Building Your Cybersecurity Posture

Security leaders need to drive enterprises to use the data they already have to protect digital assets. By using cybersecurity posture management tools and processes, enterprises can protect, prevent, and defend against risks to the enterprise.

A cybersecurity posture is a collection of people, processes, and technologies that monitor an enterprise's cyber assets to prevent, protect, and defend against cyber threats. Cybersecurity posture management uses data from your clouds, applications, SaaS products, IAM, and audit logs to make data-driven security decisions and measure risk. When an emergency arises it is imperative to be able to respond quickly with the correct tools and skills in the right location to minimize any impact to your customers and business continuity. Of course, prevention and preparation for a breach are far less expensive to an enterprise than playing wait and see. To paraphrase Benjamin Franklin, 'an ounce of prevention is worth a pound of protection.'

CISOs have multiple business units, platforms, applications, and employees that are making small decisions on a daily basis. These decisions expose us to potential cyber threats. If enterprises intend to deliver value and services to the customer while providing a safe and modern working environment for employees to drive shareholder value, then every enterprise needs a centralized method of detecting, monitoring, and remediating threats as an organization. A good security posture is both centralized and decentralized. This counterintuitive approach leverages the skills of subject matter experts at all levels, limits the scope of ingress points, and protects all assets in the cloud estate.

Akin to governments having centralized emergency response and defense services, enterprises need to provide cyber protection, emergency training, and remediation processes to their employees. While large organizations often favor decentralized approaches to IT so that decisions can be made closer to the customer, these strategies do not entirely work when deploying successful cybersecurity prevention and defense. A solid cybersecurity posture requires a firm understanding of all people, processes, and technologies across all lines of business.

At the same time that protection and prevention controls are centralized, risk decisions and remediation are decentralized to the engineers and application owners who are subject matter experts in the business application. Decentralizing risk requires removing the friction of security processes by automating DevSecOps deployments, threat detection, and application monitoring.

I will attempt to describe the major cyber postures that an enterprise needs to be able to account for and exercise on a regular basis. But before we dive into our cybersecurity posture, we need to talk about what we are monitoring.

Core Cyber Assets

The core of cybersecurity posture management is monitoring your company's assets to prevent nefarious actors from exploiting misconfigurations and vulnerabilities. These assets include every person, process, and technology asset that is connected to the internet. Each of these asset types needs to be inventoried and monitored.

Some specific asset types you should think about are your enterprise clouds, on-premise devices, applications, user identities, access controls, user devices, and data.

People assets

The most important asset of any enterprise is its people. When you identify and categorize your people assets, I see four categories that need to be accounted for:

  1. Knowing your customers, partners, and employees - Enterprises need to know and be able to identify the people that use their systems.
  2. Managing access to individual assets - Once identity is established, identities need to have access only to the assets they need to use.
  3. Logging and auditing their access - All access authentications and authorizations need to be logged and monitored for suspicious behavior.
  4. Reviewing access levels routinely - Privileged access needs to be reviewed in order to identify and correct changes in duties and access needs.
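As an added illustration of the four steps above (example code, not from the article), the script below runs each check over constructed data: a table of known identities with their entitlements, an authentication/authorization log, and a privileged-access review window. The identities, assets, log lines, dates and thresholds are all made up.

```python
"""Added example, not from the article: a small review of people assets that
walks the four steps above over constructed data. Identities, entitlements,
log lines and dates are all made up."""
from collections import Counter
from datetime import date

TODAY = date(2024, 3, 20)  # constructed "now" for the review

# Step 1 input: the identities we know, with what each one is entitled to use.
IDENTITIES = {
    "alice": {"entitled": {"crm", "hr-portal"}, "privileged": False, "last_review": date(2024, 1, 10)},
    "bob":   {"entitled": {"crm"},              "privileged": True,  "last_review": date(2023, 6, 1)},
    "carol": {"entitled": {"billing"},          "privileged": True,  "last_review": date(2024, 3, 1)},
}

# Step 3 input: constructed auth log (timestamp, identity, asset, decision).
ACCESS_LOG = """\
2024-03-20T08:01:00 alice crm allow
2024-03-20T08:02:00 mallory crm deny
2024-03-20T08:02:05 mallory crm deny
2024-03-20T08:02:10 mallory crm deny
2024-03-20T09:15:00 bob hr-portal allow
2024-03-20T09:16:00 carol billing allow
"""

def review_access(identities, log_text, today, review_days=90, deny_threshold=3):
    """Return one finding list per step: unknown identities, access beyond
    entitlement, suspicious authentication, and overdue privileged reviews."""
    findings = {"unknown": set(), "beyond_entitlement": [], "suspicious": [], "review_overdue": []}
    denies = Counter()
    for line in log_text.splitlines():
        _ts, who, asset, decision = line.split()
        if who not in identities:                       # step 1: do we know this person?
            findings["unknown"].add(who)
        elif decision == "allow" and asset not in identities[who]["entitled"]:
            findings["beyond_entitlement"].append((who, asset))   # step 2: least privilege
        if decision == "deny":                          # step 3: audit failed attempts
            denies[who] += 1
    findings["suspicious"] = sorted(w for w, n in denies.items() if n >= deny_threshold)
    for who, ident in identities.items():               # step 4: periodic privileged review
        if ident["privileged"] and (today - ident["last_review"]).days > review_days:
            findings["review_overdue"].append(who)
    return findings

def run_review():
    """Run the review over the constructed data."""
    return review_access(IDENTITIES, ACCESS_LOG, TODAY)
```

Each finding maps back to one of the four categories, so the output doubles as a checklist of which category an enterprise is failing to cover.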

Process Assets

Just as important as the people involved in systems, enterprises need to document, store, and improve operational processes within the enterprise. These processes are what help us identify vulnerabilities, maintain business continuity, and know what to measure to increase operational productivity.

  1. Customer processes and experiences - Knowing the customer journey and the key interactions is the root of understanding what you need to measure to protect your customers' identities and assets.
  2. Operational processes - Knowing and documenting the operational and engineering processes in your enterprise helps identify vulnerabilities and points of failure in your value streams.
  3. Policies and standards - Organizational guardrails and patterns for operating securely.

Technology assets

Our technology assets are the functional items that people use to automate the processes we have defined. Technical assets allow enterprises to manifest process patterns into reality to support our customers and people assets. There are many different types of technology assets, but I see these major categories:

  1. Applications (edge and core) - Applications come in all shapes and sizes. They are deployed into many different environments, each with its own risks.
  2. Cloud assets - Cloud assets are what people assume is all cybersecurity needs to monitor, but in reality they are just the edge. Cloud security is typically made up of the cloud subscriptions that your enterprise owns. It's often difficult to "find them all!" It is nonetheless the starting point for most cybersecurity asset inventories. In addition to uncovering your assets, managing new subscriptions and adding them to your asset inventory will need to be added to your corporate provisioning policies and enforced by compliance teams in their reviews.
  3. SaaS assets - As we move to the cloud, more and more of the services we use are from third parties and hosted by them. These assets have unique monitoring needs due to their shared nature.
  4. On-premise devices and networks - On-premise devices such as servers and computers also need to be part of your cybersecurity strategy. Making sure patches are applied and access roles are monitored is no easy feat. These holes are often the gateway into corporate systems because we expect the devices to be protected.
  5. User devices - User devices make up the majority of the communication tools we use today. We use laptops and mobile phones on the go to stay connected to our teams and customers. These devices are often where we store the keys and passwords to corporate systems. Aside from keeping operating systems up to date and security patches applied, we need to be certain that we connect to trustworthy wireless networks, we don't open malicious emails or click on malicious links, and we don't just flat out lose the device. Monitoring this unruly group is something that should keep you up at night.
  6. Data storage - Data could be a subset of cloud, on-prem, or a SaaS service, but data is perhaps our most valuable asset and deserves individual consideration. Customer data, employee data, corporate data, financial transactions, and many more types reside in our stores. Data is what drives sales, decisions, and essentially your corporation. Protecting that data is both highly important and even regulated based on residency. This growing and complex set of requirements on data, how it's categorized, how it's encrypted, and what country or region it is stored in provides a technical challenge ripe for opportunists to take advantage of.

Where do we start

We start with our assets. This is usually a large undertaking. There are most likely multiple centralized locations for different asset types. Often, the political challenge of developing a centralized asset management system stops the effort dead here. It's not necessary to have all the assets in a single system, but it is important to be able to access the systems and monitor the assets within. From there we move to determining what threats apply and identifying who is monitoring with what tools.
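The point above, that assets need not live in one system as long as each system of record can be read and monitored, is shown in this added example (not the article's or any vendor's code). It merges constructed exports from a cloud provider, a SaaS admin console and an on-prem device list into one normalized view and reports the inventory gaps the technology-asset list warns about; all source names, fields, hostnames and dates are made up.

```python
"""Added example, not from the article: reconcile asset records from several
systems of record into one view and list the inventory gaps. All records,
field names and dates are constructed for illustration."""
from datetime import date

TODAY = date(2024, 3, 20)  # constructed "now" for the review
# Each source hands records out in its own shape; that is the normal case.
CLOUD_SUBSCRIPTIONS = [
    {"subscription_id": "sub-001", "owner": "payments", "tags": {"inventory": "yes"}},
    {"subscription_id": "sub-002", "owner": "", "tags": {}},          # nobody owns or tracks it
]
SAAS_TENANTS = [
    {"vendor": "crm-vendor", "admin": "alice", "sso": True},
    {"vendor": "file-share-vendor", "admin": "", "sso": False},       # outside central identity
]
ONPREM_DEVICES = [
    {"hostname": "db01", "team": "data", "last_patch": "2024-03-01"},
    {"hostname": "fileserver9", "team": "ops", "last_patch": "2023-11-15"},
]

def normalize(cloud, saas, onprem):
    """Map every record to a common shape: type, id, owner plus type-specific facts."""
    assets = []
    for s in cloud:
        assets.append({"type": "cloud", "id": s["subscription_id"], "owner": s["owner"],
                       "tracked": s["tags"].get("inventory") == "yes"})
    for t in saas:
        assets.append({"type": "saas", "id": t["vendor"], "owner": t["admin"], "sso": t["sso"]})
    for d in onprem:
        assets.append({"type": "onprem", "id": d["hostname"], "owner": d["team"],
                       "last_patch": date.fromisoformat(d["last_patch"])})
    return assets

def inventory_gaps(assets, today, max_patch_age_days=60):
    """Return (asset_id, gap) pairs a posture review should chase down."""
    gaps = []
    for a in assets:
        if not a["owner"]:
            gaps.append((a["id"], "no accountable owner"))
        if a["type"] == "cloud" and not a["tracked"]:
            gaps.append((a["id"], "cloud subscription missing from inventory"))
        if a["type"] == "saas" and not a["sso"]:
            gaps.append((a["id"], "SaaS tenant outside central identity"))
        if a["type"] == "onprem" and (today - a["last_patch"]).days > max_patch_age_days:
            gaps.append((a["id"], "patch overdue"))
    return gaps

def find_gaps():
    return inventory_gaps(normalize(CLOUD_SUBSCRIPTIONS, SAAS_TENANTS, ONPREM_DEVICES), TODAY)
```

The gap list is the input to the next step in the article: deciding which threats apply to each asset and who is monitoring it with what tool.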

Once we know our assets, we can start building a security posture. There are a variety of security and cybersecurity frameworks that can be used to determine the capability, maturity level, and gaps within the organization. Doing a NIST security assessment is certainly a necessary first step. The outcome of identifying our less mature or nonexistent capabilities will vary depending on the enterprise, the product market, and the geolocation. As part of the assessment, a collection of initiatives is built out, but how do we organize 128 capabilities in a corporation? How big is your cybersecurity department going to be? How are those capabilities going to be divided up?

Who should be involved

Determining a cybersecurity posture involves security, risk, and compliance teams, and business units. They need to come together to build out a framework of cyber threats: who is responsible to monitor and remediate, who is responsible to protect, and who judges for the business whether the risk meets the standards. As this progresses, many more individuals will need to be activated to determine specific processes; however, to get started with the high-level threats, these teams should be enough.

Types of Cybersecurity Posture Management

After you understand your assets, it's off to determine how you want to continuously monitor the risk of each type of asset. These six postures align with the technologies you need to protect. Each technology needs governance, policies, and guardrails to help your people act appropriately within defined standards.

  1. Cloud Security Posture Management
  2. Application Security Posture Management
  3. Data Security Posture Management
  4. Identity Access Management Posture Management
  5. Network Security Posture Management
  6. Device Security Posture Management

Each of the six cybersecurity postures is important enough to deserve its own post…


Articles in my series “Building Your Cybersecurity Posture”

Article 1 - 13 Asset Types to Build Your Cybersecurity Around

Article 2 - 6 Categories of Cybersecurity Posture

Article 3 - Posture One: The Three Streams of a Cloud Security Posture

Article 4 - Posture Two: Application Security Posture Management

Article 5 - Posture Three: Data Security Posture

Article 6 - Posture Four: The Three Focuses Enterprises Need for Their Identity Access Management Posture

Coming soon

Article 7 - Posture Five: Network Security Posture

Article 8 - Posture Six: Device Security Posture

Article 9 - The Future of Securing Your Assets in a Decentralized Cloud


Group Captain Ashok Kumar (IAF Veteran)

IAF Veteran | IT Leader | Cyber Security Specialist | Learner for Life | Research Scholar

3 years

Beautifully described. Thanks David Matousek
Informative and comprehensive. Thank you...for sharing this "very well done" effort!
Khurram Haroon

Software Architect|Microservices specialist, Domain-Driven Design coach, Effective mentor|I help teams with cloud adoption & migration

3 years

Thanks for the nice write-up. It helped me learn about "Cybersecurity Posture". I did not come across this term before. Now I feel a bit more educated! What you are advocating covers security concerns pretty well, that is CIA (Confidentiality, Integrity, Availability).

Meghan Mahoney

AppSec | SCA | SBOM | Software Supply Chain Security | Open Source Security | Sales | Biz Dev | Partnerships

3 years

Well said Dave!