When it comes to cybersecurity, every organization is constrained and confined by some sort of budget. This webinar, hosted by BitLyft Cybersecurity, brings together a cybersecurity professional and an IT veteran to discuss the challenges and opportunities of finding the middle ground for how to build a great security program within a budget.
Most IT budgets are roughly 5% of gross revenue, and security budgets get a slice of that money. In this scenario, the panelists discuss a fictional organization that makes $250M with a security budget of $625,000. They each present their vision for what priorities get the budget and produce the greatest security ROI.
On the spot are Jason Miller, CEO of BitLyft Cybersecurity, and Kelly Culwell, Service Delivery Manager at Global Data Vault.
Find a summarised transcript below the video:
- Who are the speakers?
- The Methodology
- Kelly Culwell – Cybersecurity Budget One
- Jason Miller – Cybersecurity Budget Two
- Overlaps and Differences
- What considerations went into preparing these cybersecurity budgets?
- Why is there such an emphasis on automated security response today?
- Choosing cybersecurity solutions
- Execution and implementation
- Cybersecurity insurance
- With a limited budget, what would you do first?
- How would you go about building leadership support around budgets?
- If you could only do one thing with the budgets, what would it be?
Who are the speakers?
Jason Miller is the founder and CEO of BitLyft Cybersecurity. BitLyft focuses on helping people optimize their security platforms, namely SIEM, so that people can see and detect threats and fix them in real-time or before they even happen.
Kelly Culwell, Service Delivery Manager at Global Data Vault, is a veteran of the IT industry. Global Data Vault is a Veeam Platinum Cloud and Services Provider Partner.
Jason and Kelly are going to share stories from their own experience on the front line of cybersecurity planning.
The example company:
Every industry is different, so the example company that we are using is not going to cover every scenario. It’s only a generalized outline to illustrate the points below. It goes without saying that if you would like examples of a cybersecurity set-up to fit your own organization, you should reach out to BitLyft or Global Data Vault for advice.
Implementing is its own challenge. It’s easy for Jason or Kelly to say go implement multifactor authentication (MFA), but it’s not so easy to actually go and do that, especially if you have 1500 employees who are reluctant to use the technology. But the fact that it is hard doesn’t negate the fact that it should be done. What we are providing here is a framework: a starting point that gives you some insight into how two industry experts, challenged with setting up a cybersecurity network on a budget, would go about doing just that.
The Example Company
Acme Company has an annual gross revenue of $250 million. Their IT budget is 5% of the gross revenues which is $12.5 million, and their cybersecurity budget is a percentage of that. In total, Jason and Kelly have a cybersecurity budget of $625,000 with which to work.
Cybersecurity Budget One – Kelly Culwell
With my IT and cybersecurity experience, I came at this less at a nuts and bolts level, but more as a higher-level plan. I took into consideration that much of the public sector, specifically higher ed, have lower budgets. And a lot of times, bad actors attempt to take advantage of this, knowing that these organizations may have outdated security measures or budgets that don’t conform with today’s standards. We’ve seen a lot of state and local governments and school systems be hit by ransomware and other cybersecurity threats.
Another thing I took into consideration in my budget is the measure of compliance. How do organizations monitor and log their environment? Many times, we see servers and machines getting sprayed with password attempts or brute force attacks. How does an organization keep track of and report that effectively? So I felt that a strong portion of the budget, $125,000, should go to compliance for just that.
Typically in cybersecurity, at least from an older perspective, the firewall is the perimeter. But today it’s not just the firewall. There’s deep packet inspection, watching all traffic coming and going, and intelligence built around normal activity. Nowadays, cybersecurity is about more than simply blocking and allowing connections or access to the internet.
There’s a lot of ways that bad actors can get in, and there’s a lot of ways that they can get data out, too. One thing that I think is often overlooked, and this goes into data loss protection as well, is what happens if somebody is leaking data from within your organization? What happens to credit card numbers or sensitive information that people might be disclosing?
