Cybersecurity simplified - What every startup needs to know about security
Cybersecurity has become a nightmare for several companies across the globe due to two primary reasons: a) myriad of technologies and associated jargons which make things more complicated for an already non-trivial subject even for the most technical leaders and b) an overwhelmiing sense of responsibility to protect the company, its employees and customers from mala fide actors. The first and foremost taks of every cybersecurity company, in our humble opinion, should be present all the risks and threats in a fashion that gives them complete confidence to face their investors, sharefolders, partners and other stakeholders.
Start-up and small businesses are building valueable products to their customers and have a plethora of tasks to handle with just a few people who are almost always overloaded and pressed for time. At the same time, cybersecurity for companies have become non-negotiable and sometimes even mandated by regulatory bodies. This makes it even harder for companies to manage all at once, particularly if the subejct that needs to be handled is complicated.
We start out by having a detailed discussion with your organization to understand your needs clearly. Does your company need security expertise in a specific area like application or cloud security or looking for overall security needs to clarified and naturally the starting point. Many times, we have seen that while the customer needs multiple aspects of security to be taken care, they might be concerned about a specific area. These inputs become vital to prepare a proposal, plan and most importantly execute exactly as your priorities.
Once there is an agreement on the scope and priorities, we set out with a simple 5 step approach of security landscape discovery, network segregation, identity and access management, securing applications and finally logging and monitoring. Each of the above steps is described below in detail for you to appreciate the importance and extent of task involved.
First and foremost essential activity in cybersecurity is unfortunately least spoken about in the Saas security space. It is about asset inventory. Before determining what technologies, tools and which teams or consultants will secure, we need to have an exact inventory of "what" needs to be secured. This is a comprehensive checklist of all the digital assets the company owns. Typically, this should be readily available but can also automated for many of the assets to pull out a list.
Segregation and isolation of networks
Whether you are an early stage startup or a fairly matured company, the chances are high that there are at least 2-3 networks or subnets in the cloud to separate the UAT, staging and production networks or whatever you have named them. The important aspect is that these networks should not be accessible from one another. Deep inspection of every subnet's ACL, security group at VPC level, firewall rules if any for both inbound and outbound traffic. Even under circumstances where communication needs to happen outside the networks (let us say from production instances to production database isolated in a separate network), it should be via network peering or secure channels (like VPC endpoints in AWS).
Apart from this fundamental principle of segregation and isolation of critical assets, there are other rudimentary steps that have followed without fail as far as network infrstructure is concerned. Creating EC2 or docker instances from hardened, labeled and internally approved AMIs or docker images, as the case maybe in the most basic step. If you are using Docker, ensuring that the images pulled are signed and from approved repositories are a must. Checklist for hardening should include least number of users, fully patched and all necessary security applications like ufw, clamAV, openVAS apart from AppArmor, which comes by default in most linux flavours.
Users or identities and access control
Management of users or identities can be easily go out of control, if not managed correctly and cause disasters. How many legitimate users, including employees, partners, auditors, contractors have been created in the system? Are there multiple sources from which these identities are created? How are they synchronised, what networks and applications do they have access to and how is single sign-on managed are some the several aspects related to users and identity management that need to be answered. This step will faciliate ease of pulling a report on-demand to answer all of the above questions and if centralized, comprehensiveness of the report makes it very manageable. Disallowing console access to root login, strong passwords, enabling MFA, strong good password policies have all become part of basic hygeiene but still need to be mentioned so that they are not forgotten.
Secondly, the lifecycles of the users is an equally critical dimension that needs to be taken care of. Who creates these users and identities, who authorizes them, what happens when someone leaves or terminated are again few of the multiple aspects that need close inspection. Maintaining an audit trail of every activity gives the organization complete confidence about identity management process and course correction can be quick, if things awry. Obviously, a mapping of a policy that dictates who should have access to which resources (be it devices, servers, networks, databases, repositories and other third party applications). As you can see, this is a lot work and all of it can be accomplished using any SAML compliant identity providers (idP) like Auth0or OneLogin. Finally, most companies fail to keep track of application related security credentials like API key and need to be recycled.
Many companies have resistance to moving to cloud-based or SaaS identity providers due to the concern of them being hacked, which in turn causes serious repurcussions for themselves. We believe that though this is a valid concern, the reality is that every company or more specifically every security vendor is likely to be hacked, today or tomorrow. The alternatives for managing these complex matrix of identities are few and far. The upside of using these tools definitely outweight the downsides. This is our studied opinion, not an official advise :-)
Securing your applications
We have already spoken on how to secure applications in a detailed fashion here. Please read through the same to understand our philosophy as well the comprehensive approach taken to ensure value for our customers. Two important points worth re-iterating mentioned in the application security column, is that application security can be never be stand-alone. It ties in very closely with network & cloud security as well as identity management. Secondly, this ties in our company's philosophy that one-time VAPT audits barely help companies that are serious about security. Don't get us wrong here, we perform complete VAPT audits both for network and applications but we place our client's security goals above anything else.
No matter how effectively the above steps were carried out, the vector that this not yet covered is an absolutely critical front - zero-day attacks!! Whether it is your operating system, application stack component, third-party component can have a vulnerability that exposes you pretty badly. Remember Log4j??! So what's the solution? Truly, there is no perfect solution. There is only mitigation and that is CONTINUOUS MONITORING. This monitoring has to be a complete assimilation of everything that is happening without company's landscape. Hence, all your virtual machines, applications, user activities, status of devices, network logs should all feed into a single SIEM, like Splunk or QRadar. Many organizations, nowadays, prefer Elasticsearch. Choice is yours!
Upto this point, what has been achieved is just aggregation and correlation of information to indicate probable events. Who monitors these events, decides which ones are false positives and which ones are real need to be answered by the appropriate decision-makers of the company. To make this decision-making easier, there are a couple of options available: SIEM integration with ticketing that can generate alarms and a dedicated SOC team. In the first case, the SIEM cannot different false positives and will trigger the alarm of the CTO at 2am, if an event occurs. In latter case, there is a huge cost that comes along with it. Like most things in life, striking a balance is not easy here too. But our suggestion for small and emerging start-ups is to settle with option 1 until you truly feel it has hit a threshold you cannot manage and willing to spend more money on option 2.
We truly hope that you found value from this blog on how to secure your company. Five simple steps, in theory, but involves a lot of work. If you are ready to implement the above and raring to go, congratulations and best wishes. If you feel, you will need help, we are here exactly for that and you can contact us, do mention if you looking for something very specific.