Go Beyond Defense-in-Depth for Resilient Security
By Robert Lemos | Posted 2015-06-30
While defense-in-depth is a good concept for thinking about security, companies should focus on building a more resilient network to better protect their assets.
3. Put more effort into detection and response.
The layered focus of defense-in-depth strategies typically is heavy on prevention, but light on detection, response and remediation. Security programs need to focus more budget and effort on early detection of successful compromises and quick incident response, because every company has been, or will be, breached, says NCC Group's Whitehouse.
"The best programs make sure that, when things fail, the company has the processes and people to not only spot a compromise, but remediate it," he points out. "That is the biggest sea change we have seen. The rise of the internal response team has been unprecedented in the last five years."
4. Focus on people and processes over technology.
The majority of companies still purchase security products hoping for a silver bullet, but no security product protects against every—or even most—attacks. Pointing to breaches such as those at Sony Pictures Entertainment and the U.S. Office of Personnel Management, the University of Tampa's Clark says that attackers will always find the organizations with weak or outdated security.
"Cyber-criminals are targeting organizations that are paddling without a strategic direction or effective information security leadership," she explains. "Cyber-criminals are often successful in breaching organizations that put more than 75 percent of their efforts toward procuring what they hope will be silver-bullet technology solutions."
Only a minority of organizations focus on areas that actually improve security and manage risk, Clark adds. These include third-party oversight, employee security training, and improving the confidentiality, integrity and availability of data.
5. Size makes a difference.
Because skills and people matter so much to security, an organization's approach to defense depends on the size of its security team. Only larger teams typically have the resources to monitor and triage security events around the clock. Small teams need to focus on following up on critical alerts, remediating them quickly, and maintaining defenses by running vulnerability scans and training the user population.
With skilled security personnel in such short supply, companies may not be able to build the program they hope for, Clark says. Smaller organizations may have to bring in consultants and service providers to fill gaps in their security program. Such providers can help identify where the weaknesses in an organization's defenses lie by performing a risk assessment, reviewing third parties and creating policies for the safe handling of information.
In the end, there is no single recipe for security success, says CHNC's Bartolotta. "Every organization and every industry that could have sensitive information is unique," he says. "It is unique, not just because of what the company does and how it's organized, but because of what it has already invested in security."