Everything always comes back to the basics. Yet fast forward to today: blinking boxes, digital cyber sandboxing action, and artificial behavioral intelligence immune cyber systems! Hopefully these fancy systems tell us how many authorized or unauthorized devices are on our network, give us an inventory of our software applications, or tell us whether our systems are securely configured. Most of them do not. Many of these seemingly magical security products are great at aggregating data, but they depend on other source systems being correctly configured before they can collect anything actionable. And even when some of these fancy cyber gizmos do collect this data, most do not know which data matters most or how to take appropriate action. They do not write your policies for you, meet with your executive board, monitor themselves, or ensure that the systems feeding them are properly configured and outputting usable data.
This leads me to one of the most overlooked, yet most important, steps: policy and planning. Spending money and installing all kinds of flashing toys is nice, but without a plan and policies on how to manage, monitor, and respond, you create a false sense of security and a disaster waiting to happen. Policy and planning should be number 0, required before even thinking about controls 1-20 on the Critical Controls list.
In part 2 I will expand on policy and planning around these basic security controls. If you have not already reviewed the Critical Controls (Version 6), they are here: https://www.sans.org/critical-security-controls/