During a national series of conferences held by a large Australian systems integrator in 2019, I had the good fortune of presenting on The State of Cyber Security and how “Simplicity is the Ultimate Sophistication”. In these sessions, based largely on the dozens of assurance assessments I delivered, I spoke of four key areas we need to improve. These were too many layers, a lack of integration, inadequate visibility, and human error. Ultimately, they are all linked to each other.
The fact remains that our current state of trying to defend ourselves from the mountain of evolving cyber threats is complex and misunderstood, and it is the subject of a million ideas about how we “should” be fixing the problem but no consensus on the way forward. Some advocate a “shiny boxes and flashing lights” approach, adding to an already-convoluted environment, while others promote an “observe and report” approach without a lot of meaningful action.
One of the best quotes exemplifying this is “Intention without action is useless” ~Carolyn Myss
An Information Assurance Ecosystem? What Is It?
You may call it a Cybersecurity Ecosystem, or a platform approach, or any of a number of things that may or may not be accurate, but I prefer to call it an “Information Assurance Ecosystem”. Whether or not you agree, just hear me out and then decide. In my view, this ecosystem is composed of both technical and administrative controls, but it also uses as few layers as possible to create a defence in depth architecture in which each of the individual pieces integrates with the others. Visibility is improved by removing gaps and overlaps, which ultimately leads to reduced human error, almost universally agreed to be the core of most incidents either directly or indirectly.
My opinion on solutions is that they are never products alone; the products must be accompanied by the services and governance needed to design, implement, operate, and manage them to their full benefit. How many times have you seen a business buy a new piece of equipment only to use a small portion of it, or invest in new software without using all of the features? We buy the final vision rather than understand what it takes to achieve it – sort of like buying the idea of a gold medal without undertaking the training needed to win the race.
An Information Assurance Ecosystem begins with a consultative approach to understand the desired outcomes and the necessary and available inputs, and it clearly defines milestones and dependencies while minimising assumptions and uncontrollable variables. Long story short, we first define what we want and how to get there long before a product is mentioned, and then fill in the blanks with best-of-breed and fit-for-purpose systems. It’s worth noting that those two things are neither mutually exclusive nor mutually inclusive, because it doesn’t matter where a product rates according to the experts; it matters how well it addresses the customer’s needs.
The second part of the Information Assurance Ecosystem is establishing how all the pieces work together at a high level and building a cohesive workflow between the administrative and technical controls. Identification of any roadblocks is critical; a roadblock can be a department that refuses to participate, two systems that won’t communicate, or incomplete or nonsensical inputs and outputs. Sort out any single points of failure, such as a single device that can break continuity, or a role based on an individual rather than a group. Think about the weakest links in the chain and how to mitigate, accept, transfer, or eliminate the risk (the MATE principle). Hey, I’m Australian, after all!
Third, you start to sort out the “plumbing” of your ecosystem and the pieces that will make it up. A thorough understanding of your business is necessary here, because the technology is supposed to enable your business, not be the business itself or a hindrance in its own right. Look at all options from all vendors, depending on what you need to do. Set your allegiances and allies aside; this is your ecosystem, so choose wisely. Better still, get the right people involved and ask the right questions to save a ton of heartbreak later on, when your grand vision is composed of duct tape and chicken wire and “sort of” works. Avoid the “that’ll do” and the “ready-fire-aim” approaches.
Fourth, it’s time to plug it together and set it up. Be aware that this can take time, patience, and money, but keep your eye on the end goal and never lose sight of it. In the end, your Information Assurance Ecosystem must be simple, sophisticated, and sustainable. It should also be repeatable, scalable, and maintainable without having to break the bank.
Thankfully, with the advances in cloud computing from some of the biggest tech companies in the world, you can buy a pretty good framework for your own Information Assurance Ecosystem. A perfect example of a company that is getting to this point is Microsoft, which, by all accounts, has just about everything you need to get started and keep going. That said, be sure to look at all your options – this is all about what works best for you, your budget, and your organisation.
I know that all sounds like a lot of high-level fluff, but I’m trying to outline that you don’t buy a solution; you build a solution and it has to be a methodical approach. If you get lost or confused, give us a call and we’ll help you.
Seems like a lot to do. Where Do I Start?
The first thing you want to do is create a plan that is focused on helping the organisation achieve its cybersecurity objectives. Are you looking to prevent the loss of critical intellectual property? Do you want to streamline the processes of on-boarding and off-boarding employees? Improve your ability to detect and respond to incidents? Gain awareness on what is happening in real-time in your finance systems? The first objective is to understand the business and the second is to understand how to protect its systems and data. The third is what needs to happen to enable that protection and the fourth is to ensure that what you implement is sustainable, manageable, and adaptable.
Using a consultative approach, engage external expertise if needed to help define what needs to be done and how to achieve it. Trying to “go it alone” or handle it internally sometimes overlooks critical elements and lacks the end-to-end visibility or understanding needed. That, and we’re all busy with our normal jobs and don’t have the capacity to be proactive rather than reactive. Be sure to look beyond the technology; it’s the people, process, and environment that really matter.
With a plan in place (and understanding that adjustments may need to be made along the way), take stock of everything. On the administrative side of things, review all of your policies and procedures and identify the gaps and overlaps within your governance and risk management. Do they reflect the current state of business in your organisation? Do they allow for current legislative considerations such as GDPR? Are they signed off by management and enforceable? Are they clear, concise, and without ambiguity?
Looking at the technology, are there systems and services that are legacy, cannot be updated, and present a risk? Do you have several disjointed tools and applications that “sort of” do the same thing in different ways? Are there similar tools used by separate groups that could be consolidated? Are there technologies that you have invested in but don’t use to their full potential? As with the administrative side, identify the gaps and overlaps and then streamline your operations. Don’t chase your losses – if it’s not working, stop doing it, get rid of it, and replace it. This often happens when businesses buy the latest and greatest tech but only use it for a limited purpose. For example, buying the Microsoft 365 E5 license but only using the Data Loss Prevention (DLP) component, or a new Unified Threat Management (UTM) appliance but only using the firewall service. Even more common: having the latest Endpoint Detection and Response (EDR) protection but only ever using the anti-virus service.
So that’s Process and Technology; what about People and Environment? Environment means taking stock of the workspace in which everything else resides. Is your datacentre suitable? For example, a stock room in your office that also serves as storage for paper products and kitchen supplies is not ideal. Maybe you use a co-location datacentre – is it fit for purpose? Maybe you’re migrating systems to the cloud.
Regardless, take stock of where all your systems reside and ensure Confidentiality, Integrity, and Availability (the CIA Triad). After datacentres and communications rooms, look at the rest of the workspace – are your employees secure, along with the data, while they use it? Is there any technology exposed in public areas, like IP phones, that could be unplugged and replaced with an intruder’s laptop connected to the same port? Vulnerability Assessments should consider the environment from connectivity, power, and cooling right down to ingress and egress points and the ability of an intruder to access and exploit technology.
The “people” element of an Information Assurance Ecosystem is one of the most critical, yet most difficult, elements to address, and it includes everyone, not just the IT department. Every person involved in the organisation is a stakeholder in this regard, because if the enterprise is no longer viable, then they may no longer have an income. Ensure you have the right people in the right roles and that they’re aware of their responsibilities. Awareness training that targets behaviour and safety is preferable to the traditional yes / no, “don’t do that” approach. If you don’t have dedicated security staff, like many don’t, consider outsourcing this to a trusted provider to handle the assurance operations. I can recommend a few if you like.
I know this is a lot to take in, but do yourself a favour and get some help. As an insider with a vested interest in your business, you may be biased and unable to take an objective approach. Ask a lot of questions and be sure you get everything sorted before proceeding with putting it all together. It sounds like a cliché but failing to plan really is planning to fail.
OK, done. So… How Do I Make It Work?
If you’ve followed the above advice, you now have a grasp on where you stand with both the administrative and technical controls, and you understand what you need with regard to people, process, environment, and technology. You know what you need to accomplish, what the required inputs are, and what the required outputs will be, with a clearly defined, end-to-end workflow. There should be no single points of failure (and if there are, they are accepted risks), and the Information Assurance Ecosystem is understood, accepted, and supported by the majority, with senior management and executive oversight.
From a people perspective, ensure that you have an educated, aware, and enabled workforce where key staff are aware of their roles in information assurance. Ideally, you will have someone in charge of overall information assurance, even if only on a part-time basis, who has the resources they need to be successful. If need be, consider using a trusted third party to manage this for you. Accountability will be critical, and communication is vital to ensure that systems and data are adequately protected and that users are safeguarded. Businesses are made up of people, not just systems and data.
From a process perspective, ensure all policies and procedures are up to date, validated, reflective of the current state of the business, address the current threat landscape, and are aligned with the mission and purpose of the business. Ensure that people understand the policies and their rationale, and that they’re enforceable. When it comes to incident response procedures and those for Disaster Recovery and Business Continuity, be sure to test them regularly, both as a tabletop (mock DR exercise) and in anger by staging an annual DR/BCP test in real time. Plans are useless unless you can count on them! Policies and procedures must be more than just paperwork; they must be a way of doing things in real life.
Think for a moment. If you refuse to test your DR/BCP plan because of potential disruption, how can you count on it when you really need it? Recent environmental disasters illustrate the need for a solid strategy that works.
For environment considerations, be sure that your cloud, on-premises, co-location, or hosted environments are fit for purpose, secure, and well maintained by whoever is providing the services. Ensure that your workspace is safe for employees and that everyone is using safe work habits (no passwords on sticky notes, no confidential documents left on printers, no leaving workstations logged in while away for a long time, no ability for intruders to access your technology without safeguards, and so on). The environment in which you work and where your systems and data reside must be protected, even if that’s your home office or the temporary space you work in while on the road.
Finally, technology. Keep three things in mind: minimal layers, integrated systems, and visibility. A defence in depth strategy does not mean layer upon layer of technology. Rather, focus on technology that can do more within its own architecture. A perfect example is how we went from having separate firewalls, IDS/IPS, web filters, email filters, and anti-virus and malware protection to a single appliance that does all of this in one form factor, physical or virtual, or even entirely in the cloud. Another great example is Microsoft, whose offerings, such as the Microsoft 365 E5 license, give you access to all the bells and whistles in a ready-made ecosystem framework.
Whatever you choose as your core for your Information Assurance Ecosystem, most likely your “source of truth” like Active Directory, be sure it’s cleaned up before starting and that every object, from user accounts to computers to policies to configurations, is validated with all invalid and unused objects removed.
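One way to start the clean-up described above, as an added example that is not the author's code or any vendor's tooling: a read-only PowerShell report of stale Active Directory objects for a human to validate before anything is removed. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain-joined session with read access, and a 90-day inactivity window and output folder that are my assumptions, not the post's.

```powershell
# Added example: read-only AD hygiene report. Nothing in the directory is changed;
# every finding is a candidate for review, not an automatic deletion.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$InactiveDays = 90                                 # assumed policy window
$Cutoff = (Get-Date).AddDays(-$InactiveDays)
$Span   = New-TimeSpan -Days $InactiveDays
$Out    = Join-Path $env:TEMP 'ad-hygiene'         # assumed output folder
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Enabled user and computer accounts with no logon inside the window.
$InactiveUsers = Search-ADAccount -AccountInactive -TimeSpan $Span -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName
$InactiveComputers = Search-ADAccount -AccountInactive -TimeSpan $Span -ComputersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, LastLogonDate, DistinguishedName

# 2. Accounts disabled before the cutoff but never deleted (parked leavers).
$StaleDisabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged |
    Where-Object { $_.whenChanged -lt $Cutoff } |
    Select-Object SamAccountName, whenChanged, DistinguishedName

# 3. Enabled accounts whose password never expires: each needs a documented exception.
$NeverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName

# 4. Security groups with no members, often left behind by finished projects.
$EmptyGroups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members |
    Where-Object { $_.Members.Count -eq 0 } |
    Select-Object Name, DistinguishedName

# 5. Group Policy Objects not linked to any site, domain or OU (dead configuration).
$UnlinkedGpos = Get-GPO -All | Where-Object {
    [xml]$Report = Get-GPOReport -Guid $_.Id -ReportType Xml
    -not $Report.GPO.LinksTo
} | Select-Object DisplayName, ModificationTime

# One CSV per finding type so each owner can review their own list.
$InactiveUsers     | Export-Csv (Join-Path $Out 'inactive-users.csv')     -NoTypeInformation
$InactiveComputers | Export-Csv (Join-Path $Out 'inactive-computers.csv') -NoTypeInformation
$StaleDisabled     | Export-Csv (Join-Path $Out 'stale-disabled.csv')     -NoTypeInformation
$NeverExpires      | Export-Csv (Join-Path $Out 'password-never-expires.csv') -NoTypeInformation
$EmptyGroups       | Export-Csv (Join-Path $Out 'empty-groups.csv')       -NoTypeInformation
$UnlinkedGpos      | Export-Csv (Join-Path $Out 'unlinked-gpos.csv')      -NoTypeInformation

[pscustomobject]@{
    InactiveUsers     = @($InactiveUsers).Count
    InactiveComputers = @($InactiveComputers).Count
    StaleDisabled     = @($StaleDisabled).Count
    PasswordNeverExp  = @($NeverExpires).Count
    EmptyGroups       = @($EmptyGroups).Count
    UnlinkedGpos      = @($UnlinkedGpos).Count
    ReportFolder      = $Out
}
```

Run it from an account with only read rights; disabling or deleting the objects it lists is a separate, approved change once each owner has confirmed the finding.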
As for integration, be sure that you choose technical solutions that integrate with each other and can even operate bi-directionally where needed. Do your homework and select vendors that have strong partnerships with the other vendor products in your environment. Ask lots of questions and demand proof. Where needed, do Proof of Concept testing. In addition, if you have already inventoried your existing systems and data, you know exactly where your gaps are and where the integrations need to occur. In the end, your technology must be integrated end to end and aligned with your administrative controls and workflows.
Again, a great place to look is the Microsoft solutions offering because in addition to being the source of truth, they have a strong cloud presence and integrate with most security-aligned vendors to some extent. Just do your homework and get help wherever possible and where required. You’ll be glad you did.
The third part of technology is the visibility component. This is two-fold. First, ensure that anyone who can “see” the information and systems absolutely needs to. Be mindful of privacy and manage the confidentiality of your systems. Consider this the outside-in view. The second aspect is your own visibility of systems and data, while avoiding information overload and alert fatigue. Single-Pane-Of-Glass is an ideal that is hard to achieve, but reduce the data you’re looking at, and the number of places you have to look at it, to a minimum essential set. Knowledge is power and seeing is believing.
Sounds like a lot can go sideways. What are some of the pitfalls?
The pitfalls involved in creating an Information Assurance Ecosystem are many, and could easily make up a separate blog. At the core of it, you need to create and stick to a plan. You’ll often find that while people are the most important element, they can also become the greatest obstacles. In some cases they don’t want to get involved or be responsible, despite being a key stakeholder in their very own careers. This is where you need a champion of change to help manage the human resources the whole thing is intended to protect and enable.
Costs are another major pitfall, so please be aware this cannot be accomplished overnight or even within a few months. Adoption of an Information Assurance Ecosystem will take time, money, and a good plan, and may stretch over more than one financial period, but it is well worth the effort. Not everyone can simply rebuild their office, buy a bunch of new tech, and hire a bunch of new people without going through a lot of other processes first. Weigh up all options, prioritise, and proceed accordingly.
The technology itself should be last on your list, not first. Be sure to address the people, process, and environment elements before looking at the plumbing that holds it all together. There is a wealth of options out there, so take your time when you get to that point. Choosing the wrong fit because it was the cheapest, or because you already have other tech from that vendor, will put you back to square one very quickly. Always remember: fewer layers, integrated, with improved visibility.
What are some of the ghosts in the machine?
No matter how well you consult, plan, design, implement, and operate your Information Assurance Ecosystem, there are always ghosts in the machine. Technology fails, vendors get acquired, people quit, networks get congested, new threat vectors are discovered, and procedures lose their impact. Complacency will be one of the biggest ghosts you will encounter so never think “set and forget” or “if it isn’t broke, don’t fix it”. Once you have this ecosystem in place and working as needed, be sure to service it regularly. Hey, we all clean our houses (sometimes) and take our cars in for regular service, go to the dentist, and get annual medical check-ups. Your Information Assurance Ecosystem must be treated the same way.
There are some elements I did not cover in this article, such as cybersecurity frameworks like NIST, PCI compliance, and legislation considerations like the Notifiable Data Breaches amendment to the Privacy Act here in Australia. I could also go on about Information Security Management Systems (ISMS) and a variety of other topics but ultimately, these should be addressed through the planning process and implemented accordingly.
You will often find your systems and data are like that big box of Lego pieces we had as kids. No matter what you want to build, you probably have a lot of the bits already. Don’t chase your losses with pieces that don’t fit or work, and be sure to get the most out of the useful pieces you already have.
Stay safe out there!
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.
Image source for this article: Pixabay