Cisco Security

CHEAT SHEET

A refresher on the most pressing subjects in the current Cisco security landscape.



It seems like every week we hear stories of organisations becoming the victim of a brand-new type of cyber-attack. Their data has been compromised, their customers are angry, and hefty fines are on the way. Such news can be scary, especially if you work in IT. That’s why we put together this refresher on the most pressing subjects in the current security landscape, written especially for companies that work with Cisco.

At the end of each section, you’ll find suggestions on how you could improve the way your organisation does things security-wise. When things get more complicated, check the section “How a Cisco partner can help”, where we’ve listed the ways a partner can help you secure Cisco products and services.




Remote workforce & shadow IT

As the paradigm shifts to hybrid working, the challenge of controlling the spread of non-approved software and services (so-called shadow IT) widens. It’s human nature for people to use the products they subjectively feel make them more efficient, are more pleasant to use, or simply are what they already know. Whatever the reasoning, unauthorised software continues to be an issue, and when users are spread out and start blending consumer software into the workplace, security policies start breaking.

A common case is someone using a messaging app like WhatsApp, iMessage or Facebook to chat casually with a colleague, so as to keep social talk off the monitored corporate platform. The conversation then drifts into work topics, which is where the risk starts to seep in. Eventually it may reach the point where sensitive information, and even files, are being exchanged. The same pattern applies to personal email, external file-sharing services and the like.

Managing that flow of communication outside the organisation is near impossible. So, what can you do?

What you can start doing today:


  • Speak to your users | An active communication flow between the security team and the user base gives you a lay of the land.

  • Start mapping out the ‘why?’ | What are the reasons users are flocking to these services instead of using the ones provided?

  • Balance security with privacy | No one wants to get into trouble for speaking casually to another colleague. Work with your HR and compliance teams to find a healthy balance for your data retention policies.

  • Review your security products | How well are you really able to track where sensitive data is accessed? Are you able to drill down to a specific file and determine its travel path, who it was shared with, when, and how many times? 

How a Cisco partner can help:


  • Facilitating communication between the security team and the user base as this is less intimidating for both parties and will lead to more honest discussions

  • Reviewing your current DLP (data loss prevention) stack and implementation

  • Stress testing your DLP process and providing optimisation and remediation guidelines

  • Building a roadmap towards an approach of balanced security and privacy 

Software & hardware mapping

There are far more software-based security options on the market than hardware ones. This can give the impression that hardware appliances are dinosaurs waiting to go extinct. The honest answer is: it depends. What we do know is that, in the meantime, we need to understand how to secure both.

Take a next-generation firewall appliance versus the same firewall’s virtual edition. It’s tempting to assume the virtual edition is cheaper to run, even at the same list price per Gbps of throughput, but this is where things get muddy. Which VM platform are you using, and what does licensing a host on that platform cost? Is the networking side of the VM estate set up so that traffic cannot reach workloads before the firewall has inspected it? Can you dedicate enough resources (CPU, memory, storage) to the firewall, and at what cost? How reliable are the high-availability and failover mechanisms of your virtual estate? In large organisations, role definition becomes another consideration: the systems team that manages the VM estate is often separate from the network security operations team that manages the firewalls and similar devices, which creates the communication gaps we see all too often.


What you can start doing today:


  • Map out all your underlying costs on the virtual platform including VM licences, support contract, CPU, Memory, Storage

  • Confirm that your data flow structure or low-level design doesn’t compromise security by exposing traffic before it reaches the virtual firewall

  • Review previous incidents or planned tests to confirm that failover performs adequately

  • Define strict test criteria to ensure that firewall inspection cannot be bypassed in the virtual estate (for example, a workload reachable through a host network path that skips the firewall)

  • Review the appliance and support cost and compare it with the full bundle pricing

  • Assess whether the organisation’s team structure is better suited to separating these services or whether co-dependencies are fine

How a Cisco partner can help:


  • Independently reviewing your environment to help determine which route provides the best path forward: physical, virtual or, increasingly, both

  • Mapping out your physical and virtual data paths so you can determine where to place the service

  • Reviewing your business and compliance needs to ensure the product and licences meet those goals

  • Training the team on the new platform to ensure it’s integrated properly into the existing platform for data exchange

Multi Vendor Management

Security is well beyond the simplicity of just needing a firewall and an antivirus/anti-malware platform and calling it done. The number and, more importantly, the variety of threats, both current and emerging, is vast with no end in sight. It’s reasonable to assume that no single vendor has all the answers (despite their great PowerPoint presentation!), so inevitably you’ll end up with multiple vendors. This is fine, as you can often find well-made products specific to your industry and use cases.

The challenge then becomes: how much of each product do you consume? Security products often overlap, because every vendor wants to cover a wider range, so you’ll frequently have several products performing similar functions. It’s up to you to decide where the use of one product stops and another begins.

It’s tempting to let multiple products do the same thing so that you get more data points. While this helps to an extent, it walks you into another rabbit hole: correlation. How, and more importantly who, is going to review the same type of logs from multiple systems and decide which one is right? You can easily end up in a cycle of analysis paralysis instead of making timely decisions on a security threat in play.


What you can start doing today:


  • Define clear cases of ‘what you’re trying to protect?’ and ‘from whom?’ then start your search for market products

  • Map out your current security platforms and their sprawl as this will help you set boundaries on which product and team are responsible for each

  • Ensure that key logs from multiple systems are being aggregated into a single platform for better forensics

  • Have an annual review of all your security products to ensure they’re still viable for the business, or decide whether they need to be consolidated or expanded
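As an added example (not part of the original cheat sheet), the Python script below shows what aggregating logs into a single schema buys you: events from two differently formatted products are normalised into one record type and then paired up by host and time window, so that the cases where the two products disagree about the same connection, or where only one product saw it at all, become visible instead of being buried in two separate consoles. The log lines, field names and product labels are constructed for illustration and do not follow any real vendor’s format.

```python
"""Normalise events from two differently formatted security products into one
schema and correlate them by host and time window.
Added example: the log lines, field names and product labels below are
constructed for illustration and do not follow any real vendor's format."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: key=value lines from a firewall and JSON events
# from an endpoint agent, describing the same two hosts.
FIREWALL_LOGS = [
    "ts=2024-03-04T10:15:02Z src=10.1.1.20 dst=198.51.100.7 dport=443 action=allow rule=egress-web",
    "ts=2024-03-04T10:15:30Z src=10.1.1.20 dst=203.0.113.9 dport=4444 action=deny rule=default-drop",
    "ts=2024-03-04T11:40:00Z src=10.1.1.33 dst=198.51.100.7 dport=443 action=allow rule=egress-web",
]
ENDPOINT_LOGS = [
    '{"time": "2024-03-04T10:15:05Z", "host_ip": "10.1.1.20", "verdict": "allowed", '
    '"process": "chrome.exe", "remote": "198.51.100.7:443"}',
    '{"time": "2024-03-04T10:15:29Z", "host_ip": "10.1.1.20", "verdict": "allowed", '
    '"process": "powershell.exe", "remote": "203.0.113.9:4444"}',
]


@dataclass(frozen=True)
class Event:
    """Common schema every product is mapped into."""
    time: datetime
    source: str   # which product produced the event
    host: str     # internal host the event is about
    remote: str   # "ip:port" the host talked to
    outcome: str  # normalised to "allow" or "deny"
    detail: str   # product-specific context (rule name, process name)


KV_RE = re.compile(r"(\w+)=(\S+)")


def _ts(s: str) -> datetime:
    # Both constructed formats emit ISO-8601 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_firewall(line: str) -> Event:
    f = dict(KV_RE.findall(line))
    return Event(_ts(f["ts"]), "firewall", f["src"], f"{f['dst']}:{f['dport']}",
                 "allow" if f["action"] == "allow" else "deny", f["rule"])


def parse_endpoint(line: str) -> Event:
    d = json.loads(line)
    return Event(_ts(d["time"]), "endpoint", d["host_ip"], d["remote"],
                 "allow" if d["verdict"] == "allowed" else "deny", d["process"])


def correlate(events, window=timedelta(seconds=60)):
    """Group events by (host, remote) and pair each firewall event with the
    nearest endpoint event inside `window`; report both verdicts side by side."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.host, e.remote)].append(e)
    findings = []
    for (host, remote), evs in sorted(buckets.items()):
        fw = [e for e in evs if e.source == "firewall"]
        ep = [e for e in evs if e.source == "endpoint"]
        for f in fw:
            match = min((e for e in ep if abs(e.time - f.time) <= window),
                        key=lambda e: abs(e.time - f.time), default=None)
            findings.append({
                "host": host, "remote": remote, "time": f.time.isoformat(),
                "firewall": f.outcome,
                "endpoint": match.outcome if match else None,
                "seen_by": 2 if match else 1,
                "agree": match is not None and match.outcome == f.outcome,
            })
    return findings


def summarise(findings):
    """Counts that tell you where to spend analyst time first."""
    out = {"agreed": 0, "disagreed": 0, "single_source": 0}
    for f in findings:
        if f["seen_by"] == 1:
            out["single_source"] += 1
        elif f["agree"]:
            out["agreed"] += 1
        else:
            out["disagreed"] += 1
    return out


if __name__ == "__main__":
    events = [parse_firewall(l) for l in FIREWALL_LOGS] + [parse_endpoint(l) for l in ENDPOINT_LOGS]
    for finding in correlate(events):
        print(finding)
    print(summarise(correlate(events)))
```

Run as-is, the summary reports one connection both products agree on, one they disagree on (the firewall dropped a connection the endpoint agent had allowed, because the agent cannot see a network-layer block), and one seen only by the firewall, which is the kind of coverage gap that points at a host without an agent. The disagreement and single-source buckets are where a single analyst’s time should go first; the agreed bucket is the noise the correlation removes.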

How a Cisco partner can help:


  • Reviewing your current platforms, licences, subscriptions and use cases

  • Building out a security map that defines the role of each product

  • Providing guidance on where certain products can be consolidated to reduce complexity without compromising security

  • Performing a penetration test to ensure the products meant to protect the business are set up correctly and perform as expected under stress

  • Reviewing the company security policy and compliance goals to ensure they align with the platforms

  • Optimising the log collection methods from various products allowing for action to be taken quickly and with more confidence 

Products & services consolidation

The single most common and often alarming situation we come across is organisations with lots of security tools and not a lot of people. In one scenario it becomes favourite-child syndrome: whatever the well-liked product reports is acted on, while the others are left in observation mode or used only rarely. Then there is the jack-of-all-trades scenario: to give each product equal attention, every one gets dabbled with, but none gets optimised. Yet because they’re all ‘working’, we must be more secure, right?

What ends up happening is that over time the security landscape widens and more tools are bought to cover new ground. Quite often, the number of tools added isn’t matched by the number of people needed to make use of them, which puts a lot of strain on the engineer(s) trying to keep up. Each tool has its own setup, UI, output formats and its own idea of what counts as a risk, before you even get to upgrading, supporting and dealing with the quirks and bugs of each one. It’s not a solvable problem, but it is a manageable one.

What you can start doing today:


  • Assess the experience of the team managing your security with these products | How much training did they get? Was it a one-time training or an ongoing learning plan so they keep using and optimising the tools? 

  • Ask the team which products they rely on the most and why | For the products not used often, determine the reasons. Is it due to an overlapping product that does the same thing? Or is there a lack of comfort? 

  • Build a matrix of the products and people and start assigning tiers of responsibility | Example: engineer 1 is tier 1 (expert) for firewalls and tier 2 for endpoint security

  • Review your roadmap | Look for opportunities to collapse multiple standalone products into a single suite

  • Speak to vendors about how they aggregate data from multiple products | This shortens the time to act and frees up engineering time

How a Cisco partner can help:


  • Reviewing your current technologies and capabilities

  • Helping you and your team build out training and education tracks

  • Examining your architecture in a vendor-agnostic fashion and recommending opportunities for consolidation of products and services

  • Reviewing how on-premises security products do or don’t complement the cloud strategy

  • Optimising the current dashboards and aggregate data for easier consumption

  • Developing a roadmap focused on the business goals and upcoming threat vectors rather than just adding more products without deprecating others

Cloud licensing conundrum

An ongoing conversation across organisations is how to protect data in the cloud. Under the shared responsibility model, the cloud provider secures the underlying platform (which you can’t access anyway), not the data, identities and configuration you put on top of it; protecting those is up to your organisation. Among those security concerns, a key sticking point is Data Loss Prevention (DLP). In other words:

  • How do I make sure my data stays mine? 
  • How can I stop sensitive data from leaving the cloud platform? 
  • How can I track such data in detail so I can trace any mishaps?

As with most things in security, there is no such thing as perfection, so we must first identify what it is we are trying to protect. If your controls are too tight, you run the risk of shadow IT and people taking the path of least resistance. Depending on how geographically spread out your organisation is, you also have to differentiate between data moving across the various cloud platforms you operate in, on-premises environments and trusted B2B relationships. While that starts to seem impossible, in reality we can break it into digestible pieces that are easier to address.

What you can start doing today:


  • Map out your datasets and assign a risk factor to them 

  • Identify the scenarios that could result in sensitive data leakage | Could a user take a picture of something important on their screen and send it to someone via WhatsApp on their phone? Are they more likely to open a web browser and send it from non-company email? The first is hard to prevent, but the second has vetted industry solutions that can be explored

  • Test how well your current DLP handles data transfers between two cloud services that are both under your control | Is it multi-cloud aware? Does it correlate with on-premises? Where does it stop tracking the transfer of data?
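As an added example (not part of the original cheat sheet), the Python script below shows the two checks the list above asks you to do by hand, in the form a DLP engine performs them: classify a dataset into a risk tier from its content, then decide whether a transfer to a given destination is allowed for that tier. The sample documents, destination categories and policy thresholds are constructed for illustration and are not any product’s real rules; the card number used is the familiar Luhn-valid test value 4111 1111 1111 1111 alongside a one-digit variant that fails the checksum.

```python
"""Content-based data classification and transfer policy, the two checks a DLP
engine performs before letting a file leave.
Added example: the sample documents, destination categories and thresholds are
constructed for illustration and are not any product's real rules."""
import re

# Candidate card numbers: 13-19 digits with optional spaces/dashes. This also
# matches phone numbers and order references, so every hit is Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b")

# Constructed destinations and how the organisation has categorised them.
DESTINATIONS = {
    "corp-files.example.com": "sanctioned",   # the company's own cloud tenant
    "partner-share.example.net": "trusted",   # B2B partner under contract
    "webmail.example.org": "unsanctioned",    # personal email
}
# Which destination categories each risk tier may flow to.
POLICY = {
    "restricted": {"sanctioned"},
    "internal": {"sanctioned", "trusted"},
    "public": {"sanctioned", "trusted", "unsanctioned"},
}

# Constructed sample documents.
SAMPLES = {
    "expense_claim.txt": "Please reimburse card 4111 1111 1111 1111 for the trip.",
    "order_export.csv": "ref,amount\n1234567890123,42.00\n4111 1111 1111 1112,10.00\n",
    "contacts.csv": "a@ex.com,b@ex.com,c@ex.com,d@ex.com,e@ex.com,f@ex.com",
    "minutes.txt": "CONFIDENTIAL - draft terms for the acquisition discussed today.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out numeric strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count sensitive indicators and derive a risk tier for the dataset."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    emails = EMAIL_RE.findall(text)
    marker = MARKER_RE.search(text) is not None
    if cards or marker:
        tier = "restricted"
    elif len(emails) >= 5:   # bulk contact data is internal even without card data
        tier = "internal"
    else:
        tier = "public"
    return {"cards": len(cards), "emails": len(emails), "marker": marker, "tier": tier}


def check_transfer(text: str, destination: str) -> dict:
    """Decide allow/block for sending `text` to `destination`. Unknown
    destinations are treated as unsanctioned: the safe default when a new
    cloud service shows up that nobody has categorised yet."""
    tier = classify(text)["tier"]
    category = DESTINATIONS.get(destination, "unsanctioned")
    allowed = category in POLICY[tier]
    return {"tier": tier, "destination": category,
            "decision": "allow" if allowed else "block"}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
        for dest in DESTINATIONS:
            print("  ->", dest, check_transfer(text, dest)["decision"])
```

Running it shows the order export, which contains a sixteen-digit value that looks like a card number, classified as public because the Luhn check fails, while the expense claim is blocked from personal webmail but allowed into the sanctioned tenant, and the six-address contact list may go to the trusted partner but not to webmail. The unknown-destination branch is the multi-cloud question from the list above: a transfer to a cloud service the policy has never heard of should fall to the most restrictive category rather than pass by default.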

How a Cisco partner can help:


  • Red teaming the DLP policy as an internal employee and external malicious actor | The majority of the leaks happen due to employee negligence or bad habits formed out of convenience. Focusing purely on external parties as threats doesn’t do much to strengthen the DLP policy. Other tools are better suited for that 

  • Reviewing the existing DLP tools and policies to ensure they cover the identified use cases | While the tools might be great on-premises, focus on how well they scale across multiple clouds

  • Streamlining the log review process across multiple collection points | The speed with which you can respond to a security threat is key to limiting the risk, so how well your systems talk to each other and aggregate that information is crucial

  • Mapping out the DLP tools in use and ring-fencing the reach of each product | Overlapping security products are common, and this often leads to too much information. Limiting each product to its strongest attributes reduces the noise and makes the tool a lot easier for the internal team or MSP to support

Book a chat


There's a lot you can do to improve the way your organisation does things security-wise. But the higher the technical complexity, the more critical it becomes to work with a partner that can stitch the different components together and correlate the data between them.

Want to discuss your security challenges with one of our Cisco consultants? Reach out and schedule a chat.