The 3 Security Questions You Must Ask Every Quarter
Microsoft processes over a billion authentications per day and monitors tens of thousands of attacks. We've seen some stuff! What we know from our own telemetry and the best practices that we see is that you can't rest on the strategy and assumptions that you put in place a year or two ago (these may indeed be as robust today as they were yesterday, but you need to assume that they aren't). With a constant "challenge our security posture" mindset, these are 3 of the key questions that you should be asking formally and regularly (at least once per quarter):
- 1. Is our Cybersecurity Insight Team challenging the status quo? It's a question which may beg asking: Do we even have/need a Cybersecurity Insight Team? And, what is our security posture’s status quo (or “baseline” or “minimum required functionality”)? Yes, you should employ a CIT. This is a team from a cross-functional sample of your core organizations (IT, InfoSec, HR, Finance, Sales & Marketing) where the tough questions are asked about policies, processes and assets. Everyone should be playing devil's advocate, pushing the buttons on "what if" scenarios and assuming worst case security scenarios. Further, you should understand your "minimum security requirements" and revisit them as the CIT pokes holes in your standing assumptions: Should we now require MFA not just for executives, but for all customer facing roles too given their exposure to sensitive information as part of the new government contract? Should we ensure that all field user's computing devices are managed without domain joining their machines to ensure they do not have access to a broader range of corporate assets that they may not require after the recent doubling of our field force? Do we force encryption policies on all files on all file shares for the product development teams after discovering a suspiciously similar design from a competitor?
- Are we protecting from the “inside out” as vigorously as we are from the “outside in?” Internal threats, both malicious and accidental ones, are on the rise just as fast as external threats. In fact, in 2013 the FBI estimated that each malicious incident of internal origin cost its company $413,000 (Fred Donovan, FierceITSecurity: Is the person sitting next to you a malicious insider?). The stakes are clearly high and the wise modern enterprise is complimenting their security stack with new solutions in Information Protection (forcing rights management policies on sensitive file shares and network traffic that contains flagged information), end-user behavioral analytics (detecting deviations in user behavior that may signal, for example, the transferring of massive quantities of corporate date) and Cloud Application Security Brokers (understanding where corporate data is going in the cloud and the risks associated with that activity). What are you doing to ensure that your employees are playing by the right set of policies and behaviors?
- How many active breaches do we have right now? Ah, that’s a bit of a trick question, but it’s also the most important one. Are you a prevent-the-breach shop (i.e. did you answer that question by saying “we don’t have any breaches”) or are you an assume-the-breach shop (i.e. did you answer with “any known breaches are contained”)? Btw, if you answered that you don’t have any breaches, you need to go retake the quiz. You have likely been breached and should always assume that you are the victim of an active attack where some layer in the security onion has been peeled away. Now what? You need to implement a security layer that monitors for advanced threats (like Pass-the-# and Golden Ticket) and shows you the blast radius of the attack so that you can contain the damage and trap the threat (you can even create a "breacher honeypot" that lures would-be intruders into an area where no damage can be done and you can take swift action). This required approach utilizes advanced solutions to thwart advanced attacks/intrusions that no traditional firewall, AV or end-point based protection can effectively do today. For more information on such a solution, check out Microsoft Advanced Threat Analytics here.
By asking these questions, and asking them regularly, you'll learn one of two things: that you need to implement new policies/invest in new solutions, or, you'll find that you are doing all of the right things. Either outcome is a win-win.