Layered security is not a novel concept but a crucial one that should not be overlooked. Although many organisations understand the significance of cybersecurity, they often fail to create and implement a robust security stack that can withstand present and future threats.
So, what does a modern security stack entail? Continue reading to delve into the critical layers you require and how to persuade decision-makers to support your approach.
The Importance of Layered Security
Five years ago, the industry believed that a good firewall, antivirus, email filtering, and DNS filtering were sufficient to stay safe. However, the constantly evolving threat landscape requires us to expand our security efforts and adapt to new challenges.
Hackers have become more sophisticated, collaborating and sharing technology to find vulnerabilities and exploit weak points. To address this, we need to move beyond a prevention-focused security stack and build a complete and mature one.
To respond to this reality, the NIST Cybersecurity Framework provides helpful guidance. If you’re wondering how to improve your security approach, this framework can provide answers.
Understanding the NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides a transparent model for how different layers of security solutions can work together to minimise the risk of cyber threats. The framework has five core components: Identify, Protect, Detect, Respond, and Recover.
Identify involves determining critical functions and potential cybersecurity risks.
Protect is focused on limiting the impact of potential cybersecurity events, such as through AV, firewall, and DNS filtering.
Detect includes measures like continuous monitoring and threat hunting to uncover threats quickly.
Respond involves taking action against threats that have made it past preventive tools.
Recover includes having tools and strategies in place to restore capabilities or services after a cybersecurity incident.
Many MSPs and IT teams have gaps in the detect and respond areas, highlighting the need to focus on these critical layers in addition to existing security tools.
Closing the Gap in Detection and Response
Cybersecurity detection and response layers are crucial but often overlooked and underfunded. The reason for this is that security has historically prioritised prevention. Companies have focused on building up their external defences to keep hackers out, but today’s cybercriminals have found ways to bypass or break through those walls. Even with significant investments in protection-focused tools, a single convincing phishing email can grant attackers access. Once inside, preventive measures are no longer effective, and without detection and response capabilities, an organisation may not even be aware of an intrusion for weeks or months. That’s why it’s vital to have strong Detect and Respond capabilities to identify and eliminate threats before they can cause damage.
To effectively implement detection and response capabilities, it’s necessary to have a team with security expertise and experience. Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) solutions are frequently employed to address deficiencies, but if not managed correctly, they may generate an excessive volume of logs and alerts that can become burdensome. Sorting through this data to identify threats can be time-consuming and requires specific knowledge and skills.
However, most IT teams have limited time and resources to dedicate to managing these tools and hunting down cyber attackers. To address this issue, many teams turn to managed detection and response (MDR) solutions that can alleviate the burden of day-to-day security management.
In addition, while artificial intelligence and machine learning can aid in scaling a solution, they are not sufficient substitutes for human expertise. Living-off-the-land techniques, for example, can deceive software and AI because they are designed to look like legitimate activity to a software-only solution. Cybersecurity is ultimately a human-to-human contest, and people possess the contextual awareness and intuition needed to identify potentially harmful activity. Additionally, human involvement is necessary for remediation efforts, including further investigating threats and piecing together the components for a quick and comprehensive recovery.
Getting Buy-In for Layered Security
Once we understand what a mature and modern security stack should consist of, how can decision-makers be convinced to invest in it?
While the detect and respond layers play a crucial role in the “post-compromise” phase, it may be challenging to communicate the value of a mature security stack to non-technical decision-makers. Budgetary constraints often compound this challenge. Many companies don’t realise the actual cost of a domain-wide ransomware attack until they experience one. However, some exercises can help decision-makers better understand the concept.
For example, a tabletop exercise can simulate an attack and consider how the business would respond.
It’s important not to hesitate to ask difficult questions to assess your organisation’s security preparedness. For example:
- If we were hit with a major cyber attack and had to shut down the network for a week to remediate, what would be our contingency plan to keep the business running during that time?
- Which services are critical and must always remain operational, regardless of any security incidents?
- In a data breach where sensitive customer information is compromised, what is our process for investigating the extent of the breach and disclosing it to affected customers?
After asking these hard questions, it becomes clear that investing in preventing such situations is more cost-effective than dealing with the aftermath. To ensure that your security stack is comprehensive and effective, review your existing budget and evaluate whether you are allocating it to the right layers and areas. A helpful exercise is to compare your security stack against frameworks like NIST and MITRE ATT&CK to identify gaps or overlaps in your technology. This can help you prioritise where to invest your budget and ensure that you cover all the essential protection layers.
However, with so many security solutions in the market, teams can suffer from “analysis paralysis” and struggle to select the right tool for their needs. It’s essential to conduct thorough research, seek expert advice, and prioritise your requirements based on your specific security needs.
To avoid feeling overwhelmed, it can be helpful to seek advice from trusted advisors or other companies in peer groups to find the right security stack for your organisation. Additionally, frameworks like NIST and ATT&CK can help navigate the path and prioritise actions.
In today’s world, security cannot be ignored or postponed. It must become a top priority for all organisations, requiring a willingness to fight for it.
In conclusion, I would like to leave you with one crucial piece of advice: be prepared for hackers by having a comprehensive security stack and plan. Don’t be caught off guard when a security breach occurs. Contact Qamba to set up a robust security plan.