Over the last twelve months, we have been focusing on getting Softcat's customers to think beyond the breach and adopt security strategies that enable them to get continual security benefit rather than short-term threat protection. This approach was neatly summed up by a customer, who was listening to a talk I was giving about security architecture, as "you're not saying anything new, just best practice defence-in-depth techniques". Now I'm not sure if the comment was meant to imply that I wasn't offering much value to the audience; however, I choose to take it as a compliment! For far too long the vendor security community has been guilty of layering more and more security solutions onto our networks, endpoints, servers and cloud in a bid to stop the dreaded breach. Yet how much of that has actually translated into real-world benefit for the organisations that purchase it? Now I should say that I am not implying that all security tools are useless; far from it. However, I do believe that customers should address security not only by applying tools but also (and first and foremost) by applying security within the system rather than to it.
WannaCry is a great example of this. It affected over 300,000 endpoints and disrupted a huge number of people across the world, including ATM systems in India, the healthcare system in the UK, and the rail network in Germany. One of the key pieces of data that came out of the WannaCry attack is that organisations are not doing the basics to protect themselves. I am still quite troubled by the sentiment that came from the security community that all of these organisations deserved to be compromised as they hadn't applied the patch that ultimately would have stopped WannaCry taking hold. I cannot argue with this position as they are academically correct; however, what does frustrate me is that nearly six months on we have not done more to help organisations fix these security fundamentals. Where was the outpouring of support, sharing the tools, processes or just our experiences? Organisations have used it to sell their wares as a point-in-time solution, rather than demonstrating how a given technology fits into a security strategy and helps a customer on an ongoing basis.
Remember the old adage about the two guys being attacked by a lion? One of them stops to put on his trainers; the other tells him that even with the trainers on, he won't outrun the lion. His reply is 'I don't have to outrun the lion – I only have to outrun you!'. Vulnerability management is really just a race in which you hope that you have patched your systems before someone else takes advantage of the published vulnerability. Even in some of the most mature organisations I speak to, critical patches are, at best, deployed within three days after in-depth testing by dedicated teams, something that most customers do not have the luxury of. They are still playing the same cat-and-mouse game as everyone else, albeit with more resources.
Now it is easy to moan about the state of things, as evidenced by the 450 words above; the harder part is to implement a solution. The great thing about this is that the solution has already been figured out, and has been for a number of years. Control frameworks are a very effective method of benchmarking your organisation's ability to cover the "basics". The Center for Internet Security (CIS) advises organisations to review twenty control areas and goes as far as to say that taking care of the first five will defend against 85% of typical cyber attacks. To support our customers, Softcat are offering a free assessment against the first five areas to see how well your organisation has implemented these controls. We will also provide guidance on the tools and processes your organisation can use to improve your baseline security. Now of course, some of these tools will be commercial offerings, but we will highlight all free options that are available to customers and explain why you would choose to pay for a commercial option. We don't think we can be fairer than that! To get you started, we are planning to run a number of webinars to show how these tools can be used to help in real-world scenarios.
The first of these webinars is scheduled for Wednesday 8th November, in which we will show how you can use system logging information and a SIEM tool to prove whether you have or haven't been impacted by malware. This is in response to the feedback we had from customers who were sending engineers across the UK or spending hours looking for traces of malware across the network.
If you would like to take advantage of the free control area review, discuss how you can make long-term Cyber Security investments, or provide feedback, please contact your account manager or fill in the form below.
We would love to hear any comments you have about this article!