
Continuing our series on the NIST Cybersecurity Framework (CSF), we now come to the Detect function.  Of the five core functions, Detect is the most straightforward to describe: its job is to discover security events in a timely manner, and the backbone of that job is an Information Security Continuous Monitoring (ISCM) program.  NIST SP 800-137 explains how to build and run an ISCM program for your organization, and the rest of this post follows its process.

Here are the six steps to building an effective ISCM program as outlined in that document:

1. Define the ISCM strategy

A proper ISCM program starts with the leaders of the organization.  If leadership does not take security seriously, it is unlikely that anyone else in the organization will.  What does taking security seriously look like?  Leaders set the narrative: which information is most important to the organization, what levels of risk are acceptable and unacceptable, and, together with management and IT, which risk governance policies and procedures will protect the organization.

Simply put, the leaders define the key performance indicators (KPIs) for security, along with the policies and procedures needed to reach the best possible outcomes against those indicators.  Naturally, leaders will draw on input from the rest of the organization during this strategic process, but the responsibility for defining the security KPIs and governance policies rests with leadership itself.

Here is a helpful diagram from NIST SP 800-137 illustrating how the entire organization should be involved in this process:

Figure 2-1. Organization-wide ISCM (NIST SP 800-137)

It is important for the leaders of the organization to view the ISCM program as an ever-evolving approach to securing the organization.  NIST SP 800-137 describes three tiers: Tier 1 is the organization as a whole, Tier 2 is its mission and business processes, and Tier 3 is the information systems themselves.  Tiers 2 and 3 should regularly report relevant data back to Tier 1 so that policies and procedures can be updated for better efficiency, accuracy, and effectiveness.  The security posture of the organization should thus improve continuously over time.

2. Establish your ISCM program

Once the leaders of the organization have defined the ISCM strategy, managers (Tier 2) should put tools in place to automate data collection and sort the data into digestible formats for review.  The aim here is to decide how data will be collected (automatically and/or manually) and how often it will be reported back to leadership.  Leadership should have a dashboard of the security KPIs so that they know when security-related events are occurring within the organization.

Once managers have established the tools and mechanisms for monitoring the security KPIs, they should define how often IT will review and assess the data, how often that data gets reported up to leadership, and how often the mechanisms themselves will be reviewed for best results.  Finally, checklists for IT should be created to ensure that IT follows the policies and procedures defined by leadership.

3. Implement the ISCM program

Implementation is simply executing the plan and program established in Steps 1 and 2.  It should be performed from a checklist consistent with the policies and procedures defined by organizational leadership.  The IT representative signs and dates the checklist so that management knows who performed the work and when; this provides assurance and accountability for implementation.

4. Analyze and Report the findings of your program

The first data collection serves as a security baseline for where the organization currently stands.  Later collections are compared back to that baseline, and deviations indicate when abnormal activity or changes are occurring within the organization.  As the history grows, the baseline becomes more informative.  One caveat: a baseline describes what is, not what should be.  Anything already present when the first collection is taken, including a misconfiguration or an intruder who is already inside, is recorded as normal, so review that initial collection critically instead of accepting it as is.

As abnormalities appear in the reporting and analysis process, the findings are escalated, according to the defined policies and procedures, to those authorized to make decisions about the associated risk.  Early on there can be a lot of noise, but as the reporting and analysis window grows, IT can identify abnormalities with greater accuracy.

5. Respond to those findings

Knowing how to respond to security events is more art than science, because every environment is different.  Every organization, even within the same industry, has its own perspective on risk tolerance and mitigation.  The policies and procedures created in the strategy phase of the ISCM program will guide IT on how to respond appropriately to security events.

There will be times when a security event exposes a weakness overlooked during strategic planning.  This should be expected: technology is ever-changing, and the first attempt is hardly ever perfect.  There is no perfect approach to security, so when a weakness is detected, resist the temptation to point fingers and assign blame.  Then proceed to step 6.

6. Review and Update your ISCM strategy and program

As noted above, the exercise of analyzing and reporting will inevitably expose weaknesses in your ISCM program.  The important point is that the organization is growing and maturing in its security posture and awareness.  Are there new, more efficient ways to detect abnormalities?  What new ways has IT discovered to monitor for security-related abnormalities?  What new policies and procedures could mitigate the risk of a newly found weakness?  Questions like these help you refine your ISCM program over time.
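To make steps 2 and 4 concrete, here is an added example (not code from NIST SP 800-137 or from TCS) of the baseline-and-deviation logic those steps describe: one KPI, failed logons per host per day, is collected, the first week seeds each host's baseline, and later values that fall far outside that baseline are flagged for escalation.  The host names and counts are constructed for illustration, and the thresholds (seven warm-up days, three standard deviations, a floor of one on the standard deviation) are assumptions you would tune to your own environment.

```python
"""Baseline-and-deviation check in the spirit of ISCM step 4 (added example).

Each host's accepted history of a KPI (failed logons per day here) forms its
baseline.  A new day's value is compared against that baseline, and a value
far outside it is flagged for escalation rather than silently folded into the
baseline.  All sample data below is constructed for illustration only.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Sample(NamedTuple):
    day: int          # collection day; day 1 is the first collection
    host: str
    failed_logons: int


class Anomaly(NamedTuple):
    day: int
    host: str
    value: int
    z: float          # distance from the host's baseline in standard deviations


# Constructed data: a quiet file server that spikes on day 8, a quiet
# workstation, and a VPN gateway with too little history to judge yet.
SAMPLES = [
    *(Sample(d, "fs01", v) for d, v in enumerate([4, 5, 3, 6, 4, 5, 4, 41, 5, 6], start=1)),
    *(Sample(d, "ws-hr-02", v) for d, v in enumerate([1, 0, 2, 1, 0, 1, 1, 2, 1, 0], start=1)),
    *(Sample(d, "vpn-gw", v) for d, v in enumerate([10, 12, 9, 11, 10], start=1)),
]


def find_anomalies(samples, warmup_days=7, z_threshold=3.0, min_sigma=1.0):
    """Flag values that deviate from each host's own baseline.

    - warmup_days: collections accepted unconditionally to seed the baseline
      (review these by hand; whatever is in them becomes "normal").
    - min_sigma: floor on the standard deviation so a perfectly flat history
      does not turn a one-event change into an enormous z-score.
    - Flagged values are NOT added to the baseline.  A decision-maker has to
      accept them first (step 5); otherwise one spike would widen the baseline
      and hide the next spike.
    """
    by_host = defaultdict(list)
    for s in sorted(samples, key=lambda s: (s.host, s.day)):
        by_host[s.host].append(s)

    flagged = []
    for host, series in by_host.items():
        history = []  # accepted values that make up this host's baseline
        for s in series:
            if len(history) < warmup_days:
                history.append(s.failed_logons)
                continue
            mu = mean(history)
            sigma = max(pstdev(history), min_sigma)
            z = (s.failed_logons - mu) / sigma
            if z > z_threshold:
                flagged.append(Anomaly(s.day, host, s.failed_logons, round(z, 1)))
            else:
                history.append(s.failed_logons)
    return sorted(flagged)


if __name__ == "__main__":
    for a in find_anomalies(SAMPLES):
        print(f"day {a.day}: {a.host} failed_logons={a.value} (z={a.z}) -> escalate")
```

Run as a script it reports only the file server's day-8 spike; the workstation never leaves its baseline, and the VPN gateway is not judged at all because it has fewer than seven accepted days.  The decision to keep flagged values out of the baseline until someone has reviewed them is the code's version of the escalation the text describes.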

Here is another helpful illustration from NIST SP 800-137 of how this process should look:

Figure 3-1. ISCM Process (NIST SP 800-137)

Conclusion:

Creating and running an ISCM program is like learning any new skill.  It will take a while before you become adept at identifying security risks within your organization and mitigating them to an acceptable level.  At first it can feel awkward, and it is easy to procrastinate.  The important thing is that you start and stick with it.  Over time, you will grow and become more adept.

Sometimes it is helpful to have someone assist you in these exercises.  That is where TCS can help.  We support and manage security for various regulated industries (health, finance, defense, local government, and beyond), and we use that collective experience to create a client-focused approach to security.  TCS can work with you to grow your security posture over time by road-mapping solutions on a scheduled timetable and performing routine security assessments, both to demonstrate your past growth and to plan for better security where weaknesses are identified.  Contact us today if you would like to know more about how TCS can assist your organization with its cybersecurity needs.

Note: This article was written from resources found at the following site:  https://www.nist.gov/cyberframework/detect

Some business owners view their IT infrastructure the way they view plumbing or HVAC maintenance: they prefer to pay only to fix problems as they appear.  There is nothing wrong with plumbing or HVAC companies; they are some of our best customers.  But the comparison is badly flawed, mainly because plumbing and HVAC systems are largely static and are not (yet) the target of attacks from outside.  The old break-fix approach to managing IT is on life support, mainly because of five inherent flaws.

Break-fix approaches to IT inherently lead to a giant ball of band-aids.

Whenever a tech is dispatched to resolve a problem under a break-fix arrangement, that tech is there to find the quickest remedy possible.  The tech knows that too much time spent will draw a complaint from the customer, so the tech takes the shortest route to restoring functionality.  This band-aid approach addresses only the symptoms and ignores the underlying root cause.  The conundrum for both sides is that the customer does not want to pay for the time it would take to diagnose root causes, and the tech feels pressured to get in and out as quickly as possible.  Over time this produces an inefficient, cumbersome wad of band-aids that usually has to be completely overhauled.

Break-fix approaches to IT misalign objectives and incentives.

The band-aid approach leads nicely into the next flaw.  Have you ever wondered whether an auto mechanic has your best interest in mind?  Again, there are many great auto shops out there, but sometimes you cannot help wondering whether you are being taken advantage of.  The break-fix arrangement creates competing incentives between the provider and the customer.  The computer shop only gets paid when there are problems to solve, so the customer is, in effect, paying for computer problems to exist.  Conversely, in a contract arrangement the service provider is rewarded for operational efficiency and penalized by customer downtime.  In that arrangement, provider and customer have aligned incentives and objectives and become a team working to eliminate issues entirely.

Break-fix approaches to IT cost more in the long run.

When the organizational objectives and incentives are aligned, the natural result is more efficiency and less downtime.  If the service provider is competent at all, you will see a marked improvement in IT operations.  When problems are addressed in a contract arrangement, finding the root cause and eliminating it is the primary incentive for the service provider.  Being proactive and working to eliminate problems before they create downtime or other inefficiencies is top priority.  These proactive and thorough approaches to IT management enable you to come out ahead in the long run.  Furthermore, you have a built-in consultant who can help you navigate your technological hurdles and leverage technology as a force multiplier for your organization.

Break-fix approaches to IT severely handicap your ability to recover from a disaster.

Most companies discover they have a backup problem at the moment they need to rely on it.  Imagine having your critical data encrypted by ransomware and learning that your backups were encrypted along with it.  Imagine a drive failing and discovering that your last successful backup was months or even years old.  Unmanaged backups create these scenarios, and they are completely preventable with modern backup and recovery technology: keep at least one copy offline or otherwise unreachable from the production network (so ransomware that reaches the file server cannot reach it), monitor every job for success, and test restores on a schedule rather than assuming they will work.  The goal is never to need the backup, but when you do need it, you REALLY need it.  Make sure you have a managed backup solution in place.  Gambling with company data is a losing proposition.

Break-fix approaches to IT are nearly impossible to budget accurately.

The break-fix model of IT support naturally ebbs and flows.  Even with a couple of years of history to budget from, you are one severe event away from blowing that line item.  A drive dies in a server or critical workstation, and you have an unplanned expense.  How can you budget effectively for IT support when you are one successful cyber-attack or one critical device failure away from a ton of unexpected remediation time?  Some of that can be smoothed out by planned upgrades, but cyber-attacks and other threats to today's businesses are by nature unplanned events.

The Obsolescence of Break-Fix

It is time to sound the death knell for the break-fix approach to IT support.  It has not served businesses well.  It creates IT dysfunction.  It misaligns objectives and incentives away from efficiency and operational integrity.  It costs more in the long run, and it is nearly impossible to budget accurately.  We have moved on from the TRS-80, the Pentium chipset, and on-premises email servers; it is time to move on from the break-fix model for IT support.

Not All MSPs are Created Equal!

Just like many other things in life, all MSPs are not created equal.  Even two MSPs using the same technologies and toolsets can differ vastly in how well they use them, how they interact with their clients, how precisely they implement, how security-minded that implementation is, and so on.  And since two MSPs with identical technologies and toolsets are unlikely to begin with, it is easy to see how different they can be.

Back when I started my IT career as a network administrator, one of my bosses told me a story I have never forgotten. He said that he met the best salesperson he had ever met in a motorcycle shop. While there to buy a motorcycle helmet, a sales clerk offered to assist him. He asked the sales clerk what the difference was between a $100 helmet and a $500 helmet. The sales clerk simply responded, “Do you have a $100 head or a $500 head?” I can remember my boss laughing as he said the point was so well made that he walked out of the store having bought one of the more expensive ones. Why would he pay more for what looks like the same thing? Because, although it wasn’t readily obvious to the naked eye, the more expensive helmet offered better protection to a vital part of his body. The same is true as it relates to IT security and MSP pricing. The right tools and the right personnel to use them properly come at a cost; and cutting corners on either could spell disaster for your business.

Three Realities That Impact MSP Pricing

The first reality regarding MSP pricing is that as business IT environments grow more complex and, simultaneously, attack techniques grow more sophisticated, security-related IT costs naturally increase in proportion. Simply put, more tools and more specialization are required today to implement, monitor, and operate security effectively than were required yesterday.

The second reality regarding MSP pricing is sustainability. Business owners know what a headache switching MSPs can be. Choosing an unsustainable MSP because of cut-rate pricing could cost you in the long run by forcing an unplanned MSP change when that MSP's poor business practices catch up with it.

The final reality regarding MSP pricing is that every good MSP should be seeking to improve process, adopt new security technologies, and improve service delivery. Continuous improvement is itself costly in time, resources, and money. You want an MSP that is committed to continuous improvement, because who wants an MSP using 10-year-old technology, or one approaching security the same way it did five years ago?  Technology is evolving fast around us, so it only makes sense that an MSP must constantly work not only to learn new technologies but also to adapt proper security practices to them.

Just Because It’s Working, Doesn’t Mean It’s Right!

A number of years ago, we were taking over a client from another MSP.  After a couple of weeks of onboarding, we performed a permissions audit to determine why everyone in the company had access to files and folders even when they weren’t members of the associated permissions group.  During the audit, we discovered a major problem! In order to resolve a permissions issue, the previous MSP had added the Everyone group to the Domain Admins group. This effectively gave all users complete administrative access to everything on every server.  We worked with the customer to migrate them to a least-privilege permissions policy for all users.  This situation gave birth to one of our company mantras:  Just because it’s working doesn’t mean it’s right!  This customer didn’t realize they were one disgruntled worker away from complete disaster.  Add to that the inept backup application they were using at the time, and they were on the brink of existential disaster and blissfully unaware.
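The kind of permissions audit described above is worth automating, because a broad identity rarely sits directly in the privileged group; it is usually tucked inside a nested group.  The following is an added example (not TCS's audit tooling) that walks nested group membership for a set of privileged groups and reports any well-known broad identity that ends up an effective member, together with the nesting path that grants it.  The directory snapshot and every account and group name in it are constructed for illustration; on a real domain you would build the same dict from an export, for instance the ActiveDirectory PowerShell module's Get-ADGroupMember with -Recursive, or an LDAP dump of each group's member attribute.  Everyone and Authenticated Users are built-in special identities, and Domain Users and Domain Computers contain every account in the domain, so any of them inside an admin group is a finding.

```python
"""Audit privileged group membership for over-broad principals (added example).

Nested groups are expanded so that a broad identity hidden two levels down
still shows up, with the path that got it there.  The snapshot below is
constructed for illustration; no real domain is queried.
"""
from __future__ import annotations

from collections import deque
from typing import NamedTuple

# Well-known identities that should never be effective members of an admin group.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}

# Groups whose effective membership we want to audit (assumed list).
PRIVILEGED_GROUPS = ("Domain Admins", "Backup Operators")

# Constructed snapshot (hypothetical names): group -> direct members.
# Any member that is itself a key in this dict is a nested group.
SNAPSHOT = {
    "Domain Admins": ["alice.admin", "IT-Admins"],
    "IT-Admins": ["bob.ops", "Helpdesk"],
    "Helpdesk": ["carol.help", "Everyone", "IT-Admins"],  # IT-Admins <-> Helpdesk cycle
    "Backup Operators": ["svc-backup"],
    "Finance": ["Domain Users"],  # broad, but Finance is not a privileged group here
}


class Finding(NamedTuple):
    group: str      # the privileged group that was audited
    principal: str  # the broad identity that is an effective member
    via: str        # nesting path that grants the membership


def effective_members(snapshot, group):
    """Return {leaf member: nesting path} for a group, expanding nested groups.

    Breadth-first, so the shortest path to each member wins; the 'seen' set
    stops group cycles (A contains B contains A) from looping forever.
    """
    paths = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in snapshot.get(current, []):
            if member in snapshot:           # nested group: descend once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:                            # user, computer or built-in identity
                paths.setdefault(member, path)
    return paths


def audit(snapshot, privileged=PRIVILEGED_GROUPS):
    """List every broad principal that ends up inside a privileged group."""
    findings = []
    for group in privileged:
        for member, path in effective_members(snapshot, group).items():
            if member in BROAD_PRINCIPALS:
                findings.append(Finding(group, member, " -> ".join(path)))
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f"FINDING: {f.principal!r} is an effective member of {f.group!r} via {f.via}")
```

On the constructed snapshot the only finding is Everyone reaching Domain Admins through IT-Admins and Helpdesk; Finance also contains Domain Users, but it is not in the privileged list, which is exactly the kind of scoping decision the ISCM strategy should settle.  A check like this belongs in the continuous-monitoring loop, not just in onboarding, since the next "quick fix" can reintroduce the problem.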

Qualifications are Important!

Just because you have an M.D. does not mean you are qualified to perform brain surgery.  In the same way, knowing a little about networking does not qualify you to manage a company's cyber security. Consider the complete picture when deciding between MSPs, instead of making price the primary deciding factor.

Contact TCS today for more information on our unique approach to managing your IT infrastructure efficiently and securely, while also remaining committed to a culture of empathy and continuous improvement!