May 5, 2020
by Ludovic Rembert / May 5, 2020
Building a tech stack is one of the most difficult tasks that IT admins, cybersecurity professionals, and business owners face.
This is because building a set of productivity and cybersecurity tools requires a careful set of balancing acts.
In principle, the more cybersecurity tools you deploy, the more secure your systems will be, but only up until a particular point: if you make your stack too complex it can become difficult to manage, and thereby introduce vulnerabilities, as well as increasing your up-front investment in technical systems.
A report by Aberdeen and Cyber adAPT found that a typical six-layer enterprise tech stack – comprised of networking, storage, physical servers, as well as virtualization, management, and application layers – requires CISOs to grapple with no less than 1.6 billion versions of tech installations for 336 products, provided by 57 vendors.
This problem is exacerbated by the increasingly dynamic nature of most corporate environments. The rise in remote work software solutions, the renewed interest in managing virtual teams, and the gradual increase in VPN usage over the past ten years is an indication that many companies are now looking to develop cybersecurity stacks that can be effectively deployed off-site, with the added complexities that this brings.
In this article, we'll go back to basics. Building an effective cybersecurity tool stack rests, at a fundamental level, on a number of key principles. Have these in mind as you build and develop your own stack, and you'll be able to reach the balance of simplicity and functionality that is the mark of a great tool stack.
The first and most important step in building a cybersecurity tool stack is to have in place a cybersecurity and information governance strategy. That might sound obvious, but it is a step that many organizations still overlook: 44% of the 9,500 executives surveyed in PwC’s 2018 Global State of Information Security Survey said that they didn't have an overall information security strategy in place.
Without a thorough and rigorous cybersecurity strategy, it is almost impossible to build a tool stack that genuinely mitigates the threats you face. Any tool stack developed without strategic oversight will likely suffer from a number of interlinked issues. It will either be inadequately broad to deal with the breadth of your threat profile, quickly become obsolete given the growing number of threats out there, or will not allow you sufficient oversight of your data to meet governance and compliance legislation.
Two examples of this may be given. The precipitous rise of cryptojacking in the last few years has taken many companies by surprise, because they are used to protecting data rather than their computing resources, and without regular threat audits many have found it hard to respond. Similarly, the rising scale of internet censorship over the past decade has made many legacy remote working solutions almost useless, because companies have taken it for granted that off-site workers have complete access to all of the online resources and systems they need.
It's not all bad news, however. Developing a cybersecurity framework is not just about mitigating risk: it can also improve productivity. In Tenable’s 2016 survey, 95% of respondents with a framework in place have seen benefits, including greater effectiveness of security operations, contractual compliance, maturity, and the ability to more effectively present security readiness to business leadership.
Once you have an effective risk management framework in place, it's time to honestly assess the most dangerous cybersecurity vulnerabilities that your business faces, and prioritize those risks that will have the largest impact on the sustainability of your business.
Most cybersecurity analysis firms will break the kinds of threats faced by the average business into five elements:
These five elements are also those contained in what remains the most thorough framework for planning cybersecurity strategy: the NIST framework. This framework includes five principles (identify, detect, protect, respond, and recover from threats) that mirror those above, and present a start-to-finish approach for dealing with cyberthreats.
With a cybersecurity strategy in place, you can begin to invest in the tools required to protect your data (and your staff) from cyberthreats. The value of conceiving of your systems as a series of elements, and of following the NIST framework alongside this, is that this approach highlights that your network is not a monolithic whole. Each level of your system should be defended, and each of these defensive tools should build on the last.
There are two major lessons to be drawn from the kind of analysis we've explained above. One is that companies should balance their cybersecurity spend across all five elements in their network security, because ultimately the security of your systems is only as good as that of the weakest part. The second is that it points to a defensive paradigm that was first popularized by the NSA, but is now a fundamental part of most businesses' cybersecurity strategy: "defense in depth".
