profile attack at Target, which resulted in over 40 million customers having their data compromised, could be a seminal event for any company that captures and stores customer credit card, financial and confidential personal data. Target is an example of a company that invested millions in best-of-breed security technologies and is compliant with all the necessary regulations such as SOX and PCI-DSS. Let the Target breach be a wake-up call. Organizations in the retail, banking, health care, education and media verticals should not only worry about business disruptions and negative PR; they must also deal with class action lawsuits from customers as well as potential investigations and sanctions from state attorneys general. These developments should force organizations to reassess their overall approach to IT security.

A number of security-forward organizations have begun to implement critical security controls for effective cyber defense, and the initial results have shown tangible benefits in improving security posture and a significant reduction in security incidents. Well-thought-out security best practices like the SANS 20 Critical Security Controls (CSC) encourage comprehensive implementation of security controls and automated assessment to deliver continuous security intelligence. CSCs can proactively find weak links in an organization’s IT infrastructure and security strategy – people, process and technologies. This proactive and continuous assessment of key controls can help identify attacks, patterns, malware, suspicious user behavior, vulnerabilities and unauthorized system changes, while improving overall IT security.

According to Jon Oltsik, senior principal analyst at Enterprise Strategy Group, “Reliance on manual assessment, response, and mitigation has contributed to the poor state of cyber security. With the incidents of cyber crimes on the rise, organizations should use guidelines like the SANS Critical Security Controls to help them automate processes and address IT risk.”  Oltsik describes the SANS Critical Security Controls as “an extremely focused, metrics-based strategy for addressing the most common security vulnerabilities.”

According to the recent SANS 2013 Critical Security Controls survey, fewer than 10 percent of organizations actually have proactive and automated assessment of security controls. The corollary question every CEO should ask their top security officer is, “Does our organization have a way to detect unauthorized access?”

It’s impossible to secure any network without continuously knowing the who, what, when, where and how of your IT infrastructure activity. Mobile employees and contractors with privileged access to sensitive data present a greater risk of intentionally, accidentally or indirectly misusing that privilege and potentially stealing, deleting or modifying data, or creating backdoors that can be exploited. While technologies do exist to enforce access rights, privileges and policies, the technology is only as good as the people and processes that are put into place. If the people who manage or use these technologies decide to circumvent the technology’s ability to enforce policies, make an exception, ignore violations, or fail to put sufficient supervisory mechanisms in place, then the technology will fail.

SANS CSC adoption is in its early stages, with fewer than 10 percent of organizations implementing them to date. Organizations that have begun to implement SANS CSCs are seeing meaningful and tangible benefits, resulting in a significant reduction in malware, vulnerabilities and attacks while saving significant budget. Unlike compliance-driven initiatives, which take several years to come into effect and rarely change to adapt to the changing threat landscape, SANS CSCs continue to evolve rapidly to meet cyber defense challenges.

With 2014 looking more ominous for cyber security, now is the time to implement the SANS CSCs.