The following 14 core technical capabilities were created to help guide and prioritise cybersecurity investments.*

With cyber threats constantly evolving, you need to identify the gaps in your security posture and be prepared for attackers to get through your defences. That means deciding where to start and what matters most.
1. Asset Management
Identify assets using automated discovery tools (which also surface rogue systems you did not know about), including:
- Installed software on endpoints, servers and mobile devices (use a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solution for mobile)
- Deployed hardware, including endpoints, mobile devices, cloud and on-premise systems
Reconcile what discovery finds against the inventory you think you have: anything on the network that is not in the inventory is either a rogue system or an inventory gap, and both need an owner.
2. Network Segmentation
Ensure networks are properly segmented, particularly separating the business side from the infrastructure networks.
Focus initially on high value assets and critical systems. Move away from solutions that only segment on-premise networks and deploy segmentation solutions, such as a Software Defined Perimeter, that allow granular role-based segmentation of on-premise and cloud-based systems, including legacy systems. Additionally, use Network Access Control (NAC) where possible. Verify segmentation rather than assuming it: a scan from a business-network address should not be able to reach infrastructure systems.
3. Network Security
Deploy intrusion detection and prevention systems (IDS/IPS) at enterprise and system enclave boundaries (including ingress and egress points), using cloud-based appliances wherever possible to monitor cloud traffic.
- Select solutions that can protect both on-premise and cloud-based traffic and consolidate alerts/logs on a single dashboard
- Consider Deep Packet Inspection (DPI) and packet capture
- Consider deploying cloud access security brokers (CASBs) at cloud boundaries
- Deploy DNS Security Extensions (DNSSEC) to sign the DNS zones you publish, and enable DNSSEC validation on your resolvers; note that DNSSEC authenticates DNS answers but does not encrypt them
- Consider specific distributed denial of service (DDoS) protections to protect servers, applications, and networks
- Consider solutions that protect communication systems against telephony denial of service (TDoS) and DDoS attacks
4. Identity Management
Manage user access and roles by:
- Deploying a centralised identity management solution with access control management and identity proofing
- Leveraging a Single Sign-On solution across the enterprise and its applications
- Deploying multi-factor authentication across the organisation, particularly for critical systems and privileged access
- Using identity management best practices to ensure “need to know” and “least privilege”
- Disabling or deleting accounts promptly according to the organisation's policy requirements, including dormant accounts and the accounts of staff who leave or change role
5. Privileged Access
Deploy privileged access management (PAM) solutions to manage and control the administrative accounts on critical infrastructure systems, including:
- Requiring multi-factor authentication for all administrative accounts, including on servers and endpoints
- Using solutions such as Software Defined Perimeter to enforce multi-factor authentication policies across the enterprise, alongside patching, need-to-know and least-privilege controls
6. Patching and Vulnerability Management
- Monitor for new patches and install them promptly, testing before deployment
- Prioritise patches based on risk and critical impact
- Regularly perform automated scanning (ideally daily, at least weekly), including credentialed, passive, internal and external scans; include database and web service configuration scans
- Install agents on servers and endpoints to facilitate scans whenever possible
- Scan applications both statically (SAST) and dynamically (DAST)
- Perform source code review when necessary
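Risk-based prioritisation is easier to reason about with a concrete scoring rule. The following is an added example, not from the original guide or from Bromium: it ranks constructed scan findings by CVSS score weighted with internet exposure, asset criticality and known exploitation, then maps the score to a remediation deadline. The weights, SLA thresholds, hostnames and vulnerability labels are assumptions chosen for illustration.

```python
"""Risk-based patch prioritisation (added example; weights and data are assumptions)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str              # scanner's identifier; placeholder labels in the sample below
    cvss: float            # CVSS base score, 0-10, as reported by the scanner
    internet_facing: bool  # from the network inventory / external scan
    criticality: int       # 1 = low .. 3 = critical, from the asset inventory
    exploited: bool        # known to be exploited in the wild (e.g. a CISA KEV listing)


# Weights are illustrative assumptions; tune them to your own risk appetite.
EXPOSURE_WEIGHT = {True: 1.5, False: 1.0}
CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.3}
EXPLOITED_BONUS = 5.0


def risk_score(f: Finding) -> float:
    """CVSS alone ignores context: scale it by exposure and asset value,
    and let active exploitation dominate everything else."""
    score = f.cvss * EXPOSURE_WEIGHT[f.internet_facing] * CRITICALITY_WEIGHT.get(f.criticality, 1.0)
    if f.exploited:
        score += EXPLOITED_BONUS
    return round(score, 2)


def sla_days(score: float) -> int:
    """Map a score to a remediation deadline (thresholds are assumptions)."""
    if score >= 15:
        return 7
    if score >= 9:
        return 30
    if score >= 5:
        return 90
    return 180


def plan(findings: List[Finding]) -> List[dict]:
    """Findings ordered by descending risk, each with its score and deadline."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [
        {"host": f.host, "vuln": f.vuln, "score": risk_score(f), "sla_days": sla_days(risk_score(f))}
        for f in ranked
    ]


# Constructed sample findings; hosts and vuln labels are placeholders, not real systems.
SAMPLE_FINDINGS = [
    Finding("db-02", "vuln-A", 9.8, internet_facing=False, criticality=3, exploited=False),
    Finding("kiosk-07", "vuln-B", 5.3, internet_facing=False, criticality=1, exploited=False),
    Finding("web-01", "vuln-C", 9.8, internet_facing=True, criticality=3, exploited=True),
    Finding("hr-app", "vuln-D", 7.5, internet_facing=False, criticality=2, exploited=False),
    Finding("vpn-gw", "vuln-E", 7.2, internet_facing=True, criticality=3, exploited=True),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_FINDINGS):
        print(f"{row['host']:<10} {row['vuln']:<8} score={row['score']:>6}  patch within {row['sla_days']} days")
```

The point of the sample is the ordering it produces: the exposed, actively exploited vpn-gw finding (CVSS 7.2) lands in the seven-day bucket ahead of the internal db-02 finding with a CVSS of 9.8, which a scanner sorted by CVSS alone would put first.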
7. Continuous Monitoring
Continuous monitoring is recommended 24 hours a day, 7 days a week, including:
- Employing alerts and a Security Information and Event Management (SIEM) solution with a customised dashboard to monitor critical systems, backed by proper log management
- Create/manage a security operation centre (SOC) to continuously monitor critical systems
8. Endpoint Protection
Employ endpoint protection solutions to:
- Mitigate viruses, ransomware and other malware using solutions such as application isolation (micro virtual machine isolation), advanced endpoint protection and antivirus/anti-malware
- Deploy these solutions across all endpoints and servers, including mobile devices
- Use a File Integrity Monitoring (FIM) solution to detect file tampering, rootkits and similar changes; it detects rather than prevents, so its alerts must feed the continuous monitoring in capability 7
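File integrity monitoring is simple enough to show in full. The following is an added example, not code from the original guide or from Bromium: the core of a FIM tool that baselines SHA-256 digests, permission bits and sizes for every file under a directory, re-scans, and reports what was added, removed or changed. The demo builds a throw-away directory tree with constructed file names and contents, so it runs offline on a POSIX system.

```python
"""File integrity monitoring core: baseline, re-scan, diff (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Digest, permission bits and size of every regular file under root.
    Store the result off-host or signed: a baseline the attacker can rewrite is worthless."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": file_digest(path),
                "mode": st.st_mode & 0o7777,   # catches a quietly added setuid bit too
                "size": st.st_size,
            }
    return baseline


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Files that appeared, disappeared, or changed content or permissions."""
    report = {"added": [], "removed": [], "modified": []}
    for rel, meta in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif meta != baseline[rel]:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, list]:
    """Build a throw-away tree (constructed names and contents), baseline it,
    simulate a compromise and return the FIM report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "bin/ls": b"original ls binary",
            "bin/ping": b"ping binary",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc/motd": b"welcome\n",
        }
        for rel, content in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
            os.chmod(path, 0o644)
        baseline = build_baseline(root)

        # Simulated tampering: a replaced binary, a permission change with the
        # content untouched, a dropped shared object and a deleted file.
        (root / "bin/ls").write_bytes(b"trojaned ls that hides the attacker's files")
        os.chmod(root / "bin/ping", 0o755)
        (root / "lib").mkdir()
        (root / "lib/unknown.so").write_bytes(b"not in the baseline")
        (root / "etc/motd").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:<9} {paths}")
```

Two caveats matter more than the code. The baseline must live somewhere the host cannot rewrite it (or be signed), otherwise whoever replaced the binary simply re-baselines; and a kernel-level rootkit can lie to user-space about file contents, so FIM complements the isolation and anti-malware controls above rather than replacing them.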
9. Public Key Infrastructure (PKI)/Key Management
Deploy key management for both symmetric and asymmetric keys, including:
- Managing public and private keys used for application programming interfaces (APIs), email signing, and encryption using a PKI solution
- Employing key management solutions to store keys, including Secure Shell (SSH) keys and other encryption keys, with a record of who owns each key and when it is due for rotation
10. Log Management
Centralise, correlate and consolidate logs, including:
- Ingress and egress logs
- Application logs
- Endpoint protection logs
- Firewall logs
- Security logs, such as authentication failures, misuse, unauthorised access and insider-threat indicators
- Server logs
- Database logs
- Webserver logs
- IDS/IPS logs
Ensure consistent timestamps by synchronising every system's clock with Network Time Protocol (NTP) against a common time source, and log with an explicit UTC offset, so that events from different systems can be ordered and correlated.
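Continuous monitoring (capability 7) and log management come together when a correlation rule runs over centralised logs. The following is an added example, not from the original guide or from Bromium, of one such rule: it parses constructed sshd authentication lines from two hosts that log in different UTC offsets, normalises every timestamp to UTC, then alerts on five failures from one source within two minutes and on a success that follows repeated failures. Hostnames, addresses (taken from the RFC 5737 documentation ranges) and thresholds are assumptions.

```python
"""Brute-force / success-after-failure detection over constructed sshd logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample log: web-01 logs in local time (+02:00), db-02 in UTC.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01+02:00 web-01 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-05-01T10:00:09+02:00 web-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
2024-05-01T08:00:15+00:00 db-02 sshd[918]: Failed password for root from 203.0.113.5 port 40022 ssh2
2024-05-01T10:00:22+02:00 web-01 sshd[2201]: Failed password for root from 203.0.113.5 port 51240 ssh2
2024-05-01T10:00:30+02:00 web-01 sshd[2202]: Failed password for oracle from 198.51.100.20 port 60001 ssh2
2024-05-01T08:00:40+00:00 db-02 sshd[918]: Failed password for root from 203.0.113.5 port 40030 ssh2
2024-05-01T10:00:45+02:00 web-01 sshd[2202]: Accepted password for oracle from 198.51.100.20 port 60001 ssh2
2024-05-01T08:01:10+00:00 db-02 sshd[919]: Accepted password for root from 203.0.113.5 port 40031 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

WINDOW_SECONDS = 120          # thresholds are assumptions; tune them to your environment
BRUTE_FORCE_THRESHOLD = 5
SUCCESS_AFTER_FAILURES = 3


def to_utc(ts: str) -> datetime:
    """Normalise an ISO 8601 timestamp to UTC. A timestamp without an offset is
    rejected: without synchronised, offset-qualified clocks the events of
    different hosts cannot be ordered against each other."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset cannot be correlated: {ts}")
    return dt.astimezone(timezone.utc)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None            # not an authentication event; other rules would handle it
    event = m.groupdict()
    event["time"] = to_utc(event.pop("ts"))
    return event


def parse_events(lines: List[str]) -> List[dict]:
    """Parse and order events by UTC time, whatever each host's local offset."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["time"])
    return events


def detect(events: List[dict]) -> List[dict]:
    failures = defaultdict(deque)   # source IP -> failure times inside the window
    already_alerted = set()
    alerts = []
    for ev in events:
        window = failures[ev["ip"]]
        while window and (ev["time"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ev["time"])
            if len(window) >= BRUTE_FORCE_THRESHOLD and ev["ip"] not in already_alerted:
                already_alerted.add(ev["ip"])
                alerts.append({"rule": "brute_force", "ip": ev["ip"], "count": len(window),
                               "time": ev["time"].isoformat()})
        elif len(window) >= SUCCESS_AFTER_FAILURES:
            # A success right after a burst of failures is the case worth paging for.
            alerts.append({"rule": "success_after_failures", "ip": ev["ip"], "user": ev["user"],
                           "host": ev["host"], "failures": len(window), "time": ev["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

Without the UTC normalisation the db-02 lines would sort two hours earlier than the web-01 lines they belong with, the failure count would never reach five inside the window, and the successful root login would look unrelated to the preceding failures: that is the practical reason the NTP and timestamp point above matters.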
11. Phishing Protection
Implement phishing training and plugin solutions, including:
- Mandating regular phishing training for all employees, including senior executives
- Deploying email authentication (Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC)) to detect and prevent spoofing of your domains; DMARC only blocks spoofed mail once its policy is quarantine or reject, so start with p=none to collect reports and then tighten it
- Deploying anti-phishing plugins on email servers and endpoints to detect, block and report phishing emails
- Running simulated phishing campaigns against all employees to measure open and click rates, and targeting follow-up training at those who open or click
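To make "deploying SPF and DMARC" concrete, the following added example (not from the original guide or from Bromium) assesses constructed SPF and DMARC TXT records and reports the gaps an auditor would raise: a soft-fail SPF, the discouraged ptr mechanism, the ten-lookup limit and a DMARC policy of none. The records, domains and mailbox are assumptions; a real check would fetch the TXT records from DNS first.

```python
"""Assess SPF and DMARC records for enforcement gaps (added example)."""
import re
from typing import Dict, List

# Constructed records. In production, fetch the TXT record at <domain> for SPF
# and at _dmarc.<domain> for DMARC; example.com/.net are reserved documentation domains.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10   # RFC 7208 section 4.6.4: more than ten DNS lookups is a permerror


def assess_spf(record: str) -> dict:
    """Report whether the SPF record actually rejects unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"enforcing": False, "lookups": 0, "issues": ["not an SPF record (missing v=spf1)"]}
    issues: List[str] = []
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism: RFC 7208 says it SHOULD NOT be used; slow and unreliable")
        if name == "all" and all_qualifier is None:
            all_qualifier = qualifier          # terms after 'all' are never evaluated
    if lookups > SPF_LOOKUP_LIMIT:
        issues.append(f"{lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT}: receivers return permerror")
    if all_qualifier == "~":
        issues.append("~all (softfail): spoofed mail is only marked, not rejected")
    elif all_qualifier != "-":
        issues.append("no -all: unlisted senders get neutral or pass")
    return {"enforcing": all_qualifier == "-", "lookups": lookups, "issues": issues}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (tags are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Report whether receivers are told to act on failing mail, or only to report it."""
    tags = parse_dmarc(record)
    result = {"policy": tags.get("p"), "enforcing": False, "issues": []}
    if tags.get("v", "").upper() != "DMARC1":
        result["issues"].append("not a DMARC record (missing v=DMARC1)")
        return result
    pct = int(tags.get("pct", "100"))
    if result["policy"] not in ("quarantine", "reject"):
        result["issues"].append("p=none (or missing): receivers only report, spoofed mail is still delivered")
    elif pct < 100:
        result["issues"].append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    else:
        result["enforcing"] = True
    if "rua" not in tags:
        result["issues"].append("no rua= address: no aggregate reports showing who sends as your domain")
    return result


if __name__ == "__main__":
    for label, rec in [("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF)]:
        print(label, assess_spf(rec))
    for label, rec in [("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)]:
        print(label, assess_dmarc(rec))
```

The usual roll-out order is p=none with an rua= address to learn which legitimate senders fail alignment, then quarantine, then reject; the checker above treats only the last of those, at pct=100, as enforcing.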
12. Configuration Management
Adopt a configuration management solution to properly enforce configuration requirements on servers and endpoints, including:
- Prioritising solutions that forward their logs to the SIEM and support multiple operating systems
- Using application allowlisting (whitelisting) to restrict endpoints and mobile devices to approved applications. Allowlisting is preferred to blocklisting because it denies anything not explicitly approved, so it does not depend on recognising each new piece of malicious software
13. Application Security
Application security is the use of software, hardware and procedural methods to prevent vulnerabilities in applications and to protect sensitive information from external threats. Applications include desktop, server and mobile software. Security should be built into applications during development:
- Use fuzz testing (fuzzing) as a quality assurance technique: a fuzzer feeds large volumes of malformed or random input to the software, operating system or network service under test to make it crash or misbehave, revealing coding errors and security flaws. Triage every crash and keep the triggering input as a regression test
- Use dynamic analysis: test and evaluate a program by executing it with real inputs, finding errors and flaws while it runs rather than only by examining the code offline. Dynamic analysers find security issues that arise from the code's interaction with other system components, such as SQL databases, application servers or web services
- Use static code analysis to identify flaws and malicious code in applications before they are bought or deployed. It gives an understanding of the code structure and helps ensure that the code adheres to industry standards
- Deploy Web Application Firewall (WAF) solutions in front of your web applications; treat a WAF as a compensating control, not a substitute for fixing the underlying vulnerability
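Fuzzing is easiest to understand by watching one run. The block below is an added example written for this page, not code from the original guide or from Bromium: a deliberately buggy parser for a constructed length-prefixed message format, a mutational fuzzer that flips, overwrites, inserts, deletes and truncates bytes of a valid seed, and a minimiser that shrinks each crashing input to a small reproducer. The message format, its two bugs, the mutation mix and the iteration count are assumptions; production fuzzers such as AFL and libFuzzer add coverage feedback, which this example leaves out.

```python
"""Minimal mutational fuzzer against a deliberately buggy parser (added example)."""
import random
from typing import Dict, List, Optional


class MalformedMessage(Exception):
    """The rejection the parser is *designed* to raise; anything else is a bug."""


def parse_message(data: bytes) -> dict:
    """Parse a constructed TLV format: [count][type][len][value]... with two
    deliberate bugs that the fuzzer below is meant to find."""
    if not data:
        raise MalformedMessage("empty message")
    count, pos, fields = data[0], 1, {}
    for _ in range(count):
        ftype = data[pos]            # BUG 1: no bounds check -> IndexError on truncated input
        flen = data[pos + 1]
        value = data[pos + 2:pos + 2 + flen]
        pos += 2 + flen
        if ftype == 1:
            fields["id"] = int.from_bytes(value, "big")
        elif ftype == 2:
            fields["name"] = value.decode("ascii")   # BUG 2: UnicodeDecodeError on non-ASCII bytes
        else:
            raise MalformedMessage(f"unknown field type {ftype}")
    return fields


def classify(data: bytes) -> Optional[str]:
    """None for a parse or a clean rejection, otherwise the crashing exception's name."""
    try:
        parse_message(data)
    except MalformedMessage:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # boundary values worth trying


def mutate(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                         # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                       # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2:                               # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and len(buf) > 1:              # delete one byte
        del buf[rng.randrange(len(buf))]
    elif len(buf) > 1:                          # truncate
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def minimise(data: bytes, crash: str) -> bytes:
    """Greedily drop bytes while the same crash still reproduces (a tiny delta debugger)."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if classify(candidate) == crash:
                data, shrunk = candidate, True
                break
    return data


def fuzz(seeds: List[bytes], iterations: int = 2000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Return one minimised reproducer per distinct crash type."""
    rng = random.Random(rng_seed)   # fixed seed keeps the run reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        crash = classify(candidate)
        if crash and crash not in crashes:
            crashes[crash] = minimise(candidate, crash)
    return crashes


# Constructed valid seed: two fields, id=42 and name="hello".
SEEDS = [bytes([2, 1, 2, 0, 42, 2, 5]) + b"hello"]

if __name__ == "__main__":
    for name, repro in fuzz(SEEDS).items():
        print(f"{name}: {repro!r}")
```

The parser raises MalformedMessage for inputs it is designed to reject, and the fuzzer counts only other exceptions as crashes: that separation between "rejected input" and "bug" is what makes a fuzzing harness useful, and each minimised reproducer is exactly the regression test the bullet above asks for.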
14. Data Security
Implement solutions to secure data, including:
- Protecting data, in particular personally identifiable information (PII), protected health information (PHI), payment card data (in PCI DSS scope) and sensitive, classified and/or financial data, using Data Loss Prevention (DLP) solutions:
  - Deploying DLP to detect and prevent data leaks and bulk data exports from servers, databases and endpoints where possible
- Deploying backup solutions across the organisation's endpoints, servers, databases and critical systems
- Establishing off-site backups, whether in a separate datacentre or in the cloud; keep at least one copy offline or immutable so that ransomware cannot encrypt it, and test restores regularly
- Mandating encryption for all PII, PHI, payment card and other sensitive or confidential data whenever possible. Examples include:
  - Requiring full disk encryption for mobile devices, laptops and removable media
  - Encrypting databases and files where required
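The leak-detection bullet above is concrete enough to show the core of a DLP content rule. The following is an added example, not from the original guide or from Bromium: it finds payment card numbers in text, uses the Luhn checksum to discard look-alike digit runs such as order numbers, redacts what it finds to the first six and last four digits, and flags a document carrying many distinct card numbers as a bulk export. The sample text and the bulk threshold are constructed; the card numbers are the widely published test numbers used for payment integration testing, not real accounts.

```python
"""Luhn-validated card-number detection and redaction (added example)."""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit Luhn-valid (used here to build bulk test data)."""
    return next(d for d in "0123456789" if luhn_valid(partial + d))


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> Dict[str, object]:
    """Find Luhn-valid card numbers; return the findings and a redacted copy of the text."""
    findings: List[dict] = []

    def redact(m) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)                # looks like a card number but is not one
        findings.append({"masked": mask(digits), "offset": m.start()})
        return mask(digits)

    return {"findings": findings, "redacted": PAN_RE.sub(redact, text)}


def is_bulk_export(text: str, threshold: int = 100) -> bool:
    """Flag text carrying many distinct card numbers: a mass export, not one customer record."""
    distinct = {re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text)}
    return sum(luhn_valid(d) for d in distinct) >= threshold


# Constructed sample: an order number and a typo that fail Luhn, two test card numbers that pass.
SAMPLE = """\
Order 1234-5678-9012-3456 shipped to customer.
Card on file: 4111 1111 1111 1111 exp 12/27
Backup card 5500-0000-0000-0004
Ticket ref 4111 1111 1111 1112 (typo in the note)
"""

# 120 constructed numbers with computed check digits, standing in for a leaked customer table.
BULK_SAMPLE = "\n".join(
    "411111" + f"{i:09d}" + luhn_check_digit("411111" + f"{i:09d}") for i in range(120)
)

if __name__ == "__main__":
    result = scan_text(SAMPLE)
    print(result["redacted"])
    print("findings:", result["findings"])
    print("bulk export:", is_bulk_export(BULK_SAMPLE))
```

The Luhn check is what keeps such a rule usable: a bare digit-run pattern flags every order and ticket number, while the checksum rejects roughly nine in ten random digit strings. False positives remain (test numbers in documentation, for instance), so production DLP rules pair this with context such as nearby keywords or expiry dates.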
* 2018 Cybersecurity Guide – originally provided by Bromium featuring Nicolas Chaillan.
