By: Alex Shanteau, Security Engineer, MAD Security | March 28, 2019

A never-ending war is being waged between malicious actors and cybersecurity specialists. In order to stand their ground, defenders must constantly develop new and innovative ways to protect their networks. Purchasing a new security solution can often turn the tide of battle in the defender’s favor, but there are many considerations before blindly buying into the latest and greatest technology.

One challenge in particular is understanding the amount of resources needed to properly research and implement new technologies or features. Small and midsize businesses, such as community banks and credit unions, often underestimate the time, effort, and expertise needed to properly implement new technologies. The often-lengthy transition period can actually decrease your organization’s security posture, introducing additional attack vectors and causing compliance issues.

For a simple example, think about a firewall upgrade project. For many years a firewall, at an extremely simple level, blocked bad traffic and allowed good traffic. Now you want to implement the newest next-generation firewall (NGFW) technology, which comes with additional features such as intrusion detection and prevention, identity awareness, VPN, and other complementary functions. From a complexity standpoint you have just gone from managing basic rules controlling access to managing multiple complex functions, each of which can introduce vulnerabilities if it is not fully researched and expertly implemented in your environment.

When implemented correctly, these features will of course increase your overall security posture. When we conduct firewall health checks, however, we find that these new features have often been configured improperly. In the case of using an NGFW as a VPN concentrator, for example, an incorrectly implemented VPN can unwittingly allow split tunneling: traffic that should pass through the corporate gateway instead leaves the remote endpoint directly, which increases the attack surface and puts you out of compliance with the frameworks your organization is subject to. From a security standpoint this lets employees bypass the basic security controls associated with your network and endangers sensitive information. Another example is the application awareness feature, which requires a comprehensive understanding of what is allowed within your environment. Applications such as Skype, Dropbox, and FTP may all have legitimate business purposes, but they can also be used nefariously to siphon proprietary data.
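The split-tunneling problem above is easy to miss when checking a client by eye, because OpenVPN-style clients pushed with `redirect-gateway def1` do not replace the default route at all; they add 0.0.0.0/1 and 128.0.0.0/1 through the tunnel. The following script is an added example (not from the original article and not any vendor's tooling) that decides from a Linux `ip route show` dump whether the tunnel interface actually covers all of IPv4. The two route dumps, the interface name tun0 and the addresses in them are constructed for the example.

```python
import ipaddress

# Constructed `ip route show` output from two Linux VPN clients (not captured
# from a real host). The first is what `redirect-gateway def1` produces: the
# LAN default route is left alone and the two halves of the IPv4 space are
# pushed through tun0. The second only routes 10.0.0.0/8 through the tunnel,
# so everything else leaves via the LAN gateway: a split tunnel.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""

SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""

ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def parse_routes(dump):
    """Yield (destination network, output interface) for each route line."""
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or "dev" not in tokens:
            continue  # blank line, or an unreachable/blackhole route with no interface
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)  # a bare IP becomes a /32
        except ValueError:
            continue  # first token was a route-type keyword, not a prefix
        yield net, tokens[tokens.index("dev") + 1]


def tunnel_coverage(dump, tun_iface="tun0"):
    """Collapse every IPv4 prefix routed into the tunnel interface into the
    smallest set of covering networks. 0.0.0.0/1 + 128.0.0.0/1 collapses to
    0.0.0.0/0, so a full tunnel is recognised whether the client replaced the
    default route or used the def1 trick."""
    tunnel_nets = [net for net, dev in parse_routes(dump)
                   if dev == tun_iface and net.version == 4]
    return sorted(ipaddress.collapse_addresses(tunnel_nets))


def is_split_tunnel(dump, tun_iface="tun0"):
    """True when some IPv4 destination is reachable around the tunnel."""
    return tunnel_coverage(dump, tun_iface) != [ALL_IPV4]


def off_tunnel_routes(dump, tun_iface="tun0"):
    """Routes that leave via a non-tunnel interface. On a def1-style full
    tunnel the original default route and the /32 host route to the VPN
    gateway are expected; anything else listed here (the LAN link route, a
    private subnet) is traffic the VPN policy is not inspecting."""
    return [(str(net), dev) for net, dev in parse_routes(dump)
            if dev != tun_iface and net.version == 4]


if __name__ == "__main__":
    for label, dump in (("client A", FULL_TUNNEL_ROUTES), ("client B", SPLIT_TUNNEL_ROUTES)):
        verdict = "SPLIT TUNNEL" if is_split_tunnel(dump) else "full tunnel"
        print(label, verdict, [str(n) for n in tunnel_coverage(dump)])
        print("  off-tunnel:", off_tunnel_routes(dump))
```

Note that even on the full-tunnel client the LAN link route (192.168.1.0/24 dev eth0) is more specific than the two /1 routes, so local LAN access still works; if your policy forbids that, `off_tunnel_routes` is where it shows up. IPv6 is deliberately left out of the coverage check, so a tunnel that only carries IPv4 needs a separate look at `ip -6 route`.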

Another trend we have seen recently is the transition to cloud services such as Office 365, Azure, and AWS. These solutions offer many benefits over traditional on-premises technology, including a large amount of customization. However, without proper implementation there can be catastrophic repercussions. There have been a number of recent cases involving unsecured AWS S3 buckets, including data belonging to the Pentagon[i]. There are many considerations when transitioning to the cloud, from multi-factor authentication to the correct and appropriate level of logging. How these environments are monitored should also be taken into consideration, since they are no longer on site as they traditionally have been. Some considerations include:

    • Do you have the capability and expertise to monitor the new environment?
    • How do you secure the new environment?
    • Does your current SIEM have the capability to ingest logs from the cloud?
    • Do you have to implement another new technology to even be able to monitor, correlate, and report on cloud activities?
    • Is the new technology able to meet compliance requirements?
    • How are users impacted?

All of these questions need to be considered when transitioning to a cloud-based architecture and factored in as part of a comprehensive cybersecurity program.
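The questions above about monitoring, SIEM ingestion and MFA come down to whether someone is actually reading the cloud provider's audit trail. As an added example (not from the original article and not an AWS-provided tool), the script below runs three detection rules over a batch of CloudTrail records: a console sign-in without MFA, a bucket ACL that grants to AllUsers or AuthenticatedUsers, and a bucket policy with an unconditional wildcard principal. The field names follow the documented CloudTrail record format, but the records themselves, the account ID, bucket names and user names are constructed for the example.

```python
import json

# Grantee URIs that make an S3 ACL public ("everyone" and "any AWS account").
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed CloudTrail records, not real logs. Only the fields the rules
# below read are included; the account ID, buckets and users are invented.
SAMPLE_EVENTS = [
    {   # console sign-in without MFA
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # bucket ACL opened to everyone
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
        "requestParameters": {
            "bucketName": "example-loan-documents",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"xsi:type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]}},
        },
    },
    {   # bucket policy with an unconditional wildcard principal
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
        "requestParameters": {
            "bucketName": "example-static-site",
            "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-static-site/*"}]},
        },
    },
    {   # wildcard principal but locked to one VPC endpoint: not public
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "ops"},
        "requestParameters": {
            "bucketName": "example-internal-reports",
            "bucketPolicy": json.dumps({"Statement": {
                "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-internal-reports/*",
                "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}}),
        },
    },
    {   # routine read, no finding
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "userName": "ops"},
        "requestParameters": {"bucketName": "example-internal-reports", "key": "q1.pdf"},
    },
]


def as_list(value):
    """Policy documents and ACLs use a bare object where a list has one element."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def policy_is_public(policy):
    """True if any Allow statement grants to everyone with no Condition."""
    if isinstance(policy, str):  # some records carry the document as a JSON string
        policy = json.loads(policy)
    return any(stmt.get("Effect") == "Allow"
               and principal_is_wildcard(stmt.get("Principal"))
               and not stmt.get("Condition")
               for stmt in as_list(policy.get("Statement")))


def acl_is_public(acp):
    grants = as_list((acp.get("AccessControlList") or {}).get("Grant"))
    return any((g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(events):
    """Run the three rules over a batch of CloudTrail records; return findings."""
    findings = []
    for ev in events:
        name, params = ev.get("eventName"), ev.get("requestParameters") or {}
        if (name == "ConsoleLogin"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            findings.append({"rule": "console-login-without-mfa", "actor": actor(ev)})
        elif name == "PutBucketAcl" and acl_is_public(params.get("AccessControlPolicy") or {}):
            findings.append({"rule": "public-bucket-acl", "actor": actor(ev),
                             "bucket": params.get("bucketName")})
        elif name == "PutBucketPolicy" and policy_is_public(params.get("bucketPolicy") or {}):
            findings.append({"rule": "public-bucket-policy", "actor": actor(ev),
                             "bucket": params.get("bucketName")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The rules are deliberately narrow: a policy whose wildcard principal is constrained by a Condition is not flagged, so the same logic does not page the on-call analyst every time a VPC-endpoint-only bucket is deployed. Feeding CloudTrail into whatever runs this (a SIEM, a Lambda function, a scheduled job) is the ingestion question from the list above; the logic here is only the correlation step.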

There are a number of reasons why a company may run into issues with new implementations of technology. One of the most common is staffing, especially for smaller businesses. There are several ways that companies can fill the gap of not having dedicated staff able to research and implement new technology. The first is fairly obvious: task someone already employed with figuring it out! While the trend we have seen is changing, this is currently the most common approach. One major downside is that it piles more work on a likely already swamped IT staff. From my experience, IT staff are generally focused on operations and maintenance, and are frequently poorly suited to project management. Additionally, in the world of IT and security we always tend to specialize. Whether it’s Linux, Windows, help desk, physical security, or any number of other subfields, it is difficult to be both broad and deep in knowledge. The staff you task with implementation may not have the experience required to understand and correctly configure new solutions. Organizations also tend to grossly underestimate the total cost of doing this work in-house, because they incorrectly treat their existing labor as free and overestimate their capacity to complete the work on time.

One potential fix to the issue with implementation is hiring staff with the correct expertise to implement, configure, and manage the new technology. For many organizations this can seem like the best solution to the staffing challenge, but it comes with a few downsides. Experienced security professionals are expensive and can be extremely hard to recruit and retain. There is a well-documented shortage of cybersecurity personnel within the U.S., and SMBs run the risk of losing talent through turnover.

The last option is contracting the work out to a firm that specializes in securely implementing new technologies. This comes with a number of benefits: the firm is contractually accountable for the work it delivers, tends to be cheaper than keeping a full-time staff, and has the expertise necessary to meet security requirements. This is not to say that contracting is a panacea. Contracting out security work comes with risks as well, the biggest one being that you hire a company that overpromises and under-delivers. This is why it is extremely important to vet any company that offers implementation and security services before allowing it access to your infrastructure, as an incompetent company can wreak havoc on your security posture.

As you attempt to increase your security posture and build a successful cybersecurity program, be aware of the risks that come with implementing new technologies. Whatever way you decide to manage new technologies, always keep the potential pitfalls in mind and take a risk-based approach for your organization.  Don’t shy away from new technology, but also don’t blindly implement the latest and greatest.

If you’re in the midst of a technology implementation and want to know more about managing those changes, as well as how to build a winning cybersecurity program, check out our webinar featuring our COO, Cliff Neve. It discusses how financial institutions can build and maintain a successful cybersecurity governance, risk, and compliance program, as well as what to consider in a managed security services provider:

Webinar: How Financial Institutions can Build a Winning Cybersecurity Program
February 28, 2019


If you have concerns or questions about anything security related, please feel free to reach out to us!

[i] https://www.bbc.com/news/technology-42166004


Alex Shanteau
Alex Shanteau is a Senior Security Consultant with MAD Security. He has experience in the information technology and cybersecurity domains and has worked extensively performing technical and GRC assessments as well as supporting MAD Security’s Managed Security Services across multiple industries. Other highlights include writing and delivering training for the US Coast Guard, network modeling and evaluation, and presentations on a variety of topics relating to cybersecurity.