Data Loading...

5513 FEYE Grow into Risk ebook vFinal Digital Flipbook PDF

5513 FEYE Grow into Risk ebook vFinal Digital


117 Views
60 Downloads
FLIP PDF 3.75MB

DOWNLOAD FLIP

REPORT DMCA

5 Ways Business Growth Inadvertently Leads to More Security Risk MIDSIZE BUSINESS EDITION

EBOOK | 5 WAYS BUSINESS GROWTH INADVERTENTLY LEADS TO MORE SECURITY RISK

All business growth comes with risks.

Make sure security is not one of them. Whatever the business growth strategy— market expansion, acquisition, diversification, new market penetration—changes will happen in the IT environment. Everything from adding new tools, to merging business systems, to sharing data with new partners and customers requires thoughtful planning and coordination. However, in the pursuit of supporting growth, midsize businesses can inadvertently create more cyber security risks. Even despite seemingly careful preparation. We asked FireEye security systems engineers to share their observations of how midsize organizations unintentionally compromise their security posture to support growth initiatives. They offered five major observations, along with advice to mitigate resultant risk.

2

3

EBOOK | 5 WAYS BUSINESS GROWTH INADVERTENTLY LEADS TO MORE SECURITY RISK

1

Cloud Migration Requires a Security Plan

Cloud solutions seem like appealing answers to many business demands. And for the most part, they are. The cloud has matured, making it a more viable solution than ever to lower costs, handle disaster recovery and support the need to scale computing and storage resources quickly. But while security is an integral part of cloud platforms, it doesn’t make security problem or responsibility free. Customers must still ensure the security of their data, OS and applications, and users accessing services through the cloud are points of vulnerability. In fact, Gartner predicts that 95% of cloud security issues by 2022 will be the result of customer errors.1

HOW TO PROTECT YOUR ORGANIZATION

• Reduce the scope of privileges assigned to users and services and limit where privileged accounts can be used • Read the FireEye Approach to Effective Cloud Security white paper

F IR EE YE E X P E RTS S E E Businesses don’t realize the extent of their security responsibility Cloud providers protect their infrastructure and the solutions needed to run their cloud services. Businesses are responsible for the rest, from the maintenance of operating systems and applications to authentication, encryption and security awareness. That responsibility is not broadly understood, leaving gaps in security. Security settings are not well configured Poorly configured authentication, sloppy key management and unsecured APIs are just a few of the ways cyber criminals infiltrate cloud infrastructures. Once in, they hijack applications and move undetected through the cloud, obtaining credentials and exfiltrating valuable data. Monitoring is less than ideal Moving to cloud solutions requires security teams to monitor additional logs, such as authentication and authorization, object storage read and write, policy configuration and application—all across multiple cloud platforms. This additional monitoring further stretches already thin security teams, resulting in less effective threat detection.

1 Gartner (March 27, 2018). Is the Cloud Secure? www.gartner.com/smarterwithgartner/is-the-cloud-secure/

15% of FireEye Mandiant incident responses involve public cloud assets.

4

EBOOK | 5 WAYS BUSINESS GROWTH INADVERTENTLY LEADS TO MORE SECURITY RISK

2

Risk Must be Effectively Assessed and Managed During an Acquisition

Acquisitions are an attractive way to rapidly expand into new markets or territories, add new solution offerings and gain new skillsets and talent. All acquisitions are also inherently risky for midsize companies. Unlike larger enterprises that can rebound more easily from a troubled acquisition, midsize businesses don’t have that financial luxury. Proactive due diligence is essential, and they must thoroughly manage the transition following the transaction. Cyber security, while increasingly important during due diligence, still suffers from lack of understanding about its role and value to the process.

F IR EE YE E X P E RTS S E E An existing breach becomes the new owner’s problem Business systems and IT infrastructure are often integrated as part of the acquisition transition. Without knowing that the newly acquired business had already been breached, remediation becomes an unexpected cost. It also raises the question: what was the breach able to do? Any stolen or missing intellectual property and sensitive data makes the acquisition less valuable. Shared procedures take too long to establish The newly formed organization needs to quickly set up security rules and procedures. Left unaddressed, these concerns create uncertainty about what to do in the event of a threat and who’s responsible. Vulnerability goes up. And because transitions can be lengthy, lack of clear guidance exacerbates the situation. New teams lack oversight and proactive management Not everyone is happy about an acquisition. Fear of losing a job or concerns about roles changing can lead to a decline in performance or worst case, a malicious action. Internal phishing compromises user accounts When organizations merge, it’s a natural tendency for users to receive emails from each other’s organization. Attackers using phishing techniques exploit this trust. The recipient is more likely to enable macros, open attachments and click on URLs with less suspicion.

HOW TO PROTECT YOUR ORGANIZATION

• Include language in the Letter of Intent that enables cyber security due diligence, such as network monitoring • Perform a Mergers and Acquisitions Risk Assessment during the due diligence phase • Read Benefits of Cyber Security Diligence in Mergers and Acquisition • Disallow the automatic forwarding of email outside the organizations or regularly audit the forwarding rules on the acquired organization’s mail servers for internal phishing attacks

78% of dealmakers surveyed say cyber security is not analyzed in great depth or specifically quantified as part of the merger and acquisition due diligence process.2 2 Freshfields Bruckhaus Deringer (July 2014). Cyber Security in M&A.

5

EBOOK | 5 WAYS BUSINESS GROWTH INADVERTENTLY LEADS TO MORE SECURITY RISK

3

Security Talent Recruitment Must be Appropriate to the Task

Two things tend to occur when businesses grow: more employees are added and new technologies are adopted.

