The Three Stages of Security Hygiene: Framework

In the second installment of our three-part series, Tanium CSO David Damato explores how to use risk-based frameworks to build a mature and sustainable cybersecurity program.

When building a cybersecurity program, many organizations focus only on prevention. In theory this sounds great. But, in my experience, focusing only on prevention actually increases your chances for a major breach, as any attacker able to bypass initial preventative controls is left completely unchecked.

As a result, if you’re not using a cybersecurity framework to address a range of security hygiene activities, you’re asking for trouble.

In part one of this series, I discussed how understanding the state of your current environment could help you identify gaps in critical security controls. Doing so results in quick wins to improve security hygiene through your existing investments. The next step is to broadly address cybersecurity activities, including all areas of security hygiene, by adopting a leading cybersecurity framework.

Using a framework offers many advantages, including:

• Ensuring your activities are balanced across relevant security activities, not only prevention or detection;
• Providing a flexible structure which can grow and adapt with any organization;
• Easing your ability to address various legal and regulatory requirements; and
• Helping to define a common language so you can better communicate with peers who use similar frameworks.

There are many frameworks from which to choose. The most popular examples include the NIST Cybersecurity Framework (CSF), ISO 27001, and COBIT.

Using a cybersecurity framework to broadly address hygiene

The leading cybersecurity frameworks address a broad range of activities that define an information security program. This includes basic security hygiene, such as maintaining an inventory of systems and software and patching systems in a timely manner.

To implement a cybersecurity framework, most organizations will perform a gap assessment, risk assessment, and implementation plan. A gap assessment is used to map the current state of information security controls with a defined framework. If you’ve already performed a gap analysis against the CIS Critical Security Controls or SANS Top 20, you’ll find some of the work has been completed. The result is an understanding of the current state of your information security program, in addition to major weaknesses or gaps with the defined framework. The next step is to perform a risk assessment to determine the likelihood and impact of a specific security event. The risk assessment results determine how an organization defines its target state. With a completed gap analysis and risk assessment, an implementation plan defines how an organization plans to move from its current state to a target state aligned with the defined risk profile.

The three primary components to any implementation plan are people, processes, and technology. You will need the right people and skills to meet your target state. Well-documented and practiced processes will ensure activities are repeatable and risk informed. But technology really brings it all together by integrating people and supporting processes through automation of important tasks, driving more efficient operations, and allowing your team to scale.

Investing in the right technologies for your cybersecurity framework

When making new security investments, most organizations struggle with prioritizing needs and selecting the right technologies to address those needs.

You can prioritize security investments by considering the following two attributes of a specific need: risk and dependencies. Prioritize high-risk needs first, as determined by the risk assessment performed. However, like most organizations, you’re likely to have many “High” risks. To prioritize among “High” risks, organizations should consider dependent or prerequisite requirements.

A dependency is similar to a hierarchy of needs and describes the capabilities required for successful execution of other, higher level, capabilities. For example, suppose your asset management database and threat hunting program are ineffective, which presents a significant risk to your business. In this case, you can’t develop a successful threat hunting program until your security team understands the assets they are defending.

The second challenge faced by many decision makers is how to select the right technologies to address required capabilities within a given framework. Beyond testing requirements as part of a POC, decision makers should align existing and proposed technologies with each capability within the selected framework. You will find some solutions address many components of a framework, while others may only satisfy a single activity. Your aim should be to invest in the smallest number of solutions which address the most needs and will position you to achieve the target capabilities required.

Why do I place such emphasis on limiting the number of solutions? It’s simple: purchasing too many solutions is expensive and introduces complexity, especially when your tools have considerable overlap in features and functionality. Complexity increases risk by expanding the attack surface, burdens your staff, compounds support costs, and creates silos of data that require integration.

How our customers use Tanium to address cybersecurity frameworks and improve security hygiene

Our customers use Tanium to address many of the requirements in leading frameworks, even beyond activities generally considered part of security hygiene. Overall, Tanium addresses capabilities required in all five functions identified in the NIST Framework Core and ISO 27001. Tanium can help organizations align with major components of leading cybersecurity frameworks, as the following examples illustrate:

• A major financial institution used Tanium Discover to significantly increase the accuracy of its asset and software inventory.
• An entertainment company used Tanium Comply to improve endpoint security by identifying and remediating vulnerabilities and variations with defined security baseline configurations standards.
• A large health insurer used Tanium Core to identify domain accounts with inappropriate privileges on workstations and servers, reducing the potential for lateral movement by attackers.
• A major retailer used Tanium Detect and Tanium Trace to speed up the ability to investigate and remediate incidents, allowing responders to go from detecting to fixing an event in less than an hour.
• A government agency used Tanium Patch to identify and rapidly patch tens of thousands of vulnerabilities across a global network.

Building a sustainable and mature cybersecurity program requires alignment with an industry-leading framework. Tanium, with an expanding portfolio of products, helps customers address many of the activities defined by cybersecurity frameworks while reducing the complexities and cost of supporting multiple solutions.

Hopefully you’ve already begun your journey by using the steps outlined in part one of this series, and are weighing the guidance on aligning investments with a cybersecurity framework to address security hygiene. My next post will explore how to continuously monitor the effectiveness of ongoing hygiene activities, using meaningful and measurable performance indicators.

---

About the Author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations, and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.