As a cybersecurity leader, I frequently get asked by business owners about how to build a cybersecurity tool stack that can combat current and future threats to a business. Choosing the right tech stack is hard, balancing budget pressures against your needs to get the best bang for your buck.
As a business owner myself, I understand the frustration. The constantly evolving complexity of cyber attacks, combined with the wide range of sophisticated technology solutions out there, can sometimes be daunting. A report by Aberdeen and Cyber adAPT found that a typical six-layer enterprise tech stack — comprised of networking, storage, physical servers, as well as virtualisation, management, and application layers — requires CISOs to grapple with no less than 1.6 billion versions of tech installations for 336 products, provided by 57 vendors.
So, which tools do you choose, and which ones do you avoid? And where do you even begin?
The first step: Building a cybersecurity strategy
I cannot stress this enough.
Without a clear cybersecurity strategy in place first, no matter what process or tech stack you put in place, it will be either a) inadequate, b) quickly out of date, or c) both. The reason for this is simple: how can you decide what tools you need to fix an issue if you don’t know the issue you are fixing and how you plan to fix it?
I mentioned in a previous post that 44% of executives worldwide said they don’t have an information security strategy in place. This is very troubling, not only from a security standpoint but also from a governance point of view.
Now more than ever, senior executives are responsible for de-risking the organisation against cyber attacks, amongst other business risks. Organisations cannot afford to function in silos and cybercriminals don’t discriminate, pointing to a need for a more cohesive, overarching governance framework in organisations of all sizes.
One of the reasons to develop a cybersecurity risk management framework is to guide your decision making for software and hardware purchases and implementations, and this includes evaluating the tools in your security stack.
In Tenable’s 2016 Cybersecurity Frameworks And Foundational Security Controls Survey Of IT Security Professionals, 95% of respondents with a framework in place have seen benefits, including greater effectiveness of security operations, contractual compliance, maturity and the ability to more effectively present security readiness to business leadership.
Design a cybersecurity tech stack that reflects your business risk profile
Once you’ve got your cybersecurity risk management framework in place, you can begin looking at the different areas of cyber risk to analyse which tools you’ll need. Picking cybersecurity tools generally means addressing these five key areas with differing degrees of focus:
- Physical security to include Identity Access Management and Role Based Access Control
- Intrusion Prevention, Detection and Mitigation
- Data Loss/Leakage Prevention
- Incident Response
- Forensic, eDiscovery and Litigation
These areas correspond with the five functions of the widely-accepted American National Institute of Standards and Technology’s (NIST) framework for managing cybersecurity risk (identify, detect, protect, respond, and recover from threats). Companies can use the NIST framework to gain a better understanding of what capabilities they need to have. They should ask themselves two key questions when crafting their security tech stack:
- What are my needs in each of these categories?
- How do I select the right products to address what I need?
I recommend companies take a strategic approach in determining how to balance their security spend across all of these five areas and build a security stack that is in accordance with their business profile. For instance, companies that have very valuable intellectual property to protect may be more interested in breach and encryption and similar kinds of security mechanisms. On the other hand, those firms that offer online services need to focus much more on DDoS protection to ensure their online business is up and running at all times and their revenue isn’t impacted. Basically, you need to prioritise your business assets and craft a cybersecurity tool stack that is structured around these different types of systems.
Adopt a multi-layered approach to your cybersecurity tech stack
The notion of a “security stack” to address these areas supports the proposition that security must be an integrated set of services. Experts agree that when building your cybersecurity tech stack, a multi-layered approach is required. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods, so that if one fails, the others will stop the threat. In essence, it’s a layering tactic that was originally conceived by the NSA (National Security Agency) as a comprehensive approach to information and electronic security.
Defence in depth means considering physical, technical and administrative controls to combat cyberattacks. Adopting this approach means developing a security tech stack that contains more than one of the below layers of security:
- Endpoint or Antivirus software
- Cloud Email Security or Advanced Threat Protection
- Authentication and password security
- Data-centric security
- Email Continuity and DRPs
- Firewalls (hardware or software)
- Hashing passwords
- Intrusion detection systems (IDS)
- Logging and auditing
- Multi-factor authentication
- Vulnerability scanners
- Timed access control
- Internet Security Awareness Training
- Virtual private network (VPN)
- Sandboxing, and
- Intrusion Prevention Systems (IPS)
The former Minister Assisting the Australian Prime Minister for Cybersecurity, Dan Tehan, summed the concept of ‘defence in depth’ up when talking about the importance of adopting a multi-layered strategy to defeat cybercriminals:
"When it comes to cybersecurity, being prepared isn't just having a wall that will block and protect from attacks. Instead, being prepared means minimising risk... No police force can guarantee that they will eradicate crime completely. But we can make it a lot harder if the windows aren't open, the doors are locked, and there is a strong cop on the beat."
Let’s put this approach in the context of email security, for example. While most firms will have native security from Google or Microsoft, since we know that 9 out of 10 attacks start with an email, it’s prudent to employ an additional layer of cloud email security with a solution like MailGuard, which is a specialist at stopping advanced, zero-day threats.
Echoing the message, the Microsoft IT Showcase explains that “Although phishing tricks and tactics never cease, awareness and antiphishing technologies go a long way in thwarting them. No one solution can stop all phishing campaigns. However, EOP and Office 365 ATP—part of the Microsoft Office 365 threat protection stack—help organizations defend against the volume and sophisticated nature of today’s email-based phishing attacks.”
Adopting such a multi-layered approach to combat email phishing scams has become all the more critical precisely because of their all-too-common occurrence. Andrew Conway, General Manager Microsoft 365 Security says that “About 80 to 90 percent of the data breaches that my team sees go the phishing route.”
It’s also advice the experts put into practice, and don’t just take my word for it - in a survey of 500 leading Microsoft partners in 2018, of those that were using a third-party cloud email solution to complement Office 365, 1 in 5 chose MailGuard. More than twice as many as that chose our major rivals.
A collaborative approach is needed
If you go back to the NIST framework for building your cybersecurity tech stack that I’ve described above, you’ll realise it can point you in the right direction of what’s needed from your tools and processes. Having comprehensive and, more importantly, multiple measures in place in each of those five areas will help prevent cybersecurity incidents in your workplace. Don’t focus solely on one particular area, with an excellent and top-notch stack of commercial software products for protection; think carefully about what you will implement in the other areas, and also how these tools will talk to and collaborate with one another.
The truth is, there is no absolute guarantee the tools you adopt will work ALL the time. Vulnerabilities will always be present, and you can count on the fact that cybercriminals will exploit them to their benefit. Our security stacks will never completely be perfect – whatever vendors produce today will be defeated tomorrow. The best proactive response to such a constantly-changing security threat is a comprehensive security stack with multiple tools that complement each other in order to minimise the risks of cyberattacks as much as possible.
The sentiment can be succinctly summarised in the comments of Brad Smith, Microsoft’s President and Chief Legal Officer when he says that no one vendor or solution will ever be enough to secure your organisation:
“We are so far away from declaring victory. There is so much more work to do. It has become clear that cybersecurity is a shared responsibility.”
Get the facts
Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.
Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.
I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.
You can download my e-book for free, here.
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.
Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.