How to integrate IT security in a company, or: The five pillars of IT security

(https://unsplash.com/photos/tRxA9tpnbKM)

Let’s face it:

Every company’s IT infrastructure can and will be the target of hacking. It is not a question of if it will happen, it is a question of when and how.

There are far too many threat actors out there, starting with automatic bots that scan every IP address and port, trying to find general vulnerabilities. These attacks may not even be targeted directly at you; hitting your company might be collateral damage. The best – or worst – example is the hacking of the Uniklinik Düsseldorf (UKD) in September 2020 – a hacking case with deadly consequences that was aimed at another target altogether.

Apart from automatic bots, there are several persons and groups with many different kinds of malicious intent. From the thrill or fun of breaking into a network, to the usage of computing power to mine digital currencies like Bitcoins, to direct financial gain (e. g. data theft or ransom), to espionage, to crippling or destroying competitors with denial of service attacks (DoS), up to nation state actors with political agendas – everything is possible.

Some say there are only two kinds of companies: Companies that have been hacked – and companies that don’t know that they have been hacked.

The threat is real.

And since nearly every company today depends on a working and interconnected IT infrastructure, one would expect that everyone takes the necessary steps towards security, right?

But that is obviously not the case, as we must see in our daily work.

Why are companies not preparing?

Most managers would agree, when asked, that IT security is highly important. But in contrast to that, a lot of companies don’t have the measures needed to respond to an attack, or even detect it at all.

The probably most important reason: money. IT security costs a lot of money. For a large medium-sized company with an upper four-digit amount of employees, yearly costs will easily exceed one million euros. A fully equipped Security Operation Center (SOC) needs at least 9 to 12 people 24/7, and that is not the end of it .

There are other costs for which a company is willing to pay much more than that. Why is IT security oftentimes neglected? Why do IT departments not implement the necessary means to be prepared?

I am sure that it is not a technical problem. The solutions, the answers to threats, exist.

It is mostly a management problem

First of all: A lot of managers don’t really understand the severity of the threat. They simply don’t have the technical experience. So they stick to platitudes they repeat without really believing in them.
Or they do understand, but do not want to accept the usability implications which IT security often brings, if not astutely applied. Having to use a complex password with multi-factor authentication (MFA) is much harder than just typing “1234” or “admin123” to log into a device.

This behaviour is dangerous

A successful adversary attack on a company’s environment can be very expensive. The cost of a major data breach can easily sum up to a 6, 7 or even 8-digit figure. Not counting in the possible fines from violating GDPR or other regulations.
The attack can even cripple the IT infrastructure to the extent of taking the company completely out of business. Just ask yourself – right now while you’re reading: How long can your business processes continue only supported by paper?

(https://unsplash.com/photos/dYEuFB8KQJk)

In extreme cases, the impact of an attack can even literally kill someone, as mentioned above. No one in a company wants to deal with law enforcement and courts. You must do something.

But IT security cannot simply be added to an existing infrastructure. It’s not a product you can just buy and install. “Please make all the features first, we can add security later”, isn’t going to work. Not at all.

The five pillars of IT security

Instead, IT security must be integrated into an organization to be effective. It cannot just be an additive.

Good IT security must consist at least of these five elements:

Visibility

(https://unsplash.com/photos/rP163xbayY4)

A company must be able to detect and trace an inflight or ongoing attack. That means, the complete technical infrastructure must be attached to a sensory system. Oftentimes, this means having software agents running on every laptop, desktop computer, server, firewall, router, switch, and all the other components that make up your network. Each system must be able to detect abnormal behaviour and report everything that is going on. Interestingly enough, Windows 10 has lots of it already built in. But most of the switches are set to “off”. Maybe because of compatibility issues, I don’t know.

All log files, events and reportings should then be consolidated in a system that is called a SIEM (Security Information and Event Management). A SIEM can correlate logs and detect further abnormal behaviour that would go undetected when only observing a single machine.

You can imagine, a SIEM requires a lot of storage. Collecting the log files of every computer and storing them for days or weeks sums to multiple Terabytes. But it’s worth it.

