In our Threat Intelligence series, we’ve discussed the meaning of Threat Intelligence, the importance of it, Indicators of Compromise, and the different types of threat intelligence. Here in the third blog post of the series, we’ll discuss best practices—those which will improve your organization’s security posture and reduce the risk of attack.
Detect, Manage, and Prevent
Threat intelligence is a popular topic these days, and why shouldn’t it be? In today’s everything’s-connected world, any organization is at risk of being compromised by a malicious actor. But like we discussed in the last blog, “Don’t Compromise When it Comes to Threat Intelligence,” there are ways to not only prevent attacks, but to learn about the who/what/when/where and why of the attacks. Cybercrime is on the rise, but that doesn’t mean that your organization should accept “death by malware.” Organizations today must have a strong security posture in order to be able to detect, manage, and ultimately prevent attacks.
Where does one begin? There are a number of best practices that can work to improve your organization’s security posture. Following these will help you put the right defenses in place, and become the building blocks of a solid plan to ensure you react to a breach the right way.
Here are 10 best practices to reduce risk and build your security posture:
- Capture a complete picture of your network
Detail all exploitable endpoints on your system, keeping an inventory of devices. In the world of BYOD, this could be a number of things outside of your usual laptops and printers. In order to protect your network, you must have a clear picture of what your network actually entails. - Conduct a risk assessment to establish a baseline
What is the level of vulnerability across your network? If there is a risk, what controls do you currently have in place? Understand where your level of risk sits—or—what level of risk you’re willing to accept. You must do this in order to find out what the key risks are that could do costly damage to your business.
- Prioritize risk
Now that you’ve identified your key risks, assign security ratings. Having a ratings system in place defines the priority based on the impact to business. Generally, a 1-5 security system is recommended: critical, high, medium, low, and informational. Your business must decide and determine their own risk tolerance and security classifications, as they will vary.
- Monitor security metrics
Ensure you are providing metrics that matter. When determining metrics for your organization, you should keep in mind the mission of your security team and what value it provides to the organization. Metrics should identify, track, and report on KPIs (key performance indicators).Strong metrics provide insight into whether or not the organization should have security confidence!
- Complete root cause analysis
If a breach occurs, do root cause analysis. Each breach–large or small–should be utilized as a learning opportunity. By completing an analysis, you’ll identify the underlying cause(s) of an incident and be able to put a plan in place for remediation.
- Evaluate and patch vulnerabilities
Vulnerabilities must be identified, analyzed, and patched. Many organizations are breached because of lazy patch protocols–waiting too long to apply a patch, or simply not applying it altogether. Remember: once a vulnerability is found within an operating system, malware is generally created by cyber criminals within 48 hours.
- Run automated security solutions (feed)
Machine learning is a viable way to fill the role of a Tier 1 security analyst. Most tools can scan for issues using advanced probabilistic mathematics and can quickly identify threats. This will both assist with backlogs, and gives time back to your team to work on more high-risk elements.
- Educate employees/Build a user awareness program
Security awareness is key in order to prevent employee-related incidents, as untrained and negligent employees can put the organization in danger of breaches. It’s crucial that employees are trained to spot security risks and respond appropriately.
- Create an incident response plan
An incident response plan (IR) is put in place in order to effectively respond to a breach incident. A plan should be laid out in detail–identifying cross-functional stakeholders (corporate communications, legal team, etc.) as needed. The IR should detail who is responsible for what, what needs to happen, and the timeline in which it is expected to happen. IR plans should be periodically tested.
- Use your existing security tools
Perform an assessment of the tools you already have and the coverage they provide. This will help you discover any gaps you have and allow you to make incremental changes to address those gaps. Also, utilize this assessment to ensure you are using your existing tools to their maximum capabilities. You don’t need every new tool that’s available; however, you DO need tools (and people) that work together to keep your organization secure.
Threat intelligence is an important tool in the fight against cybercrime. It can both help security teams defend against a constantly changing threat landscape, and can educate employees to help in the protection of their organization. From common indicators of compromise and the types of threat intelligence, to best practices that you and your organization can take to reduce the risk of attack, threat intelligence should be a key topic for all. With well-trained security teams, and more security-educated employees, organizations can get ahead of future breaches and make it more difficult for cybercriminals to gain entry.
