7 Steps to Keep Cybersecurity Systems from Drifting
Years ago, American writer and futurist Alvin Toffler described technology as “the great growling engine of change.” This is as true today as it ever was: enterprise IT infrastructures are growing and interconnecting rapidly, spanning on-premises data centers, disparate workforces and, in many cases, multiple clouds.
Technology Change Brings Inevitable Drift
The application and infrastructure components within these enterprise technology environments need to be adjusted regularly to better support internal users and enable product improvements. As ad-hoc updates are made, technology systems can slowly start to move apart — especially when changes aren’t documented consistently — sometimes leading to system failures and costly outages. Similar issues arise frequently in cloud and DevOps environments, in which change is constant. Piecemeal configurations and updates can create problems and over time, drive up technical debt — the implied cost of future re-work to fix issues that weren’t addressed at the start.
This phenomenon — known as “drift” in tech circles — is common and can happen to even the most well-meaning practitioners. To help keep systems aligned, configuration management tools are often used to automate change management tasks.
Is Your Security Stack Drifting Apart?
Cybersecurity is one functional area that isn’t often associated with drift. Yet the systems built to protect digital enterprise networks can also slip off kilter. Left unchecked, this can negatively impact system performance and expose organizations to risk.
A typical enterprise deploys about 45 different tools as part of its “cybersecurity stack,” with each solution playing a role in defending the organization’s IT environment. Of course, this “stack” isn’t a physical stack at all. Instead, it’s a complex web of layered security controls that, increasingly, are delivered as a service and extend beyond the network perimeter to encircle individual users and their devices.
As these security stacks evolve to keep pace with internal change, hybrid workforce requirements and emerging cyber threats, system changes — albeit necessary — can drive inconsistencies, dissonance and drift.
While they all should look familiar, it’s important to revisit security fundamentals periodically, making sure protections you’ve put into place cover everything — including your security deployments themselves.
7 Best Practices for Minimizing Drift and Protecting Your Cybersecurity Solutions
1. Whenever possible, reduce the number of privileged accounts and/or the extent of their privileges to reduce the attack surface. Clearly define how sysadmins and other highly privileged users, as well as applications, should access security systems via privileged accounts — and under what conditions. Following this foundational practice of least privilege security applies to everything in your IT environment, including your cybersecurity solutions. If your team relies on configuration management tools to help keep drift at bay, remember that privileged access to them should be managed, monitored and controlled following the principle of least privilege.
2. Enforce multi-factor authentication (MFA) for accessing your security deployments for all users, including product administrators, to help mitigate common credential theft techniques such as keystroke logging and plaintext password harvesting.
3. Many cybersecurity infrastructure components are highly sensitive and should be treated as Tier 0 assets. As part of this, tightly restrict access to component servers. Start by following Microsoft’s best-practices for mitigating pass-the-hash attacks and other credential theft.
4. Establish a “normal” baseline for system activity. Take advantage of analytics to model baseline behaviors and benchmark risk levels. This will help speed the detection of anomalies and indicators of compromise (IOCs), such as a privileged user who suddenly accesses credentials at an unusual time of day or from an unusual location, demonstrates excessive usage or follows other abnormal trends.
5. To detect problems early, it is also essential to monitor and review the logs generated by both the security solutions and the infrastructure on which they run. The most effective approaches will apply analytics to enable automatic response to high-severity incidents — blocking in-progress attacks on critical systems and reducing the impact of any issue, whether security or operational.
6. The use of insecure protocols can easily render other security controls invalid. To reduce the risk of eavesdropping and other network-based attacks, use encrypted and authenticated protocols for all communications such as LDAPS and TLS.
7. Even with extensive controls and best practices in place, security system outages may occur. Having a documented disaster recovery plan is a must. The plan should specifically take your security deployments into account and be tested yearly (at minimum) to see how quickly your organization can recover data and restore operations. Remember that practice makes perfect.
While not a comprehensive list, these recommendations reflect our CyberArk team’s experience in helping customers implement industry best practices, drawing on deep experience as a Trusted Advisor to organizations around the world.
Looking for a place to start? Consider conducting a Red Team adversary simulation to identify places where drift could be putting you at risk.
As long as the great growling engine that is technology keeps changing, so must security. As your organization matures its cybersecurity strategy this year, start out strong by making sure the tools within your security stack are protected. This will help validate that the controls you’ve already implemented have not drifted and are working as expected to thwart threat actors and protect what matters most.