An enterprise’s security posture refers to the overall status of your cybersecurity readiness.
With tens of thousands of assets in your enterprise and each susceptible to a myriad of attack vectors, there are practically unlimited permutations and combinations in which your organization can be breached. With the sharp increase in attack surface size, cybersecurity teams have a lot of complexity to deal with: vulnerability management, security controls, detecting attacks, incidence response, recovery, compliance, reporting and much more. So how can Infosec teams wrap their arms around these challenges and protect their organizations?
The first line of defense against the adversary is a good security posture. This guide on security posture will cover:
- What is security posture?
- 3 key steps to assess your security posture
- How to improve your security posture
What is security posture?
Your security posture is a measure of:
- The level of visibility you have into your asset inventory and attack surface
- The controls and processes you have in place to protect your enterprise from cyber-attacks
- Your ability to detect and contain attacks
- Your ability to react to and recover from security events
- The level of automation in your security program
A conceptual picture of the various elements of your security posture is shown in Fig 1.
Inventory of IT Assets
You can’t protect what you don’t know about. At the center of your security posture is an accurate inventory of all your assets. This includes all on-prem, cloud, mobile, and 3rd party assets; managed or unmanaged assets; applications and infrastructure, catalogued based on geographic location, and whether they are Internet facing (Perimeter assets) or not (Core assets).
It is also very important to understand the business criticality of each asset, as this is an important component of calculating breach risk. You need to be able to express the expected business impact of a breached asset in Dollars terms (or in Euros, Pounds, Yen, ).
Security Controls and Effectiveness
Surrounding this central core is an enumeration of the cybersecurity controls that you have deployed. Some controls, such as firewalls and endpoint are deployed with a goal of preventing attacks. Others, such as intrusion detection systems (IDSes) and SIEMs are involved in detecting attacks that get past your protective controls. Additional tools and processes are needed for response and recovery from such attacks.
It is important to not just be able to enumerate your controls, but also have an understanding of the effectiveness of each control in reducing your cyber risk.
Attack Vectors
The next ring lists the various attack vectors. Attack vectors are the methods that adversaries use to breach or infiltrate your network. Attack vectors take many different forms, ranging from malware and ransomware, to man-in-the-middle attacks, compromised credentials, and phishing. Some attack vectors target weaknesses in your security and overall infrastructure, others target the human users that have access to your network.
And keep in mind that risk extends beyond unpatched software vulnerabilities (CVEs). Your ability to monitor your assets in risk areas such as unpatched software, password issues, misconfigurations, encryption issues, phishing, web and ransomware, denial of service attacks and many others is the mainstay of your security posture.
The stronger and more resilient your security posture, the lower your cyber risk and greater your cyber-resilience.
Therefore, understanding the full scope of your security posture and correctly prioritizing areas of relevant risk is essential to protecting your organization against breaches.
Attack Surface
The combination of your asset inventory and attack vectors makes up your attack surface. Your attack surface is represented by all of the ways by which an attacker can attempt to gain unauthorized to any of your assets using any breach method.
Automation of Security Posture
A critical aspect of your security posture is the degree of automation. Attackers are constantly probing your defenses using automated techniques. 100s of new vulnerabilities are disclosed every month. It is not enough to simply be able to list your inventory, fix your vulnerabilities and review your controls from time to time. You will need to automate security posture management in order to stay ahead of the adversary.
Improving Security Posture
In order to understand and optimize your security posture, you need to:
- Analyze your current security posture
- Identify possible gaps (Security posture assessment)
- Take action to eliminate those gaps (Security posture transformation)
How to assess security posture
Security posture assessment is the first step in understanding where you are in your cybersecurity maturity journey and your cyber breach risk. You want to be able to answer the following questions:
- How secure is the organization?
- Do we have the right cybersecurity strategy?
- How good are our security controls?
- Can we accurately measure breach risk and cyber-resilience?
- How vulnerable are we to potential breaches and attacks?
- How effective is our vulnerability management program?
- How can we scorecard and benchmark different risk owners in the organization?
- What is the best way to discuss the organization’s security posture with the board of directors?
3 keys steps in security posture assessment
Let’s explore how you assess security posture in 3 steps:
- Get an accurate IT asset Inventory
- Map your attack surface
- Understand your cyber risk
Step 1. Get an accurate IT asset Inventory
The first step in security posture assessment is getting a comprehensive inventory of all your assets.
An asset is any device, application, service, or cloud instance that has access to your enterprise network or data.
