Cybersecurity is top of mind for every business leader today, but this huge, interconnected, often nebulous topic can be difficult to navigate without expert guidance. Protecting an organization from the ever-increasing threat of cyberattacks is a multi-layered process that requires steady hands at the tiller.
My team at Taos has deep experience working side-by-side with clients to provide this expertise. In this new series of blog posts, we’ll be covering some of the best practices we recommend to our clients in building and maintaining a robust security posture.
2: Process Monitoring: “You Get What You Inspect”
A good foundation is the basis of a strong security strategy. For the second installment in this series, the next back-to-basics best practice I recommend to our clients in building and maintaining a robust security posture is Process Monitoring. If you implement a procedure as part of your security strategy but you’re not actively making sure people follow it, then the resources put into designing and implementing that procedure will be wasted. As we used to say in the military, “you get what you inspect”.
What is process monitoring?
“The purpose of monitoring is to determine whether a treatment, service, or program is functioning as it was intended.” 1
Process monitoring looks at the systems and processes that have been put into place as part of your security strategy to ensure they’re being followed and effective. Some examples of process monitoring:
- Annual reviews of architecture and policies
- Reviewing ticket data to make sure processes are followed
- Automated dashboard reporting
- Risk assessments and threat assessments
Process monitoring is a validation of working systems and aims to take care of problems before they become problems. Yearly architectural reviews, for instance, allow you to dig into how old the technology is, whether policies are still effective, and if any updates are needed.
However, truly effective process monitoring isn’t just placing a checkmark on a clipboard. Methodically gathering and assessing data from process monitoring creates meaningful information to guide security posture decisions, such as what existing processes are being rendered ineffective by changes to the threat landscape. Something as simple as monitoring and observing a spike in phishing tickets can give you the ability to catch an unfolding security threat in real time.
Risks of not monitoring processes
Good intentions have to be followed by actions. If someone isn’t monitoring systems and processes that have been put into place as part of strong security strategy, then your risk level goes up. At the most basic level, processes and systems falling into disuse results in the risk of wasted investments. But other sources of risk can lead to outcomes that get your organization a Wall Street Journal headline for the wrong reasons.
Architecture risks, like storing private information in unencrypted clear text, can lead to embarrassing data hacks. Another example is that best practice processes can rapidly become ineffective due to technology changes – such as everybody suddenly working from home has a VPN (good!) but they didn’t stop using split tunnels and now you can’t monitor the traffic and protect the laptop (bad!). A regular architecture review process would flag both of these problems and help to prevent costly breaches.
Some risks are caused by common mistakes, such as engineers taking shortcuts and reusing code with known bugs that embed vulnerabilities in the system, creating cascading risks for catastrophic cyberattacks. A vulnerability management processwith follow-through to make sure any fixes are permanent, such as removing bad code from the repository or marking it “do not use”, would help protect from this.
Malicious actors can take advantage of any gaps like these in the system, but what if you’re not actively following a log monitoring process? You risk not knowing when a hacker has breached your system and that you’ve been compromised.
The biggest problem with process monitoring? Management buy-in
The failure of adequate process monitoring is almost always a leadership failure. Executive teams want security and often think it’s about the latest and greatest technology, but they don’t understand what processes need to be put in place to utilize and maximize that technology. You can design an expensive, elaborate security procedure, but if you don’t verify it’s working over time, then you won’t know if it’s having any affect on your security posture.
“Gartner has found that organizations that measure and target security-control-related activities also drive continual improvement in their overall security environment. As a result, they are better-protected, react better to incidents and are subject to lower risk.” 2
Security is not only about “protecting the company from threats” but also about managing the risk to a company. Leadership teams need to buy into the security strategy, invest in team skilling and hours, and commit to the continual processes of maintaining a robust security posture.
Interestingly enough, one benefit of process monitoring is it gives you the ability to report up and help leadership to understand the value of these investments.
“An increasing focus on business value has translated into infrastructure and operations (I&O) leaders discussing contextualized information — a clear shift from mere visibility to action-oriented data-driven insights. Monitoring is evolving into a process that offers insight into digital business applications, speeds innovation and enhances customer experience.” 3
Metrics collected regularly from manual, automated, and annual reviews and assessments are valuable assets that can be relayed to the executive leadership team as hard data to drive investments and focus for security initiatives going forward. Not only does this kind of regular inspection enforce the application of a security strategy, it also establishes its effectiveness. This is vital information for risk management, which is a key benefit of a strong security strategy.
How to create effective process monitoring
Top down support. Process monitoring often gets folded inside of risk monitoring or bucketed into security, when it really extends across many departments and functions. Because of this, a major factor in creating effective process monitoring is that leadership has to relay support for initiatives down their reporting chains. A security leader or partner can create strategies and implement processes and policies, but other departments need to be receptive and responsive to what that leader prescribes.
Look for the blind spots. Certain process monitoring systems are often overlooked or avoided. Log reviews, individual work reviews and approvals, and spotchecking are all examples of monitoring that can fall by the wayside but are important bellwethers of quality control.
Plan for the human factor. Most failures happen through the people side. You tell someone to monitor something and they don’t, or they get overloaded and start skipping steps or cutting corners. Put process monitoring for people into place through assessments such as ticket reviews, notes, and follow-up items for changes or suggestions. To create consistent change, incentives for good performance and consequences for poor performance need to be meaningful. Finally, in our webinar “Preparing for an Attack: 4 Steps to Building a Cyber-Resilient Organization”, we talked about a key feature of cyber resilient organizations is training. Make sure your team’s skills and understanding of processes are up to date.
Automate. Manual reviews of every security event is time-consuming and mistakes are highly possible. Inexperience may lead to missing a threat pattern, such as a hacker exploring the environment for vulnerabilities, a virus spreading, or an employee exfiltrating data. Remove the human failure factor as much as possible by automating your process monitoring. However, keep in mind that manual reviews of new automation are sometimes skipped, but trusting automation implicitly right away is a recipe for disaster. New automated processes can overload by sending too many alerts at the beginning and need to be finetuned to make sure the system is reporting real events. Conversely, they might not be monitoring enough and real security events are being missed.
Plan for continuity. Processes fail with turnover, which is another human factor problem. To prepare for this (and save time and money), document your processes well. Without good documentation, you won’t know what processes need to be maintained or how to train new employees.
Get the right expertise. Who on the team should be in charge of all this process monitoring? It depends on the industry, the size of the company, and the business and regulatory requirements. If you’re a small start-up software company, this could be handled by your staff security professional. If you’re a large, regulated healthcare company, then you need a set of individuals internally and externally to handle process monitoring and assessments. But no matter the size of your team, make sure you have the support of a strong external partner like Taos for advisory services and process validation.
(2) Kranawetter, Michael, “How to Develop Key Control Indicators to Improve Security Risk Monitoring”, https://www.gartner.com/document/4000165?ref=solrAll&refval=302312790, April 5, 2021
(3) Byrne, Padraig, and Pankaj Prasad, “Hype Cycle for Monitoring, Observability and Cloud Operations, 2021” https://www.gartner.com/interactive/hc/4003681?ref=solrAll&refval=302312790, July 16, 2021