This is the third and therefore the last part of our series of blogs about the options you have for making the right cyber-security choices for your organisation. In this blog, we address the more advanced measures that belong to level three.
Level 3: advanced measures
In the previous two blogs, the minimum requirements and the basic measures were discussed. As an organisation, you should have the minimum requirements in order. With the basic measures, specific products or services that are used for a specific purpose were examined. Thus, you basically pick the lowest hanging fruit in the area of cyber-security for your organisation.
The next measures take this another step further. The measures indicated as level one and level two mostly focus on the prevention of incidents. As the old saying goes, prevention is better than cure, and that applies here too. Within cyber-security, however, you arrive at a point where implementing additional preventive measures is no longer cost-efficient. Worse, these additional preventive measures may even make it impossible to work in a conventional manner. It is then important to focus on detection and mitigation, because no matter how you look at it, not everything can be prevented. In those instances, cure is necessary.
Set-up of your network
The basis of every IT infrastructure is a network. Networks come in all shapes and sizes: a network in your own data centre, at a service provider, or at one of the larger cloud providers. Network traffic already contains a considerable amount of information, information that you usually have no direct sight of. Analysing network traffic for threats gives you insight into suspicious activity before an attack succeeds, which offers you the possibility of stopping an attacker in a timely fashion.
It is also useful to look at more advanced resources to protect your endpoints: not a traditional anti-virus program, but a full-blown EDR (Endpoint Detection and Response) solution that, in addition to blocking malware, also collects data from the endpoint to support cyber-security analysis.
Data analysis is essential
In addition to this information from the network traffic and from the endpoints, you also have heaps of other relevant information within your organisation. Think, for instance, of information from Active Directory, the firewalls, the Office 365 Security Centre, the Windows Event Log, and much more. The difficult part of cyber-security is, consequently, staying in control of all this information and assessing it in relation to one another. There are SIEM solutions for this. SIEM stands for Security Information & Event Management. By connecting all systems to the SIEM, you receive all the security information in one location. Even better, the SIEM assists you in correlating these events.
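As an added illustration (not code from the original post or from any SIEM product), the kind of correlation rule a SIEM runs across the sources named above, in Python over constructed sample events: a burst of failed Windows logons (event 4625) followed by a success (4624) from the same address is only noteworthy once it is joined with the firewall and Office 365 events from that same address. All users, addresses and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from three sources, already normalised to one schema.
# Every user, IP address and timestamp below is invented for this example.
EVENTS = [
    {"ts": "2024-05-01T08:00:01", "source": "firewall", "action": "allow", "src_ip": "203.0.113.7", "dst_port": 3389},
    {"ts": "2024-05-01T08:00:05", "source": "windows", "event_id": 4625, "user": "j.doe", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T08:00:09", "source": "windows", "event_id": 4625, "user": "j.doe", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T08:00:14", "source": "windows", "event_id": 4625, "user": "j.doe", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T08:00:20", "source": "windows", "event_id": 4624, "user": "j.doe", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T08:01:00", "source": "o365", "operation": "MailboxLogin", "user": "j.doe", "src_ip": "203.0.113.7"},
    # Benign noise: a user who mistyped a password once from the office LAN.
    {"ts": "2024-05-01T08:02:00", "source": "windows", "event_id": 4625, "user": "a.smith", "src_ip": "10.0.0.23"},
    {"ts": "2024-05-01T08:02:10", "source": "windows", "event_id": 4624, "user": "a.smith", "src_ip": "10.0.0.23"},
]

FAIL_THRESHOLD = 3          # failures needed before a success becomes suspicious
WINDOW = timedelta(minutes=5)


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Flag a successful logon preceded by >= threshold failures for the same
    user and source IP inside the window, then enrich the alert with the
    non-Windows events (firewall, Office 365) seen from that IP in the same
    window. Returns a list of alert dicts; no single event triggers on its own."""
    events = sorted(events, key=lambda e: parse(e["ts"]))
    failures = defaultdict(list)          # (user, src_ip) -> failure timestamps
    alerts = []
    for e in events:
        if e["source"] != "windows":
            continue
        key, t = (e["user"], e["src_ip"]), parse(e["ts"])
        if e["event_id"] == 4625:
            failures[key].append(t)
        elif e["event_id"] == 4624:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                related = [x for x in events if x["src_ip"] == e["src_ip"]
                           and x["source"] != "windows"
                           and abs(parse(x["ts"]) - t) <= window]
                alerts.append({"user": e["user"], "src_ip": e["src_ip"],
                               "failures": len(recent), "success_at": e["ts"],
                               "related_sources": sorted({x["source"] for x in related})})
            failures[key].clear()         # a success closes the failure run
    return alerts
```

The single-failure logon by a.smith produces nothing, while the j.doe sequence yields one alert that already names the firewall and Office 365 records an analyst would otherwise have to look up by hand.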
In-company or outsourcing?
The conclusion is therefore that there are many tools to assist you. One of the most important questions in this area, however, is whether you want to operate these resources in-company. Is it in line with your services to set up a 24/7 cyber-security organisation and to make sure that it has the right knowledge and the right resources at its disposal? If the answer is ‘no’, then you can say that you are in the market for a Security Operations Centre (SOC). By purchasing a SOC as a service, you take advantage of its knowledge and expertise, but also of the capacity to monitor your infrastructure 24/7. The latter in particular is important, because cyber-criminals simply do not observe your office hours. How inconsiderate of them.
If you do have your own SOC, then you also need to maintain it. After all, it remains a race between the criminals and those who secure the assets. Of course, you need to keep knowledge up to date with training sessions, courses, workshops, and certifications. In addition, just as with awareness training, it is useful to assess whether it actually has the desired effect. You can do this by deploying red teaming, for instance. Put simply, this is a method where you give another party prior consent to try to hack you. Obviously, it is then important that your SOC spots this in a timely fashion and counters the attack. It goes without saying that, if the attack is not countered, this gives you a treasure-trove of information about the state of your SOC.
On paper it all sounds wonderful, but the steps that you want to take in this phase are most useful and have the biggest chance of success if cyber-security is actually embedded throughout the entire organisation. This means, for instance, that cyber-security aspects are included in the procurement process by default (that smart refrigerator we are going to buy, does it come with updates?). It also means that line management accepts ownership of its information flows and, consequently, accepts responsibility for implementing appropriate cyber-security measures and for the awareness training sessions that are part of the services portfolio of HRM / staff matters. Last but not least, it almost goes without saying that, for organisations in this phase, cyber-security is a standing item on the agenda of the board of directors, discussed as a matter of course and with a budget allocated to it as a matter of course.