Ten Recommendations for Choosing a Cybersecurity Solution for your Organisation.

With cybersecurity at centre stage on corporate boards’ agendas, there’s no shortage of security products on the market right now. Given this variety of available options, it’s no wonder that companies find it so hard to decide what is right for their cyber protection needs. Recognise that there is no single product that solves all security challenges: you can’t implement one product as a cure-all for your range of needs, assets, and potential threats.

Currently, security is mainly a product-based business, with tools available to help you in each of the five NIST framework categories, from identifying threats to recovering from them. While this can be overwhelming, it can also be useful: instead of buying a platform with many capabilities you don’t need, you can select from a variety of products and customise them to your specific needs based on your security strategy.

In this article, I provide ten recommendations to help you evaluate which cybersecurity solutions are best for your organisation!

Impose Allowed Interactions Between Your Data and Users

To decrease the number of attacks to which your network and data are exposed, your cybersecurity solution must allow you to granularly identify approved interactions between users and data based on the specific data you’re trying to protect — what it contains, where it’s located, how it should be used, and by whom.

Micro-segmentation is equally important when choosing a cybersecurity solution. Each network site likely behaves somewhat differently, and so each requires a slightly different set of allowed behaviours. Identify and group users according to their privilege levels and the data they should be able to access. The policies you formulate must be enforced in the context of the applications traversing the network and their expected interactions. Fine-grained network access policies are the key to reducing the attack surface and blocking unauthorised access, as they provide the most crucial context around incoming and outgoing network traffic.
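The allow-list idea above, as an added illustration that is not code from the article: a deny-by-default policy keyed on the user's privilege group, the data's classification and the action, scoped to the network segment the user is coming from and the application the traffic is identified as. All user names, groups, segment and asset names, and the rules themselves are constructed for the example.

```python
"""Deny-by-default policy for user-to-data interactions across network segments.

Added illustration, not code from the article: user names, groups, segment
names, asset names and the policy rules are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: str  # "public", "internal" or "confidential"
    segment: str         # segment the data lives in (constructed names)


@dataclass(frozen=True)
class User:
    name: str
    group: str           # privilege group
    segment: str         # segment the user's device currently sits in


@dataclass(frozen=True)
class Flow:
    user: User
    asset: DataAsset
    action: str          # "read" or "write"
    app: str             # application the traffic was identified as


# Allow-list keyed by (group, data classification, action) -> permitted source
# segments. "*" is a catch-all group. Anything not listed is denied.
POLICY: Dict[Tuple[str, str, str], FrozenSet[str]] = {
    ("finance", "confidential", "read"):  frozenset({"corp-lan", "vpn"}),
    ("finance", "internal", "read"):      frozenset({"corp-lan", "vpn", "guest-wifi"}),
    ("engineering", "internal", "read"):  frozenset({"corp-lan", "vpn"}),
    ("engineering", "internal", "write"): frozenset({"corp-lan"}),
    ("*", "public", "read"):              frozenset({"corp-lan", "vpn", "guest-wifi", "iot"}),
}

# Applications each action may legitimately use; enforcement is app-aware, so
# the same user reaching the same data over an unexpected app is denied.
ALLOWED_APPS: Dict[str, FrozenSet[str]] = {
    "read": frozenset({"https", "smb"}),
    "write": frozenset({"https", "smb"}),
}


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the default is deny."""
    if flow.app not in ALLOWED_APPS.get(flow.action, frozenset()):
        return False, f"app {flow.app} is not permitted for {flow.action}"
    # The user's own group rule wins over the catch-all; if the group rule
    # exists but excludes this segment, do not fall back to "*".
    for group in (flow.user.group, "*"):
        segments = POLICY.get((group, flow.asset.classification, flow.action))
        if segments is None:
            continue
        if flow.user.segment in segments:
            return True, f"allowed by rule {(group, flow.asset.classification, flow.action)}"
        return False, f"segment {flow.user.segment} may not {flow.action} {flow.asset.name}"
    return False, "no matching rule (default deny)"


def audit(flows: List[Flow]) -> List[Tuple[str, bool, str]]:
    """Evaluate a batch of flows and return (label, allowed, reason) per flow."""
    results = []
    for fl in flows:
        allowed, reason = evaluate(fl)
        results.append((f"{fl.user.name}->{fl.asset.name}:{fl.action}", allowed, reason))
    return results


# Constructed sample inventory.
LEDGER = DataAsset("ledger", "confidential", "finance-db")
WIKI = DataAsset("wiki", "internal", "corp-lan")
WEBSITE = DataAsset("website", "public", "dmz")
ALICE_LAN = User("alice", "finance", "corp-lan")
ALICE_GUEST = User("alice", "finance", "guest-wifi")
BOB = User("bob", "engineering", "corp-lan")
CAMERA = User("cam-01", "device", "iot")

SAMPLE_FLOWS = [
    Flow(ALICE_LAN, LEDGER, "read", "https"),    # allowed
    Flow(ALICE_GUEST, LEDGER, "read", "https"),  # denied: wrong segment
    Flow(ALICE_LAN, LEDGER, "read", "ssh"),      # denied: unexpected app
    Flow(BOB, LEDGER, "read", "https"),          # denied: no rule (default deny)
    Flow(BOB, WIKI, "write", "smb"),             # allowed
    Flow(CAMERA, WEBSITE, "read", "https"),      # allowed via catch-all
    Flow(CAMERA, LEDGER, "read", "https"),       # denied: no rule
]

if __name__ == "__main__":
    for label, allowed, reason in audit(SAMPLE_FLOWS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label:28} {reason}")
```

The point to notice is that the same user reading the same data is allowed from `corp-lan` and denied from `guest-wifi`, and that a device on the `iot` segment reaches only what the catch-all rule grants: every interaction the policy does not name is denied, which is what shrinks the attack surface.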

Identify Threats Everywhere and Constantly

Data is continuously in transit to and from both physical and virtual locations via a slew of different ports, protocols, and applications. Device‐to‐device communication represents a vector for lateral movement that’s rarely monitored, creating opportunities for attackers. Data moves back and forth from things like security cameras, VMs in the cloud via SaaS applications, POS devices, and printers — all of which have been used by attackers to circumvent traditional defences and gain a foothold within the target organisation.

A complete, end‐to‐end threat identification for all applications, users, and devices in all locations, on and off the organisation’s network, is imperative for an effective cybersecurity strategy.

Protect Data at Multiple Phases in the Attack Lifecycle

Stand-alone security tools, like traditional intrusion prevention systems (IPS) or web proxies that focus solely on one stage of the attack lifecycle, may fail, especially where new or unidentified techniques are used. An adequate prevention strategy includes coordinated technologies that detect and prevent at each stage and readily block known and unknown threats, ultimately stopping attackers from reaching their objective.

You should choose a cybersecurity solution that focuses on attack behaviours at multiple stages: blocking delivery through compromised web pages and malicious files, protecting against exploit kits and application vulnerabilities, stopping the execution (installation) of files containing known malware through accurate payload identification, shutting down outbound command-and-control communication, and restricting lateral movement through segmentation.

Attack surface reduction, combined with full visibility and prevention mechanisms at each stage, guarantees that as an attack progresses through each attack stage — even those that use new techniques — there is a decreasing probability it will succeed and an increasing likelihood that your network will remain secure.

Outsmart Threats Designed to Outwit Security Tools

Cybersecurity tools whose protection takes the form of static signatures that are too broad or too specific are limited in that they can only protect against threats that are known: known malware delivered by a known malicious URL using a known exploit, communicating with a known command-and-control domain. It’s incredibly easy for attackers to modify existing malware and exploits just enough to make them effectively “unidentified” and bypass traditional defences. These minor variations create moving targets for security tools with static protections. What’s more, malicious URLs and command-and-control domains come and go quickly, often remaining active for only a few hours or days at a time.

The sheer number of exploit and malware variations in circulation necessitates protection capabilities that can handle the load, either through an enormous and continually growing library of exploit- and hash-based signatures, or through a smaller set of payload-based signatures, each capable of detecting and preventing multiple variations. Smart signatures that uncover threats deep within each packet and file, comprehensively across many protocols, file types, exploits, and hashes, offer increased protection now, as well as future protection against variation and reuse of the same attack components.
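To make the hash-versus-payload distinction concrete, here is an added example (not from the article) in which a hash signature pins one exact file while a payload signature with byte wildcards keeps matching a variant that differs only in a field the attacker can change freely. The two "samples" are constructed byte strings, and the signature names and patterns are invented for illustration.

```python
"""Hash-based versus payload-based signatures against a one-byte variant.

Added example, not from the article: the two "samples" are constructed byte
strings, and the signature names and patterns are invented for illustration.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample: a header, a version string an attacker can vary freely,
# and a short constructed code stub that stays the same across variants.
SAMPLE_A = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"build=1001;"
    + b"\xE8\x00\x00\x00\x00\x5B\x81\xEB"
    + b"\x00" * 8
)
# The "variant": identical except for the build number.
SAMPLE_B = SAMPLE_A.replace(b"build=1001;", b"build=1002;")
# A constructed benign file sharing only the header bytes.
BENIGN = b"MZ\x90\x00" + b"\x00" * 12 + b"hello world" + b"\x00" * 16

# A hash signature pins one exact file.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_A).hexdigest(): "dropper.v1",
}

# A payload signature keeps the bytes that matter and wildcards (??) the
# field that varies: "build=????;" followed by the unchanged code stub.
PAYLOAD_SIGNATURES: Dict[str, str] = {
    "dropper-family": "62 75 69 6C 64 3D ?? ?? ?? ?? 3B E8 ?? ?? ?? ?? 5B 81 EB",
}


def compile_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so "." matches 0x0A too


COMPILED = {name: compile_pattern(p) for name, p in PAYLOAD_SIGNATURES.items()}


def match_hash(sample: bytes) -> Optional[str]:
    """Exact-file match: returns the signature name or None."""
    return HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())


def match_payload(sample: bytes) -> List[str]:
    """Content match: returns every payload signature found in the sample."""
    return [name for name, rx in COMPILED.items() if rx.search(sample)]


def classify(sample: bytes) -> Dict[str, object]:
    return {"hash": match_hash(sample), "payload": match_payload(sample)}


if __name__ == "__main__":
    for label, s in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", BENIGN)):
        print(label, classify(s))
```

Sample A is caught by both methods; sample B, one byte different, slips past the hash signature but not the payload signature, and the benign file matches neither. One payload signature here does the work of an open-ended list of hashes, which is the trade-off the paragraph describes.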

Translate New Threat Hunting Intelligence into Protections in Corporate Security Policies

In 60% of attacks, it takes only minutes for a compromise to occur. This infection speed necessitates quickly translating data into intelligence, and intelligence into enforced protections, allowing you to prevent network and device infection in near real time and rely less on manual research and remediation processes.

A cybersecurity solution can close gaps in prevention capabilities by quickly translating intelligence, such as new malware payloads, URLs hosting exploits, and command-and-control server locations, into protections that your existing security technologies can enforce across your entire network.

To automate this process, consider a solution that is self-learning. A constant feed of freshly discovered attacks, each broken down into its components, translated into protections, and distributed to the points of enforcement within your segmented network, increases the success of your cybersecurity solution.

Get Intelligence and Protection Against the Latest Attacks

Cyber threats are constantly changing as attackers advance their methods in a continuous effort to be more deceptive and evasive. The rate at which attacks are evolving dictates that what protected your network against attacks this morning may not be effective against attacks launched in the next few minutes. Keeping the prevention capabilities within your security technologies as current as possible helps to minimise the risk of infection and restricts attackers to threats built from pristine, zero-day exploits and malware and brand-new command-and-control domains. This seriously increases the cost of attacking you and severely limits their opportunities for success, resulting in fewer attacks for you to deal with.

Attackers are continuously automating new threats, so your data‐to‐protection process must also be automated to stay ahead of the game of cat and mouse.

Enable Quick and Accurate Mitigation

After being hit by a sophisticated attack, it’s critical to identify the infection quickly and protect other devices and network segments against its spread. Because most network defences comprise best-of-breed tools from multiple vendors, prevention becomes difficult. The process is arduous, highly manual, and time-consuming, especially if threat data is isolated in different systems and stored in different locations.

An infection doesn’t necessarily mean your network has been penetrated. If you’re able to prevent outbound communication with the attackers (command and control), you’ve effectively stopped the attack, even though you may still need to identify and clean the infected device(s). In addition to strengthening prevention capabilities, technologies that ingest a constant feed of threat information can help. Where remediation is concerned, every minute counts.

Your organisation should consider a solution that correlates suspicious behaviours into highly accurate infection alerts, so you know that an infection has taken place and can prioritise accordingly to limit wider network exposure. Many attackers will try to leverage singular, and therefore possibly undefended, attack vectors, so any threat analysis tool must also cover all locations and devices within your enterprise network infrastructure.
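The two ideas of translating a threat-intelligence feed into protections for each enforcement point (the section on threat-hunting intelligence above) and correlating the resulting hits into one high-confidence infection alert per host (this paragraph), worked through as an added example that is not the article's or any vendor's code. The feed entries, host addresses, domains, URL, hash and log lines are all constructed, and the log format (a source tag followed by space-separated key=value fields) is an assumption made for the example.

```python
"""Threat-intel feed -> enforceable protections -> correlated infection alerts.

Added example, not the article's code. The feed entries, host addresses,
domains, URLs, hashes and log lines are all constructed; the log format
(a source tag followed by key=value fields) is assumed.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed intel feed: one discovered attack broken into its components.
FEED = [
    {"type": "sha256", "value": "a" * 64, "desc": "dropper payload"},
    {"type": "url", "value": "http://files.example.test/kit/landing", "desc": "exploit kit landing page"},
    {"type": "domain", "value": "c2.example.test", "desc": "command-and-control"},
]

# Constructed log lines from a proxy, an endpoint agent, a DNS resolver and
# SMB flow records. Host 10.0.1.5 walks through every stage; 10.0.1.8 had its
# download blocked; 10.0.1.7 is a normal workstation.
LOGS = f"""
proxy src=10.0.1.5 url=http://files.example.test/kit/landing action=allow
edr   host=10.0.1.5 event=file_exec sha256={'a' * 64}
dns   src=10.0.1.5 qname=c2.example.test
dns   src=10.0.1.5 qname=c2.example.test
smb   src=10.0.1.5 dst=10.0.1.9
smb   src=10.0.1.5 dst=10.0.1.10
smb   src=10.0.1.5 dst=10.0.1.11
proxy src=10.0.1.8 url=http://files.example.test/kit/landing action=block
dns   src=10.0.1.7 qname=updates.example.test
smb   src=10.0.1.7 dst=10.0.1.9
"""


def build_protections(feed: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Route each indicator type to the enforcement point that can act on it."""
    prot: Dict[str, Set[str]] = {
        "endpoint_hash_block": set(), "proxy_blocklist": set(), "dns_sinkhole": set()}
    target = {"sha256": "endpoint_hash_block", "url": "proxy_blocklist", "domain": "dns_sinkhole"}
    for item in feed:
        dest = target.get(item["type"])
        if dest is not None:              # indicator types nothing can enforce are skipped
            prot[dest].add(item["value"])
    return prot


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse 'source k=v k=v ...' lines into dicts (assumed format)."""
    events = []
    for line in text.strip().splitlines():
        source, *fields = line.split()
        ev = {"source": source}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


STAGE_WEIGHT = {"delivery": 1, "installation": 2, "command-and-control": 3, "lateral-movement": 2}
LATERAL_THRESHOLD = 3   # distinct SMB peers before we call it lateral movement


def correlate(events: List[Dict[str, str]], prot: Dict[str, Set[str]]) -> Dict[str, Dict[str, object]]:
    """Map sensor hits onto attack stages per host and raise one alert per host."""
    stages: Dict[str, Set[str]] = defaultdict(set)
    peers: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        host = ev.get("src") or ev.get("host", "?")
        src = ev["source"]
        if src == "proxy" and ev.get("url") in prot["proxy_blocklist"]:
            if ev.get("action") == "allow":        # a blocked fetch is prevention, not infection
                stages[host].add("delivery")
        elif src == "edr" and ev.get("sha256") in prot["endpoint_hash_block"]:
            stages[host].add("installation")
        elif src == "dns" and ev.get("qname") in prot["dns_sinkhole"]:
            stages[host].add("command-and-control")
        elif src == "smb":
            peers[host].add(ev.get("dst", "?"))
            if len(peers[host]) >= LATERAL_THRESHOLD:
                stages[host].add("lateral-movement")
    alerts: Dict[str, Dict[str, object]] = {}
    for host, seen in stages.items():
        score = sum(STAGE_WEIGHT[s] for s in seen)
        # A C2 hit alone is decisive; otherwise require corroborating stages.
        if "command-and-control" in seen or score >= 4:
            alerts[host] = {"stages": sorted(seen), "score": score,
                            "severity": "high" if score >= 6 else "medium"}
    return alerts


if __name__ == "__main__":
    protections = build_protections(FEED)
    for host, alert in correlate(parse_log(LOGS), protections).items():
        print(host, alert)
```

Only the host that touched several stages, including command-and-control, produces an alert; the host whose download the proxy blocked and the ordinary workstation produce none. In practice each sensor's hits would arrive from a different product, which is exactly why the correlation step needs shared intelligence and a common view across all of them.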

Coordinate Actions Across Individual Security Technologies

Security technologies and individual sensors contain information-gathering and enforcement capabilities that, if built to work together, have the power to make your efforts to secure the organisation more effective. Being able to identify what’s going on in a given attack stage and correlate it to build a broader picture of the attack as a whole is essential to stopping it from spreading. That big picture provides the context for understanding where gaps in security may exist, where protections must be created, and where enforcement must be distributed to block the attack and close those holes.

Coordinated cybersecurity technologies are of great importance when it comes to usability and closing security holes in your network infrastructure. Technologies that are natively integrated, or have open APIs that can be easily integrated, are best suited to share intelligence and update policies across your entire network comprehensively, and immediately alert you to infection, regardless of location.

Keep Your Organisation Running

Many organisations struggle when it comes to choosing between securing the organisation and enabling the thousands of applications that accelerate efficiency and productivity. Turning on security protections often means users must accept high latency or be restricted from using the apps or accessing the data they need.

Reducing the attack surface is key to maintaining usability. Eliminating unknown or unnecessary traffic and data interactions minimises the amount of traffic that must be scanned for threats, which lightens the processing load your cybersecurity tools must bear.

Given the requirement for computationally intensive tasks (for example, application identification and threat prevention performed on high‐traffic volumes), your cybersecurity solution must provide dedicated, specific processing for management, security, and content scanning, so traffic isn’t processed more than once.

It Must Be Easy to Install, Integrate and Use

Manually integrating data from different products can be an arduous process, often introducing mistakes and imperfect results. As each additional hour passes after compromise occurs, the infection spreads, and the likelihood that you’ll need to disclose a breach to your executives and board members increases. You can’t afford the extra time associated with laborious monitoring, investigation, and reporting.

Look for a cybersecurity vendor who correlates security data both at a local level (so you know exactly what’s going on in your network and can respond accordingly) and at a global scale (providing you with actionable intelligence on threat campaign details).

Conclusion

At one time, the concept of cyber attacks as continually moving targets was impossible, an irrational theory only possible at some point far into the future. But now, the future is here, and this is our reality.

10 Things Your Next Cybersecurity Must Do validates the fact that the best place to execute secure application enablement is at every point within the network and cloud, and on endpoints. It should be clear after applying the recommendations in this article that attempts to claim effective security using single-function devices in a bolt-on approach are unrealistic. Therefore, to truly prevent a breach, a holistic cybersecurity solution that can dynamically adapt to the changing threat landscape is crucial to you as a defender.

Posted by Dan K Jatau Sr. MSc, PhD, MBCS, MInstLM

Dan K Jatau is a Nottingham, UK-based Information security and technology infrastructure expert and researcher who likes to write about technology subjects from both a business and technical perspective. His current interests are business-driven security architectures, identity and access, the Cloud, virtualization security and all aspects of security. He currently works in security program development and architecture and develops enterprise security programs for SMEs.