HOW TO PROTECT YOUR ORGANIZATION

Cyber security needs to respond in a similar fashion. But whereas technology can scale to support the needs, it’s not as easy to scale personnel. Even if that were possible, simply adding headcount doesn’t always work. As organizations fill their security personnel gaps, they are often left with teams that have never experienced a multifaceted attack or significant breach.

• Learn about the hardest roles to fill and how you can address them • Listen to podcast: Addressing the Security Skills Shortage With Expertise On Demand

F IR EE YE E X P E RTS S E E Incorrect hires create more work and costs Everyone wants a superstar on their team. Unfortunately, superstars don’t shine so brightly when their skills don’t match the security strategy of the business. This issue isn’t always immediately obvious and takes time to manifest. By then, an organization can be heading down a wrong path based on the tools recommended and implemented by the new hire because trust was given too soon or the employee did not understand the strategy. Security roles are not clearly and crisply defined Some security activities are critical to a business. Others might seem that way, but really aren’t. Adding a team member to focus on an area that would be more cost-effectively outsourced is an inefficient use of resources. Hiring fills headcount, not needs As the business expands around them, security leaders feel the need to also grow their headcount. Hiring a person to fill a single focus takes away from the limited resources available that could be used in other ways to handle more security needs.

Reduce hiring, managing and training costs The shortage of cyber security professionals is in the millions, making it hard for organizations to get the help they need. Expertise On Demand changes that with an annual subscription that extends security capabilities through flexible access to a wide range of security expertise.

6

EBOOK | 5 WAYS BUSINESS GROWTH INADVERTENTLY LEADS TO MORE SECURITY RISK

4

Tools can Hurt a Business as much as They Help

Growing a business requires new tools and more of them. In the rush to respond to new demands and market conditions, cyber security teams are put in the position to protect more applications and monitor more activity.

HOW TO PROTECT YOUR ORGANIZATION

Eventually, security teams have too much to monitor, and too little time to complete all the necessary tasks.

• Integrate security tools into a single console for improved visibility

F IR EE YE E X P E RTS S E E

• Watch Connecting the Dots: The Importance of an Integrated Security Solution

Improperly secured business tools magnify threat risks Users need the right tools to perform their jobs in the office and outside it. Without a plan to securely employ and monitor these tools, the risk of exposure is high. The irony is that these tools, added to improve business operations and profitability, can actually become very costly due to a breach.

• Implement automation in your security environment

For security tools, more doesn’t always mean safer As cyber threats continue to proliferate and expand, so does the arsenal of tools to protect against attackers. But most security solutions solve only narrow problems, resulting in businesses deploying an unbearable amount of technologies to monitor. Thinly stretched security teams can’t adequately cover them all, so the security posture isn’t as strong as it’s hoped to be.

Effective implementation of security automation reduced the average cost of a breach by 35%.3 3 Ponemon Institute (2018). 2018 Cost of a Data Breach Study: Global Overview.

Simplify from alert to fix FireEye Helix integrates more than 300 security tools with intelligence and behavior analytics to simply and improve security operations.

7

EBOOK | 5 WAYS BUSINESS GROWTH INADVERTENTLY LEADS TO MORE SECURITY RISK

5

Security Strategy and Practices must Evolve along with the Business

A growing business must evolve its processes to thrive. So must a security team. What worked previously isn’t a template for success going forward.

HOW TO PROTECT YOUR ORGANIZATION

Business as usual might be acceptable to some organizations—until a breach occurs. This can then lead to many unproductive behaviors, such as regretful thinking and shifting blame.

• Maintain all updates on software and hardware

F IR EE YE E X P E RTS S E E

• Eliminate applications that are no longer vendorsupported

Additional technology may actually make problems worse Some security leaders may default to technology as the fix for every problem, but this is not a comprehensive approach. Also, if there are issues with how security appliances are configured, an organization may have expanded its range of vulnerabilities.

• Read How to Build a Stronger Security Program—Evaluation and Evolution

Security practices do not undergo true stress testing What used to work might not have been working at all. It might have been more about luck. For example, some businesses go with cheapest pen test bidder or set test parameters in their favor to ensure they pass. They can report that they passed the test to executives, but the vulnerability level is really unknown.

• Anticipate reactions to newly implemented countermeasures following an incident

Security doesn’t keep pace with business agility Speed is a competitive advantage in the increasingly digital world. As businesses turn to IaaS and DevOps strategies, security teams that can’t keep up with demands get bypassed in the name of supporting the business. This means servers and workloads come online without ensuring effective security is in place.

• Conduct a Mandiant Security Program Assessment

• Conduct tabletop exercises to evaluate your organization’s ability to execute your cyber incident response plan. Exercises must include stakeholders from across your company to bridge gaps between the information security team and those in compliance, legal and privacy matters.

Incident tickets are closed too quickly Hasty eradication measures don’t identify or remove backdoors and other remote access methods deployed during a breach. The attacker maintains access and the organization loses all visibility into the threat activity.

Have the best in the business on standby A no-cost retainer gives organizations access to FireEye Mandiant incident response experts, which means the team is available, but no charges are incurred unless the team is needed.

EBOOK | 5 WAYS BUSINESS GROWTH INADVERTENTLY LEADS TO MORE SECURITY RISK

Grow Your Business, Not Your Risk If any of these eyewitness accounts feel a little too familiar, talk to our team today. We’ll be the partner you need to assess risks and protect your organization as it grows. www.fireeye.com/solutions/small-and-midsize-business.html

To learn more about FireEye, visit: www.FireEye.com FireEye, Inc.

About FireEye, Inc.

601 McCarthy Blvd. Milpitas, CA 95035 408.321.6300/877.FIREEYE (347.3393) [email protected]

FireEye is the intelligence-led security company. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nationstate grade threat intelligence, and world-renowned Mandiant® consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent and respond to cyber attacks.

©2019 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

8