Industry Insights with Adam Mansour

Endpoint Security

The 3 Essentials of Proactive Preparedness in Cybersecurity

Adam Mansour of ActZero Outlines the Strategy to Harden, Reduce Threat Surfaces

Cybersecurity often feels like a never-ending battle, as new threats emerge almost as quickly as resource-stretched security teams can quash them. It seems that just as one vulnerability is patched, another one appears. And lately these threats are often deeply buried in the software supply chain, making them increasingly hard to find.


That’s why it’s crucial that your cybersecurity practice adopts a strategy focused on proactive preparedness and takes actions - in advance of an attack - that harden and reduce the threat surfaces that hackers exploit.

If you're simply reacting to security threats, you've already lost the battle. Being proactive with your cybersecurity might seem obvious - and, as such, easy - but if it were, would we see such a litany of news stories surrounding high-profile breaches?

3 Essentials of Proactive Preparedness

Still, it's not impossible to be proactive, even when resources are tight. You must consider three key areas to reinforce defenses and achieve a more proactive posture. Sadly, these are the same areas many midsized enterprises struggle with, especially given the amount of time - and bodies - an IT team in such a company can dedicate to security.

Endpoint Hardening

Strengthening your security doesn’t stop at the borders of your own network. Today, access from the edge and cloud must also be hardened to maintain a proactive defense.

Even if you don’t implement additional endpoint security tools, you should at least use the ones freely available. Here are some actions you can take:

  • Take advantage of the Software Restriction Policy on the company desktops and laptops. Almost every piece of malware needs an executable or script, so it's essential to lock down the ability for unknown software to run.
  • Use the OS's built-in antivirus software. Will paid AV solutions recognize slightly more attacks and therefore be a better defense? Yes. But are Microsoft Defender or Gatekeeper better than nothing at all? That’s a resounding yes.
  • Nearly every computer has an inherent endpoint firewall. Configure it and allow only who and what is necessary to access the machine. Also, strictly limit applications going out to counter malicious applications attempting to "phone home" or exfiltrate data.
  • Institute group restriction policies to control privileged access. Don't give any single account wide-scale access to all machines. After all, attackers can only reach what the credentials they've stolen allow, so restrict that access to only what a user or application needs to perform its job.
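As an added example (not from the article or from ActZero), the following PowerShell script audits a Windows endpoint against the four points above without changing anything: it checks the Software Restriction Policy default level, Defender real-time protection and signature age, the host firewall's default inbound and outbound actions, and the size of the local Administrators group. It assumes Windows 10/11 or a recent Windows Server with the standard Defender, NetSecurity and LocalAccounts modules; the administrator-count threshold of 3 is an assumption to tune to your own baseline.

```powershell
# Read-only hardening audit for one Windows endpoint (added example, not the article's own code).
$findings = @()

# 1. Software Restriction Policy. DefaultLevel 0 = Disallowed (allow-list mode),
#    0x1000 = Basic User, 0x40000 = Unrestricted. A missing key means SRP was never configured.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$srp = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
if ($null -eq $srp -or $srp.DefaultLevel -ne 0) {
    $findings += 'SRP: default level is not Disallowed, so unknown executables and scripts can run.'
}

# 2. Built-in antivirus: real-time protection must be on and signatures reasonably fresh.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp -or -not $mp.RealTimeProtectionEnabled) {
    $findings += 'Defender: real-time protection is off or Defender is unavailable.'
} elseif ($mp.AntivirusSignatureAge -gt 3) {
    $findings += "Defender: signatures are $($mp.AntivirusSignatureAge) days old."
}

# 3. Host firewall: every profile enabled, inbound blocked by default, and outbound
#    blocked by default so that only explicitly allowed applications can "phone home".
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $findings += "Firewall: $($p.Name) profile is disabled."
    }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall: $($p.Name) profile allows inbound connections by default."
    }
    if ($p.DefaultOutboundAction -ne 'Block') {
        $findings += "Firewall: $($p.Name) profile allows outbound connections by default."
    }
}

# 4. Privileged access: local Administrators should hold only a few named accounts.
#    The threshold (3) is an assumption for this example; set it from your own baseline.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 3) {
    $findings += "Privilege: $($admins.Count) members in local Administrators: $($admins.Name -join ', ')"
}

if ($findings.Count -eq 0) {
    'All four hardening checks passed.'
} else {
    $findings | ForEach-Object { "FINDING  $_" }
}
```

Run it in an elevated PowerShell session; each line of output is one gap to close, in the same order as the list above.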

Cloud Security

On the cloud side, institute identity protection, single sign-on and multifactor authentication with context-based Zero Trust policies.

MFA applies in the cloud, certainly, but really everywhere you can enable it. Passwords get leaked. Zero Trust is more important now than ever, given the software supply chain attacks, such as SolarWinds, Exchange-HAFNIUM, Kaseya (see: 6 Steps to Secure Your IT Supply Chain) and the most recent Okta breach - which shouldn’t dissuade you from the pursuit of SSO, irony notwithstanding.

Collecting and analyzing cloud logs and monitoring for malicious - or at least abnormal - behavior are also key, though more expertise is required the further down the rabbit hole you go.
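As an added example of the log analysis described above (not from the article or from ActZero), the PowerShell function below scans cloud sign-in records for two kinds of abnormal behavior the section calls out: successful sign-ins that did not use MFA, and a user signing in from a country never seen for that account before. The records are constructed for the demo, and the field names (time, user, result, mfa, country) are assumptions rather than any vendor's log schema.

```powershell
# Constructed sign-in records in a generic JSON shape (added example, not a real export).
$signIns = @'
[
  {"time":"2024-05-01T08:02:00Z","user":"alice","result":"success","mfa":true, "country":"CA"},
  {"time":"2024-05-01T09:15:00Z","user":"bob",  "result":"success","mfa":false,"country":"CA"},
  {"time":"2024-05-01T11:40:00Z","user":"alice","result":"success","mfa":true, "country":"CA"},
  {"time":"2024-05-02T03:12:00Z","user":"alice","result":"success","mfa":true, "country":"RU"},
  {"time":"2024-05-02T03:13:00Z","user":"carol","result":"failure","mfa":false,"country":"US"}
]
'@ | ConvertFrom-Json

function Find-AbnormalSignIns {
    param([object[]]$Records)
    $seen   = @{}   # user -> hashtable of countries already observed for that user
    $alerts = @()
    # ISO-8601 timestamps sort correctly as strings, so the baseline builds in time order.
    foreach ($r in ($Records | Sort-Object time)) {
        if ($r.result -ne 'success') { continue }   # failed attempts are out of scope here

        # Pattern 1: a password alone was enough to get in.
        if (-not $r.mfa) {
            $alerts += "$($r.time) $($r.user): successful sign-in WITHOUT MFA from $($r.country)"
        }

        # Pattern 2: a country this user has never signed in from before.
        # The user's very first sign-in only seeds the baseline and raises no alert.
        if (-not $seen.ContainsKey($r.user)) { $seen[$r.user] = @{} }
        if ($seen[$r.user].Count -gt 0 -and -not $seen[$r.user].ContainsKey($r.country)) {
            $known = $seen[$r.user].Keys -join ','
            $alerts += "$($r.time) $($r.user): first sign-in from $($r.country) (previously: $known)"
        }
        $seen[$r.user][$r.country] = $true
    }
    return $alerts
}

# On the constructed data this reports bob's no-MFA sign-in and alice's first sign-in from RU.
Find-AbnormalSignIns -Records $signIns
```

Pointing the same function at a real export only requires mapping your provider's field names onto the five used here; the two patterns stay the same.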

Lastly, you should harden to best practice levels. I contributed to a guide for that too, focused on M365 and Azure. For more general cloud hardening, CIS benchmarks should be put in place yearly.

Vulnerability Scanning and Remediation

Digital transformation is great, but with every new application or piece of software comes a growing list of vulnerabilities that bad actors can exploit. Everyone knows that scanning for and patching these ever-increasing vulnerabilities is paramount, but it poses significant challenges, especially for budget-strapped small and midsized businesses.

As anyone who's had a particularly rigorous Patch Tuesday can attest, remediation efforts can create unintended consequences. For example, your attempts to close a security hole could also close off a critical business process or prevent it from functioning properly.

Also, not everything can be easily patched. Many organizations have aging but vital equipment containing software that's well past its end of life, or worse, its end of service. When the support for these systems is gone and the patches stop coming, they sit vulnerable to exploits.

The key to successful vulnerability remediation is to close the weaknesses you can and build a web of defensive depth to catch what you cannot.

Results: Likelihood and Impacts

While improving these three key areas won't prevent every possible breach, it will reduce the surface on which attacks can land and how far they can spread within the organization. This will go a long way toward increasing the likelihood of preventing an incident, as well as containing the damage an attacker can do and buying time when an attack occurs.

It's important to note that the measures discussed can be done incrementally, even by a small IT team or security team of one, so you can become more proactively protected day by day.

But these measures are just a first step to being truly proactive and prepared for attacks. IT leaders who are forced to choose between these efforts and monitoring for specific attacks often choose the latter. See the recording of my webinar on why that tends to be the wrong choice for teams with less mature, or even maturing, cybersecurity capabilities.

To learn more about these and other security functions that you can prioritize to help your security practice, check out our white paper "The Opportunity Cost of Making 'Impossible' Cybersecurity Trade-offs."

About the Author

Adam Mansour


Chief Security Officer, ActZero

Mansour has over 15 years of experience in the cybersecurity sector. As chief security officer of ActZero, he drives the company's virtual chief information security officer and technology integration programs. His experience spans endpoint, network and cloud systems security; audits and architecture; building and managing SOCs; software development and resellership; healthcare, education, defense and financial organizations; and global enterprises of all sizes. Most recently, he served as VCISO at ActZero. Prior to that, Mansour was the founder and CTO of IntelliGO Networks (acquired by ActZero) and developed its proprietary MDR software. He also had key roles in managed security services for SIEM, NGFW and penetration testing performed by the company.
