To conclude my three-part series on security planning, I chatted with Sean Michael Kerner, a highly regarded security reporter for eWeek (and a former colleague).
Sean had some interesting things to say about preparing for the year ahead—and good security practices in general. New security solutions to address the latest threats are always appearing, and Kerner says they are worth looking at, but he emphasizes the need to take care of the basics first.
“Let’s talk about patching. It sounds trivial, but it’s really important,” he says. “Week after week there are infections and breaches that could have been prevented by the most recent patch to address known vulnerabilities in the browser or with, say, Flash. People think they’re up to date, but often they’re not. You need to be diligent and check. It’s very much like disease prevention; I compare it to proper hygiene.”
Kerner routinely audits his own systems even though a lot of software is supposed to update automatically because “it doesn’t always work.”
He also suggests that companies consider the new breed of automatic patching and control systems: patch-management solutions you can drop in at the gateway or network level and enforce as security-as-a-service, in a branch office for example.
Without conceding he totally believes it, Kerner is willing to posit there may be some validity to the saying that there are two kinds of companies—those who have been breached and those that don’t know they’ve been breached.
“Let’s say that’s true, or let’s at least assume there’s a good chance you will be breached whatever preventative measures you have in place,” says Kerner. “The most important thing then is your time to detection and remediation, because that’s the difference between something manageable versus something far more serious.”
In the mainstream media coverage of security breaches, the impression is often given that it was like a physical break-in—as if thieves came in overnight and robbed the company. In fact, as Kerner points out, breaches typically happen over weeks and months. It can start with a bad actor poking around to find a vulnerability and eventually getting privileged access to certain systems. Time goes by as he or she snoops around to see what’s available and starts ripping off information, first on a small scale and later a larger one, unnoticed until it’s too late.
“Remediation is key,” says Kerner. “If your organization is on the ball, they’ll see someone has access that shouldn’t. If you can catch the bad guy in the first day or two and stop it, you’ve dodged a major bullet. So yes, that could be a case of a company that’s been breached, but it will never get written about because there was no serious impact.”
How Many Security Products Do You Need?
Kerner questions the widely reported stat that enterprises use 30 or more distinct security products.
“I have no doubt companies use multiple tools,” he said, “but I think it’s overstated. When they survey these folks in IT they might ask what vendors they use, but that doesn’t mean they’re all used concurrently.”
Regardless, he emphasizes that it’s not a question of fewer or more security products, but of how you manage them.
He says organizations must have a dashboard or “central choke point” to see where all the data flows. Regardless of how many security products you have, he says, what matters more is how well they work together.
That’s good advice for any time of the year.