Security shape-up: 2019 probably won't be the year, but I hope it is

Will organizations finally get their security 'in shape' this year?

This is a contributed article by James Plouffe, Strategic Technologist at MobileIron

As we wind down this year and begin preparing for the next, we find ourselves surrounded by tradition. One is the ubiquity of "Security Predictions for 2019" think pieces just like this one. Though unlikely to avert any disasters, I strive in these missives to thread the needle of having something new and interesting to say while [hopefully] imparting some credible wisdom that will help us better defend ourselves in the year ahead. With any luck, my predictions will-- in hindsight-- appear thoughtful, if not prophetic. I am, however, prone to melancholy during the holidays and I don't find much cause for optimism in the cyber security world. Not because the threats are more daunting or that adversaries are stronger or more capable but because of another tradition, a two-sided coin of sorts that is as popular as it is unlikely to be followed through: New Year's Resolutions.

You see, as we concoct our New Year's Resolutions, we think about how we want to do or be better than last year. Our indulgence at holiday celebrations-- often overflowing with food and sweets-- leads many of us to decide that we want to be in better physical shape in the new year. It occurs to me that there are many parallels between security and physical fitness, not the least of which being a disconnect between what we know we ought to do and what we actually do. So my sole prediction, bleak though it may seem, is that this will not be the year we get in shape.

Before dismissing this as the prognostication of a humbug, please understand that I know we, as practitioners, have the best of intentions. But, just as the work of truly getting in better physical shape can be somewhat tedious and the results slow to materialize, so too are many of the strategies and tasks that would significantly improve our security posture: they are not glamorous, nor are their results always immediately obvious. What's more, in Infosec as in exercise, it's easy to get distracted. To paraphrase the American comedian Patton Oswalt, a treadmill just doesn't usually have the same appeal as pretzels and Scotch. In an industry awash with new technology and new buzzwords, we seek silver bullets for security in much the same way that we can be drawn to the latest diet fads, even while knowing that the results are neither likely to match the marketing nor be particularly long-lived.

Curiously, though, we seem to forget that we don't have to be perfect to be better. Indeed, when the headlines are littered with breaches ranging from British Airways to the City of Atlanta to Facebook to Maersk to Marriott to the NHS we might feel a sense of resignation. After all: there-- but for grace or good luck-- go you or go I. But we also must remember that fortune favors the prepared. Our goal, then, needn't be a massive transformation but instead steady improvement. Though we know that 20 to 30 minutes of moderate exercise five times a week won't give you the physique of Idris Elba or Charlie Hunnam, it still results in measurably better health. So what are some of the things we could and should be doing? Consider the following as a sort of Infosec couch-to-5k program:

  1. Improve your coverage of one (or more) of the CIS Top 20 Critical Controls. There are many frameworks, processes, and tools for evaluating and mitigating cyber security risk but few as straightforward and unambiguous as the Top 20. To the extent that any one scheme can effectively measure your security health while simultaneously providing "preventative care", this is it. And by focusing your efforts on implementing and expanding your use, you'll find that you have a better overall understanding of your environment which-- in turn-- makes you a better defender.
  2. Work to shorten your patch windows. It doesn't matter how long it takes you, it's too long and-- despite what the Rolling Stones song says-- time is not on your side. This doesn't mean that your initial goal needs to be 100% coverage on the first pass (though of course that's ideal), it means you should determine how well your current patch deployment regimen is working and set a goal to improve it. Once you meet that goal, set a new one and keep on going. When incremental improvements start to become increasingly difficult, you'll likely have a programme that will be the envy of your peers in other organizations.
  3. Start [really] segmenting your network. This is, of course, a familiar refrain but when we stop to consider how heavily attackers rely on lateral movement and how many hundreds of millions of pounds, euros or dollars of damage could have been averted during the outbreak of malware like WannaCry and NotPetya, the ROI becomes painfully obvious. Both of those worms spread from machine to machine over SMB, a protocol that has no business crossing most network boundaries; a segment boundary that simply refuses that traffic turns a company-wide outbreak into a contained one.
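The second recommendation only works if you can actually measure your patch window, so here is a small worked example, added to this article and not part of the original or of any MobileIron tooling, of the kind of report that turns "determine how well your current regimen is working" into numbers you can set a goal against. The inventory, host names, patch IDs, dates and the 14- and 30-day target windows are all constructed for illustration; feed it your own export from whatever patch-management or vulnerability-scanning system you use.

```python
"""Measure a patch deployment regimen: coverage, time-to-patch, and overdue hosts.

Added example, not from the article. Input is a list of (host, patch, vendor
release date, install date or None) records; everything below is constructed
sample data with hypothetical hosts and patch identifiers.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from math import ceil
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    released: date             # vendor release date
    installed: Optional[date]  # None while the patch is still missing


# Constructed sample inventory: two hypothetical patches across four hosts.
INVENTORY = [
    PatchRecord("web01", "KB-A", date(2018, 11, 13), date(2018, 11, 16)),
    PatchRecord("web02", "KB-A", date(2018, 11, 13), date(2018, 11, 20)),
    PatchRecord("db01", "KB-A", date(2018, 11, 13), date(2018, 12, 20)),
    PatchRecord("hr-laptop", "KB-A", date(2018, 11, 13), None),
    PatchRecord("web01", "KB-B", date(2018, 12, 11), date(2018, 12, 14)),
    PatchRecord("web02", "KB-B", date(2018, 12, 11), date(2018, 12, 18)),
    PatchRecord("db01", "KB-B", date(2018, 12, 11), None),
    PatchRecord("hr-laptop", "KB-B", date(2018, 12, 11), None),
]
AS_OF = date(2019, 1, 7)  # assumed date on which the report is run


def days_to_patch(rec: PatchRecord) -> int:
    """Days from vendor release to installation; only valid for installed records."""
    if rec.installed is None:
        raise ValueError(f"{rec.host}/{rec.patch_id} is not installed")
    return (rec.installed - rec.released).days


def status(rec: PatchRecord, window_days: int, as_of: date = AS_OF) -> str:
    """Classify a record against a target window measured from vendor release.

    on_time: installed within the window   late:    installed, but after the window
    overdue: missing and window has passed  pending: missing, window not yet passed
    """
    if rec.installed is not None:
        return "on_time" if days_to_patch(rec) <= window_days else "late"
    return "overdue" if (as_of - rec.released).days > window_days else "pending"


def percentile(values, p: float):
    """Nearest-rank percentile (p in 0..100) of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def coverage(records) -> float:
    """Fraction of (host, patch) pairs where the patch is installed at all."""
    return sum(r.installed is not None for r in records) / len(records)


def summarize(records, window_days: int, as_of: date = AS_OF) -> dict:
    """One report row for a given target window; compare rows month over month."""
    durations = [days_to_patch(r) for r in records if r.installed is not None]
    counts = Counter(status(r, window_days, as_of) for r in records)
    return {
        "window_days": window_days,
        "coverage": coverage(records),
        "median_days": median(durations),
        "p90_days": percentile(durations, 90),
        "on_time": counts["on_time"],
        "late": counts["late"],
        "overdue": counts["overdue"],
        "pending": counts["pending"],
        # The hosts that need chasing this week, deduplicated.
        "overdue_hosts": sorted(
            {r.host for r in records if status(r, window_days, as_of) == "overdue"}
        ),
    }


if __name__ == "__main__":
    # A 30-day window is a common starting target; 14 days shows where you'd
    # stand once the goal is tightened, which is the whole point of the exercise.
    for window in (30, 14):
        print(summarize(INVENTORY, window))
```

The numbers to watch are the p90 and the overdue list rather than the median: a handful of hosts that never get patched (the hypothetical `hr-laptop` above) are exactly the ones an attacker will find, and they hide behind a healthy-looking average. Run the same report each month with a tighter window and the trend, not the absolute value, is your fitness tracker.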

These recommendations may variously seem too uninteresting or too daunting. They won't cure all your ills, but they could be the foundation for meaningful improvement if we just put the work in. I want nothing this holiday season like I want to be proven wrong so I hope that as you look toward next year, you will try to find time in your schedules and your budgets to undertake some of these simple changes. May your 2019 be safe and uneventful and may we all be in a little better shape at this time next year.