First, you have to lessen the regulatory myopia in your program. Although there is no question that a plethora of regulations provide an impetus and a business and funding driver for many security activities, these regulations should not be the guiding strategic drivers for security program outcome. Why? Because most of these are non-specific, infrequently updated, or not focused on mitigating the kinds of threats that are seriously hurting organizations. Now that so many cyber threats have moved up the stack to the application layer, many of the hefty control requirements commonly found across almost all regulations provide, at best, a baseline level for data assurance.
Another key change is to refocus your security program on the inside of your network. We've heard for decades that 80 percent of the problems are internal and that we are soft on the inside — but what have we actually done about it? In almost all instances, security programs allocate their resources and bias their operations in the opposite direction. Most organizations have done a respectable job with network layer perimeter security controls — only to see those controls circumvented by spear phishing, “designer malware” and custom exploits that take full advantage of the trust placed in end-users, systems and processes operating inside the network. Add rogue employees and honest mistakes by ordinary users, and the internal threat problem grows to its true scale. In response, security programs must shift investment and effort toward looking for problems internally rather than externally. Many organizations that have been victimized by designer malware do not even realize the extent to which data has been, or is still being, exfiltrated from their network by focused and highly motivated adversaries. As a matter of general principle, your security program should focus more attention on the internal infrastructure.
And finally, pay closer attention to what is happening and look more closely for problems. There are many ways in which employees can bypass corporate security. Encryption controlled by the organization has enormous value when used for legitimate reasons, but in the hands of rogue or disgruntled employees, any unauthorized encryption or tunneling protocol creates a gaping hole for data exfiltration. Modern malware and tunneling protocols exploit the simple fact that common ports such as 80 (HTTP), 443 (HTTPS) and 53 (DNS) are frequently wide open, and that these ports are poorly monitored precisely because of their high volume. Achieving true network visibility on these channels, and directing your security program toward it, is therefore critical.
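As an added illustration of the visibility point above (example code written for this page, not taken from the article or from NetWitness), the script below applies simple DNS-tunneling heuristics to a constructed resolver log: it aggregates queries per registered domain and flags domains whose subdomain labels are long and high-entropy, whose names never repeat (so caching gives no benefit), or whose queries are mostly TXT. The log lines, host names, thresholds and the `tunnel-example.test` domain are all assumptions made for the example; in production the thresholds would be tuned per environment and the registered-domain split would use the public suffix list rather than the last two labels.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (hypothetical hosts and domains, not real traffic).
# One record per line: "<timestamp> <client-ip> <query-name> <query-type>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com A
2024-01-01T10:00:02 10.0.0.7 cdn.example.net A
2024-01-01T10:00:03 10.0.0.9 3a7f9c2e4b1d8e6f0a2c4e6b8d0f1a3c.t.tunnel-example.test TXT
2024-01-01T10:00:03 10.0.0.9 9b1e4d7a2c5f8e0b3d6a9c2e5f8b1d4a.t.tunnel-example.test TXT
2024-01-01T10:00:04 10.0.0.9 c4e7b0d3a6f9e2c5b8d1a4f7c0e3b6d9.t.tunnel-example.test TXT
2024-01-01T10:00:04 10.0.0.9 d8a1c4f7e0b3d6a9c2f5e8b1d4a7c0f3.t.tunnel-example.test TXT
2024-01-01T10:00:05 10.0.0.9 e2f5a8c1d4b7e0a3f6c9d2b5e8a1f4c7.t.tunnel-example.test TXT
2024-01-01T10:00:06 10.0.0.5 www.example.com A
"""

# Heuristic thresholds: assumptions chosen for this example, to be tuned per environment.
MIN_LABEL_LEN = 20       # encoded payloads tend to ride in long labels
MIN_LABEL_ENTROPY = 3.0  # bits per character; hex/base32 data scores high, words score low
MIN_QUERIES = 5          # too few queries to judge a domain
MIN_ENCODED_RATIO = 0.8  # fraction of a domain's queries that must look encoded


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude registered domain: the last two labels (real tooling uses the public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_encoded(qname):
    """True if any label left of the registered domain is both long and high-entropy."""
    labels = qname.rstrip(".").split(".")[:-2]
    return any(len(lbl) >= MIN_LABEL_LEN and shannon_entropy(lbl) >= MIN_LABEL_ENTROPY
               for lbl in labels)


def parse_log(log_text):
    """Parse the four-field log format; malformed lines are skipped rather than crashing."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower(), "qtype": qtype.upper()})
    return records


def summarize(records):
    """Per registered domain: query count, distinct names, encoded-looking count, TXT count."""
    stats = defaultdict(lambda: {"queries": 0, "unique_names": set(),
                                 "encoded": 0, "txt": 0, "clients": set()})
    for r in records:
        s = stats[registered_domain(r["qname"])]
        s["queries"] += 1
        s["unique_names"].add(r["qname"])
        s["clients"].add(r["client"])
        if looks_encoded(r["qname"]):
            s["encoded"] += 1
        if r["qtype"] == "TXT":
            s["txt"] += 1
    return stats


def flag_tunnel_candidates(log_text):
    """Return {domain: [reasons]} for domains whose query pattern resembles DNS tunneling.

    The encoded-label signal is mandatory; never-repeating names and a TXT-heavy mix
    are recorded as supporting evidence so an analyst sees why the domain was raised.
    """
    flagged = {}
    for domain, s in summarize(parse_log(log_text)).items():
        if s["queries"] < MIN_QUERIES:
            continue
        if s["encoded"] / s["queries"] < MIN_ENCODED_RATIO:
            continue
        reasons = ["long high-entropy subdomain labels"]
        if len(s["unique_names"]) == s["queries"]:
            reasons.append("every query used a never-repeated name (no caching benefit)")
        if s["txt"] / s["queries"] >= 0.5:
            reasons.append("mostly TXT queries")
        flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"{domain}: {'; '.join(reasons)}")
```

Running the script on the embedded log raises only `tunnel-example.test`; `example.com` is not flagged because its short, repeating host names fail the entropy test. The same aggregation shape (per-domain counts, distinct-name ratio, record-type mix) transfers to HTTP and TLS logs on ports 80 and 443, where the equivalent signals are beaconing intervals, unusual SNI values and traffic on the port that is not the protocol it claims to be.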
For most public and private organizations with serious security programs, the basics are already in place; the challenge is to keep the focus of security program activities and investments on the threats that will hurt the most. All security programs fail in one area or another, but in the end, security program failure or success should be measured less by the number of audit findings and more by how effectively the organization meets its key data governance and control objectives in an operational context.
Security program failures can be lessened by increasing the focus on operational security, particularly with respect to internal security issues and deeper visibility into the behavior of users, systems and processes.
- Amit Yoran is chief executive officer of NetWitness Corporation, maker of next generation network security monitoring solutions.