Arms race anyone?

Today i was reading the updated Trend Micro 2017 Annual roundup of threats and it stuck me that all of the large vendors release their reports in the same manner, looking back over the past 3/6/9/12 months, analyzing the events, the methods and the  madness that is the cyber security challenge.

I compared this the the Fortinet Landscape report Q4 2017 and it makes for very interesting reading.

The main drive to all of the various reports is that the bad guys are escalating, whilst the good guys are being swamped and always playing catch up. But remember, this is from a singular vendor view.

Even if you could have every single vendor technology on your network ( assuming that they all play nicely together, which is never the case ) even then your still not totally secure as some bright bad guys will deploy something none of the vendors have ever seen before ( Zero-Day anyone? ) and your back to square one restoring a lot of data from backups.

Defense in depth dictates multiple defensive lines to frustrate and cause obstruction to the enemy to delay and confuse them. Same things also applies to Cyber Security. There are many thoughts on the layering approach, from individual layers responsible for specific threat types to multiple generic layers to isolation and barrier layers. Any amount of layers is better than one or none.

From a professional point of view, i see the defensive depth as being an absolute requirement today. There is no one single magic bullet that does it all, no matter which vendor tells you this, its mostly told to you by sales engineers with a % in their eye, sales people with a target to meet or those who truly have no experience with it.

So i have a little advice for you.. for free, as its a Friday and i’m feeling nice warm and fuzzy… And i’m assuming your mostly following best practices as your all professionals and seasons IT veterans..

  1. Deal with your Budget now!! Security isn’t cheap. It shouldn’t cost the earth or the total GDP of a small south american country, but expect to pay a chuck from your IT budget, or better still, create an IT security budget, ring fence it, spend it.
  2. Deal with your users first. They are on the front line and are the quickest route to your networks heart from the outside. Train them, drill them, test them, but make it fun as thats the best way to make the knowledge stick in their heads.
  3. Deal with the encryption now! When they get in ( notice its ‘when’ not ‘if’ ), make it a non worthwhile time-sink for them. The data they get is encrypted and its worthless to them. Make sure its properly encrypted and the keys are held away from the systems and cannot be reached by attackers.
  4. Deal with your detection next,  if you don’t know or can’t see, your disadvantage is on a truly galactic scale.
  5. Deal with DLP systems next, have in place auditing methodologies that will help you track down who, when, how, what. This will then help you to work out why and where. GDPR is fast coming and unless you can answer those questions and satisfy the ICO, your name is going to be up in bright lights here ( ) You cannot avoid it, its a legal requirement, don’t hide your head in the sand, deal with head on if you expect to survive.
  6. Finally, Spend your remaining budget on Endpoint security that works, spend it on training, spend it on buying the anti-threat systems that can either black-hole or isolate an infected machine on your network automatically. It takes less than 30 seconds for a drive by attack to drop an encryptor on a network workstation to start encrypting files. Your then spending days recovering from backup terabytes of files. I’ve seen this on a bad day, I’ve also seen systems protect and isolate an infected machine in seconds, so i know it works.

Have a good weekend!