The Three Stages of Security Hygiene: Evaluation

3.16.2017 | David Damato

In the first installment of our three-part series, Tanium CSO David Damato explores why good security hygiene is so essential, and details the first stage to getting your IT organization in order. ‘

Are you guilty of poor security hygiene? If so, take heart. You’re not alone. IT and security teams have long neglected basic security controls, including those controls defined in the NIST Cybersecurity Framework or CIS Critical Security Controls (aka SANS Top 20) over a decade ago.

My experience in responding to more than 100 enterprise breaches has taught me that the vast majority of security incidents are the result of failures in the practice we broadly define as security hygiene.

Take for example, asset management – the basic act of tracking all your devices and understanding their current state. Just as a business tracks financial assets, IT and security teams must track their assets – including devices, servers, operating systems and applications. You can’t protect what you don’t know. Yet, in nearly every major breach remediation effort I’ve led, technology or security leaders within the victim organization were unable to provide an accurate inventory of devices. In fact, most struggled to come within 10% – 20% accuracy of the actual count.

Another example is vulnerability management. Last year a number of organizations were affected by the Samsam ransomware. Samsam relied on a JBoss exploit more than a year old. At the time the ransomware was released, researchers estimated more than 2.1 million vulnerable instances of JBoss existed on the internet. Most organizations have thousands of outstanding vulnerabilities and are missing critical patches, leading to the proliferation of ransomware and other unsophisticated attacks. The 2015 Verizon Data Breach Investigations Report highlights how far organizations lag in patching vulnerabilities. According to the report, 99% of exploited vulnerabilities had been compromised more than a year after the Common Vulnerabilities and Exposures (CVE) was published.

I’m not the only one to notice most breaches are caused by poor security hygiene, rather than any particular sophistication on the part of attackers. Last year, Rob Joyce, Director of NSA’s Tailored Access Operations (TAO) division – the group responsible for launching sophisticated cyber attacks at the NSA – said, “We put the time in …to know [that network] better than the people who designed it and the people who are securing it. You’d be surprised about the things that are running on a network versus the things that you think are supposed to be there.”

Ian Levy, Director of the UK Cyber Security Program, took issue earlier this year with security vendors trying to present Advanced Persistent Threats (APTs) as a form of sophisticated attacks. He suggested instead that the initials APT stand for “adequate pernicious toe-rags.” Levy wants the ongoing conversation about cybersecurity to reflect what he considers to be the relatively unsophisticated nature of many attacks. “If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you – buy my magic amulet and you’ll be fine.’ It’s medieval witchcraft, it’s genuinely medieval witchcraft.”

Understanding that most attacks aren’t sophisticated, and even sophisticated actors start with basic tactics before escalating their tradecraft, security hygiene should be the starting point for security leaders. Easy for me to say. So, as a security leader, where do you start?

I recommend approaching security hygiene in three stages:

  • Evaluate your existing environment and ensure existing solutions are functioning properly and are fully utilized
  • Align your security program with an industry-leading framework and rationalize solutions to achieve your desired future state
  • Measure your progress against the defined future state and continuously adapt capabilities as required

Below we detail the guidelines for tackling stage one in your security hygiene efforts. In upcoming posts, we’ll explore stages two and three.

Security hygiene stage one: Evaluation

The first step to improve security hygiene is to understand the current state of important security controls within your network. Many organizations are confident they are effectively managing asset databases and patching vulnerabilities – my experience has taught me that this confidence is often misplaced. The goal of this first step is to identify these gaps and ensure existing investments are fully utilized.

Start by selecting a set of prioritized security controls. Focusing on controls as opposed to an entire framework (we’ll get there in the next post), will make this step easy and help to address a set of controls generally agreed to be critical. The 20 CIS Critical Security Controls is a great example of a prioritized list of controls. The list contains actions for everything from taking inventory of assets to user training. In fact, you can select a subset of the list to focus on those areas of most concern. Contained controls are subcomponents of popular frameworks, like the NIST Cybersecurity Framework, which should allow us to expand this effort later.

Next, determine how effectively your organization addresses the prioritized information security controls. During this effort, rely on technical tests rather than simple interviews. For example, to determine the effectiveness of your inventory of devices, identify all devices on your network and compare the list to your CMDB. Gather information on patch levels for operating systems and major third-party applications (e.g. Java, Flash). Compare the patch information against existing vulnerability assessment results. Identified gaps should quickly reveal whether those controls are effective or ineffective.

For identified weaknesses, ensure existing investments are being used to their full potential. For example, utilize existing Windows utilities such as Bit Locker, App Locker and EMET to improve security without purchasing point solutions to address Full Disk Encryption (FDE), application whitelisting, and anti-exploit capabilities. Perhaps your anti-malware solution is only current or functional on 80% of your devices – fix it. The end result of this activity should be to address any “quick wins” and capture any remaining gaps, which will be addressed during a much broader security transformation project.

At Tanium, we’ve developed a Hygiene Assessment to provide customers with accurate and easy reporting on common gaps in security hygiene. The results have been eye opening.

  • A large financial customer had approximately 5,500 documented and approved applications. Tanium helped to identify more than 10,000 installed applications.
  • A large retail customer believed it had patch management under control. Tanium identified approximately 3,500 instances of Java which hadn’t been updated in over a year.
  • An international financial institution thought SCCM was accurately reporting across all devices. Tanium revealed that SCCM was not operational on approximately 15% of all supported devices, which also affected the accuracy of reporting for patch levels and the status of other solutions, such as anti-malware.

Once you have an understanding of these basic controls and have taken advantage of the tools that exist within your environment, you’re ready to focus on a larger transformation project, using a framework like ISO 27001 or NIST Cyber Security Framework.

About the Author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.