arthead - stock.adobe.com
Security hygiene and posture management: A work in progress
Security hygiene and posture management may be the bedrock of cybersecurity, but new research shows it is still decentralized and complex in most organizations.
It may be high priority, but organizations still approach security hygiene and posture management haphazardly in silos, which opens doors for cyber adversaries.
Security hygiene and posture management is the bedrock of cybersecurity. But before thinking about acceptable use policies, security awareness training or an assortment of security technologies, organizations must have a full understanding of the assets they possess, who owns them, what those assets are used for and whether they are configured securely.
Each standards body and security best practice, such as NIST-800 series, CIS Critical Security Controls and ISO 27001, and every security regulation -- including HIPAA, PCI DSS and FISMA -- start with a mandate for strong and continuous security hygiene and posture management.
To put the topic in context, think of security hygiene and posture management as the practice of locking and maintaining the integrity of all your doors and windows to protect your house and family from intruders. But what if you live in a European castle with dozens of family members and hundreds or thousands of doors and windows? Different staff members throughout the castle are responsible for maintaining and locking a designated subset of the total, and your safety depends on all these people getting it right, which is extremely difficult to monitor or verify.
New research highlights security hygiene complexities
The example above summarizes the state of security hygiene and posture management today -- distributed, siloed and difficult to keep up with. Recent research from TechTarget's Enterprise Strategy Group illustrated the following issues:
- 73% of security professionals claimed spreadsheets remain a key aspect of their organization's security hygiene and posture management. When spreadsheets are involved, security and IT personnel can spend hours and days gathering and normalizing data, deduplicating and checking data integrity and ultimately establishing a static asset inventory. Aside from process overhead, this approach to asset inventory creates a mere snapshot that becomes less and less accurate over time. Even if it were 100% accurate, IT and security teams must still analyze the data, prioritize remediation actions and then track risk mitigation.
- 73% of security professionals said their organizations have strong awareness of about 80% of their total assets. Based on my experience, 80% seems like a stretch, but let's assume this is true. It means that 20% of assets remain unmanaged, poorly managed or completely unknown. In this case, what you don't know can hurt you.
- 68% of security professionals said that, while their organization recognizes the importance of security hygiene and posture management, it can be difficult to decide on the highest priority risk mitigation actions to take. CISOs realize they need comprehensive visibility, but more asset, configuration and vulnerability data create an analytics bottleneck, which raises the question: Which of these issues is most critical and should be prioritized for remediation? This is one reason why so many security technologies are now built around machine learning, attack path mapping and risk scoring.
- 56% of security professionals claimed their organizations find it difficult to decide which assets are business-critical. I know it should be obvious to know which systems pay the bills, but it's not so easy. Business-critical systems may be connected to third-party websites. Development and test systems may include production data. A single mundane application service may be used by multiple customer-facing applications. Cloud-native applications and DevOps often push new code into production several times a week, making things even harder. Business-critical systems may be comprised of dozens of connected and changing assets that are owned by different groups. This exacerbates already existing complexity.
- 50% of security professionals said it is difficult to keep up with security hygiene and posture management due to growth and frequent changes in their attack surface. More than half (62%) of organizations said their attack surface has grown over the past two years, driven by third-party IT connections, a growing pool of remote workers, increasing use of public cloud and digital transformation initiatives. In other words: More assets, more problems.
CISOs try to address problems at scale
CISOs see these problems and realize that things are getting out of hand. The research also pointed to the following steps organizations are taking to address security hygiene and posture management at scale:
- 92% of organizations are interested in investigating emerging technologies for security hygiene and posture management. Consider the following technologies:
- Attack surface management offered by CyCognito, Detectify, Mandiant, Microsoft, Palo Alto Networks and others.
- Security asset management offered by Axonius, Brinqa, Interpres Security, JupiterOne, Panaseer and more.
- Risk-based vulnerability management offered by Kenna Security, a Cisco company; Qualys; Rapid7; Tenable and others.
Regardless of the category, these tools are designed to provide visibility into blind spots, aggregate and analyze siloed data, and deliver some type of risk-based guidance on which issues to prioritize. Historically, security hygiene and posture management technologies received little venture capital funding, but given the growing attack surface and sophisticated threats the Silicon Valley Sand Hill Road crowd is jumping onboard.
- 83% of organizations prioritize security hygiene and posture management mostly or only for business-critical assets. This is crown jewel security, where organizations focus security controls and monitoring around their most important assets. I get it, but this approach isn't effective when those assets are constantly changing, and everything is connected to everything. Crown jewel security is a good place to start, but it should be followed by more comprehensive security hygiene and posture management coverage.
- 81% of organizations use the Mitre ATT&CK framework to help identify security hygiene and posture management priorities. In this case, the framework provides a map of adversary tactics, techniques and procedures. Security teams can focus on adversaries and campaigns most likely to target them like those based on industry, region and historical attack patterns. The teams can then lock down the assets hackers use in those attacks -- such as particular Common Vulnerabilities and Exposures used for exploits -- and run penetration testing or red teaming to validate security defenses. Automated testing tools from vendors such as AttackIQ, Cymulate, Randori and SafeBreach are often used as part of this process.
Soon after I joined Enterprise Strategy Group in 2003, I gave a presentation on vulnerability management at a security conference. I talked about best practices, division of labor and tools. When it was time for the Q&A, a few audience members posed the following questions: "How do we know we've discovered all the assets?" and "How do we prioritize which vulnerabilities to patch?"
Twenty years later, our research indicates we haven't adequately answered those questions, while the scale of the problems has increased exponentially. Our windows and doors are fragile and often open when we think they're strong and locked. Without a security hygiene and posture management baseline, cybersecurity protection becomes little more than a roll of the dice.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.