
Security that works: Three must-have enterprise security fundamentals

In his debut 'Security that Works' column for SearchSecurity, Eric Cole of the SANS Institute challenges infosec pros to grade themselves on the three fundamental aspects of any successful enterprise security program.

Every hour of every day, an organization is compromised. Data breaches continue to make headlines with stories that highlight the mistakes organizations made when implementing their security. These articles continuously focus on what organizations are doing wrong. After reading several of these pieces, it is easy to lose hope as it seems that no matter what organizations do and how much money they spend, there is little that can be done to protect critical information.  

The good news: All hope is not gone. There are numerous tactics that can be used to protect and defend a business. In fact, many organizations are implementing effective security technologies and policies that work today; we just aren't hearing about them.

That is the reason for this column, to raise awareness of security methods that work. Every month I will provide specific techniques for improving information security that an organization can implement to reduce the overall risk of a compromise. Here are some of the security concepts I will discuss in future columns:

  • Crypto-free zones
  • Application isolation
  • Effective security metrics
  • Scaling application whitelisting

While these concepts may seem to have little in common, they offer surprising value and yet remain underused in enterprises today. That's a trend this column aspires to change.

Grade yourself on security fundamentals

For this first column, let's look at one of the secrets to success in implementing scalable security systems. Even though security practitioners have long said there is no silver bullet when it comes to information security, organizations continue to look for a quick and easy path to effective security. For example, when next-generation firewalls were developed, organizations quickly deployed them thinking they would defend against all advanced persistent threats. While next-gen firewalls can add an effective layer of defense, they must be designed and configured properly. Despite the industry hype, they cannot by themselves stop all attacks.

In reality, there is no quick fix when it comes to security. Security must be built correctly, which means having a proper foundation. One reason many organizations suffer detrimental breaches is because they didn't build the proper core needed for effective security. An organization can spend millions of dollars on security, but without key technologies in place, it will lose. Therefore, rather than continuing to invest additional money in security, organizations must first assess their security postures.

Here is the moment of truth. Take out a pencil and give your organization a grade in each of the following three areas:

  • Asset inventory
  • Configuration management
  • Change control

If you are fully implementing the item within your organization, give yourself an A; if you are partially doing this, give yourself a B-/C+; and if you are not effectively doing this, give yourself an F. If you score below a B in any of the areas, STOP.

About 'Security that Works'

In his exclusive monthly column for SearchSecurity, Dr. Eric Cole will present underused technologies, techniques and tactics to improve enterprise information security. If you have questions for Eric or suggestions for future columns, contact him via email at editor@searchsecurity.com.

Make these items a top priority on your security roadmap. Why are these three areas fundamentally important to enterprise security? If an organization does not understand what is on its network, how it is configured, and when and why changes happen, no matter what else it does, it will lose. If you look across all major breaches, you will notice that there is always a fundamental failure in these three areas.

If your organization does not have robust ways to control and manage assets, and it is not on your security roadmap, you should re-evaluate your roadmap to make sure it is focused on the correct areas. Three questions will help you verify whether your security is aligned with the business. Before you spend a dollar of your budget or an hour of your time on anything in the name of security, you should always answer the following questions:

  1. What is the risk?
  2. Is it the highest priority risk?
  3. Is it the most cost-effective way of reducing risk?

If you cannot answer these three questions, then you are not focused on the proper areas in security. These questions are also a great way to verify whether your security roadmap is aligned with your organization.

Here's your homework assignment: Take your current security roadmap and the projects that you are doing to improve security, and put them on a spreadsheet. Add three columns to the spreadsheet, aligning them with the three above questions. Can you answer these questions for every item on your roadmap? If you can, congratulations; you are managing these enterprise security fundamentals very much like organizations that are winning. However, if you cannot answer these questions, be forewarned: There might be a breach in your future.

About the author
Eric Cole, Ph.D., is an industry-recognized security expert with more than 20 years of hands-on experience. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting, where he provides leading-edge cyber security consulting services and expert witness work, and leads research and development initiatives to advance the state of the art in information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. He is actively involved with the SANS Technology Institute (STI) and is a SANS faculty senior fellow and course author who teaches, works with students, and develops and maintains courseware.


This was last published in August 2014
