“To know what you know and what you do not know, that is true knowledge.” — Confucious
Many use the term “security posture” liberally in conversations, presentations, and reports. According to the NIST Computer Security Resource Center, security posture is defined as: “The security status of an enterprise’s networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.”
OK. But what does that really mean?
Let’s take this opportunity to create a better working definition of what security posture is and should be in high-functioning cyber programs. From this definition, we will break down the necessary steps you need to take to achieve a better security posture. You CISOs and security types will need to put on your detective hats and put on your gumshoe glasses. Because the best way to understand what security posture means — and where your enterprise stands — is to ask the hard questions.
Do You Know What You Have?
The most crucial part of any effective security posture is to know what you have. By this, we mean, know what is operating on your networks. Know what IT assets your employees are using. Know where all your servers are — virtual and physical — and know what they are doing. Know what types of networking gear are running which networks. Know what IP addresses you own and what they are for. This is, of course, much harder than it sounds. And no enterprise ever has a perfect inventory of all assets. But in the past, far too much of this work of knowing what you have was splintered among siloed point solutions for different asset classes — hardware, software, SaaS, IaaS, mobile, network management, and IoT. And humans were tasked with manually pulling together all the information in spreadsheets, a process bound to generate errors and risks. For managing and optimizing the modern security posture, an automated, programmatic approach to building an asset inventory is required.
Do You Know Who, Where and When, What’s It Doing?
Related to the first section is your ability to answer not only what you have but who owns it, where it is or should be, and what it should be doing. The reality is, most breaches and security risks are not from Zero Days or APTs cracking directly into a network. Rather, most breaches and IoCs come through human interactions. That could be an insider attack (intentional) or spear-phishing and social engineering (unintentional). In any case, being able to immediately track a compromised asset back to an owner — who — is critical to both blocking an attack and to understanding the kill-chain the attacker is pursuing.
Where and when is also critical because often location and time of day are clear evidence of anomalies. For example, a piece of malware or a Trojan installed on a device or a network often broadcasts traffic to unrecognized IPs and sends data during off-hours to avoid detection. Or business email compromise gangs using compromised email systems often time communications to certain days of the week or leverage bank holidays in other countries to delay scrutiny of wire transfers. This gives them time to move the money out of reach. Lastly, knowing what all IT systems should be doing is a key piece of information for enforcing proper security policies. Unauthorized systems should not be attempting to access critical infrastructure or, for example, financial or security systems.
Do You Know Your Weaknesses?
Every organization has weaknesses due to the attack surface being incredibly convoluted and constantly changing. Security control configurations that worked six months ago may not work as well against new generations of attacks or when new capabilities and privileges are given to DevOps and CloudOps teams. API versions that were safe from abuse before become unsafe over time. There is no way to test everything all the time. But not testing at all is sheer madness. And testing as often as possible is the best way to know where the weaknesses in your security posture lie.
In other words, a real assessment of security posture should be data-driven and programmatic, constantly simulating real-world attacks. The only way to find weaknesses is to look for security risks on a regular schedule and compare results over time. This means constantly running playbooks and TTPs that attackers themselves have demonstrated in the wild. A continuous security testing program using real CVEs and real known attacks, mimicking tactics of real cyberattackers, can tell you where your defenses are weak and which controls are working as intended.
Answer the Question, Please.
Well, maybe not as aggressively as the detectives might ask on “The Wire”. But basic questions remain the best path to moving beyond a vague definition of security posture to a data-driven baseline and tracker of progress (or backsliding). And while we’re at it, let’s offer a new definition of security posture. “A defined set of procedures and processes, leveraging programmatic data gathering and automated testing running on and at regular and frequent intervals, that provides a detailed data picture of all the IT assets of an enterprise, including asset ownership, location, and expected behaviors. Security posture also includes a detailed listing of all known potential risks and vulnerabilities to an enterprise and efficacy of security controls against as many known attack types as possible.” That’s a little bit opinionated, but detectives tend to have strong opinions. We think CISOs should, too. Learn more about how to better manage your security posture.