6 Essential Components of a Tough Security Posture

Featured article by Jeff Broth

Security posture, a popular buzzword in the cybersecurity field of late, is more than just installing security controls and formulating a security policy or protocol. It is about overall cybersecurity strength and the ability of an organization to predict, stop, and respond to evolving cyber threats. It entails the assurance that an organization’s cyber defenses are effective and, in case breaches happen, an organization can competently mitigate and remediate the impact.

It is not enough for organizations to have their antiviruses, firewalls, and endpoint security tools in place. There are other measures and factors to take into account. A formidable security posture has to include the following.

1. Suitable security controls 

It’s easy to find antivirus or firewall applications to install on a company’s computers. What’s more challenging and something many tend to disregard is the selection of the right security controls. There is no “one size fits all” solution when it comes to cybersecurity.

“Determining which practices, controls and countermeasures will work best in a given organization is based on that organization’s own needs: what works for it culturally, the level of risk that its business is subject to, and so on,” explains Ed Moyle, a cybersecurity expert who was once the Director of Thought Leadership at ISACA and a partner and high-ranking officer at a number of cybersecurity companies.

The cybersecurity defenses and strategies that work for a large hospital tend to be different from what would be effective and efficient for a FinTech company. The security controls deemed to be the best for a corporate entity may not be that great for a government agency. Organizations need to pick the antivirus, firewall, EDR system, and other tools that are most suitable for their specific requirements.

2. Automated and continuous security validation

After implementing the security controls that are deemed the best for the organization, it is important to examine if they work as advertised. Security validation is crucial as it ascertains the real-world efficacy of the security solutions. This process is impractical to do manually, so automated security posture management is essential.

Most organizations employ numerous security controls, and monitoring all of them one by one is not only going to be tedious; the process is also prone to errors. This is particularly true for organizations with an inexperienced IT team. It would be better to rely on a solution developed by experts, as they readily present the significant details organizations need to see to properly evaluate their security posture.

It is also essential to emphasize here that security validation should be a continuous process. Cybercriminals do not need days or months to consummate an attack. A few minutes would be enough for them to activate backdoors or drop a payload of malicious software to corrupt files, steal data, or hold an organization’s data hostage (through encryption) for a ransom. There should be no instance of weakness or vulnerability in an organization’s security posture, something that can only be achieved with automated continuous security validation.

3. Risk prioritization

It is impossible to address all attacks at the same time. There will be many instances when an organization gets swamped by a multitude of attacks targeting different areas of operation. Organizations must have a logical plan or protocol in addressing such cases. The core goal is to minimize damage or, better yet, avert an attack.

It is recommended to have a thorough analysis of all the risks an organization may face. The MITRE ATT&CK framework, which is integrated in a number of security validation platforms, can serve as a guide for this. It can help in identifying the different threats, anticipating their actions including their lateral movements, and implementing effective mitigating and remediating courses of action.

4. Security metrics

It would greatly help to quantify the state of an organization’s security posture. Coming up with security metrics allows organizations to more clearly see the state of their cyber threat preparedness. Also, these metrics make it easy to spot the departments or sections that require more urgent attention and resource allocation. It is useful in determining priorities when dealing with different kinds of risks.

Examples of security metrics organizations should start paying attention to include detected intrusion attempts, incident rates, response times, remediation time, the level of severity of each attack, vulnerability patch response times, the volume of data an organization generates, and potential exposure to threats. Organizations may also examine their metrics in comparison to industry numbers or the metrics generated by similar organizations.

5. Carefully thought out access privileges

The granting of administrative access privileges has to be meticulously decided upon. As much as possible, organizations should maintain a “least privilege policy.” This means that administrative privileges should stay with the most trustworthy people in an organization. Access rights should not be given out whimsically.

For teams that are doing certain projects, the privileges granted to them should be based on the specific tasks they are expected to complete, no more no less.  Some may consider this too restrictive or inflexible, but its benefits are far greater than the drawbacks.

Allowing too many people to have high-level access rights to an organization’s IT resources is a big no-no. As mentioned, humans are still the weakest link in the cybersecurity chain. Giving them unregulated and unplanned privileges is just like surrendering an organization’s entire security posture to bad actors.

6. Employee education

No matter how strong the cyber defenses of an organization are, they can easily be rendered ineffective when the people in an organization ignore them or interfere in their functions. Employees or those in the management may wittingly or unwittingly become tools for cybercriminals to succeed in their attacks.

To counter this pernicious problem, it is crucial to provide the right amount of cybersecurity education to everyone in an organization. “Technology is important, but the old expression that ‘humans are the weakest link’ in any cybersecurity program seems truer than ever. Employee training is a critical line of defense,” writes tech journalist Tam Harbert in a piece on the Society for Human Resource Management (SHRM) website.

This makes perfect sense considering how effective phishing, smishing, and other social engineering attacks are. Even those who have an idea of how certain social engineering schemes work still fall prey to these attacks. Imagine how those who are completely clueless would fare.

In summary

Creating a formidable security posture is definitely not going to be a walk in the park. However, it is not impossible or too difficult to accomplish. With the right security controls, continuous security validation, security metrics, and risk prioritization, organizations can effectively deal with more aggressive and sophisticated attacks.

Limited access privileges and security metrics also help strengthen or rectify the weaknesses in an organization. Additionally, employee training is something organizations should not forget. The cybersecurity awareness of everyone in an organization can make or break a security posture.