Don’t treat cybersecurity hygiene like your car engine light

ESG has just released the key findings of its cybersecurity hygiene and posture management survey, and in a poll of 400 cybersecurity professionals in North American enterprises, the number one action respondents said would improve cybersecurity hygiene? You guessed it: continuous security control validation. Read More

ESG recently released the key findings of its cybersecurity hygiene and posture management survey, which polled 400 cybersecurity professionals in North American enterprises. Three takeaways stand out:

  • Organizations are struggling to get their hands around their cyberterrain, which is growing larger and more complex every day due to an explosion of devices, IT connections to third parties, and use of public clouds as infrastructure.
  • Security teams need to protect their organization by thinking like their adversaries, and continuously measuring the impact of their assumptions and decisions.
  • The number one action respondents said would improve cybersecurity hygiene is continuous security control validation.

Let’s dive into the first point on cyberterrain complexity.

The cyberterrain is the sum of your operational assets, security controls, data assets, and overall security decisions. It’s essentially the topography of your cybersecurity posture – and it changes constantly. Increased devices, connections, and public cloud adoption were reported as the top three reasons for the increase in cyberterrain complexity.

It’s not surprising, then, that enterprises cited an aggregate view of their terrain, as well as an understanding of blind spots in adversary tactics, techniques, and procedures (TTPs), as two of the top five metrics for effective cybersecurity hygiene.

Despite the need for greater visibility and confidence in controls and processes, more than a third of respondents are not testing them often enough to accurately report day by day, week by week, on how their overall program is performing.Testing once per month (20 percent), once per quarter (11 percent) and  once per year (3 percent) is insufficient to stay on top of adversarial behavior and potential cyberattacks.

Imagine if your car engine light only worked once a month to let you know your car was about to run out of oil. Would you risk operating it not knowing if your engine was about to fail?

Which brings us to the next two key takeaways, which are around moving to a more confident cybersecurity posture and thinking like the adversary. The way to build confidence in your program and take control of risk is by adopting a threat-informed defense. This starts with leveraging the MITRE ATT&CK framework, a globally available, free, open framework of known adversary tactics, techniques and procedures.Since its release, the ATT&CK framework has gained significant momentum as a globally-vetted, all-source repository of adversary behavior. According to the report, the MITRE ATT&CK framework is a growing priority, with over 30 percent of respondents reporting it has become increasingly important for cybersecurity hygiene.

Once you understand how adversaries target your data, you are in a better position to secure yourself. The natural next step is to deploy automated adversary emulations to continuously test that your cyberdefenses are working as expected, instead of relying on point in time and manual penetration testing.

In fact, the number one response to “which actions would most improve your organization’s security hygiene and posture management” was performing continuous security control validation to discover gaps in existing security tools,” which would then allow them to take the right steps to harden their security posture.

An added benefit of adopting a threat-informed defense is purple teaming, when red and blue teams share the results of emulating TTPs against their controls. Like a coached scrimmage, your teams can review test results together and collaborate on remediation strategies. The purple team model provides a more comprehensive picture of what needs to be addressed and how best to harden your environment.

In summary, don’t wait for the engine light to come on once a month – or less frequently – to alert you of potential failures. Focus on a threat-informed defense strategy and you will get the aggregate visibility you need to take control of risk.

Next steps:

  • Read the ESG report on Cybersecurity Hygiene and Posture Management.
  • Take an AttackIQ Academy course on Purple Teaming for full insight into how red and blue teams can collaborate strategically to protect your organization against imminent threats.
  • Read MITRE ATT&CK for Dummies to learn how to improve your cybersecurity effectiveness and shift from a reactive cybersecurity approach to proactive, threat-informed defense.