Emerging Cyber Threats & Strategies for Defense with CWPS and Alert Logic

Stephen Coty, Chief Security Evangelist at Alert Logic, talked to a packed house at the CWPS lunch and learn event on March 18. His message was loud and clear: vulnerabilities and breaches are on the rise, but with a solid security plan you can prevent them from happening.


Stephen spoke about implementing a solid security plan for all of your cyber assets. You should review your security in-depth strategies to make sure you have the proper technology, people and processes in place to support and secure the business infrastructure. You may ask yourself, “Where do I start?” Here is a list of steps towards a solid security plan:

1. Inventory all your business's technology assets, even the server sitting under someone's desk. Once this is completed, start finding out which operating systems, applications, databases, and networking and security infrastructures are supporting your business.

2. Determine which antivirus, patch management and email and storage encryption products will work with your list of assets. The list will narrow pretty quickly if you have a mixed environment like Windows, Macintosh and various versions of Linux.

3. Research which log management tools, application code scanners, web application firewalls, backup solutions, mail and web filtration work for the environments you want to protect.

4. Implement proper network security controls through firewalls, intrusion detection solutions, deep packet forensics, netflow anomaly analysis, network access controls, and scanners to continually test the environments for vulnerabilities.

Taking these steps will result in a solid security in-depth strategy, but there is something missing that ties all four of the above technology strategies together.

What ties them together is security information and event management (SIEM) technology, plus continual content updates to stay current with the latest threats. The SIEM technology solves some of the communication issues that arise within a structured group built on different teams with different objectives. The SIEM ingests all the logs from the above technologies to find patterns that are escalated as security incidents. These incidents are then sent to the appropriate teams for resolution.

The tough part about SIEM is generating the content. Content is truly the backbone that makes your security strategy work, and it needs to be updated consistently with the proper testing and analysis. Content is fed into the SIEM, and the engine uses it to identify the new and emerging threats we face on a regular basis. Threat intelligence is also an important factor that supports content. Intelligence consists of blacklists of malicious URLs and IP addresses, emerging malware and global threat data trends, all of which can be delivered to the SIEM for the creation of up-to-date content.
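To make the ingest-correlate-escalate loop concrete, here is an added example of a toy SIEM pass written for this post; it is not Alert Logic's or CWPS's code and does not model any real product. It assumes a simplified syslog-style log format, a threat-intelligence feed that is just a set of blacklisted IP addresses, and "content" that is a list of rule functions (a blacklist match, a failed-login burst followed by a success, and a regex signature rule carrying the well-known marker that IDS signatures for the bash Shellshock bug look for in web requests). All log lines, addresses and team names are constructed for the example.

```python
"""Toy SIEM correlation pass: ingest logs, apply content rules, route incidents.

Added example for this post (not Alert Logic's or CWPS's code). Assumptions:
log lines are "<timestamp> <host> <message>", threat intelligence is a set of
IP addresses, content is a list of rule functions, and incidents are routed
to a team by the rule that raised them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat-intelligence feed (documentation-range address, not a real indicator).
THREAT_INTEL_IPS = {"198.51.100.23"}

# Constructed sample logs in a simplified syslog-like form.
SAMPLE_LOGS = [
    "2015-03-18T12:00:01 host1 sshd: Failed password for admin from 203.0.113.5",
    "2015-03-18T12:00:03 host1 sshd: Failed password for admin from 203.0.113.5",
    "2015-03-18T12:00:05 host1 sshd: Failed password for admin from 203.0.113.5",
    "2015-03-18T12:00:09 host1 sshd: Accepted password for admin from 203.0.113.5",
    '2015-03-18T12:01:10 web1 httpd: 198.51.100.23 GET /index.html 200 UA="Mozilla/5.0"',
    '2015-03-18T12:01:12 web1 httpd: 192.0.2.77 GET /cgi-bin/status 200 UA="() { :;}; echo test"',
    "2015-03-18T12:02:00 host2 sshd: Accepted publickey for deploy from 192.0.2.10",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Signature content: the "() {" marker is what IDS rules for the bash bug match on.
SIGNATURES = {"bash-env-injection-probe": re.compile(r"\(\)\s*\{")}


@dataclass(frozen=True)
class Incident:
    rule: str
    team: str
    source_ip: str
    detail: str


def parse(line):
    """Normalise one raw log line into an event dict (timestamp, host, message, source IP)."""
    ts, host, msg = line.split(" ", 2)
    m = IP_RE.search(msg)
    return {"ts": ts, "host": host, "msg": msg, "ip": m.group(1) if m else None}


def rule_threat_intel(events, intel):
    """Content rule: any event whose source address is on the blacklist is an incident."""
    return [Incident("threat-intel-hit", "network", e["ip"], e["msg"])
            for e in events if e["ip"] in intel]


def rule_failed_login_burst(events, threshold=3):
    """Content rule: N failed logins from one address followed by a success."""
    failures = defaultdict(int)
    incidents = []
    for e in events:
        if "Failed password" in e["msg"]:
            failures[e["ip"]] += 1
        elif "Accepted password" in e["msg"] and failures[e["ip"]] >= threshold:
            incidents.append(Incident("brute-force-then-success", "identity", e["ip"],
                                      f"{failures[e['ip']]} failures then success"))
            failures[e["ip"]] = 0
    return incidents


def rule_signature(events, signatures):
    """Content rule: a message matching a known signature regex is an incident."""
    return [Incident(name, "appsec", e["ip"], e["msg"])
            for e in events for name, pat in signatures.items() if pat.search(e["msg"])]


def correlate(lines, intel=THREAT_INTEL_IPS, signatures=SIGNATURES):
    """Ingest raw lines, run every content rule, return the incidents raised."""
    events = [parse(line) for line in lines]
    return (rule_threat_intel(events, intel)
            + rule_failed_login_burst(events)
            + rule_signature(events, signatures))


def route(incidents):
    """Group incidents by the team responsible for resolving them."""
    queues = defaultdict(list)
    for inc in incidents:
        queues[inc.team].append(inc)
    return dict(queues)


if __name__ == "__main__":
    for team, items in route(correlate(SAMPLE_LOGS)).items():
        print(team)
        for inc in items:
            print("  ", inc.rule, inc.source_ip, inc.detail)
```

Swapping in a new `intel` set or adding an entry to `SIGNATURES` is the "content update" step the post describes: the same logs produce different incidents the moment the content changes, which is why the feed and the rules, not the log collector, decide what the SIEM actually catches.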

This is a long list of security steps, but the most important item is to make sure you implement your strategy with the proper amount of people and process to make it all work efficiently.


Shellshock Retrospective: What We Can Learn

By now most organizations have started to recover from the fire drill of their incident response process that the Shellshock vulnerability caused. Servers are patched, applications are upgraded, and security technologies have been updated to look for attacks meant to exploit the vulnerability in the GNU Bash (Bourne Again Shell) code. As the dust settles it's time to look at how our organizations responded and what we, as an industry, can do better when the next vulnerability or attack hits.

For many organizations the response to the Shellshock vulnerability was much faster than the response to Heartbleed a few months earlier. This indicates a couple of key changes occurring within IT security organizations. First, to respond to Heartbleed, organizations were forced to react to a wide-scale threat, which resulted in the formation, or refinement, of an incident response plan. The knock-on effect was that when Shellshock hit, organizations were in a much better position to react quickly. Additionally, many organizations took a look at their security detection and response capabilities after Heartbleed and began adding and/or updating their tools to fill in the gaps that became apparent during their Heartbleed response.

To ensure that you are prepared for the next vulnerability and/or wide-scale attack, now might be a good time to review this cyber security best practices checklist:

  • Secure your code: Hackers are continually looking for ways to compromise your applications. Code that has not been thoroughly tested and secured makes it all the easier for them to do harm. By testing your libraries, scanning plugins and the like, you can save yourself headaches down the road.
  • Create access management policies: Logins are the keys to your kingdom and should be treated as such. Make sure you have a solid access management policy in place, especially concerning those who are granted access on a temporary basis. Integration of all applications and cloud environments into your corporate AD or LDAP centralized authentication model will help with this process.
  • Adopt a patch management approach: Unpatched software and systems can lead to major issues for your organization. Keep your environment secure by outlining a process where you update your systems on a regular basis. Test all updates to confirm that they don’t damage or create vulnerabilities before implementation into your live environment.
  • Review logs regularly: Log review should be an essential component of any organization’s security protocols. Take the time to review your logs — you never know what you might uncover.
  • Build a security toolkit: No single piece of software is going to handle all of your security needs. Be prepared for the unexpected by having the tools you need already in your arsenal.
  • Stay informed of the latest vulnerabilities that may affect you: The Internet is a wealth of information; use it to your advantage. Search for the breaches and exploits that are happening in your industry. You can take lessons from those breaches to protect your environment so that you don't become the next victim.
  • Understand your cloud service provider's security model: Security in the cloud is a shared responsibility. Get to know your provider, understand where the lines are drawn, and plan accordingly.

Cyber attacks are going to happen, and vulnerabilities and exploits are going to be identified. Having a solid security in-depth strategy, coupled with the right tools and people who understand how to respond, will put you in a position to minimize your exposure and risk.