Of course, you also need people that watch these systems around the clock. In a Security Operations Center (SOC) this is normally called SOC Level I and consists of at least three shifts of trained personnel that monitor the alerting systems and do first investigations.

Investigation

(https://unsplash.com/photos/d9ILr-dbEdg)

In case of a finding, someone must assess the situation. A SOC normally sees much more false alerts than real ones. The “false positives” must be identified and closed. This is called triage.

If the SOC detects a real attack, they switch to incident response mode. That means analyzing and understanding the behaviour of the attacker and taking action against them.

This is called SOC Level II. It requires a lot of security knowledge combined with deep insights into the company’s IT systems. A SOC needs to know which systems are critical and which aren’t, what can be turned off easily and what must be protected at all costs. For that, a SOC needs a BIA (Business Impact Analysis) ready at hand.

Fulfillment

(https://unsplash.com/photos/IuLgi9PWETU)

One could think, SOC I and SOC II seem to be sufficient organizational groups for an incident. But every SOC can only be as effective as its plans are actionable by the IT department. If the SOC orders to cut the organization from the internet, there must be other people who can execute that order, know all access points, and switch them off. If the SOC needs, for example, critical information about the usage of a system or an image from a computer to investigate, the service fulfillment must be able to deliver quickly.

Without a functioning service desk a SOC can do nothing. A company needs a working ticket system, prioritization rules and trained personnel available to execute the tasks.

Governance

(https://unsplash.com/photos/Oalh2MojUuk)

Personally, I don’t like that word a lot. So let’s rephrase it: IT security must have a prominent place within the company – and not only within the IT department. A Chief Information Security Officer (CISO) must be installed, having lots of experience and an equal lot of power to decide and act. A CISO cannot always ask the board for approval – in case of an attack, there might be no time for that.

Additionally there must be security rules of how to protect the company. Which systems shall be configured how? What communication protocols do we need and what protocols shall be blocked? Into which segments will the network be divided? Does an employee in accounting need to access Powershell on a Windows system at all?

It is very important that a company does not simply install IT security as a “department of NO”. It’s not meant to be a gatekeeper who simply denies (insecure) solutions. Instead, a company needs to have an appropriate consulting team that helps everyone in IT (management, development, network and operations …) with their tasks. IT security departments and consultants are enablers – helping colleagues and projects to improve.

Finally, awareness for IT security is crucial. Every single employee must know the risks of phishing emails and how to detect them. Humans are still and will probably remain the single weakest link in the chain. A company needs to invest in them as well.

Threat hunting

(https://unsplash.com/photos/SYTO3xs06fU)

So, with the above in place – you are able to detect abnormalities, you actively investigate and take remediation action, you have guidelines and rules in place to comply with – it’s hunting season!

Time to establish an IT security threat hunting team! This team is often called SOC Level III. A SOC III looks actively and without current evidence for vulnerabilities and undetected threats. The goal is to constantly improve detection and mitigation, for example by testing established playbook strategies.

They perform, for example, penetration tests on the outside facing infrastructure, scan the internal network for wrongly configured machines or investigate access rights to find ways for lateral movement – paths that adversaries like to follow. A threat hunting team assumes the role of an adversary or malicious hacker to find weak spots before real hackers do.

IT security is an organizational issue

Every organization has to deal with the five elements mentioned above in one way or the other. No institution can afford to let IT security remain a non-critical aspect. It is business critical and it cannot just be added to an otherwise unchanged system. Instead, it must be woven into it.

Yes, it does cost a lot of money. But IT security is here “to protect and serve”. Having an alert SOC and an agile fulfillment organization can make the difference. They may prevent the hacking right at the beginning, instead of having hackers walking freely through your network, stealing data to put it on sale on the darknet and encrypting your servers to extort a ransom.

The earlier an organization begins establishing IT security, the more ahead of possible hackers they can be. In the end, it could save a lot of money.

In IT security incident response it’s like in classical business:
TIME IS MONEY.