Keys to Working Smarter Not Harder in Cybersecurity Part 5 of 5

Welcome to the last in the series - part 5 of a discussion about working smarter not harder in cybersecurity. We'll look at:

  • How to tackle huge tasks with bite-sized chunks and baby steps
  • What to do instead of trying to defend everything when priorities compete

Baby Steps and Less is More

It’s been said that a long journey begins with a single step.  It’s also been said that to eat a large steak, you have to do it one bite at a time.  Remember the movie “What About Bob?”  Baby steps, folks.  Small, incremental progress on important things like low-hanging fruit is key.

A “Less is More” philosophy should be the basis of a better approach to cybersecurity.  “Try softer” rather than “try harder” is another important strategy.  Trying too hard usually backfires and creates too much friction.  All of these are behavioral patterns on the human and process side of things.

For example, why try to implement 30 items in a STIG checklist when an attack tool like Mimikatz, used in most attacks, may be disrupted by only a couple of configuration changes that break 80% of these attacks?

If one closes just those items, one disrupts a major step in the attack chain of most attacks.  Sure, an attacker can re-enable them, which is why such steps must be layered rather than relied on as single solutions.  Yet how many have not even made the simple change of applying some anti-Mimikatz policies?

If one does this against, say, 3 attack tools, resulting in 5 STIG items versus 30, this becomes a highly focused line of effort and is much better than trying to focus on too many items across 1000 endpoints.
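The post refers to "a couple configuration changes" and "anti-Mimikatz policies" without naming them. As an added example, not code from the original post, the PowerShell below is a read-only audit of two well-known Windows credential-protection settings that commonly appear in such a focused subset: WDigest cleartext credential caching (UseLogonCredential) and LSA Protection (RunAsPPL). The registry paths are real Windows settings; the choice of these two as "the" focused items is my assumption for illustration, and the script only reads the registry and reports drift, it changes nothing.

```powershell
# Added example, not from the original post. Read-only audit of a small,
# focused subset of credential-protection settings on a Windows host.
# Run in an elevated PowerShell session so HKLM reads are not blocked.
# The check list is an assumed, illustrative subset of a larger baseline.

$Checks = @(
    [pscustomobject]@{
        Name      = 'WDigest does not cache cleartext credentials'
        Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        ValueName = 'UseLogonCredential'
        Expected  = 0
    },
    [pscustomobject]@{
        Name      = 'LSA runs as a protected process (RunAsPPL)'
        Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        ValueName = 'RunAsPPL'
        Expected  = 1
    }
)

function Get-RegistryValueOrNull {
    # Returns the value stored at Path\ValueName, or $null when the key or
    # the value does not exist (both are common on unmanaged hosts).
    param([string]$Path, [string]$ValueName)
    try {
        $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction Stop
        return $item.$ValueName
    } catch {
        return $null
    }
}

function Test-HardeningSetting {
    # Compares one check against the live registry and emits a result object
    # that can be filtered, exported to CSV, or shipped to a SIEM.
    param([pscustomobject]$Check)
    $actual = Get-RegistryValueOrNull -Path $Check.Path -ValueName $Check.ValueName
    if ($null -eq $actual) {
        # An absent value means the OS default applies; treat it as drift so a
        # human confirms the default for that OS build rather than assuming it.
        $compliant = $false
        $shown = '<absent>'
    } else {
        $compliant = ($actual -eq $Check.Expected)
        $shown = $actual
    }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Setting   = $Check.Name
        Expected  = $Check.Expected
        Actual    = $shown
        Compliant = $compliant
    }
}

$results = $Checks | ForEach-Object { Test-HardeningSetting -Check $_ }
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduler or configuration-management tool
# flag this host as drifted from the focused baseline.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

The point of the script is the shape of the work, not the two settings: a short list of high-value checks, each with an expected value, run across the fleet and reported as drift, is something a small team can actually keep green, whereas a full baseline audit tends to produce a report nobody acts on.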

It’s better to avoid diminishing returns from worst-case theories and “hard work” applied to everything, which dilutes the most critical areas and key resources.  Focus on what matters most.  Start by looking at what is actually used in attacks, and work from there.  That requires cyber threat intelligence.

Bite-sized Chunks

This approach breaks cybersecurity projects and tasks into more palatable bite-sized chunks, so benefits arrive sooner than expected.  The same applies to security baselines.

Applying full baselines to all assets takes too long and focuses on too much.  It also requires more resources than most teams have.  It's like replacing an entire door versus applying oil to specific hinges.  Both achieve the same result, but one requires a lot of hard work and heavy lifting, while the other needs only a quick but precise adjustment and less time, cost and resources.

Saying “apply a full STIG or CIS baseline configuration” or “patch everything” is not realistic for all assets.  Use more selective groups and focused assets; break this down.  For example:

  • Full or select STIG for Internet-facing assets (for example, all high and select medium items)
  • Full or select STIG for domain controllers
  • Strong anti-exploit, DEP, ASLR, AV, EDR, firewall and browser security for user endpoints
  • All other assets, servers and controls, based on risk group and firewalled / segmented VLANs

In trying to defend everything…

Remember, prevention-based configuration baselines run to hundreds of pages for each asset type.  Such an approach is not realistic in today’s busier-than-ever environments.  STIGs have improved over the years and some of this is not nearly as bad as it used to be, but a risk-based approach is still needed.

There is a better way, and one way is to follow a concept called “precision engagement,” aka “laser focus” on the most important things rather than on everything.  I will talk about precision engagement in cybersecurity in a future article.  Stay tuned for more.

In trying to be too thorough and defend everything, we may end up defending nothing, as one Prussian military strategist warned a few hundred years ago.  The principle of "Precision Engagement for Cyber Defense" is important in this regard.

Summary of 12 Key Cybersecurity Takeaways from this 3-part series:

  • Understand the nature of cyber and how it differs, in order to know how to defend
  • Cybersecurity is a wicked problem that must be dealt with carefully
  • Prevention-based security has failed us; focus on detection, hunt and response
  • Build an adaptable, agile capability, because things change quickly in cyber
  • Don’t try to defend everything, or you could end up defending nothing
  • Work smarter, not harder; this is most critical in cybersecurity
  • Perfectionism and thoroughness can drag down a good cyber defense
  • Laser focus is key: "do the right things", not just "do things right"
  • Speed and precision are crucial while focusing on the right things
  • Avoid diminishing returns; know when to move on
  • Baby steps and small, incremental progress are key
  • Keep things short, simple and precise (not just concise)

I hope you gained some valuable insights from this 5-part series on Keys to Working Smarter Not Harder in Cybersecurity.

Subscribe and stay tuned for more!

#Cybersecurity #LessIsMore #Infosec #WickedProblems - CYBER Y'ALL! - @CyberYall
