This week we heard from Bill Bradley, Product Marketing Manager at Rapid7, about the far reaching implications of security controls. Each organization (SANS and the Australian Signals Directorate to name a couple) that highlights recommended controls promotes a slightly different twist on the weighting and criticality of controls. We looked at which controls across each organization with recommendations are the most important and effective risk reduction tools, and how professionals in different industries should prioritize them. Read on to learn the top 3 takeaways from, "Simplify Controls: How to Align Security Controls to Reduce Risk to Your Business":
1. Patch, Patch, Patch – Implementing automated patching tools and processes is important for helping to minimize forgetfulness and ensure that your security program is rigorous and constantly looking for machines that need updating. Vulnerabilities are discovered continually. It's important to know what is out there, and which ones may impact your environment. Develop an inventory of what's in your production system so that you can classify the risk of different vulnerabilities and determine their severity within your environment. Any risk can have a different level of relevance to your organization depending on how your business is designed and where your security priorities lie.
2. Deploy, Segment & Conquer – When deploying devices onto your network, make sure you have a detailed understanding of how they will fit in, and configure devices so they can be modified and updated over time to have a small vulnerability footprint on the network. Speaking of networks - it's highly recommended for security professionals to implement network segmentation. Segmentation helps limit what an attacker can do if they've successfully gotten past your security measures. Breaking up the network into different logical segments ensures that the attacker will have much more difficulty moving through your network, and this will make your organization a much less attractive target.
- Some deployment best practices: take inventory of your assets, identify target systems, categorize installed software, determine critical gaps, and more. It's important that when you're planning and implementing controls that you have short and long term goals for maintenance and tracking. View the full webcast for more details.
3. Communicate with Users and Management – Educating users on why and how the controls you have in place benefits the organization is important for keeping everyone on the same page and understanding of how you are working to protect any and all sensitive data tied to the company. If everyone is aligned about business and security priorities, and management is able to see metrics and tangible successes based on your controls, you may even be able to get increased budget to implement more and even better controls over time.
For the in-depth look at security controls best practices, including how different industries should prioritize them: watch the full webcast now.