I attended RSA on behalf of our medium business, and took away some key points worth sharing with others responsible for securing their small/medium business. While the five-day conference was deep and wide, this summary is kept purposefully short for the busy IT leader.
- Keep it simple
- Don't overbuy technology too soon
- Address the greatest risk
- Decide on a management model
Keep it simple
SMBs (along with K-12 schools and non-profits) are uniquely challenged by a lack of budget and dedicated information security personnel. Cisco cited such organizations in a keynote speech about the so-called information security poverty line: organizations falling below the line are unable to secure themselves in even the most basic fashion.
What should they do to make the most of their limited resources?
Chief information security officer Allan Alford, who is a good LinkedIn follow, presented on the NIST CSF (cybersecurity framework) and how more attention needs to be paid to the Identify and Protect phases.
Within Alford’s presentation was a quick checklist of what he referred to as “minimally viable security.” While it's OK for an org to have a less-than-complete tech stack, these are the tools and tech *all* organizations need in order to meet the (current) infosec poverty line:
- Email protection
- Endpoint protection
- Multifactor authentication
- Patch management
Customers of Microsoft’s stack have solutions for all four of these aspects: Defender for Office 365 (email), Defender for Endpoint (endpoint), Azure Active Directory (multifactor authentication), and Intune (patch management).
Don’t Overbuy Tech Too Soon
In that same vein, SMBs shouldn’t blindly follow the latest fads, even when they address a real risk. The show floor at RSA was bustling with vendors touting niche aspects of Cloud Security Posture Management, API security, and other products aimed at corner cases.
It's okay to be less mature than the NIST model, as long as you cover minimally viable security. SIEM/SOAR/STIX/TAXII, UEBA, and the like are advanced tech. While useful, leaping ahead to such technologies without addressing minimally required security leaves an organization out of sync.
To back that up, Chief Security Officer Sounil Yu presented his Cyber Defense Matrix, a periodic table of sorts that helps organizations choose and place products covering specific sets of security needs. Creating a roadmap of which category to buy or implement over a period of time was one use of the matrix (shown below, from Yu’s book).
Address the Greatest Risk
Ransomware was the predominant theme at RSA. There were several sessions outlining entry points and the speed at which adversaries can encrypt networks with ransomware. While small businesses have less ability to protect against or detect initial compromise, they still need to protect their crown jewels. There's a consensus among the community that:
- The only way to know an adversary has been truly eradicated is to rebuild the environment (including Active Directory); otherwise the back doors they have set up can allow them access again later
- States may stop allowing organizations to pay ransoms
- Cyber insurance providers must be notified of the incident prior to any negotiations with adversaries
There was no consensus as to whether or not the Ukrainian conflict has lessened the volume of reported ransomware attacks. Aon (the global insurer) said the volume was similar but the ransom demands were smaller.
Decide on a Management Model
Who is best suited to manage the greatest risks? Apparently, it’s Managed Detection and Response vendors, who made up a sizable portion of the show floor. For organizations without the trained infosec personnel to keep eyes on glass, there are many partners and technology vendors that can help. The options range from Magic Quadrant leaders CrowdStrike and Microsoft’s new Security Experts to partners like BlueVoyant and Enabling’s own managed security services team.
Deciding on the tools and deciding on the personnel to run them go hand in hand these days.
I’d recommend RSA to some security-focused SMB CIOs and all CISOs, who will find there a terrific set of resources and networking opportunities.