What is Enterprise Security?
Enterprise security is the process by which an organization protects its information assets (data, servers, workstations, storage, networking, applications, etc.) from infringement of confidentiality, integrity, or availability. It includes policies and procedures which provide guidance on the who, what, why, and how to implement the protection mechanism for an organization’s information assets.
A risk management program is a key tool for executing these protections: it identifies the assets, the threats to those assets, where vulnerabilities exist, and the controls or protections that can be implemented to mitigate the identified risks. Because the enterprise continually changes, the risk mitigation efforts and the overall enterprise security program must be continually reassessed for effectiveness and improved.
Why is Enterprise Security (& Cyber Security) Important?
Well, this question seems obvious, but it is surprising how many enterprises out there either have weak or ineffective security programs or none at all. In today’s cyber environment, an effective enterprise security program is imperative in order to protect the computing infrastructure upon which the enterprise is built.
Effective enterprise security programs enable the mission of the enterprise, not hinder it. Without an effective security program, enterprises leave themselves exposed and vulnerable to the malicious intent of countless numbers of bad actors and organized crime.
What 5 Things Should Be Completed Now?
Implementing an effective enterprise security program takes time, focus, and resources. If your organization does not have an effective enterprise security program, getting started can seem overwhelming.
Use your understanding of what data, systems, and infrastructure are critical to your business and where you are most vulnerable. Then develop a plan to implement, assess, and manage the controls put in place.
Not all internal controls are created equal, so it is important to focus first on those controls that are relatively straightforward to implement and provide significant gains in protecting and securing your enterprise.
Based on the Center for Internet Security 20 Critical Security Controls, the list below focuses on core principles of enterprise security and will put your enterprise on the right path to a more secure environment.
1) Define your boundary
In order to protect your enterprise, you must have a solid understanding of your boundary. The enterprise security boundary consists of all information assets (e.g. servers, workstations, cloud services) that support the mission of the enterprise through information processing and storage operations. It includes information assets that the enterprise controls as well as external services that are leveraged in support of the enterprise.
Before cloud computing became mainstream, defining the boundary was fairly straightforward: it consisted of the computing assets on premise at the organization and/or at a colocation data center. With the seemingly ubiquitous adoption of cloud services, the enterprise cybersecurity boundary is no longer defined by geographic location and must be extended to include the cloud services the enterprise leverages.
For example, an organization may have information assets on premise at their corporate location but also leverage AWS or Azure for additional compute resources and storage. We’ve read about how AWS S3 buckets have been publicly exposed on the internet and as a result, organizations have suffered a data breach.
There is a shared responsibility model with the use of cloud services, and it is the responsibility of the enterprise that is using cloud services to implement protections and controls to ensure the cloud services being used do not leave them vulnerable to attack or a breach. As a result, these external services need to be included within an organization’s boundary in order to ensure that controls are properly implemented.
Once the boundary is defined, an inventory of the compute assets within it must be developed, because what is not inventoried cannot be protected (see point #3 below). Enterprises must understand which assets are persistent on their network and which are transient (e.g. laptops of sales staff); transient devices may not be as current on security updates as those that are persistent on the network.
Using active or passive discovery tools will help organizations develop their inventory and have an understanding of the scope of the effort to protect each asset on the network. Unfamiliar devices should be investigated quickly and either removed from the network, quarantined, or approved for use (and the inventory should be updated). Developing an inventory of hardware assets (to include virtual hardware) will support the efforts of step #2.
2) Define your software environment
Defining your software environment goes hand-in-hand with defining your boundary and identifying the hardware devices (including virtual devices). For this effort, identify all software that is running on every platform within your boundary.
Using a software inventory tool will be extremely helpful in completing this task and understanding what software the enterprise is using to support its business functions. You will likely find considerable amounts of software running in your environment that was previously unknown and does not support the business function of your organization.
The business need for the software should be substantiated, or the software should be removed from your environment. Keep all software versions up to date as this reduces your vulnerability to attack based on unpatched software.
The approved software inventory should also be correlated with the approved hardware inventory. This will help in developing approved baselines and ensure that software licensing is in check as well.
Once an approved software list is identified, implement a whitelisting capability to only allow approved software to run. Many organizations write scripts to automate tasks and perform important business functions. These scripts should be included in the whitelisting effort.
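Steps 1 and 2 both come down to the same reconciliation: compare what discovery finds against what is approved, then act on the differences. The script below is an added example written for this article, not code from the author, L&C, or the Center for Internet Security. All inventories, hostnames, package names and version numbers in it are constructed sample data, and the version comparison assumes simple dotted numeric versions.

```python
"""Reconcile discovered hardware and installed software against approved
inventories (steps 1 and 2). Added example; every inventory below is
constructed sample data, not output from a real discovery tool."""
from dataclasses import dataclass, field

# Approved hardware inventory: hostname -> attributes (constructed).
# "persistent" hosts are expected on the network at every scan; transient
# hosts (laptops) may legitimately be absent.
APPROVED_HARDWARE = {
    "fs01":        {"owner": "it",    "persistent": True},
    "web01":       {"owner": "dev",   "persistent": True},
    "db01":        {"owner": "it",    "persistent": True},
    "lt-sales-07": {"owner": "sales", "persistent": False},
}

# Result of an active discovery sweep (constructed). Anything here that is
# not approved is what the text says to investigate, quarantine or approve.
DISCOVERED = [
    {"host": "fs01",        "ip": "10.0.1.10"},
    {"host": "web01",       "ip": "10.0.1.20"},
    {"host": "raspberrypi", "ip": "10.0.1.77"},
]

# Approved software: package name -> minimum acceptable version (constructed).
APPROVED_SOFTWARE = {
    "openssh-server": "9.6",
    "nginx":          "1.26.0",
    "backup-agent":   "4.2",
}

# Installed software per host as a software inventory tool would report it
# (constructed).
INSTALLED = {
    "fs01":  {"openssh-server": "9.6", "backup-agent": "4.1", "bittorrent": "7.10"},
    "web01": {"openssh-server": "9.7", "nginx": "1.26.1"},
}


def parse_version(v):
    """Turn '1.26.1' into (1, 26, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class HardwareReport:
    unknown: list = field(default_factory=list)  # seen on the network but not approved
    missing: list = field(default_factory=list)  # persistent host that was not seen


def reconcile_hardware(approved, discovered):
    """Compare a discovery sweep with the approved hardware inventory."""
    seen = {d["host"] for d in discovered}
    report = HardwareReport()
    report.unknown = sorted(seen - approved.keys())
    # A transient host that is absent is expected; a persistent one is not.
    report.missing = sorted(h for h, attrs in approved.items()
                            if attrs["persistent"] and h not in seen)
    return report


def reconcile_software(approved, installed):
    """Return {host: {"unapproved": [...], "outdated": [...]}} for hosts with findings.

    "unapproved" packages have no substantiated business need on record;
    "outdated" packages are approved but below the minimum version.
    """
    findings = {}
    for host, packages in installed.items():
        unapproved, outdated = [], []
        for name, version in packages.items():
            if name not in approved:
                unapproved.append(name)
            elif parse_version(version) < parse_version(approved[name]):
                outdated.append((name, version, approved[name]))
        if unapproved or outdated:
            findings[host] = {"unapproved": sorted(unapproved),
                              "outdated": sorted(outdated)}
    return findings


if __name__ == "__main__":
    hw = reconcile_hardware(APPROVED_HARDWARE, DISCOVERED)
    print("unknown devices to investigate:", hw.unknown)
    print("persistent hosts not seen:", hw.missing)
    for host, f in reconcile_software(APPROVED_SOFTWARE, INSTALLED).items():
        print(host, f)
```

In practice the two approved inventories are fed from the same CMDB so the software findings can be correlated with the hardware record (owner, persistence) before a ticket is raised; the unapproved packages are also the seed list for the whitelisting effort.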
3) Harden the assets within your boundary
Once step #2 is complete, then you can proceed with hardening each operating system and application within your environment. This effort should target the software running on every workstation, laptop, server (physical or virtual), and network device within the boundary of the enterprise.
Secure configuration guides for most well-known operating systems, applications, databases, and network devices have been developed by organizations like the Center for Internet Security. The government has also developed hardening guides, such as the Security Technical Implementation Guides (STIGs), to assist in hardening operating systems, applications, databases, etc.
Due to the potential negative impact on performance or operations, not every parameter of every hardening guide can be implemented. Implement all that can be and document the rationale for not implementing those that negatively impact your systems.
Once these hardening parameters have been defined and implemented, this becomes your configuration baseline. All instances of the approved software must be configured in accordance with the approved configuration baseline.
It is common for subsequent instances (or previously hardened configurations) to drift from the approved baseline. Therefore, configuration monitoring tools should be employed to detect drift from the approved configuration baseline. When drift from the approved baseline is discovered, steps should be immediately taken to bring the software back in alignment with the approved configuration.
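Drift detection is a comparison of each host's live configuration against the approved baseline, with documented exceptions (the rationale the previous paragraphs say to record) kept separate from real drift. The following is an added example for this article, not code from the author or from any configuration monitoring product; the baseline values, the exception and the sample sshd_config are constructed for illustration and are not copied from a published benchmark or STIG.

```python
"""Detect drift of a host's current configuration from the approved baseline.
Added example with constructed data; the baseline is illustrative, not a
published hardening guide."""

# Approved configuration baseline: parameter -> required value (constructed).
BASELINE = {
    "PermitRootLogin":        "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries":           "4",
    "X11Forwarding":          "no",
    "LogLevel":               "VERBOSE",
}

# Documented exceptions: parameters deliberately left off the baseline value,
# with the rationale recorded (ticket id is a placeholder, not a real record).
EXCEPTIONS = {
    "X11Forwarding": "required by legacy lab-display application; change ticket CHG-PLACEHOLDER",
}

# Current sshd_config as pulled from a host (constructed sample).
CURRENT_CONFIG = """\
# sshd_config on web01
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
LogLevel VERBOSE
"""


def parse_config(text):
    """Parse 'Key value' lines, ignoring blanks and comments.

    sshd treats keywords case-insensitively, so keys are lower-cased here.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.strip().lower()] = value.strip()
    return settings


def detect_drift(baseline, current_text, exceptions=None):
    """Return a list of (parameter, status, current_value, expected_value).

    status is 'changed'   : value differs from the baseline,
              'missing'   : parameter is not set, so the daemon default applies,
              'exception' : differs, but a documented rationale exists.
    Only parameters that differ from the baseline are returned.
    """
    exceptions = exceptions or {}
    current = parse_config(current_text)
    drift = []
    for param, expected in baseline.items():
        actual = current.get(param.lower())
        if actual is None:
            status = "missing"
        elif actual.lower() == expected.lower():
            continue  # matches the baseline
        else:
            status = "exception" if param in exceptions else "changed"
        drift.append((param, status, actual, expected))
    return drift


def needs_action(drift):
    """Drift entries that must be brought back into alignment immediately."""
    return [d for d in drift if d[1] in ("changed", "missing")]


if __name__ == "__main__":
    for param, status, actual, expected in detect_drift(BASELINE, CURRENT_CONFIG, EXCEPTIONS):
        print(f"{param:24} {status:10} current={actual!r} expected={expected!r}")
```

A "missing" parameter is reported as drift on purpose: a baseline line that was deleted silently reverts to the software's default, which is often the weaker setting the baseline was written to override.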
4) Implement a vulnerability management and remediation program
No software is perfect. It is commonplace for vulnerabilities to be identified in software platforms. The question is whether or not you know if you are running vulnerable software in your environment and what you are going to do about it.
Time is of the essence — the goal is to reduce the time between the identification of the vulnerability and the application of patches that correct the vulnerability.
Deploy vulnerability scanners in your environment that scan from an external and internal perspective. Once vulnerabilities are identified, develop a plan of action to address the critical findings first and deploy patches as soon as possible.
It is not unusual for a patch to cause issues after it is installed, so ensure that each patch is tested before deploying it to production. This naturally increases the time between identification of the vulnerability and application of the patch in production, but that time is well spent: a patch that breaks critical functionality supporting business processes does more damage than a short, controlled delay.
Where possible, such as with laptops and workstations, deploy patches automatically.
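The vulnerability management loop above reduces to a queue: merge findings from the external and internal scans, order them by severity and exposure, and measure each one against a remediation deadline so that the time between identification and patching is visible. The script below is an added example for this article, not the author's or any scanner vendor's code. The findings, the hostnames, and the per-severity deadlines are all constructed; real deadlines are set by the organization's own policy.

```python
"""Build a prioritised remediation queue from vulnerability scanner findings.
Added example; findings and SLA values are constructed, not scanner output
or any published policy."""
from datetime import date

# Maximum days allowed between first detection and remediation (constructed).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Findings as exported from external and internal scans (constructed).
# The same web01 issue appears in both scans and must be merged, not counted twice.
FINDINGS = [
    {"host": "web01", "vuln": "outdated TLS library",     "severity": "high",
     "first_seen": "2024-05-01", "scan": "external"},
    {"host": "web01", "vuln": "outdated TLS library",     "severity": "high",
     "first_seen": "2024-05-03", "scan": "internal"},
    {"host": "fs01",  "vuln": "SMB signing not required", "severity": "medium",
     "first_seen": "2024-04-01", "scan": "internal"},
    {"host": "db01",  "vuln": "unpatched database engine","severity": "critical",
     "first_seen": "2024-05-20", "scan": "internal"},
    {"host": "lt-sales-07", "vuln": "browser out of date", "severity": "low",
     "first_seen": "2024-05-25", "scan": "internal"},
]


def merge_findings(findings):
    """Collapse duplicate (host, vuln) pairs, keeping the earliest first_seen
    and noting whether the issue is reachable from the external scan."""
    merged = {}
    for f in findings:
        key = (f["host"], f["vuln"])
        entry = merged.setdefault(key, {
            "host": f["host"], "vuln": f["vuln"], "severity": f["severity"],
            "first_seen": f["first_seen"], "external": False,
        })
        entry["first_seen"] = min(entry["first_seen"], f["first_seen"])
        entry["external"] = entry["external"] or f["scan"] == "external"
    return list(merged.values())


def build_queue(findings, today):
    """Return merged findings ordered by severity, then external exposure,
    then age, each annotated with age_days, days_to_sla and overdue."""
    queue = merge_findings(findings)
    for e in queue:
        age = (today - date.fromisoformat(e["first_seen"])).days
        remaining = SLA_DAYS[e["severity"]] - age
        e.update(age_days=age, days_to_sla=remaining, overdue=remaining < 0)
    queue.sort(key=lambda e: (SEVERITY_RANK[e["severity"]],
                              not e["external"],   # externally reachable first
                              -e["age_days"]))     # oldest first within a tier
    return queue


def overdue(queue):
    """Entries that have already exceeded their remediation deadline."""
    return [e for e in queue if e["overdue"]]


if __name__ == "__main__":
    for e in build_queue(FINDINGS, date(2024, 6, 1)):
        flag = "OVERDUE" if e["overdue"] else f"{e['days_to_sla']}d left"
        print(f"{e['severity']:8} {e['host']:12} {e['vuln']:28} "
              f"external={e['external']!s:5} age={e['age_days']:3}d {flag}")
```

The `overdue` list is the metric worth reporting upward: the count of findings past their deadline, by severity, is a direct measure of the identification-to-patch time the text says to minimise. Workstations and laptops that receive automatic patches should drop out of this queue on the next scan without manual action.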
5) Review the use of administrative access across the enterprise
The final step in the first phase of implementing enterprise cybersecurity best practices is to review the use of administrative access across your enterprise. Administrative access into the network is an attacker’s goal, so it is important that administrative access is limited on all applications and devices to only those that require it for their job functions.
Take an inventory of the accounts with administrative access within your enterprise and then determine whether that access is warranted. If not, remove it immediately. Those with administrative privileges should use their administrative account only when performing administrative tasks; otherwise, an account without administrative privileges should be used.
Implement multi-factor authentication (MFA) on all administrative accounts where possible.
Once a base capability is in place to support these five controls, expand their effectiveness by implementing a monitoring program to ensure the controls continue to operate as intended.
Also implement a measurement program to confirm that each control is implemented across the entire enterprise and not just a couple of departments, network segments (as applicable), or applications. There is much more to accomplish with regard to implementing controls across your enterprise.
Remember the following principles when implementing controls:
- Controls should align with policy
- Communicate the implementation of controls across the enterprise
- Implement the control and monitor the operating effectiveness
- Measure the roll-out of the control to ensure it is implemented across the entire organization (e.g. what percentage of the enterprise has been inventoried for hardware and software)
Having an effective and well maintained enterprise security program is a must in today’s world. Bad actors continually scan the internet looking for vulnerable targets, so having an effective enterprise security program is crucial to building a defensive posture that makes the bar high enough that those with malicious intent move on to a softer target.
Work with an enterprise security company and implement controls to address the greatest risks in your enterprise first, then work in phases to build out a control structure that encompasses the entire enterprise.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.