How to Alleviate the 15 Top Stressors in IT Systems
Stressor No. 1: Are We a Target?
How to alleviate: Accept the fact that everyone is a target. Threat actors are looking for easy targets, so focus on making yourself a hard target. Do your best to stay current on security patches for your critical public-facing Web servers, use two-factor authentication for all elevated privilege access, and build a defense-in-depth architecture that will drive up the skill level of attack required for threat actors to have any success. — Jeff Schilling, CSO, Armor
Stressor No. 2: Am I Already Compromised?
How to alleviate: Have a third-party red team or penetration team test your security operations and infrastructure to see if they have any success. There are also security companies that will perform targeted threat hunting by sitting on your network where threat actors are likely to reside and detect them before they know they have been seen. It is critical to catch them before they know they are caught. Once a targeted threat suspects it has been discovered, it will go dark and wait to re-emerge later through another backdoor that you don’t know about. — Jeff Schilling, CSO, Armor
Stressor No. 3: Are We Going to Pass Our Audit?
How to alleviate: Audits are getting more difficult to pass, as the standards are raised as a result of successful threat activity. Perhaps it is time for your IT team to make the determination that you don’t have the architecture, technology or processes to stay compliant with regulatory standards and should consider offloading that responsibility to a third-party provider with more experience. — Jeff Schilling, CSO, Armor
Stressor No. 4: External Devices/BYOD in the Enterprise
How to alleviate: Almost all enterprises have some form of bring-your-own-device (BYOD) policy because it is inconceivable to block employees from using their mobile devices, tablets or personal devices within the enterprise network. This poses a serious security risk because, once compromised, these devices might be a jumping point to the rest of the network. It is, therefore, crucial to identify, track and control access from these external devices. IP address management (IPAM) and dynamic host configuration protocol (DHCP) management enable users to actively monitor and control these devices. A well-written and enforced BYOD policy is also a must. — Andrew Wertkin, CTO, BlueCat
Stressor No. 5: Vulnerabilities in Open-Source Libraries and Products
How to alleviate: As we saw in the example of OpenSSL, which is used by almost anybody from Google to major banks, a security vulnerability in a commonly used library has an immense impact. To alleviate the risk, an enterprise should choose third-party libraries wisely to ensure that it has vibrant community support and enough maturity to keep up with emerging security threats. Some large enterprises that rely on these libraries actually support the open-source community actively. — Andrew Wertkin, CTO, BlueCat
Stressor No. 6: PCI Compliance
How to alleviate: The latest Payment Card Industry Data Security Standard (PCI DSS) standard requires logs for external-facing technologies, including Domain Name System (DNS), recorded centrally and presented for forensic purposes. Collecting these logs and centrally managing them for compliancy is a challenge. To overcome this stressor, organizations must invest in solutions that can flex as enterprises move from the center to the edge—and are able to collect all of their DNS data centrally to be PCI compliant. — Andrew Wertkin, CTO, BlueCat
Stressor No. 7: User Impersonation (or Credential Theft)
How to alleviate: Look at any high-profile data breaches and you’ll see that stolen credentials resulted in the unfettered access to an enterprise’s crown jewels—its data. To identify such behavior before it’s too late, security teams must use data science techniques, such as machine learning, clustering and statistical analysis, to develop a baseline of normal activity to identify any deviations that could signal an active or potential data breach. These techniques give security pros insight into the detection of an attacker’s presence, unusual behaviors and malicious activities inside their organizations. — Ravi Devireddy, co-founder and CTO, E8 Security
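The baselining technique described above, shown as an added example. This is not code from the article or from E8 Security; it learns, per account, which hosts are normally reached and the usual login hour from constructed authentication log lines, then flags later logins that hit an unseen host or fall far outside that hour. The log format, user names, host names and timestamps are all constructed for the example.

```python
"""Per-user login baseline and deviation scoring (added example, constructed data)."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: ISO timestamp, fixed event name, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$"
)

# Constructed training window: ten routine working-day logins for one account.
BASELINE_LOG = [
    f"2024-03-{day:02d}T{hour:02d}:15:00 LOGIN user=alice src=10.0.1.{day} host={host}"
    for day, hour, host in [
        (1, 8, "fileserver"), (2, 9, "fileserver"), (3, 9, "mail"),
        (4, 10, "fileserver"), (5, 8, "mail"), (6, 9, "fileserver"),
        (7, 10, "fileserver"), (8, 9, "mail"), (9, 9, "fileserver"),
        (10, 8, "fileserver"),
    ]
]


def parse(line):
    """Turn one log line into a dict; reject anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _hour_of_day(ts):
    return ts.hour + ts.minute / 60


def build_baseline(lines):
    """Learn, per user, the set of hosts reached and mean/std of login hour."""
    hosts = defaultdict(set)
    hours = defaultdict(list)
    for ev in map(parse, lines):
        hosts[ev["user"]].add(ev["host"])
        hours[ev["user"]].append(_hour_of_day(ev["ts"]))
    baseline = {}
    for user, h in hours.items():
        mean = sum(h) / len(h)
        std = math.sqrt(sum((x - mean) ** 2 for x in h) / len(h))
        # Floor the spread at one hour: a perfectly regular schedule would
        # otherwise give std == 0 and flag every minute of drift.
        baseline[user] = {"hosts": hosts[user], "mean_hour": mean,
                          "std_hour": max(std, 1.0)}
    return baseline


def score_event(baseline, line, z_threshold=3.0):
    """Return the list of deviations a login shows against its user's baseline.

    An empty list means the login looks routine. Hours are treated linearly,
    so a baseline centred on midnight would need circular statistics instead.
    """
    ev = parse(line)
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["unknown_user"]
    reasons = []
    if ev["host"] not in profile["hosts"]:
        reasons.append("new_host")
    z = abs(_hour_of_day(ev["ts"]) - profile["mean_hour"]) / profile["std_hour"]
    if z > z_threshold:
        reasons.append("unusual_hour")
    return reasons


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for line in [
        "2024-03-12T03:05:00 LOGIN user=alice src=203.0.113.9 host=hr-db",
        "2024-03-12T10:45:00 LOGIN user=alice src=10.0.1.5 host=mail",
    ]:
        print(line.split()[2], score_event(baseline, line) or "routine")
```

The z-score threshold and the one-hour floor on the spread are tuning choices; in production the baseline would be rebuilt on a rolling window so that a legitimate change of schedule stops generating alerts after a few days.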
Stressor No. 8: Do I Have Enough Visibility? Will I Be Able to Respond Fast Enough?
How to alleviate: With so much raw information flowing from so many tools, it’s becoming incredibly difficult to piece together a reliable view of what’s actually going on behind all the noise. Every new security tool added just makes the problem worse. To alleviate, we should consider some advice from Thoreau: “Simplify!” Security teams should be looking more at technologies that enable automated analytics and machine learning to assist them in cutting through the noise and focusing on what’s important. — Geoff Webb, vice president, Solution Strategy, Micro Focus
Stressor No. 9: Do I Really Know Who My Privileged Users Are and What They Are Doing?
How to alleviate: Privileged users are still keeping chief information security officers awake at night. This is made worse by “privilege creep” that occurs with long-term employees and even contractors. Servicing the needs of privileged users (who often have overly broad rights to far too much sensitive material) while keeping data secure and private remains one of the top causes of stress among organizations. Alleviating this stressor is a three-step program. First: Reduce the number of privileged users by implementing a good access governance policy. Second: Reduce the privileges those remaining privileged users have, often by carefully managing who has access and when, rather than offering carte blanche to the elite classes of users. Third: Monitor closely (and in real time, if possible) what they do with the privileged access they have. — Geoff Webb, vice president, Solution Strategy, Micro Focus
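The three-step program above, worked through as an added example that is not code from the article or from Micro Focus. Each function maps to one step: find privileged accounts whose rights have gone unused (candidates for removal), find rights held beyond what the account's role requires, and check a logged privileged action against an approved access window. The role model, accounts, last-used dates and approval windows are all constructed.

```python
"""Three-step privileged-access review (added example, constructed data)."""
from datetime import date, datetime, timedelta

# Constructed role model: the rights each job function actually needs.
ROLE_PRIVILEGES = {
    "dba": {"db.read", "db.write"},
    "helpdesk": {"user.reset_password"},
    "sre": {"host.sudo", "db.read"},
}

# Constructed account inventory: privilege -> date it was last exercised.
ACCOUNTS = [
    {"user": "alice", "role": "dba",
     "grants": {"db.read": date(2024, 2, 20), "db.write": date(2024, 2, 28),
                "host.sudo": date(2023, 9, 1)}},
    {"user": "bob", "role": "helpdesk",
     "grants": {"user.reset_password": date(2024, 2, 27),
                "db.write": date(2023, 11, 15)}},
    {"user": "carol", "role": "sre",
     "grants": {"host.sudo": date(2023, 10, 1), "db.read": date(2023, 10, 2)}},
]


def stale_privileged_accounts(accounts, today, max_idle_days=90):
    """Step 1: accounts that have not used any privileged right recently."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        acct["user"] for acct in accounts
        if acct["grants"] and all(last < cutoff for last in acct["grants"].values())
    )


def excess_privileges(accounts, roles=ROLE_PRIVILEGES):
    """Step 2: rights each account holds beyond its role's requirements."""
    report = {}
    for acct in accounts:
        extra = set(acct["grants"]) - roles.get(acct["role"], set())
        if extra:
            report[acct["user"]] = extra
    return report


def check_privileged_action(event, windows):
    """Step 3: is a logged privileged action covered by an approved window?

    `event` is (timestamp, user, privilege); `windows` is a list of
    (user, privilege, start, end) approvals granted for a bounded period.
    """
    ts, user, priv = event
    for w_user, w_priv, start, end in windows:
        if w_user == user and w_priv == priv and start <= ts <= end:
            return "approved"
    return "unapproved_privileged_action"


if __name__ == "__main__":
    today = date(2024, 3, 1)
    print("stale:", stale_privileged_accounts(ACCOUNTS, today))
    print("excess:", excess_privileges(ACCOUNTS))
    windows = [("alice", "db.write", datetime(2024, 3, 1, 13), datetime(2024, 3, 1, 15))]
    print(check_privileged_action((datetime(2024, 3, 1, 14), "alice", "db.write"), windows))
    print(check_privileged_action((datetime(2024, 3, 1, 14), "bob", "db.write"), windows))
```

Step 2 also catches the case the passage calls privilege creep: bob's helpdesk role never needed db.write, but the grant survived a previous job. Step 3 is the real-time piece; feeding it every privileged event from an audit log turns "carte blanche" access into access that must match a time-bounded approval.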
Stressor No. 10: I Have a Major Incident, but My Security Budget Is Maxed Out
There are three ways to alleviate this stress. First, separate incident response costs from core security spending during the budgeting process. An incident should not have to make you choose between core services and handling a critical incident. Core services should remain more or less fixed, while an incident budget should be treated as a rainy day fund and have flexibility should an incident occur. Second, work flexibility into your supplier contracts. If your budget is truly fixed, then you will have to move around dollars with existing suppliers. Make sure you have the contractual flexibility to delay projects, remove project scope and scale down services. Many suppliers say they scale, but usually they only mean upward, so make sure you can remove services and scale downward as well. Third, add cyber-insurance coverage. A proper cyber-insurance policy will allow for incident response and forensics services once a deductible is met. — Michael Patterson, vice president of strategy, Rook Security
Stressor No. 11: More Threats Than Time
How to alleviate: Industry analyst firm EMA recently analyzed organizations that experienced between 500 and 1,000 critical alerts per day and found that 88 percent of those organizations only had enough staff to investigate 25 or fewer incidents per day. Unfortunately, this means that the vast majority of critical events were being ignored. To get past this stressor, move to automated analysis of network events. While there always will be a need for skilled security analysts, the rate and scale of threats simply demands that organizations automate the analysis of threats. Behavioral models and machine learning solutions are becoming popular for automatically analyzing and correlating events so security teams can avoid manual investigations, and instead spend their time on enforcement. — Wade Williamson, director of threat analytics, Vectra
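The automated correlation the passage argues for, as an added example that is not code from the article or from Vectra. Alerts from several tools are grouped into incidents when they concern the same host within a time window, each incident is scored by severity and by how many independent sources agree, and only the top N (the team's daily investigation capacity) are handed to analysts. The alert feed, host names, tool names and scoring weights are all constructed.

```python
"""Alert correlation and capacity-aware triage (added example, constructed data)."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "ts host source name severity")

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Constructed raw alert feed: (timestamp, host, source tool, alert name, severity).
RAW_ALERTS = [
    ("2024-03-01T09:00:00", "ws-17", "edr", "suspicious_powershell", "medium"),
    ("2024-03-01T09:03:00", "ws-17", "proxy", "beacon_like_traffic", "high"),
    ("2024-03-01T09:10:00", "ws-17", "edr", "credential_dump_attempt", "critical"),
    ("2024-03-01T09:30:00", "db-02", "ids", "port_scan", "low"),
    ("2024-03-01T09:31:00", "db-02", "ids", "port_scan", "low"),
    ("2024-03-01T09:32:00", "db-02", "ids", "port_scan", "low"),
    ("2024-03-01T13:00:00", "db-02", "edr", "unsigned_binary", "medium"),
    ("2024-03-01T10:00:00", "mail-01", "proxy", "beacon_like_traffic", "high"),
    ("2024-03-01T15:00:00", "ws-17", "edr", "suspicious_powershell", "medium"),
]


def load_alerts(rows):
    return [Alert(datetime.fromisoformat(ts), host, src, name, sev)
            for ts, host, src, name, sev in rows]


def _make_incident(alerts):
    sources = {a.source for a in alerts}
    # Severity adds up; each additional independent tool that agrees adds a bonus,
    # because corroboration across sensors is a stronger signal than raw volume.
    score = sum(SEVERITY_WEIGHT[a.severity] for a in alerts) + 5 * (len(sources) - 1)
    return {"host": alerts[0].host, "start": alerts[0].ts, "end": alerts[-1].ts,
            "alerts": len(alerts), "sources": sorted(sources), "score": score}


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts per host into incidents; a gap longer than `window` starts a new one."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    incidents = []
    for items in by_host.values():
        items.sort(key=lambda a: a.ts)
        current = [items[0]]
        for a in items[1:]:
            if a.ts - current[-1].ts <= window:
                current.append(a)
            else:
                incidents.append(_make_incident(current))
                current = [a]
        incidents.append(_make_incident(current))
    return sorted(incidents, key=lambda i: (-i["score"], i["start"]))


def triage(rows, capacity):
    """Return the incidents an analyst team with the given daily capacity should see."""
    return correlate(load_alerts(rows))[:capacity]


if __name__ == "__main__":
    for inc in correlate(load_alerts(RAW_ALERTS)):
        print(f"{inc['host']:8} {inc['start']:%H:%M}-{inc['end']:%H:%M} "
              f"alerts={inc['alerts']} sources={inc['sources']} score={inc['score']}")
    print("hand to analysts:", [i["host"] for i in triage(RAW_ALERTS, capacity=2)])
```

Nine alerts collapse into five incidents, and the one where EDR and proxy telemetry agree on the same workstation within ten minutes ranks far above three isolated port-scan alerts. The incidents below the capacity cutoff are not discarded; they stay queued for a later pass or for the automated enforcement the passage mentions.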
Stressor No. 12: Encryption by Default
How to alleviate: As more Web apps are moving to the practice of encrypting traffic by default, more of the traffic traversing the enterprise network is obscured from traditional security analysis. To overcome this stressor, organizations need to complement payload-based network security with behavior-based network security. Unlike signature-based systems that need to decode traffic down to the payload to find a threat, behavior-based systems can recognize the patterns of malicious traffic and behavior even when the traffic is encrypted. This allows security teams to protect their environment without having to break into every encrypted conversation. — Wade Williamson, director of threat analytics, Vectra
Stressor No. 13: Inability to Find, Hire and Retain Quality Security Engineers
How to alleviate: The market has thousands of open positions but very few good, qualified security engineers, making it one of the hardest positions to fill. You’ll either need to train a new person in security or be prepared to partner with a third-party vendor. — Ryan O’Leary, vice president, Threat Research Center, WhiteHat Security
Stressor No. 14: It’s Only a Matter of Time Before Your Application Is Breached
How to alleviate: This is reality for almost all security professionals. Security groups should take a multipronged attack to combat breaches. First, developers need to be trained in secure coding. This will prevent vulnerabilities from being introduced in the first place. Next, good static analysis tools are needed to catch issues as code is being written. Then dynamic analysis and pen testing can be used to find business logic flaws and issues that static can’t find. Finally, a good process to fix vulnerabilities must be identified along with ways to virtually patch issues while the development team is doing the fixing. — Ryan O’Leary, vice president, Threat Research Center, WhiteHat Security
Stressor No. 15: Justifying Security ROI
How to alleviate: All organizations want to demonstrate a return from their investments. Calculating the ROI on security is a difficult task, and CISOs usually have a tough time justifying this expense. The rational way to justify security investments is to look at the cost savings you would have from such investments. CISOs should plan all their spending based on risk and the possible savings that would come from mitigating this risk. This is a language that is well-understood and appreciated by business people. — Mostafa Siraj, senior security advisor, WhiteHat Security