These four guiding principles can serve as a useful starting guide to the organization's security policy in general and to the choice of the right technologies in particular. There is little advantage to be gained by piling on new technologies when little is known about what requires protection, what it requires protection against, or why the protection is required in the first place.
Selecting the right tools and technologies can be a daunting task, but again this should be approached strategically and systematically, using the organization's Policy & Compliance requirements, Knowledge of the Network and Training capabilities as a guide. In some cases, aspects of these can be outsourced where internal capability is lacking and likely to present a security weakness, such as a skills or personnel shortage. Tools and technologies can be vetted and selected using the following as a starter guide:
- Perimeter Security
- Communication Security – Email, Messaging, Documents
- Endpoint & Device Security
- Identity & Internal Network Security
- Automation, Continuous Monitoring & Context
1. Perimeter Security
Cloud services, mobile devices and shadow IT have all contributed to moving the network perimeter beyond a fixed physical location. Users may use several mobile devices to access both personal and corporate data from different locations, at work and elsewhere. However, where a network perimeter still needs to be protected, as in the case of a data center or cloud environment, the following protections should be considered in their physical or virtual equivalents:
- Firewall (Stateful, Next Generation, API capable)
- Anti-Botnet and Botnet Activity Detection
- Anti-malware
- IPS – Intrusion Prevention System
- Encrypted Content Decryption (e.g. HTTPS Inspection)
- Web Security – Web and Application Control
- Sandboxing and Emulation
2. Communication Security – Email, Messaging, Documents
- Anti-Spam & Anti-malware
- Anti-Phishing and Malicious Link detection
- BEC (Business Email Compromise) prevention with Intelligence capability
- Email Security
- Messaging Security
- Document Security
- Physical Filing Systems Security
3. Endpoint & Device Security
In most cases, endpoint protection systems serve as the last line of defense in the network security strategy. The security measures implemented on the endpoint therefore need context, intelligence and real-time decision making to deal with known and unknown threats, however sophisticated they are. Some of the most useful capabilities are:
- Application Control (Default Deny / Allow List)
- Detection and Response with AI
- Disk Encryption
- Exploit Prevention
- Firewall (Network layers and Application)
- Forensics Capability
- Port and Media Security
- Heuristics & Sandboxing
- Host-based Micro-segmentation
- Mobile Device Management
- Host Web Security
4. Identity & Internal Network Security
In many cases, breaches begin with compromised credentials and/or a vulnerability in a target system. User and device identity verification and authorization, irrespective of location, should be a key component: the user is only allowed in if the correct identity is presented and the device is also verified. On top of that, authorization should be granted not to the whole network but to the specific resource requested; Single Packet Authorization (SPA) is one example. Vulnerabilities can be inherent in the system or arise from misconfiguration by the user of the system. Misconfiguration occurs where best practice has not been followed or the administrator lacks the knowledge to use the technology. Some of the protections under the scope of Identity and Internal Network Security are:
- Asset Inventory and
- Identity and Access Management
- Data Security and Encryption (Data at rest, Data in motion & Data in-use)
- Host-to-Host Context & Communication Mapping System (App Dependency Mapping)
- NAC - Network Access Control
- Threat Hunting (Proactive & Passive)
- Vulnerability and Patch Management
- Physical Security (Swipe Cards, Automatic Locks, Alarm Systems, CCTV)
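The paragraph above describes a gate that checks the user's identity, the device's enrollment and the specific resource requested, with Single Packet Authorization as the example mechanism. The following is an added illustration of that flow, written for this page rather than taken from any SPA product: the client proves who it is with one authenticated packet, and the gateway verifies the MAC, freshness and replay status, then checks that the device is enrolled to that user and that the user is granted the one named resource. The user names, device identifiers, pre-shared keys and resource names are constructed for the example.

```python
"""Single Packet Authorization style gate (constructed example).

The client sends one authenticated packet naming the user, the device and the
resource it wants. The gateway admits the sender only to that resource, and
only if the user is known, the MAC verifies under that user's key, the packet
is fresh, it has not been replayed, the device is enrolled to the user and the
user is granted the resource. All keys, users, devices and resources are made up.
"""
import base64
import hashlib
import hmac
import json

MAC_LEN = 32  # HMAC-SHA256 digest length appended to the packet body

# Constructed directory: per-user pre-shared keys, device enrollment, resource grants.
USER_KEYS = {"alice": b"alice-preshared-key-example", "bob": b"bob-preshared-key-example"}
ENROLLED_DEVICES = {"laptop-0a1b": "alice", "desktop-7f3e": "bob"}
RESOURCE_GRANTS = {"alice": {"ssh-jump"}, "bob": {"ssh-jump", "rdp-fileserver"}}


def build_spa_packet(user, key, device_id, service, ts, nonce):
    """Client side: serialise the request deterministically and append an HMAC over it."""
    body = json.dumps(
        {"user": user, "device": device_id, "service": service, "ts": ts, "nonce": nonce},
        sort_keys=True,
    ).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac)


def verify_spa_packet(packet, seen_nonces, now, max_skew=30):
    """Gateway side. Returns (decision, reason).

    decision is None on reject; otherwise a (user, service) pair that the
    firewall may open for this sender. seen_nonces is mutated on success so a
    captured packet cannot be replayed within the freshness window.
    """
    try:
        raw = base64.b64decode(packet, validate=True)
        body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        msg = json.loads(body)
        user, device, service, nonce = msg["user"], msg["device"], msg["service"], msg["nonce"]
        ts = int(msg["ts"])
        if not all(isinstance(v, str) for v in (user, device, service, nonce)):
            raise ValueError("field types")
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    key = USER_KEYS.get(user)
    if key is None:
        return None, "unknown user"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None, "bad mac"
    if abs(now - ts) > max_skew:  # freshness window, in seconds
        return None, "stale"
    if nonce in seen_nonces:
        return None, "replay"
    if ENROLLED_DEVICES.get(device) != user:  # device must be enrolled to this user
        return None, "device not enrolled to user"
    if service not in RESOURCE_GRANTS.get(user, set()):  # per-resource, not per-network
        return None, "not authorized for resource"
    seen_nonces.add(nonce)
    return (user, service), "ok"


if __name__ == "__main__":
    seen = set()
    pkt = build_spa_packet("alice", USER_KEYS["alice"], "laptop-0a1b", "ssh-jump", 1_700_000_000, "n1")
    print(verify_spa_packet(pkt, seen, 1_700_000_010))  # (('alice', 'ssh-jump'), 'ok')
    print(verify_spa_packet(pkt, seen, 1_700_000_010))  # (None, 'replay')
```

The order of the checks matters: the MAC is verified before any field is trusted, and the nonce is only recorded once every other check has passed, so a rejected packet cannot be used to burn a nonce. A real deployment would pair a successful decision with a firewall rule scoped to the sender's address and the one resource, and would expire the nonce set along with the freshness window.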
5. Automation, Continuous Monitoring & Context
The problems facing cybersecurity today are as much a problem of lacking visibility with context as they are a tool problem. Visibility, continuous monitoring and baselining normal behavior are key if anomalous behavior is to be detected easily.
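To make "baselining normal behavior" concrete, here is an added example (not part of the original article, and not tied to any particular monitoring product) that learns a per-host communication baseline from a window of flow records and then flags two kinds of anomaly in a later window: a peer the host has never talked to, and a daily volume far above what the baseline predicts. The log format, host names, ports and byte counts are all constructed for the example.

```python
"""Baseline-and-anomaly detection over constructed flow records.

Each record is one line of the form "<epoch> <src> -> <dst>:<port> bytes=<n>".
learn_baseline() summarises, per (src, dst, port), the daily byte totals seen
during the learning window; detect() then reports peers absent from the
baseline and daily totals that exceed mean + max(sigma*stdev, margin*mean).
"""
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\w.-]+) -> (?P<dst>[\w.-]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "day": int(d["ts"]) // 86400,  # bucket by calendar day of the epoch timestamp
        "src": d["src"],
        "dst": d["dst"],
        "port": int(d["port"]),
        "bytes": int(d["bytes"]),
    }


def daily_totals(lines):
    """Map (src, dst, port) -> {day: total bytes}, skipping unparseable lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in filter(None, map(parse, lines)):
        totals[(rec["src"], rec["dst"], rec["port"])][rec["day"]] += rec["bytes"]
    return totals


def learn_baseline(lines):
    """Per peer key, the mean and population stdev of its daily byte totals."""
    return {
        key: (statistics.fmean(per_day.values()), statistics.pstdev(per_day.values()))
        for key, per_day in daily_totals(lines).items()
    }


def detect(baseline, lines, sigma=3.0, min_margin=0.2):
    """Return (kind, key, day, total) alerts for the evaluation window.

    min_margin keeps a peer with a perfectly constant history (stdev 0) from
    alerting on a trivial change; sigma scales the tolerance for noisy peers.
    """
    alerts = []
    for key, per_day in sorted(daily_totals(lines).items()):
        for day, total in sorted(per_day.items()):
            if key not in baseline:
                alerts.append(("new_peer", key, day, total))
                continue
            mean, sd = baseline[key]
            threshold = mean + max(sigma * sd, min_margin * mean)
            if total > threshold:
                alerts.append(("volume_spike", key, day, total))
    return alerts


def make_baseline_log():
    """Constructed learning window: seven days of routine traffic for two hosts."""
    lines = []
    for day in range(7):
        base = day * 86400
        lines.append(f"{base + 3600} ws-01 -> fileserver:445 bytes={50000 + 1000 * day}")
        lines.append(f"{base + 7200} ws-01 -> proxy:3128 bytes={200000 + 5000 * (day % 3)}")
        lines.append(f"{base + 3700} ws-02 -> fileserver:445 bytes=30000")
    return lines


# Constructed evaluation window (day 7): two routine flows, one new peer, one spike.
EVAL_LOG = [
    "604800 ws-01 -> fileserver:445 bytes=53000",
    "608400 ws-01 -> proxy:3128 bytes=205000",
    "610000 ws-01 -> ext-host:4444 bytes=900",
    "605000 ws-02 -> fileserver:445 bytes=1400000",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in detect(learn_baseline(make_baseline_log()), EVAL_LOG):
        print(alert)
```

The two alert kinds correspond to the two things the paragraph asks monitoring to provide: a map of what normally talks to what (so a new peer stands out regardless of volume) and a quantitative norm per relationship (so a familiar peer moving far more data than usual also stands out). In practice the baseline is re-learned on a rolling window so that legitimate changes age into "normal" rather than alerting forever.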
The features and technology examples detailed above are not intended as an exhaustive list but merely a guide in the selection of the right tools and technologies. Where possible and efficient to do so, it is advisable to consolidate features into a single offering. For example, a Host-based segmentation solution should also be able to provide application dependency mapping and third-party integrations into a Security Information and Event Management (SIEM) or Configuration Management Database (CMDB) solution. Another example is that a perimeter firewall should also be able to consolidate IPS, Threat Emulation, Anti-malware, and Botnet prevention capabilities.