Using Gap Analysis to Fix a Leaky Enterprise

Attackers Evolve Quickly, and We Must Work Daily to Ensure We Are Ready for Their Next Move

I recently had a rather comical experience involving a leak in the watering system in my garden. One day, I noticed that one part of the system was leaking.  After that piece was replaced, a second part starting leaking. Replacing that piece resulting in a third part leaking. Finally, after four different components were replaced, there were no more leaks.

As you can see, the water found its way out of the system via its weakest point. Once that point was fixed and was no longer weak, the water found its way out of the system via the next weakest point. This continued until all weak points in the system had been replaced.

The parallel to information security is a natural one. Risks and threats will always be out there, and some of them will flow towards, into, or through our enterprises. If we perform gap analysis well and remediate findings appropriately, we can reduce both the number of weak points within our enterprise and our susceptibility to attack at each of them. If we don’t, we risk exposing our enterprises to unnecessary risk and introduce the potential for grave damage at the hands of attackers.

It is in this spirit that I offer five tips for using gap analysis to fix a leaky enterprise:

1. Build according to plan: One of the best ways to stay on top of security weak spots within the enterprise is to know where all spots (weak or otherwise) are located within the enterprise. It may sound obvious, but in practice, there are often far too many surprises around the business that are unknown to the security team. Security should have a good understanding of what different network and cloud environments look like.  Assets within each environment should be known. Access rights and privileges should be controlled and audited. Security should be a part of each new deployment. When applications are developed, that process should include security from the start. If security is involved, weak spots will be known and can be addressed.  If security is left in the dark, the weak spots will still be there, only unknown to security and thus unmitigated. Whoever coined the phrase “ignorance is bliss” certainly wasn’t talking about security.

2. Use quality components: While it may cost a bit more to acquire a solution with good security, to build security in from the start, or to configure a technology securely, it is well worth the cost.  Unfortunately, this doesn’t always happen. In those cases, security issues, often critical ones, are discovered down the line. When this happens, a work around or retrofit must be designed and deployed. It’s rarely as good as a proper fix, but in many cases, it’s the only option there is. The resource cost can be quite high when team members must be pulled off of other important job functions in order to address a burning security issue with no supported fix. Further, beyond just the time required to design the initial fix, the maintenance and upkeep of a custom fix also add up over time. It’s far more efficient and far more sound security-wise to include security from the get-go.

3. Find weak spots before the attackers do:  When I looked at the pieces I replaced on my watering system, I saw that they were quite worn and brittle. Had I been paying closer attention, I could have noticed them and replaced them sooner, before I had leaks. The same is true in security. If you keep a close eye on the various moving parts of the enterprise, you might find that some of them are about to sprout a leak. Vulnerability scanning, penetration testing, and other techniques can be leveraged to keep this close watch. The idea here is to find the weak links before the attackers do. Something that is certainly not an easy task.

4. Prioritize and remediate findings: Once weak links are located, they will need to be remediated. This most often requires the cooperation of multiple stakeholders from different parts of the enterprise. Further, limited budgets, staffing challenges, and other resource constraints can complicate matters. Prioritization is necessary here. Look for the issues that will result in the most dangerous leaks and address those first. In other words, tackle the highest risks first. Which issues may result in sensitive data being stolen? Which issues may result in large monetary losses? Which issues may result in regulatory fines? Which issues may cause serious or irreparable brand reputation damage? Those are the issues that need to be prioritized first. Once those have been addressed, the security team can continue working its way down the list of issues, from highest risk to lowest.

5. Consider the job partially completed: Resting on its laurels can get a security organization in trouble.No matter how well we’ve performed gap analysis, how thoroughly we’ve remediated issues, and how foolproof our methodology is, we must remain humble. We must always look for that next weakness, that next undiscovered asset, and that next previously unknown threat. Attackers evolve quickly, and we must work daily to ensure we are ready for their next move.

Related Reading: Leveraging Gap Analysis to Drive Security Metrics

Related Reading: Examining Enterprise Security Blind Spots