You need an accurate and up to date count of all hardware, software, and network elements in your enterprise. However, just being aware of an asset isn’t sufficient. You also need to know detailed information about each asset which can help you understand the risk associated with the asset. This involves:
- Categorizing assets by type of asset, sub-type, role, Internet-facing or not, and location
- In-depth information like software and hardware details, status of open ports, user accounts, roles, and services linked to that asset
- Determining the business criticality of each asset
- Ensuring that all assets are running properly licensed and updated software while adhering to overall security policy
- Continuously monitoring them to get a real time picture of their risk profile
- Creating triggered actions whenever an asset deviates from enterprise security policy
- Deciding which assets should be decommissioned if no longer updated or being used
Getting an accurate asset inventory is foundational to your security posture. The ability to track and audit your inventory is a baseline requirement for most security standards, including the CIS Top 20, HIPAA, and PCI. Having an accurate, up-to-date asset inventory also ensures your company can keep track of the type and age of hardware in use. By keeping track of this information, you are more easily able to identify technology gaps and refresh cycles. As systems begin to age, and are no longer supported by the manufacturer, they present a security risk to your organization as a whole. Unsupported software that no longer receives updates from the manufacturer brings the risk of not being monitored for new vulnerabilities and implementation of patches.
Step 2. Map your attack surface
The second step in security posture assessment is mapping your attack surface. Your attack surface is represented by all of the points on your network where an adversary can attempt to gain entry to your information systems.
The x-y plot in Fig 2 below represents your attack surface. In a typical breach, the adversary uses some point on this attack surface to compromise an (Internet facing) asset. Other points are then used to move laterally across the enterprise to some valuable asset, compromise that asset, and then exfiltrate data or do some damage.
For a medium to large sized enterprise, the attack surface can be gigantic. Hundreds of thousands of assets potentially targeted by hundreds of attack vectors can mean that your attack surface is made up of tens of millions to hundreds of billions of data points that must be monitored at all times.
3. Understanding cyber risk
the final step in security posture assessment is understanding your cyber risk. Cyber risk has an inverse relationship with your security posture. As your security posture becomes stronger, your cyber risk decreases.
Mathematically, risk is defined as the probability of a loss event (likelihood) multiplied by the magnitude of loss resulting from that loss event (impact). Cyber risk is the probability of exposure or potential loss resulting from a cyberattack or data breach.
An accurate cyber risk calculation needs to consider 5 factors as show in Fig 3.
For each point of the attack surface, we must consider:
- The severity of a known vulnerability relevant to the asset. E.g., CVSS score of an open CVE on the asset
- Threat level. Is the attack method currently being exploited in the wild by attackers.
- Exposure/usage to the vulnerability. Based on where the asset is deployed and used, vulnerabilities are exploitable or not.
- Risk-negating effect of any security controls in place
- Business criticality of the asset.
This calculation needs to be performed for all points of the attack surface. This result in an accurate picture of where your cyber-risk is and helps you prioritize risk mitigation actions while avoiding busy work fixing low risk issues.
5 steps to improve your security posture
To improve your security posture, you need to:
- Automate real-time inventory for all your enterprise assets
- Define your risk ownership hierarchy and assign owners.
- Continuously monitor assets for vulnerabilities across a broad range of attack vectors like unpatched software, phishing, misconfigurations, password issues etc., evaluate these vulnerabilities based on risk, and dispatch to owners for supervised automatic mitigation.
- Continuously review gaps in your security controls and make appropriate changes
- Define metrics and target SLAs for visibility, resolution of vulnerabilities and risk issues, and security control effectiveness; and continually measure and track them
Risk Ownership
Step 2 above is key to improving security posture. It is critical that you define and actively manage your risk ownership org chart. Most risk mitigation tasks need to be executed or approved by individuals who are not part of the Infosec organization. It is important to provide actionable dashboards and reports to each risk owner that contain information about the security issues that they own, associated risk and risk mitigation options.
With a well-understood risk ownership hierarchy, you will also be able to compare and scorecard owners and drive them to do their part in maintaining a good security posture.
Continuous fine-tuning to improve security posture
Once your organization gains visibility into security posture, your security program governance will need to set and periodically adjust security posture goals. Your will need to continuously monitor your attack surface in the context of the ever-evolving cyber threat landscape and make sure you have (mostly) automated processes in place for maintaining good cybersecurity posture.
Intelecis platform helps you automate and improve your cybersecurity posture. Intelecis continuously monitors your attack surface across all asset types and attack vectors, analyzes this information to predict likely breach scenarios, prioritizes security issues based on business risk and drives appropriate mitigation steps to address issues
Conclusion
Security posture is an organization’s overall cybersecurity strength and resilience in relation to cyber-threats. The complexity and variety of modern cyber-attacks makes analyzing and improving security posture quite challenging. As organizations move away from last generation security strategies and fragmented solutions, they are transitioning to an automated architecture for managing security posture that can protect against a fast-changing threat landscape.