Saryu Nayyar | security.toolbox.com
In the current business environment, organizations are doing everything in their power to avoid being breached. Yet attackers still get past defenses and steal proprietary data, because no security solution is foolproof. Saryu Nayyar, CEO of Gurucul, provides an overview of five major but commonly overlooked security gaps and how to tackle them so that organizations emerge in fighting form post-pandemic.
While every organization is different, when it comes to IT security there are five gaps that virtually all companies share. To understand these, consider the following basic truths.
- First, no security solution is 100% effective all the time.
- Second, new threats are constantly emerging.
- Third, not all security gaps are obvious and as such are easy to overlook.
And finally, it’s important to recognize how security gaps originate. Taken together, these truths mean that virtually every organization is faced with processing far too many alerts while lacking the context required for automation to be effective.
1. The Unknowns
The first major gap is what we call the unknown unknowns, or you don’t know what you don’t know. Even with the right processes and tools in place, it’s not uncommon for threats to slip through the cracks. The challenge in addressing this gap is being able to identify the devices, people, and relationships between them as well as permissions that already exist but may not be apparent.
Work environments are in a constant state of evolution. The rise of mobile work, especially due to the COVID-19 crisis, has changed how people access IT resources and how they expect to get things done. Securing mobile devices can be a challenge when the security team has little in-depth control of employee devices and may not be entirely sure which devices are in use. Personal devices are another challenge, especially when people are connecting to the corporate network over VPN from home systems.
Meanwhile, the use of IoT devices has been proliferating in many organizations. Even with minimal computing resources, they are attractive targets since they often are plagued with security vulnerabilities which are rarely patched and often ignored.
In addition, people can also fall into that unknown category. For example, how do we know the risks an insider poses to the organization? Are they preparing to leave for some reason? Have they used their privileges to access sensitive information not needed for their job? What about insiders who are actively trying to harm the organization? Internal threats can be hard to identify and harder to contain. Threats from trusted outsiders can be equally vexing, like a contractor or temporary worker who is funneling information to a competitor.
2. Extracting Actionable Intelligence from Multiple Data Sources
The second gap is extracting actionable intelligence from the many security tools and data sources an organization already has. These usually provide different information in a variety of formats and assign distinct priorities. Consolidating and correlating this information can be a real challenge. Additionally, it can be hard to recognize which information and context are important and just how to correlate it all. Did the system flag physical card access to the server room at a time when that same user was active on the VPN from outside the building? Usually, the answer is no. Instead, security analysts need to understand how each tool prioritizes the information it provides, which leads us to the next major gap.
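As an added illustration of the card-access/VPN correlation described above (example code written for this page, not Gurucul's product): two sources in different formats are normalized into one event schema, VPN connect/disconnect records are paired into sessions, and a badge entry to a sensitive door that falls inside the same user's VPN session is flagged. The badge-reader lines, VPN records, door names and field layouts are constructed assumptions, not output of any real product.

```python
"""Normalize two differently formatted log sources and correlate them.

Added example, not the article's or Gurucul's code. The CSV-style badge
log, the JSON VPN log and their field names are constructed assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: physical access control export (ts,user,door,result).
BADGE_LOG = """\
2024-03-12T09:02:11Z,jdoe,SERVER-ROOM-A,GRANTED
2024-03-12T09:05:40Z,asmith,LOBBY,GRANTED
2024-03-12T13:47:03Z,asmith,SERVER-ROOM-A,GRANTED
2024-03-12T13:50:00Z,bwong,SERVER-ROOM-A,DENIED
"""

# Constructed sample: VPN concentrator export, one JSON record per line.
VPN_LOG = """\
{"ts": "2024-03-12T08:30:00Z", "user": "jdoe", "event": "connect", "src": "203.0.113.5"}
{"ts": "2024-03-12T10:15:00Z", "user": "jdoe", "event": "disconnect", "src": "203.0.113.5"}
{"ts": "2024-03-12T13:00:00Z", "user": "asmith", "event": "connect", "src": "198.51.100.7"}
{"ts": "2024-03-12T13:40:00Z", "user": "asmith", "event": "disconnect", "src": "198.51.100.7"}
{"ts": "2024-03-12T13:45:00Z", "user": "bwong", "event": "connect", "src": "198.51.100.9"}
"""


@dataclass(frozen=True)
class Event:
    """Common schema both sources are mapped onto."""
    ts: datetime
    user: str
    source: str   # "badge" or "vpn"
    action: str   # "enter", "connect" or "disconnect"
    detail: str   # door name for badge events, source IP for VPN events


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_badge(text):
    """Map badge CSV lines to Events; only GRANTED swipes prove presence."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, door, result = line.split(",")
        if result == "GRANTED":
            events.append(Event(parse_ts(ts), user, "badge", "enter", door))
    return events


def normalize_vpn(text):
    """Map JSON-lines VPN records to Events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            events.append(Event(parse_ts(rec["ts"]), rec["user"], "vpn", rec["event"], rec["src"]))
    return events


def vpn_sessions(events, now):
    """Pair connect/disconnect per user into (user, start, end); open sessions end at `now`."""
    open_since, sessions = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source != "vpn":
            continue
        if ev.action == "connect":
            open_since[ev.user] = ev.ts
        elif ev.action == "disconnect" and ev.user in open_since:
            sessions.append((ev.user, open_since.pop(ev.user), ev.ts))
    sessions.extend((user, start, now) for user, start in open_since.items())
    return sessions


def badge_during_vpn(events, now, sensitive_doors=("SERVER-ROOM-A",), slack=timedelta(minutes=5)):
    """Flag badge entries to a sensitive door inside the same user's VPN session.

    `slack` widens the session window to absorb disconnect-logging lag; it is a
    tuning assumption, not a value from the article.
    """
    sessions = vpn_sessions(events, now)
    hits = []
    for ev in events:
        if ev.source != "badge" or ev.detail not in sensitive_doors:
            continue
        for user, start, end in sessions:
            if user == ev.user and start - slack <= ev.ts <= end + slack:
                hits.append((ev.user, ev.ts, ev.detail, start, end))
    return hits


def run(now=parse_ts("2024-03-12T14:00:00Z")):
    events = normalize_badge(BADGE_LOG) + normalize_vpn(VPN_LOG)
    return badge_during_vpn(events, now)


if __name__ == "__main__":
    for user, ts, door, start, end in run():
        print(f"{user} badged into {door} at {ts:%H:%M} while on VPN {start:%H:%M}-{end:%H:%M}")
```

With the constructed data, only jdoe is flagged: the 09:02 server-room badge falls inside the 08:30 to 10:15 VPN session. asmith badged in seven minutes after disconnecting, outside the five-minute slack, and bwong's swipe was denied, so neither is reported. Neither source alone would have raised this; the finding exists only once both are in one schema.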
3. Prioritizing Investigations and Remediation Actions
Most organizations struggle with this because they lack a coherent view of threats and cannot easily identify subtle correlations between risk indicators, especially since each security application can assign a different priority to the same kind of event. While an experienced analyst will learn to recognize what’s most important in their environment, they still have to sort through the different priority levels they’re seeing. Lastly, each security product presents data in its own way, and when two products look very similar this can make things even more confusing: two graphs may look the same while reflecting different priority scales.
4. Privileged Access
The fourth gap, privileged access, is difficult to manage and is often abused. Granting excessive permissions and inherited profiles are the main culprits here. It’s a common practice to provision new users with the same privileges as existing users out of convenience, and it’s equally common to not revert permissions when someone moves into a new role. For example, consider the implications when someone is provisioned based on one of their peers’ permissions, and that colleague has changed roles three times while maintaining all of their inherited access privileges.
Dormant user accounts pose another significant risk. While deprovisioning accounts when an employee leaves the organization is a known best practice, sometimes it just doesn’t happen or gets put off because the departure is only supposed to be temporary.
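The peer-cloning and dormant-account problems above can be checked mechanically from an identity export. The following is an added example written for this page (not Gurucul's product): it compares each account's actual entitlements against a least-privilege baseline for its current role, and flags active accounts with no login in 90 days. The role baseline, the user records and the 90-day threshold are constructed assumptions.

```python
"""Access review: excess (inherited) entitlements and dormant accounts.

Added example, not the article's or Gurucul's code. ROLE_BASELINE, USERS
and the field names are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed least-privilege baseline: what each role is supposed to need.
ROLE_BASELINE = {
    "helpdesk": {"ad:reset-password", "ticketing:agent"},
    "dba": {"db:prod-admin", "vault:db-creds"},
    "finance": {"erp:gl-read", "erp:gl-post"},
}

# Constructed identity export. `entitlements` is what the account actually holds.
USERS = [
    {"user": "asmith", "role": "helpdesk", "status": "active",
     "last_login": "2024-03-10T08:00:00Z",
     "entitlements": {"ad:reset-password", "ticketing:agent"}},
    # Cloned from a peer who moved helpdesk -> dba -> finance and kept everything.
    {"user": "jdoe", "role": "finance", "status": "active",
     "last_login": "2024-03-11T09:30:00Z",
     "entitlements": {"ad:reset-password", "ticketing:agent", "db:prod-admin",
                      "vault:db-creds", "erp:gl-read", "erp:gl-post"}},
    # "Temporary" departure that was never deprovisioned.
    {"user": "bwong", "role": "dba", "status": "active",
     "last_login": "2023-10-01T17:45:00Z",
     "entitlements": {"db:prod-admin", "vault:db-creds"}},
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def excess_entitlements(user, baseline=ROLE_BASELINE):
    """Entitlements held beyond the current role's baseline (inherited or stale)."""
    return set(user["entitlements"]) - baseline.get(user["role"], set())


def is_dormant(user, now, max_idle=timedelta(days=90)):
    """Active account with no login inside the idle window."""
    return user["status"] == "active" and now - parse_ts(user["last_login"]) > max_idle


def review(users, now, baseline=ROLE_BASELINE):
    """Return (user, finding, details) tuples, one per issue found."""
    findings = []
    for u in users:
        extra = excess_entitlements(u, baseline)
        if extra:
            findings.append((u["user"], "excess", sorted(extra)))
        if is_dormant(u, now):
            findings.append((u["user"], "dormant", [u["last_login"]]))
    return findings


if __name__ == "__main__":
    for user, kind, details in review(USERS, parse_ts("2024-03-12T00:00:00Z")):
        print(f"{user}: {kind} -> {', '.join(details)}")
```

On the constructed data this reports jdoe holding four entitlements that belong to two former roles, and bwong as a dormant DBA account still holding production database access. The baseline is deliberately per-role; a person who legitimately holds two roles would need the union of both baselines, so the output is a review queue for a human, not an automatic revocation list.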
5. Third-Party Access
The final gap is third-party access, which can easily go unrecognized. We’re all familiar with high-profile breaches that were made possible when an attacker compromised the credentials of an outside vendor with access to the organization’s network. With so many third parties having access to an organization’s IT infrastructure via integrations with on-premises and SaaS applications, it can be difficult to identify threats originating from trusted external users, let alone mitigate them.
While there is no silver bullet that can fill all the gaps, applying analytics to existing security data sources can go a long way towards exposing unknowns and mitigating the gaps. Ingesting intelligence from an organization’s existing security infrastructure can help provide a more complete picture of risks. Meanwhile, unifying disparate data sources and normalizing their outputs enables broad analysis that can tease out subtle relationships and signs of compromise that otherwise wouldn’t be apparent.
About the Author
Saryu Nayyar is CEO of Gurucul, a provider of unified security and risk analytics technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an enterprise role-management start-up acquired by Sun Microsystems. She has held leadership roles in product strategy for security products at Oracle and Sun Microsystems. Saryu also spent several years in senior positions at the IT security practice of Ernst & Young.