Let's take these two ideas in turn. The primary value of risk assessment according to the rubric above is that it allows companies to balance their investment in cybersecurity stack tools according to the type of data they hold, and where their vulnerabilities are most acute.
For businesses who need to protect significant amounts of intellectual property, for instance, backup system vulnerabilities are likely to be a major priority, and the area in which more advanced cybersecurity tools will need to be deployed. This kind of company should also focus on breach protection, and intrusion mitigation, because they hold valuable (and therefore potentially vulnerable) data.
Another type of company, say one that is focused on delivering SaaS tools, will need to prioritize a different part of their stack. A company which delivers most of its services via the web will need to focus more on DDoS protection and server integrity. Instead of value being held in data, in this kind of company sustainability is represented by uptime, and this should inform purchasing decisions when it comes to building a cybersecurity tool stack.
The concept of "defense in depth" is one that is inherently contained within the idea of a cybersecurity "stack". In practice, this means that your defenses should be organized as a series of defensive layers, each building on the last. It also means that the methods used by these defensive mechanisms should be well diversified.
The central idea here is that hackers should be presented with a series of escalating defenses and countermeasures. As well as thinking of your stack as protecting you at the five levels we've covered above, this also means that your tools should make use of as many of the following techniques as possible:
Defense in depth also means that companies should not see their defenses as an impenetrable “wall” that will deter all intruders. Instead, you should accept that, eventually, some of your first-line defenses will be breached.
A good example of this is email security. The vast majority of firms will use email provided by either Microsoft or Google. Both these systems come with well-known security vulnerabilities, and it is also well-known that the vast majority of cyberattacks start with a phishing email.
Trying to stop all of these attacks at the level of employee inboxes is essentially impossible whilst still providing the flexibility and functionality that employees require to work productively. Instead, companies should look to the next level of security: where emails are stored, which for most firms will be cloud storage.
Therefore, email encryption and staff training are critical in preventing cyberattacks, ensuring defense in depth also means putting in place encrypted cloud storage solutions for email, and backing up these encrypted archives.
When working through the framework above, you will immediately recognize that building a secure cybersecurity stack will likely involve investing in multiple tools from multiple vendors. This diversity – as we've pointed out – is critical for ensuring strong cybersecurity defenses, but it can also cause issues.
This is because there is a tendency for companies to sub-contract security services for the various levels of their cybersecurity stacks without carefully thinking through the responsibilities that each vendor should be given.
Alongside investing in quality tools, therefore, your cybersecurity strategy should also involve a careful mapping of which of your vendors are taking responsibility for which parts of your system: both on an operational basis, and when it comes to possible litigation following a cyberattack.
Ideally, your relationship with your vendors should be thought of as a business partnership, rather than as a simple buyer-supplier relationship. Quality vendors can be recognized by the time and effort they take to understand your needs, and their responsiveness to them. A respectable vendor will also be able to outline their precise operational and legal responsibilities when it comes to protecting your data.
When it comes to building cybersecurity stacks, many businesses still exhibit "target fixation". Depending on the sector they work within, it can be tempting to focus solely on one part of your cybersecurity infrastructure: protecting data if your business model is based on analytics and data acquisition, for instance, or attempting to make your outreach platforms 100% secure if you work in marketing.
As we've shown above, this kind of approach is problematic because it fails to realize the central insight of the "stack" model. Instead of building supposedly impenetrable walls around your network, you need to accept that eventually someone will intrude into it. At that point, they should be faced with an escalating series of difficulties.
By taking a more holistic approach, you can improve security at every level of your stack – whether you are working with marketing data or an IoT ecosystem – and ensure that there is no chink in your armor.
Ludovic Rembert is a security analyst, researcher, and the founder of Privacy Canada.
The zero-sum game between cyber adversaries and defenders is now becoming lopsided.
Security is a significant cornerstone of any business.
May I have a few minutes of your time?
The zero-sum game between cyber adversaries and defenders is now becoming lopsided.
Security is a significant cornerstone of any business.