Government agencies, critical infrastructure providers and organizations of all sizes are in the crosshairs of cyber attackers that include nation-states, criminal gangs and even insiders. Mitigating risk, whether it originates from external threats or insiders such as disgruntled employees, contractors or supply-chain partners, requires a coordinated program for risk and security management. The following five-step framework provides a road map for mitigating threats in any environment.
Start with the Highest-Risk Users and Entities
The biggest opportunity to reduce risk is by focusing on securing the highest-risk users and assets. Privileged users and accounts hold the “keys to the kingdom” so they absolutely need to be locked down. Technology can help. Privileged access management (PAM) programs place privileged accounts in a vault that requires users to check in and check out passwords. While PAM creates an audit trail for compliance, it won’t monitor what privileged users are actually doing. One alternative, session recording, does not scale and consumes an enormous amount of storage. It also can’t detect malicious activity in real time.
Behavior-based security analytics can be used to identify anomalous activity associated with privileged users and assets in real time, and alert on risky transactions before data is exfiltrated or corrupted. This approach can also detect if privileged accounts have been compromised by outsiders, since their lateral movement (as they search for sensitive data and assets) will be atypical.
Implement Risk-Based Controls
While disparate security applications may perform analytics on their siloed data, they provide an incomplete view of risk. For example, PAM technology may say user Monroe is a high-risk user. The identity governance and administration system may rate him as medium risk. And, the SIEM may see him as low risk. Which platform will provide the right answer? Only by aggregating these disparate data feeds to achieve a holistic view of a user (or entity) across all applications and systems can risk-prioritized intelligence be gathered. With a reliable risk score, automated actions like requesting a second authentication factor for high-risk users and activity can be automated.
Remove Friction with Risk-Based Authentication
Everyone hates passwords, and most of us use the same one or a version of it for virtually everything. While this is definitely not a best security practice, it’s difficult to change user behavior. The focus instead should be on mitigating risk. For example, when a low-risk user accesses low-risk assets, they should be allowed to authenticate without friction (i.e. no password). On the other hand, high-risk users accessing high-risk assets should be challenged with strong authentication – MFA, pin code, etc. The risk score dictates the control.
Execute Continuous Mitigation
Risk is not something we can stop. From an information security perspective, “risk is never over.” Risk also isn’t a yes or no, or something that can be turned on or off. All we can do is put strategies and tactics in place to reduce it. There will never be, unfortunately, a point in time where we can reliably say “we are risk free.” A continuous risk mitigation strategy is necessary since there will always be attackers looking for new ways to breach security defenses.
Acknowledge Time Is Not on Your Side
Implementing a risk-based security management program requires the right mix of people, processes and technology, and will take time. Right now, criminals and malicious insiders are executing cyber attacks at machine speed. The gradual roll out of these best practices will provide incremental benefits until a complete framework is in place.