Strategic Security: A CISO's Guide to Prioritizing and Optimizing Cybersecurity Initiatives
Deja Vu Sunrise


Most businesses are facing a challenging economic environment in 2023. They are likely to continue to be cautious about spending and hiring in the coming months. CISO budgets are being cut, security team morale is low, and security professionals are worried about losing their jobs. This is a challenging time for the security industry, and it is important for CISOs to take steps to protect their teams and their organizations.

  • Revenue forecast correction on the downside - A survey by PwC found that 75% of CEOs expect their company’s revenue to grow more slowly in 2023 than they previously forecast. This is the bleakest revenue outlook since the survey began in 2010.
  • CEO confidence - CEO confidence has fallen sharply in recent months. The Conference Board's survey showed that CEO confidence is at its lowest since the beginning of the COVID-19 crisis.
  • CFO confidence - CFO confidence has also fallen sharply in recent months. Deloitte's survey showed CFO confidence to be at its most dire level since the 2008 economic downturn.
  • CISO budgets - PwC's survey found that 58% of CISOs had their budgets reduced in 2023. This is the most drastic level of budget cuts since the 2008 financial crisis.
  • Layoffs - A survey by Cybersecurity Ventures found that 30% of security professionals are worried about losing their job in 2023. This is the highest level of job insecurity since the survey began in 2016.

The business and technology landscape in 2023 is challenging but not insurmountable. By taking steps to mitigate the risks, businesses can position themselves for success in the years to come. Below are a few examples that CISOs and Risk Leaders can use to prioritize and/or re-prioritize line items on their budgets and resources in the current economic and market conditions. The diagram below summarizes a few initiatives with the recommended prioritization and reprioritization for the current economy and market:

[Diagram] A sample listing of Security Initiatives to prioritize/reprioritize

Prioritize

Direct Financial Impacts

In a challenging economic environment, it is important for businesses to prioritize security risks that have the potential to cause a direct financial impact. These include risks such as customer contract violations, regulatory fines, and gaps in insurance coverage. By prioritizing these risks, businesses can focus their security resources on the areas most likely to protect their bottom line. Below is a short description of a few such direct financial risks:

Customer Contract Violations

Customer contract violations can occur when a business fails to meet its obligations under a contract with a customer. This could include failing to deliver a product or service on time, failing to meet quality standards, or failing to protect customer data. Customer contract violations can lead to lawsuits, fines, and lost revenue.

Regulatory Fines

Regulatory fines are financial penalties imposed by government agencies for violations of regulations. Businesses can suffer substantial financial penalties and damage to their reputation through regulatory fines. For example, in 2019, Facebook was fined $5 billion by the Federal Trade Commission for violating the Children's Online Privacy Protection Act.

Insurance Coverage

Insurance coverage can help to mitigate the financial impact of security incidents. For example, businesses can purchase cyber insurance to protect themselves from the financial losses associated with data breaches. Cyber insurance can cover the costs of investigating a data breach, notifying affected customers, and repairing or replacing damaged data.

 

Crisis Management

Crisis management is planning for and responding to crisis scenarios. It can help organizations minimize a crisis's impact and protect their reputation. It means having a plan in place so that the organization, as a business, can respond to security incidents quickly and effectively.

Below are two examples of cyber crisis management, one illustrating poor handling and the other showcasing effective handling in recent years:

 

Example of Poor Cyber Crisis Management:

SolarWinds Cyberattack (2020): In 2020, a massive cyberattack targeted the SolarWinds Orion platform, affecting many government agencies and private companies worldwide. The attackers compromised the software update mechanism and used it to distribute malicious code. The response to the incident has been criticized for several reasons:

  • Late detection: The cyberattack went unnoticed for months, allowing the attackers to access sensitive data and systems.
  • Insufficient communication: Affected customers, including government agencies and businesses, were not promptly notified of the breach, leading to confusion and delays in response.
  • Ongoing vulnerabilities: Months after the attack, some affected organizations were still discovering compromised systems, raising concerns about the effectiveness of the remediation efforts.

Example of Effective Cyber Crisis Management:

FireEye Cybersecurity Breach (2020): FireEye, a leading cybersecurity firm, experienced a breach in 2020, where sophisticated attackers stole the company's Red Team assessment tools. The firm's response to the breach was praised for its transparency and speed:

  • Prompt disclosure: FireEye publicly announced the breach soon after its discovery, alerting the customers and the cybersecurity community to the threat.
  • Detailed information: The company provided comprehensive information about the breach, including the scope, the nature of the stolen tools, and the suspected threat actor.
  • Collaboration with authorities: FireEye promptly engaged with the FBI and other relevant authorities to investigate the breach and share information on the incident.
  • Mitigation efforts: FireEye published countermeasures to help organizations defend against potential misuse of the stolen tools, actively contributing to the broader cybersecurity community's protection.

This proactive and transparent approach helped FireEye maintain its reputation and credibility despite the breach, demonstrating the importance of effective cyber crisis management.

Rationalize Security Tools using Open-Source

In a time of budget constraints, it is important for businesses to rationalize their security toolset and only use the tools that are essential for their needs. Open-source security tools can be a cost-effective way to meet these needs.

  • Open-source security tools are just as effective as commercial security tools. Many are free to use; where a commercial tool is still needed, an open-source tool can demonstrate the key use cases that support your business case and ROI.
  • Open-source security tools are developed and maintained by a community of developers, constantly being updated and improved.
  • Open-source security tools are often more transparent than commercial security tools, so businesses can better understand how they work.

The below table includes only a fraction of the open-source tools to choose from:

[Table] A few samples of open-source tools

If you are a business that is looking to improve your security posture without breaking the bank, then you should use open-source security tools. A wide variety of open-source security tools are available, and you can find the tools that fit your needs.

 

Training

In a time of budget constraints, it is often more cost-effective to focus on training employees on good security practices. This can be done through a variety of methods, such as online training, alternative training providers, and joining local and remote peer communities.

By training employees on good security practices, businesses can help to prevent security incidents. This saves money in the long run by avoiding not only the direct costs of incident response but also the costs associated with replacing and training staff. It also has a positive impact on employee morale and helps improve employee retention.

Remember, training employees costs much less than several other initiatives, for example, an independent NIST CSF assessment.

 

Purple Team

Purple teaming is a collaborative approach to security that involves bringing together security professionals from different teams within an organization. This can help to improve communication and coordination, and it can lead to more effective security solutions.

For example, a purple team could help re-prioritize the critical and high vulnerabilities within a scope by identifying which of them are easy to exploit, giving the business a data-driven mechanism for directing limited remediation resources.

By prioritizing purple teaming, businesses can improve their security posture in several ways, including:

  • Improved communication and coordination between security professionals from different teams
  • More effective security solutions
  • A more secure supply chain
  • A stronger reputation

MFA and Secret Management

Without meaningful multi-factor authentication (MFA), there is no reason to pursue secret management or any other initiative. I am writing this article in 2023 and assume you already have MFA.

Secret Management is the practice of securely storing and managing credential data, like passwords and encryption keys. There are various ways to implement secret management, with varying levels of maturity. Some of the most common types of secret management solutions include:

  • Password managers: Password managers are a type of secret management solution that allows users to store and manage their passwords in a secure manner. Password managers typically encrypt passwords and store them in the cloud, making them accessible from any device.
  • Key vaults: Key vaults are a type of secret management solution that is designed to store and manage cryptographic keys. Key vaults typically use hardware security modules (HSMs) to protect keys from unauthorized access.
  • Secret servers: Secret servers are a type of secret management solution that is designed to store and manage sensitive data, such as passwords, encryption keys, and API tokens. Secret servers typically use encryption and access control to protect data from unauthorized access.

The best secret management solution for your organization will depend on its specific needs and requirements. The table below summarizes a few pros and cons of each type of secret management solution:

[Table] Secret Management Options with a few Pros and Cons

By prioritizing secret management, businesses can improve their security posture in several ways, including:

  • Protecting sensitive data from unauthorized access
  • Reducing the risk of data breaches
  • Improving the security of systems and applications
  • Protecting the organization from identity theft

This is an essential part of any security program, as it helps to protect organizations from unauthorized access to their systems and data.

Open-Source Canary

Open-source canaries are small, self-contained programs that detect malicious activity on a network, in a database, or in DNS. You can also create dummy accounts such as security-admin and customer-data-admin; any use of these accounts can trigger an automatic alert. Canaries are a cost-effective way to collect threat intelligence and can be as effective as threat intelligence from a third-party vendor.

Open-source canaries can detect a variety of malicious activity, including:

  • Port Scans:

Tool: Honeyd (https://github.com/DataSoft/Honeyd). Five steps for implementation:

  1. Install Honeyd and create configuration files for virtual Honeypot hosts.
  2. Configure services to run on virtual hosts, imitating open ports and services of real systems.
  3. Set up network routing to direct traffic to Honeyd honeypots.
  4. Monitor Honeyd logs for port scanning activities and unexpected connections to the virtual hosts.
  5. Analyze logs and alerts to identify threat actors and their techniques and update security defenses accordingly.


  • Denial-of-service (DoS) attacks:

Tool: Snort (https://www.snort.org/). Five steps for implementation:

  1. Install Snort and create network interfaces for traffic monitoring.
  2. Configure Snort rules to detect common DoS attack patterns, such as SYN flood, ICMP flood, and UDP flood.
  3. Implement rate-limiting and traffic-shaping policies to mitigate the impact of detected DoS attacks.
  4. Monitor Snort logs and alerts for potential DoS attacks and false positives.
  5. Adjust Snort rules and mitigation strategies based on the analysis of detected DoS attacks to improve the defense.

 

  • Malicious file downloads:

Tool: OpenCanary (https://github.com/thinkst/opencanary). Five steps for implementation:

  1. Install OpenCanary and configure multiple services, such as FTP, HTTP, and SMB, to host fake files.
  2. Create realistic fake files or documents with enticing names that appeal to attackers and place them on configured services.
  3. Set up email alerts in OpenCanary to notify the security team of unauthorized file access or download.
  4. Monitor OpenCanary logs to track attacker IPs, timestamps, and accessed files.
  5. Use the collected information to investigate attacker techniques, update security policies, and raise user awareness.

 

  • Malware infections:

Tool: Cuckoo Sandbox (https://cuckoosandbox.org/). Five steps for implementation:

  1. Install Cuckoo Sandbox and set up one or more virtual machine environments to serve as malware analysis sandboxes.
  2. Configure Cuckoo to automatically analyze suspicious files or URLs, either manually submitted or collected from various sources (e.g., email attachments).
  3. Review the generated behavioral reports to identify potential malware infections, including process execution, network communication, and file modifications.
  4. Integrate Cuckoo Sandbox with other security tools, such as YARA and VirusTotal, to enhance the detection and classification of malware samples.
  5. Use the insights from Cuckoo Sandbox to improve security defenses, such as updating antivirus signatures, blocking malicious IPs, and patching vulnerable software.

 

In summary, open-source canaries can be a valuable tool for detecting malicious activities by acting as decoys or honeypots. These canaries can be configured to detect port scans, denial-of-service attacks, malicious file downloads, and malware infections, providing early warnings and valuable threat intelligence to help protect an organization's systems and data.
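As an added illustration of the dummy-account idea above (this is example code, not from the article or from any of the tools it lists), the following Python script scans constructed sshd-style auth lines, raises an alert whenever a decoy account such as security-admin or customer-data-admin is touched, and also flags sources with repeated failed logins. The log format, field names and failure threshold are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Decoy accounts named in the article: nobody legitimate ever logs in as these,
# so any attempt, successful or not, is a high-fidelity signal.
CANARY_ACCOUNTS = {"security-admin", "customer-data-admin"}

# Assumed sshd-style auth line layout (adjust the pattern for your own log source).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

@dataclass(frozen=True)
class Alert:
    severity: str   # critical / high / medium
    source_ip: str
    detail: str

def parse_line(line):
    """Return the fields of an sshd auth event, or None for any other line."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, fail_threshold=5):
    """Alert on canary-account use and on sources with repeated failed logins."""
    alerts, failures = [], Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # cron, sudo, etc. are not auth attempts we score
        if ev["user"] in CANARY_ACCOUNTS:
            # A successful decoy login means a leaked credential; a failure means probing.
            sev = "critical" if ev["result"] == "Accepted" else "high"
            alerts.append(Alert(sev, ev["ip"], f"canary account {ev['user']} used ({ev['result'].lower()})"))
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
    for ip, n in failures.items():
        if n >= fail_threshold:
            alerts.append(Alert("medium", ip, f"{n} failed logins (possible brute force)"))
    return alerts

# Constructed sample log using RFC 5737 documentation addresses, not real data.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z bastion sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
2023-06-01T10:00:05Z bastion sshd[2102]: Failed password for root from 203.0.113.7 port 40001 ssh2
2023-06-01T10:00:06Z bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
2023-06-01T10:00:07Z bastion sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
2023-06-01T10:00:08Z bastion sshd[2105]: Failed password for security-admin from 203.0.113.7 port 40004 ssh2
2023-06-01T10:00:09Z bastion sshd[2106]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2
2023-06-01T10:00:30Z bastion sshd[2107]: Accepted password for customer-data-admin from 198.51.100.23 port 38822 ssh2
2023-06-01T10:01:00Z bastion CRON[2200]: pam_unix(cron:session): session opened for user root
"""
```

Running `analyze(SAMPLE_LOG.splitlines())` yields a high alert for the probe of security-admin, a critical alert for the successful customer-data-admin login, and a medium alert for the five failed logins from 203.0.113.7.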

All teams have a fixed amount of resources, and almost all security teams are feeling the strain in some form. CISOs should identify and rank the needs that cannot be ignored in the current market. Remember that there will always be more work and tasks than can be done; CISOs should concentrate their efforts on lessening the workload of their security teams by avoiding unnecessary tasks right now.


Evaluate for reprioritization

Zero Trust

Zero trust is a security model that assumes no user or device can be trusted by default. All access to resources must be verified, regardless of whether the user is inside or outside the organization's network and regardless of the endpoint used. Zero trust is a complex and expensive model to implement, as it requires organizations to invest in new technologies and processes. In a challenging economic environment, businesses may want to prioritize secret management over zero trust. Secret management securely stores and manages credential data, such as passwords, tokens, and encryption keys, and it also provides a sound foundation on which businesses can grow and mature a Zero Trust program in the future.

Note:

If you are government-funded or a contractor that provides services to Government and/or Public sector agencies, please review your contractual obligations and related laws to determine the relevance and impact of Executive Order M-22-09 for your organization. The same is true for organizations that have GLBA and FFIEC requirements or that are part of the nation's critical infrastructure, systemic risks, and strategic supply chains.

Third-Party Risk Management

Third-party risk management is an important part of any security program. However, it can be a complex and time-consuming process. It involves identifying and assessing the risks associated with third-party vendors and then developing and implementing controls to mitigate those risks. This can be a daunting task for organizations with limited resources. In a challenging economic environment, businesses may need to prioritize purple teaming before third-party risk management.

Some companies are required by regulation or law, such as SOX, PCI-DSS, HIPAA, FFIEC, FISMA, DFARS, and ICD 205/1, to assess their third parties.

To evaluate the scale and success of your TPRM program, refer to the following five questions:

  • Has the vendor disclosed any data or security breach in the last 24 months?
  • Have you received any notification from your security service provider of any known security breach, such as account takeovers that affect your vendors?
  • Have you performed any technical security, performance, and recovery testing of your system's interface, API calls, and users that have access to your environment? If yes, is it older than 12 months?
  • Have you enabled SSO and/or MFA for the accounts consuming and providing services?
  • Has the vendor gone through an independent SOC 2 or equivalent attestation in the last six months?

Threat Intelligence

Threat intelligence is information about potential threats to an organization's information systems and data. It can help to identify and mitigate risks and to improve the organization's security posture.

Threat intelligence can be collected from a variety of sources, including:

  • Third-party vendors
  • Government agencies
  • Open-source sources

Threat intelligence is valuable for identifying and mitigating security risks. However, purchasing threat intelligence from a third-party vendor can be expensive. As an alternative, consider deploying Open-source canaries that can be just as effective as threat intelligence from a third-party vendor.


Zero trust, Third-Party Risk Management, and Threat Intelligence are valuable security models, but they are not the only important security measures. You should apply an abundance mindset in a growing economy or a growing company; conversely, you must reduce the workload in a contracting economy and an uncertain market. The initiatives you prioritize and/or reprioritize must be driven by your organization's Direct Financial Impact, Crisis Management, and Technology Rationalization goals.
