Security professionals suggest continuous controls validation, process automation, and integrating security and IT technologies.

As management guru Peter Drucker famously said: ‘You can’t manage what you can’t measure.’ That’s certainly true when it comes to security hygiene and posture management. Organizations must know what assets are deployed on the external/internal attack surface, understand the state of these assets, identify exposures, prioritize remediation actions based on risk, and work with IT operations on continuous risk mitigation.

This is made more challenging as the attack surface grows larger and more complex each day, demanding new requirements for data collection, processing, and analysis along with process automation. Unfortunately, these changes aren’t really happening, or at least not quickly enough. Security pros continue to approach security hygiene and posture management using point tools, aggregating data into static spreadsheets, relying on manual processes, and working haphazardly with their IT operations colleagues.

Oh, and while defenders muddle through to keep up with security hygiene and posture management requirements, cyber-adversaries use automated tools and division of labor, subcontracting aspects of attack campaigns to specialists.

This is an alarming situation, but fortunately security professionals recognize the gravity of the current security hygiene and posture management mismatch. According to ESG research, 80% of organizations plan to increase spending on security hygiene and posture management this year. It’s worth noting that ESG’s data was collected before the Log4j vulnerabilities and the Russian invasion of Ukraine, so it is highly likely that there will be even more investment in security hygiene and posture management.
In terms of investment areas, infosec pros tell ESG they will spend on data security tools, cyber-risk quantification, cloud security posture management (CSPM), security asset management, and external attack surface management (ASM), amongst others.

As part of this research project, ESG also asked security professionals to identify actions that could most improve their organizations’ security hygiene and posture management. Here are the top responses:

Performing continuous security control validation to discover gaps in existing security tools (38%). This is especially valuable when organizations can evaluate their security defenses and processes against attacker tactics, techniques, and procedures (TTPs) in combination with frameworks like MITRE ATT&CK. ESG is seeing strong growth in continuous testing tools (e.g., AttackIQ, Cymulate, Randori, SafeBreach, XMCyber) and interest in cloud-based cyber-ranges (CloudRange, Cyberbit, Fifth Domain, SimSpace, etc.) for this very reason.

Automating processes associated with security hygiene and posture management (36%). A good thought, as security hygiene and posture management depends upon too many people, tools, and data sources. But before organizations automate these processes, they must ensure that the processes themselves are sound. Remember Bill Gates’s famous observation that “automation applied to an inefficient operation will magnify the inefficiency.” In other words, effective security hygiene and posture management process automation may take a while.

Deploying a dedicated tool for security/IT asset management that can interoperate and pull data from other existing systems (35%). Think Axonius, Balbix, JupiterOne, or Sevco here. Security pros want one place to view and analyze ALL asset data. This alone could improve security hygiene and posture management efficiency.

Increasing staff dedicated to security hygiene and posture management (31%). Tough to do given the global cybersecurity skills shortage. As an alternative to more hiring, leading CISOs I have spoken to are creating a dedicated security hygiene and posture management budget and working with their CIO counterparts to improve collaboration between security and IT operations teams.

Taking a more adversarial/offensive approach to cybersecurity so we can adjust our defenses as countermeasures to modern attack TTPs (29%). Sometimes referred to as a ‘threat-informed defense,’ this involves operationalizing the MITRE ATT&CK framework, adopting continuous testing, developing ‘purple team’ capabilities, etc. Of course, this will require training, creating processes around continuous testing, and investments in cyberthreat intelligence.

These and other suggestions deserve consideration as soon as possible. After all, the growing attack surface won’t protect itself.