What’s Lost in All the Buzz: 10 Cyber Essentials You Need before Machine Learning

IT security vendors often promote tempting cutting-edge technologies that claim to solve most of your cybersecurity issues. It is easy to get sucked in by buzzwords like UEBA (user and entity behavior analytics), AI (artificial intelligence), machine learning and advanced analytics, but a deeper look often reveals a harsh reality. Blind faith in vendors’ magic bullets takes you nowhere.

For example, suppose you had a bare minimum of security controls and then decided to invest in a machine learning solution to move you from zero to the highest level of security, as sometimes promised by marketers. You will need months if not years to feed it with loads of raw data and teach it to distinguish malicious behavior from normal — and it still won’t be able to address all the gaps in your security posture. That doesn’t sound like an efficient or cost-effective security project, right?

There is nothing bad about technological progress, but it is wise to start with fundamental controls and processes rather than tools, no matter how futuristic they are. IT security is about going from the simple to the complex.

A good place to start is Cyber Essentials, published by the UK National Cyber Security Centre. It is a set of basic technical controls designed to help organizations defend against common online security threats. They are achievable with fairly little effort and at low cost. Here are the five controls:

#1. Implement firewalls for a secure internet connection.

A firewall is a cornerstone of any network security strategy. The first line of defense, it creates a buffer zone between your IT network and external networks. A properly configured firewall should allow your users access to all the resources they need while keeping external attackers and malicious programs from getting into your network. In addition, firewalls ensure that sensitive resources (labs, production lines, etc.) do not have internet access unless necessary, so they cannot be discovered and attacked from the outside.

#2. Maintain secure configurations on your devices and software.

If you rely on the default settings for your devices and software, be ready to be breached. You should not rely on anything default under any circumstances. All default settings are known to attackers and therefore can be more easily compromised. Specific best practices include disabling guest accounts, removing unnecessary administrative accounts, and implementing strong password policies for all devices and user accounts. Also, consider multi-factor authentication for your most powerful user accounts.

#3. Control who has access to data and services.

Enforce a least-privilege model by ensuring that users have only the privileges they need to perform their jobs. Moreover, ensure that administrative accounts are used only for performing administrative tasks; admins should use their standard business accounts to perform general work and browse the web. By keeping privileges and access rights under control, you will reduce the risk to your assets if an account gets misused or compromised.

#4. Protect yourself from viruses and malware.

To prevent users from installing and running applications that might contain malware, use the following techniques:

  • Whitelisting — Create a list of trusted applications that are the only ones that can run on corporate devices.
  • Sandboxing — Isolate applications from critical systems and programs.
  • Deploying antivirus and antimalware software — Be notified when suspicious files are downloaded or processes are launched on your computers, and block them from being downloaded or run in the first place. Like firewalls, these applications are effective only if configured correctly.

#5. Keep software and devices up to date.

Attackers often exploit known vulnerabilities very rapidly, as in the case of the Equifax cybersecurity breach in 2017 that compromised the sensitive data of more than 145 million people, so it is essential to stay on top of patching. Be sure to verify the source and integrity of every update and then test it carefully in a non-production environment, exposing it to as many usage scenarios as possible, before deploying it in production.

In addition to these five controls from Cyber Essentials, I also recommend these five best practices:

#6. Implement and maintain internal network segmentation.

You cannot be certain that an attacker or malware won’t get through your perimeter. Therefore, you should consider splitting your network into segments. By separating groups of systems and applications from each other and limiting communication across the segments, you make it more difficult for an attacker to move throughout the entire network or for a malicious insider to access all of your critical data.

#7. Back up your systems regularly.

Like unicorns and Santa Claus, 100% security is a fairy tale. Security breaches do happen, and data gets lost, tampered with, stolen, encrypted and erased. To mitigate the damage, you should back up all your data. The golden backup rule is 3-2-1, which means saving at least three copies of the data: two that are local but on different media and at least one that is offsite. Plus, you should regularly test your backups to validate that data can be recovered. That way, you make sure that even if you experience an incident, your data remains usable.

#8. Know your data like the back of your hand.

You cannot protect what you do not know about, so it is wise to discover and classify the sensitive data in your organization on a regular basis. With this insight, you will be able to reduce the amount of sensitive data you have to monitor and secure, and be able to focus your security efforts on protecting your most valuable assets. Additionally, ongoing discovery will enable you to detect any sensitive data that surfaces outside of secure locations and any potentially harmful files that appear on your file shares, such as executables, installers and scripts. You should also audit the activity happening around your sensitive data.

#9. Conduct regular risk analysis.

Regularly analyzing your IT risks can help you significantly improve your cyber resilience and make other layers of your security more scalable and effective. However, the 2018 Netwrix IT Risks Report found that only 33% of organizations re-evaluate their IT risks at least once a year, which leaves the rest vulnerable to ever-growing threats. One reason that organizations recklessly neglect this process is that they think it is very complex, but you can start with a basic risk assessment that involves only eight steps:

  1. Find all valuable assets across the organization (e.g., servers, websites, software) and add the data discovery results from tip #8.
  2. Identify the potential consequences if a given asset were compromised (e.g., litigation, business downtime, data loss).
  3. Identify threats to your assets (e.g., natural disasters, system failure, accidental or malicious human actions) and estimate the likelihood of their occurrence (high, medium, low).
  4. Identify vulnerabilities (e.g., old equipment, unpatched software) and assess the likelihood of their exploitation (high, medium, low).
  5. Assess risk — the potential that a given threat will exploit a particular vulnerability (very high, high, medium, low, very low) — and estimate how much it will cost you.
  6. Create a risk management plan with all data you have collected.
  7. Create a strategy for IT infrastructure enhancements to mitigate the most acute vulnerabilities.
  8. Define a mitigation process for each vulnerability in case it is exploited.
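The eight steps above can be carried out with a small risk register. The following is an added example, not a tool or method from the original article: it assigns constructed numeric weights to the high/medium/low scales of steps 2-4, buckets the product into the five risk levels of step 5, applies an assumed cost heuristic, and orders the register into a mitigation plan (steps 6-7). All asset names and values are constructed.

```python
from dataclasses import dataclass

# Three-point scales from steps 2-4; the numeric weights are a constructed convention
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskItem:
    asset: str               # step 1: a valuable asset
    threat: str              # step 3
    vulnerability: str       # step 4
    threat_likelihood: str   # step 3: high / medium / low
    exploit_likelihood: str  # step 4: high / medium / low
    impact: str              # step 2: severity of the consequence
    asset_value: float       # constructed replacement or downtime cost

def risk_score(item: RiskItem) -> int:
    """Product of the three scales, ranging from 1 to 27."""
    return (LIKELIHOOD[item.threat_likelihood]
            * LIKELIHOOD[item.exploit_likelihood]
            * IMPACT[item.impact])

def risk_level(item: RiskItem) -> str:
    """Step 5: bucket the score into the article's five risk levels."""
    s = risk_score(item)
    bounds = [(2, "very low"), (4, "low"), (8, "medium"), (12, "high")]
    return next((name for limit, name in bounds if s <= limit), "very high")

def estimated_cost(item: RiskItem) -> float:
    """Step 5 cost estimate: asset value scaled by the score (an assumed heuristic)."""
    return round(item.asset_value * risk_score(item) / 27, 2)

def mitigation_plan(register):
    """Steps 6-7: order the register so the most acute items are treated first."""
    return [(i.asset, i.vulnerability, risk_level(i), estimated_cost(i))
            for i in sorted(register, key=risk_score, reverse=True)]

# Constructed sample register (not real data)
REGISTER = [
    RiskItem("file server", "ransomware", "unpatched SMB service", "high", "high", "high", 200000),
    RiskItem("lab workstation", "power failure", "no UPS", "medium", "high", "low", 5000),
    RiskItem("public website", "defacement", "outdated CMS", "high", "medium", "medium", 50000),
    RiskItem("backup tapes", "flood", "single storage site", "low", "low", "high", 30000),
]

if __name__ == "__main__":
    for row in mitigation_plan(REGISTER):
        print(row)
```

Step 8 (a response process per vulnerability) is a documentation exercise, so it is not modelled here; the plan output is the input to it.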

Regular IT risk assessment is the best way to stay on top of the threats your organization faces and minimize your risk exposure.

#10. Monitor the IT environment and user activity.

To be able to detect anomalous behavior and deviations from your security policies before they result in a security breach, you need to know what is going on across your IT infrastructure. The project of enhancing visibility into your environment can be divided into three stages:

  • First, you watch the activity of the most critical accounts (e.g., administrators, C-level business users).
  • Next, you create alerts for critical events and conduct regular change and access audits.
  • When your processes are mature enough, you can think about more complex technologies, such as machine learning or UEBA. They will help you spot deviations from normal activity and suspicious or critical changes. With this information at hand, you will be able to detect and respond to security issues faster, thus reducing the risks of operational disruptions and data compromise.
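The first two stages need no machine learning, only a list of critical accounts and a few rules over audit events. The following is an added example, not code from the original article: it parses a constructed audit log, watches the privileged and C-level accounts first (stage 1), and raises alerts for critical changes, for an administrative account doing general work such as web browsing (the separation recommended in tip #3), for admin activity from outside the expected jump hosts, and for repeated failed logons on a watched account (stage 2). Account names, host names and the log format are all constructed.

```python
import re
from collections import Counter

# Stage 1: accounts watched first (constructed names); admins are expected on the jump hosts
PRIVILEGED = {"adm_jane", "adm_raj"}
WATCHED = PRIVILEGED | {"ceo_mark"}
ADMIN_HOSTS = {"jump-01", "jump-02"}
# Stage 2: changes that are critical no matter who makes them
CRITICAL_ACTIONS = {"group_change", "policy_change"}

# Constructed line format: "<timestamp> user=<u> action=<a> host=<h> [detail=<text>]"
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) host=(?P<host>\S+)")

def parse_log(text):
    """Turn raw log text into event dicts, skipping lines that do not match the format."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def evaluate(events):
    """Apply the alert rules; returns (rule, user, timestamp) tuples in log order."""
    alerts, failed = [], Counter()
    for e in events:
        user, action, host, ts = e["user"], e["action"], e["host"], e["ts"]
        if action in CRITICAL_ACTIONS:
            alerts.append(("critical_change", user, ts))
        if user in PRIVILEGED and action == "web_browse":  # tip #3: admin account doing general work
            alerts.append(("admin_account_general_use", user, ts))
        if user in PRIVILEGED and host not in ADMIN_HOSTS:
            alerts.append(("admin_from_unexpected_host", user, ts))
        if user in WATCHED and action == "logon_failed":
            failed[user] += 1
            if failed[user] == 3:  # alert once, when the third failure is seen
                alerts.append(("repeated_failed_logons", user, ts))
    return alerts

# Constructed sample audit log (not from any real system)
SAMPLE_LOG = """\
2024-03-01T08:55:10Z user=adm_jane action=logon host=jump-01
2024-03-01T09:02:41Z user=adm_jane action=group_change host=jump-01 detail=added bob to Domain Admins
2024-03-01T09:15:07Z user=adm_raj action=web_browse host=ws-17
2024-03-01T09:20:00Z user=ceo_mark action=logon_failed host=ws-03
2024-03-01T09:20:06Z user=ceo_mark action=logon_failed host=ws-03
2024-03-01T09:20:15Z user=ceo_mark action=logon_failed host=ws-03
2024-03-01T09:31:22Z user=alice action=file_read host=ws-09
"""

if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only once rules like these are tuned and the audit trail is trusted does it make sense to feed the same events into a UEBA or machine learning product for the third stage.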

This list is not exhaustive. For example, you might want to also implement vulnerability management and security training sessions for employees. My key point is that there is no single technology or product that will solve all of your cybersecurity challenges, no matter how high-tech it is. The best way to improve your cybersecurity posture is to start with proven basic techniques and then move toward more complex solutions gradually.