Avoid Unexpected Gaps | PacketWatch

Written by Todd Welfelt | October 1, 2025

Much of the current cybersecurity conversation focuses on the obvious, but if the "beef" isn’t there, then what's the point?

"Where's The Beef?"

Those of a ‘certain’ age certainly remember this famous tagline, but for those who don’t, let me paint a quick picture.

Three elderly ladies are in a generic fast-food restaurant, and they are served a hamburger. The food that arrives looks promising – a big, soft, glistening bun. But no meat. No ‘burger’ in the burger. One of them opens the bun to find a teeny, tiny dot of ‘beef’ in the middle with a single pickle slice and a small piece of cheese.

This causes one of the ladies to shout, ‘Where’s the beef!?!’

Wendy's Original 1984 Ad (YouTube)

In subsequent ads, they even got on the phone (yes, it had a long, coiled cord and was attached to the wall) and started asking for managers, supervisors, and owners to find the beef. Yes, it was a silly way to sell burgers, but the question still lingers – ‘Where’s The Beef?’

The same question applies to cybersecurity.

So much of the current cybersecurity conversation focuses on the obvious – patch regularly, control access, and apply MFA. These are all important, but stopping there can leave unexpected gaps in your security program.

Focusing on the perfect bun, the right thickness of onion, and the perfect crisp pickle is all part of the experience, but if the beef isn’t there, what is the point?

The ‘beef’ in cybersecurity is found in these three areas:

Visibility

Do you know what is on your network? EVERYTHING? How about the IoT devices? Printers? Did someone plug in an internet connected alarm clock yesterday without telling you? And most importantly – how do you know?

On a network, everything happens through the network. IT, OT, IoT – it’s all connected. And sometimes it’s connected to areas the organization doesn’t even realize it reaches. As good as network teams are, they are still human. They can make mistakes. How can you verify that the activity on your network is authorized, expected, and understood? Are those PowerShell commands expected or malicious? How about those remote procedure calls? Or that RDP request?

Visibility also helps validate the effectiveness of controls. Is there any AI use within your environment? How sure are you? How much data does NetFlow from your firewall really provide?

Even more importantly, if you don’t know EVERYTHING connected to your network, how can you protect it? There is a reason why the Center for Internet Security has identified Inventory and Control of Enterprise Hardware and Software as the first place to start in their Critical Security Controls.

Preparation

Reviewing your preparation for an incident is another crucial step in managing your cybersecurity program and for reducing errors during an incident.

Sometimes, preservation of evidence, capturing logs, and network isolation are more important than simply ‘cleaning up’ after the incident. These steps help identify the overall scope of an issue, the initial access method, and the data that was accessed. Reviewing all of the steps necessary to preserve this evidence helps reduce the risk of future attacks.

If your help desk receives an alert that someone clicked on a phishing email, how confident are you that they will take the appropriate steps to manage the incident?

Is there more than an admonishment to ‘not do that again’? Maybe a change of user password? Do you verify the computer isn’t compromised? Do you isolate it from the network? Reboot it? Wipe it? What are standard best practices for Incident Response – at ALL incident tiers? How familiar is your team with the process?

These are questions that should be asked constantly by IT and Security staff.

Threat Knowledge

The final area providing the ‘meat’ of your cybersecurity program is threat knowledge.

Security operations require active threat identification, because reactive alerts are only as good as the intelligence that created them. New or novel approaches can bypass those alerts, which is why active hunting by an experienced human hunter is required.

Are those PowerShell commands expected or malicious? How about those remote procedure calls? Or that RDP request? Is it OK for one computer to perform these actions and not another? How do you identify those scenarios? Do you know the most critical threats to your network? Is it edge devices? User vulnerabilities? Third-party access?

Is your team actively hunting for threats from all possible directions – internal traffic, external traffic, vendor compromises? How familiar is your team with the latest tactics, techniques, and procedures associated with new ransomware groups? How confident are you that these would be identified within your organization before a security event becomes a full-blown incident?
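The visibility questions above (what is on the network, and how do you know?) and the threat-knowledge question (is it OK for one computer to do this and not another?) both come down to comparing what the network actually shows against what you expect. The following is an added illustration, not code from the original post or from PacketWatch: it takes a constructed asset inventory, learns a per-host behaviour baseline from a known-good window of summarised network events, and then flags devices that are not in the inventory at all and inventoried hosts doing something they have never done before. All hostnames, addresses and events are hypothetical.

```python
"""Compare observed network activity against the asset inventory and a
per-host behaviour baseline. Every name and event below is constructed."""
from collections import defaultdict

# Constructed asset inventory (hypothetical hostnames): what IT believes is on the network.
ASSET_INVENTORY = {"jump-host-01", "fileserver-02", "printer-lobby", "hr-laptop-07"}

# Constructed history of summarised events (source, action, destination)
# from a window the team has already reviewed and accepted as normal.
HISTORY = [
    ("jump-host-01", "rdp", "fileserver-02"),
    ("jump-host-01", "powershell", "fileserver-02"),
    ("jump-host-01", "rpc", "fileserver-02"),
    ("hr-laptop-07", "smb", "fileserver-02"),
    ("fileserver-02", "rpc", "jump-host-01"),
]

# Constructed events from today's traffic.
TODAY = [
    ("jump-host-01", "rdp", "fileserver-02"),         # in profile for the jump host
    ("hr-laptop-07", "powershell", "fileserver-02"),  # this laptop never did that before
    ("printer-lobby", "rdp", "fileserver-02"),        # a printer initiating RDP
    ("10.0.9.77", "rdp", "jump-host-01"),             # device not in the inventory at all
]

def build_baseline(history):
    """Learn which actions each source host normally performs."""
    baseline = defaultdict(set)
    for src, action, _dst in history:
        baseline[src].add(action)
    return baseline

def triage(events, inventory, baseline):
    """Return (unknown_hosts, out_of_profile) for a batch of events.
    unknown_hosts: any source or destination absent from the asset inventory.
    out_of_profile: (src, action, dst) where src is inventoried but has no
    history of that action; the 'is it OK for *this* computer?' cases."""
    unknown_hosts, out_of_profile = set(), []
    for src, action, dst in events:
        for host in (src, dst):
            if host not in inventory:
                unknown_hosts.add(host)
        if src in inventory and action not in baseline.get(src, set()):
            out_of_profile.append((src, action, dst))
    return sorted(unknown_hosts), out_of_profile

if __name__ == "__main__":
    unknown, findings = triage(TODAY, ASSET_INVENTORY, build_baseline(HISTORY))
    print("not in inventory:", unknown)
    for src, action, dst in findings:
        print(f"review: {src} -> {action} -> {dst}")
```

A real deployment would feed the history and today's batch from the network sensor rather than literals, and the out-of-profile list is a hunting queue for a human, not an automatic verdict.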

Conclusion

Controlling the ‘major’ threat vectors is important – surface management, user education, and credential protection – but if this is where your cybersecurity program ends, you could be missing the most important part of network security – the beef.

This is why monitoring your network for ALL activity, regularly reviewing your response procedures, and matching known threats against the activity that could expose you is so important.

To see what we see on a network, request a demonstration of PacketWatch in action.

Todd Welfelt has an Information Technology career spanning more than 25 years. He has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the needs of compliance frameworks, as well as provide real-world risk reduction.