Security spring cleaning time

Time to get rid of that shelfware.

Security spring cleaning
Credit: Thinkstock
Get rid of that stuff collecting dust

As new security threats continue to emerge, security teams find themselves stuck in a cycle of piling on new products and policies every time an alert fires, and the core functions of the security program get lost in the clutter. As melting snow and longer days promise that spring is right around the corner, take the opportunity to start fresh and "spring clean" your security ecosystem. To help you get started, these infosec professionals offer guidelines for what belongs on a security spring-cleaning checklist.

If you don’t need it, toss it…

Dr. Chase Cunningham, Director Cyber Threat Research and Innovation, Armor:

There is so much "junk" that we all have acquired over the last few years that is gumming up our networks and making inventory and baselining that much harder. We just need to clean shop and toss the crap out. If it's not something that is actively being used and it's not doing anything for your organization, junk it. Keeping tools and technology around that aren't actively helping or fixing problems only makes things worse.

Take all the stuff that has been sitting around on the “shelves” and “in the closet” and break it out. If it’s a tool or system that has been collecting dust, check on it and see what it is actually doing. If it’s a legacy system that can be “cleaned up” by moving it to the cloud, then do that and free up the space you need for other items. 

Clean out Old user accounts

Morey Haber, VP of Technology, BeyondTrust:

Spring cleaning is a great time to review user accounts within the domain or on local systems. Old accounts whose passwords haven't been changed, or that haven't been used, for a long period of time (over three months) should be flagged for password updates, disabled, or even deleted. While this process should occur year-round, cleaning out old and unused user accounts in the spring can remind us of how they can be leveraged against the business for insider threats if left untreated.

Spring cleaning your storage

Not all systems and applications gracefully clean out temporary files and logs. Periodically executing 'Disk Cleanup' on Windows workstations and servers is a great way to keep a system performing well, remove old files that may inadvertently contain Personally Identifiable Information (PII), and ensure hard disk storage is not consumed to a critical point that causes operation issues. If your organization has requirements to keep log files centrally managed, ensure that all data has been aggregated and processed before your clean up occurs.
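The account triage above (flag for password update, disable, or delete) is easy to apply mechanically once the directory export is in hand. The following is an added example, not code from the article or from BeyondTrust: it classifies a constructed list of hypothetical accounts against the 90-day idle window the text describes. The one-year deletion window, the field names and the sample accounts are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Review date and thresholds. The 90-day idle window is the "over three months"
# figure from the text; the 365-day deletion window is an assumption for this example.
REVIEW_DATE = datetime(2024, 3, 15, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=365)


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample directory export (hypothetical accounts, not real data).
# Field names mirror what an AD or local-account export typically provides.
ACCOUNTS = [
    {"name": "jdoe",        "last_logon": _d(2024, 3, 10), "pwd_last_set": _d(2024, 1, 5),  "enabled": True},
    {"name": "svc_backup",  "last_logon": _d(2024, 3, 1),  "pwd_last_set": _d(2022, 6, 1),  "enabled": True},
    {"name": "contractor7", "last_logon": _d(2023, 11, 1), "pwd_last_set": _d(2023, 10, 1), "enabled": True},
    {"name": "olduser",     "last_logon": _d(2022, 12, 1), "pwd_last_set": _d(2022, 11, 1), "enabled": False},
    {"name": "neverused",   "last_logon": None,            "pwd_last_set": _d(2023, 12, 1), "enabled": True},
]


def triage(account, now=REVIEW_DATE):
    """Classify one account: ok / rotate-password / disable / delete / already-disabled."""
    # An account that never logged on is judged from when its password was last set
    # (normally creation time), so accounts unused since creation are not missed.
    last_activity = account["last_logon"] or account["pwd_last_set"]
    idle = now - last_activity
    pwd_age = now - account["pwd_last_set"]
    if idle > DELETE_AFTER:
        return "delete"                 # long dead: remove it, disabled or not
    if not account["enabled"]:
        return "already-disabled"       # recently disabled: keep through the retention window
    if idle > STALE_AFTER:
        return "disable"                # unused for more than three months: cut the access first
    if pwd_age > STALE_AFTER:
        return "rotate-password"        # still in use, but the credential was never rotated
    return "ok"


def triage_all(accounts, now=REVIEW_DATE):
    """Map account name -> recommended action for a whole export."""
    return {a["name"]: triage(a, now) for a in accounts}


if __name__ == "__main__":
    for name, action in sorted(triage_all(ACCOUNTS).items()):
        print(f"{name:12} {action}")
```

On a Windows domain the raw list comes from `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` or `Get-ADUser -Filter * -Properties LastLogonDate,PasswordLastSet`. One caveat when trusting those dates: `lastLogon` is per domain controller and not replicated, while the replicated `lastLogonTimestamp` is only refreshed when the stored value is older than the sync interval (14 days by default), so treat it as accurate to about two weeks.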

Review overall architecture

Andrew Wertkin, CTO, BlueCat:

Security systems must be part of an overall architecture. Teams should assess architectures for both gaps and redundancies and ensure interoperability and automation. Critically, requirements change often as companies drive compute to the edge and security teams must align, plan and execute with the core business strategy — this means short circuiting serial processes by working as part of cross-functional teams that are building secure systems.

Get clean – throw out the old

Kurt Roemer, Chief Security Strategist, Citrix:

  • Audit all access to remove inactivated users and outdated groups
  • Eradicate deprecated encryption algorithms and insecure certificate chains
  • Scrutinize third-party connectivity – especially removing unnecessary network-to-network connections
  • Review firewall rules, removing those that are "excessive" and then configure allowed connections to be as explicit as possible
  • Engage a trusted third-party auditor to identify outdated security processes and technologies
Stay clean
  • Implement the CIS Critical Security Controls for Effective Cyber Defense
  • Ensure that strong authentication protects access to all sensitive data, with no exceptions
  • Implement contextual access using the five W's of Access (who, what, when, where and why) for granting entitlements
  • Configure for RBAC (Role Based Access Control), least privilege and specific communication relationships
  • Virtualize access for privileged users so there's no direct access to sensitive administration resources
  • There's gold in your logs – mine for it, looking for anomalies and optimizations
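The firewall item in the "throw out the old" list above (remove excessive rules, then make allowed connections as explicit as possible) is the kind of review that benefits from a script, because the two failure modes look alike in a hit-count report. The following is an added example and is not code from the article or from Citrix: it walks a constructed, top-down rule table and separates rules that are overly broad (any source, any destination, any service) from rules that are unreachable because an earlier rule already covers them, and only then calls a zero-hit rule "unused". The flat src/dst/proto/dport/hits layout and the sample rules are assumptions for the example, not any vendor's export format.

```python
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule export (hypothetical rules). Evaluation is top-down, first match wins.
RULES = [
    {"id": 10, "src": "10.0.0.0/8",     "dst": "10.20.0.5/32", "proto": "tcp", "dport": "443", "action": "allow", "hits": 12040},
    {"id": 30, "src": "192.168.5.0/24", "dst": "10.20.0.5/32", "proto": "tcp", "dport": "443", "action": "allow", "hits": 0},
    {"id": 40, "src": "10.1.0.0/16",    "dst": "10.20.0.5/32", "proto": "tcp", "dport": "443", "action": "allow", "hits": 0},
    {"id": 50, "src": "any",            "dst": "10.30.0.9/32", "proto": "tcp", "dport": "22",  "action": "allow", "hits": 3},
    {"id": 60, "src": "any",            "dst": "any",          "proto": "any", "dport": "any", "action": "allow", "hits": 91},
]


def _net(s):
    """Translate the rule's address field into a network object ('any' = 0.0.0.0/0)."""
    return ANY_NET if s == "any" else ipaddress.ip_network(s, strict=False)


def covers(outer, inner):
    """True when every packet `inner` would match is already matched by `outer`."""
    return (_net(inner["src"]).subnet_of(_net(outer["src"]))
            and _net(inner["dst"]).subnet_of(_net(outer["dst"]))
            and outer["proto"] in ("any", inner["proto"])
            and outer["dport"] in ("any", inner["dport"]))


def review(rules):
    """Map rule id -> list of findings ('broad-*', 'shadowed-by-N', 'unused')."""
    findings = {}
    for i, rule in enumerate(rules):
        notes = []
        # "Excessive" rules: anything that does not name a source, destination or service.
        if rule["src"] == "any":
            notes.append("broad-source")
        if rule["dst"] == "any":
            notes.append("broad-destination")
        if rule["proto"] == "any" or rule["dport"] == "any":
            notes.append("broad-service")
        # A rule fully covered by an earlier one can never match. Hit counts alone
        # would report it as merely unused, which hides the real problem.
        shadow = next((r["id"] for r in rules[:i] if covers(r, rule)), None)
        if shadow is not None:
            notes.append(f"shadowed-by-{shadow}")
        elif rule["hits"] == 0:
            notes.append("unused")
        findings[rule["id"]] = notes
    return findings


if __name__ == "__main__":
    for rule_id, notes in review(RULES).items():
        print(rule_id, notes or "ok")
```

Rule 40 is reported as shadowed by rule 10 rather than unused, which matters for the cleanup: deleting it changes nothing, whereas rule 30 is genuinely unused and the hit counter should be watched across at least one full business cycle before it is removed. The any/any rule 60 is the "excessive" case; its 91 hits are the traffic that needs an explicit rule of its own before it can go.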
Give your security teams an updated “vision test”

Ravi Devireddy, co-founder and CTO, E8 Security:

Ensure you’re capturing the right information (systems, applications, endpoint and devices) in one centralized system. You can’t protect what you can't see.

  • Re-confirm you’ve instrumented your threat intel feeds 

There’s no benefit in just subscribing to threat intel if it’s not immediately used to identify, alert and block new malicious behavior operating inside the network.   

  • Review the gaps in your security data

Start retaining security-relevant data in a centralized analytics platform to understand behavior patterns, look for unusual activity that is not dependent on known threat intelligence. This will enable a more streamlined security practice by bringing automation to incident triage and retrospective analysis. 

Am I fully patched

Garve Hays, Solutions Architect at Micro Focus:

Check both the operating system and your security solution. Regarding TLS/SSL alone, there has been a menagerie of attacks including DROWN, FREAK, POODLE, Logjam, Heartbleed, and BEAST. Responsible vendors are usually quick to provide updates for exploits or potential vulnerabilities, and in security parlance this means reducing the "attack surface."

  • Are we rotating logs and archiving the older ones to "offline" or "nearline" media?

This serves multiple purposes, foremost being that more "bite-sized" logs are easier to evaluate and digest. Human analysts do much better focusing on a more discrete time interval, whereas automated systems can reduce processing time with smaller intervals. Maintaining older events is also important for non-repudiation and backtracking to discover breaches. An audit trail is also necessary as evidence if it ever comes to an investigation.

Is the threshold on my event notification set too high?

Are my security analysts struggling to keep up with the number of alerts? False positives and low to moderate incidents can lead to "alert fatigue" wherein the amount of information becomes overwhelming and is ignored by already busy staff. If "Chicken Little" keeps telling you the sky is falling that only provides more opportunity for a break-in. Your security monitoring solution should actually help you rather than making for more work.

  • Is there a "back door" in my security solution?

A significant common element in most secure coding guidelines is there should be no hard-coded passwords. Choose a vendor that adheres to such a policy.
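The TLS attacks listed under "Am I fully patched" (POODLE against SSLv3, BEAST against TLS 1.0 CBC suites, FREAK and Logjam against export-grade RSA and DH, DROWN against SSLv2) are addressed partly by patching and partly by configuration: the protocol floor and cipher list a client or server is willing to negotiate. The following is an added example and is not code from the article or from Micro Focus. It uses Python's standard `ssl` module to build a hardened client context beside the permissive kind still found in old code, and an `audit` function that reports the weaknesses the spring-cleaning review is looking for. The finding codes and the set of "weak" cipher-name fragments are assumptions made for the example.

```python
import ssl

# Cipher-name fragments that should be absent from any modern deployment: RC4,
# DES/3DES, MD5 MACs, export-strength suites, and null or anonymous suites.
# (SSLv2, the DROWN vector, has no support in current OpenSSL builds at all.)
WEAK_MARKERS = ("RC4", "DES", "MD5", "EXP", "NULL", "ADH", "AECDH")


def hardened_context():
    """Client context with TLS 1.2 as the floor and only forward-secret AEAD suites."""
    ctx = ssl.create_default_context()            # CA bundle, hostname check, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv3 (POODLE) and TLS 1.0 (BEAST)
    # ECDHE/DHE give forward secrecy; GCM/ChaCha20 avoid CBC; the '!' terms drop
    # the legacy algorithms. Export-grade suites (FREAK, Logjam) are never selected.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def legacy_context():
    """The kind of context that turns up in old integration code: TLS 1.0 allowed,
    certificate and hostname verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def weak_ciphers(ctx):
    """Names of enabled cipher suites that contain any weak-algorithm marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"].upper() for marker in WEAK_MARKERS)]


def audit(ctx):
    """Return short finding codes for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak-protocol-floor")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if weak_ciphers(ctx):
        findings.append("weak-ciphers")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_context()) or "clean")
    print("legacy:  ", audit(legacy_context()))
```

Two caveats a practitioner should keep in mind. First, `get_ciphers()` reports what the linked OpenSSL would offer, so the same script gives different answers on different hosts; run it where the application actually runs. Second, a hardened client cannot fix a server that only speaks TLS 1.0, so the server side (and the patch level of its TLS library, which is what Heartbleed was about) has to be reviewed separately.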

Access review

Michael Spahn, Information Security Consultant, Rook Security:

Review and audit access logs for employees and contractors who no longer work for the company or no longer need to access company data and systems.

  • Scan External and Internal Systems

Specifically, make sure that all systems, devices, and applications are at the most up-to-date supported versions and patch levels.

Update and test the company's incident response plan making sure all IR Team member contact information is up to date and roles and responsibilities are defined and communicated through the ranks.