We’ve been highlighting a number of the talks at Gartner’s security conference last month, including on the value of shifting right with security, risk-prioritized vulnerability guidance, and the principles of continuous security.
In this recap, we’ll profile Neil MacDonald’s presentation on the Top 10 Security Projects you should undertake this year. He led off the talk acknowledging we’re never “done” in security, and that it’s futile to try to build perfect security.
Neil also noted these 10 projects should follow getting all your security basics right – endpoint, patch management, SIEMs, and perimeter security to name a few. To build this list of 10 projects, Neil and the security team focused on what was accomplishable within the year, in terms of budget and people, and where you had options for supporting technology to help complete the project. They also prioritized projects with high business impact together with a high reduction in risk.
So let’s dig in!
#1 – Privileged Account Management
Neil noted that every organization out there has root access, administrative, and highly empowered accounts that make attractive targets for attackers. Tackling this project involves both making the access harder and performing behavior monitoring to detect unusual access.
#2 – CARTA-inspired Vulnerability Management
Neil referenced Gartner’s CARTA model (Continuous Adaptive Risk and Trust Assessment – we blogged on this topic a couple of weeks ago) and highlighted that, despite an ever increasing number of vulnerabilities being discovered, the number being exploited has remained constant. So his take-away is that you can’t keep up with patching against all those new vulnerabilities, so prioritize which ones you address.
This topic is near and dear to our hearts here at StackRox. Not all vulnerabilities are created equal – there’s a lot more context you need to apply to determine what needs to be addressed immediately. That’s why we built our multi-factor risk profiling capability. The dev team simply can’t address every found vulnerability, but when you combine in where the container with that vulnerability is running, what type of app it’s supporting, whether it’s Internet facing, and other factors – then you can determine the critical fixes to prioritize.
#3 – Active Anti Phishing
Neil stressed the need for technical controls, end-user training, and process redesign to succeed at this project. He cited the fraudulent email, supposedly from the CEO to the CFO, requesting an immediate wire transfer (a controller I know very nearly fell for this one while her company was changing banks, nearly missed payroll because funds were sitting in the wrong account, and had been legitimately asked to move funds between accounts – only an uncharacteristic email sign-off from her supposed CEO tipped her off to the second request being a scam). Along with next-gen technology, Neil highlighted the need for on-going training to make users an effective part of thwarting these attacks.