How can your company reduce the risk of a successful cyber attack and create a defensible network?
It’s best to start with the three don’ts:
Don’t assume network engineers are immune to misconfiguring devices (firewalls, switches, and routers included) when they change the network to meet operational requirements.
Human error creates some of the most significant security risks. It is usually not the result of malicious intent, just carelessness. Technicians can inadvertently misconfigure devices and, as a result, fail to comply with network policy, creating vulnerabilities. If not closely monitored, configuration deviation can lead to significant business risk.
Don’t underestimate the risk of unsegmented networks in the belief that they improve operational efficiency and reduce network complexity. The risk far outweighs the reward.
Many examples of network breaches could have been much less devastating if sufficient network segmentation had been implemented. The 2017 Equifax data breach is a prime example and resulted in Equifax having to pay up to $425 million in an agreement made with the Federal Trade Commission and the Consumer Financial Protection Bureau to help those affected.
Don’t believe that applying software patches annually and auditing the perimeter of just a handful of devices is adequate to keep your network secure.
Configuration errors cannot be fixed the way software vulnerabilities are: a misconfiguration persists through every patch update until a network engineer discovers and corrects it. Misconfigurations therefore need to be continually discovered and mitigated as part of your daily cyber hygiene processes. This is an important first step in a zero-trust security strategy.
All of this requires changing your mindset to accept that security risks are now so important that you must properly invest in managing them before they cause critical business problems.
Where do you start? There are three things that will help you achieve better cyber security safeguards and improve cyber hygiene.
Segment your network: divide it into subnets. One way is to create separate areas within a network protected by firewalls and secure routers that are configured to reject unauthorized traffic. By preventing lateral movement within the network, you can limit the amount of damage caused by bad actors during an attack.
Network segmentation is a strong security measure that is often underutilized by network security teams. In today’s threat landscape with increasingly sophisticated attacks, successful prevention of network breaches cannot be guaranteed. However, a network segmentation strategy, when implemented correctly, can mitigate those risks by effectively isolating attacks to minimize damage.
With a well-planned segmented network, it’s easier for teams to monitor the network, quickly identify threats, and isolate incidents. It also lets you test each network device (firewall, switch, and router) for misconfigurations more frequently on critical network segments than on administrative ones. This can help reduce the mean time to detection (MTTD) and mean time to remediation (MTTR) of critical risks, both of which are key goals for security teams.
Meet and maintain compliance requirements. Compliance is one way organizations can manage risk, but too often it’s a resource-intensive process that doesn’t lead to a significant improvement in security posture. This is because, in the past, it was enough to show that a sample of devices was compliant, but not anymore. Networks need to be continually evaluated, and regulators are taking note.
Segmenting a network can make it easier to manage your compliance requirements and to take a targeted approach to enforcing policies. You can segment data by degree of sensitivity, and regulated data can be separated from other systems. For example, PCI DSS only applies to your Cardholder Data Environment (CDE), so effective network segmentation reduces the burden of PCI DSS compliance.
If you are in the federal supply chain, you are now subject to the CMMC or NIST 800-171 standards. A well-segmented network can help you meet mandatory compliance reporting requirements to remain eligible to work on government contracts.
Adopt a zero-trust mindset. Recognize that you cannot trust your network, applications, or employees to be secure, and assume that you have been or will be compromised. Embracing zero trust means investing in people, processes, and best-in-class security automation to continuously validate that those employees, networks, and applications are secure, and that your business operations, customers, people, and data are secure.
Adoption of this mindset is growing. For example, the Department of Defense released its first zero-trust framework last year, outlining the steps agencies must take to achieve an effective zero-trust architecture. But it may take a major corporate collapse, with devastating shareholder and employee losses followed by personal and corporate regulatory sanctions, for companies in other sectors to open their eyes and act with the speed and scale necessary to effectively secure their networks.
The best way to achieve success in all three strategies is to take an ongoing approach to assessing and monitoring devices. This means verifying everything as part of an ongoing process, because a device that is secure today may not be tomorrow. Whether it’s a simple internal error resulting in a configuration drift or a malicious attack enabled by lateral movement through your network, you can’t assure yourself or your regulators that your network will remain rock-solid if you don’t verify and repair repeatedly.
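The following script is an added illustration (not code from the article or any product it describes) of the two recurring checks the article calls for: detecting configuration drift against a golden baseline, and flagging firewall rules that permit cross-segment traffic the segmentation policy does not allow. The device config lines use a constructed Cisco-style ACL syntax, and the segment names, address ranges and allowed flow are hypothetical.

```python
import ipaddress

# Constructed segment map and flow policy (hypothetical; not from the article).
SEGMENTS = {"users": ipaddress.ip_network("10.1.0.0/16"),
            "cde": ipaddress.ip_network("10.9.0.0/24")}
ALLOWED = {("users", "cde", "443")}  # the only permitted cross-segment flow

# Constructed golden baseline and a running config that has drifted from it.
GOLDEN = """service password-encryption
no ip http server
access-list 110 permit tcp 10.1.0.0 0.0.255.255 10.9.0.0 0.0.0.255 eq 443""".splitlines()
RUNNING = """no ip http server
access-list 110 permit tcp 10.1.0.0 0.0.255.255 10.9.0.0 0.0.0.255 eq 443
access-list 110 permit tcp any 10.9.0.0 0.0.0.255 eq 22""".splitlines()

def normalize(lines):
    """Keep substantive statements only (drop blanks and '!' separators)."""
    return {ln.strip() for ln in lines if ln.strip() and not ln.startswith("!")}

def drift(running, golden):
    """Return (missing, unexpected) statements relative to the baseline."""
    run, gold = normalize(running), normalize(golden)
    return sorted(gold - run), sorted(run - gold)

def endpoint(tokens):
    """Consume 'any' or 'addr wildcard'; return (segment, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    wild = int(ipaddress.ip_address(tokens[1]))  # assumes a contiguous wildcard
    net = ipaddress.ip_network((tokens[0], 32 - bin(wild).count("1")), strict=False)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name, tokens[2:]
    return "other", tokens[2:]

def policy_violations(running):
    """Return permit rules that allow a cross-segment flow outside ALLOWED."""
    bad = []
    for line in sorted(normalize(running)):
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, rest = endpoint(t[4:])
        dst, rest = endpoint(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
        if src == dst and src != "any":
            continue  # intra-segment traffic is not a segmentation question
        if (src, dst, port) not in ALLOWED:
            bad.append(line)
    return bad
```

Run `drift(RUNNING, GOLDEN)` and `policy_violations(RUNNING)` on a schedule against each device's exported configuration; the first reports the dropped `service password-encryption` line, the second the new SSH rule from any source into the CDE.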
Traditionally, assessing the security status of a network meant staff performing device penetration tests. Even under the best of circumstances this is inefficient: it is time-consuming, requires many skilled personnel, and covers only a few devices. As a result, these assessments are narrow in scope and infrequent, and risks go unnoticed for extended periods.
You need to invest in a tool that delivers accurate, prioritized, and actionable network risk information: one that shows your teams which vulnerabilities pose critical security risks and how to fix them, wherever they are on the network. Automating the entire evaluation process is just the beginning.