What stance does your organization take toward its perimeter? It’s not just firewalls and identity access management. Since the pandemic, with people working from home a lot more, companies and organizations are switching to a more remote-only, or a remote-focused scenario. The challenges include:
- How do you manage remote workers’ identities?
- How do you allow them to have secure access to what they need from different locations?
- How do you safeguard company data from whatever might be on their home network?
These issues fall into having a secure perimeter, but they also fall into identity and access. You have to consider if you allow one computer access, will the computer next to it be able to spoof and access the network?
Likewise, using multifactor authentication or two-factor authentication, how do we verify credentials within an organization? People come and go all the time. How are we going to track that? So that’s another pretty substantial part of the budget from my perspective, especially if you have contractors and/or third-party vendors, which is where we see a lot of insider threats originating.
How do we manage that?
Zero trust is a big thing that we hear in the news. It encompasses the concept of if you don’t need to access it, you’re not going to access it. You can only have access to what you’re supposed to and nothing else. What often happens though, is that people get a little lazy and will assign access based on a group, or somebody will say, you know, Jason is my coworker. Why not just go ahead and mirror his access to mine because we’re doing similar things?
Before long, that laziness spreads across the organization, and now you have someone with domain admin rights or somebody with elevated credentials who doesn’t need to have them. This is particularly impactful when it comes to accessing network resources.
When we think about malware and ransomware and how it traverses a network, it can access whatever resources its stolen credentials can access, so the less trust that you’re able to give to people, the better off you’re going to be.
This goes back to implementation and how easy these measures are to roll out. To many organizations, it’s just too much hassle. The attitude is, I need my people to be able to access the stuff they need to do their jobs. But later, after they get audited or after some ransomware hits, they have to look again at who really does need access.
I allocated a bit less to Zero Trust, only 10%, just because it can be an afterthought, but I think it’s a topic that needs to be brought up more.
Endpoints and User Training
Endpoints are some of the most dangerous components of a network. Mobile devices, computers, anything that touches a network from a compute standpoint, is an endpoint. That rolls into the user training scenario, because in any given situation, in any given environment, my opinion is that humans are the weakest link. You can pile millions of dollars into your cybersecurity planning and infrastructure, but all it takes is one person to click one link, one time, and you’ve got a nasty situation on your hands.
I allocated 20% of the budget to Endpoint Management, and 5% to User Training.
Having appropriate endpoint protection will safeguard against the user a little bit, but user training is important. It’s got to be ongoing and it has to be mandatory. Viruses, malware, and ransomware change every day, so constant updates and education of the users are required to keep up with that.
Data Loss Prevention
Last, but not least, is data loss prevention. I mentioned that earlier with the credit cards and somebody stealing your data. There was a famous automotive company that had somebody quit and go to work for somebody else, taking some sensitive data along with them, and that turned into a huge trademark or patent infringement.
In another case, a malicious insider threat resulted in an ex-employee hacking into the company’s O365 instance and deleting 1200+ Microsoft Office 365 user accounts.
So how do you prevent that? How do you prevent people from stealing your information or threatening to expose it within the organization? So that’s sort of how I went at it again, that’s not going to work for everybody, but I think it’s a good starting point. I know Jason’s got a little bit more of a breakdown for us with his budget.
Cybersecurity Budget Two – Jason Miller
As I was preparing my budget for this webinar, I was fresh from assisting organizations that were hit with ransomware. The data that I’m sharing here is therefore not only my opinion but also the opinion of our clients.
Firewalls & Perimeters
Today we talk about firewalls and perimeters, but those terms don’t quite have the same meaning that they did 10 or 15 years ago. Where before literally everything, servers and data, was inside four walls somewhere, now we interact with so many SaaS products and cloud products that the perimeter is really a mixture of components.
And that steps into where my line items of the budget dollars need to be spent. Thinking about firewall and VPN and perimeters, pockets of data, pockets of access, pockets of software, and how they all interact with each other, makes me think of the structure of DNA and how it all interconnects. That’s a lot like what we’re dealing with today.
Multi-factor Authentication (MFA)
As we head down that road and think about that inter-connectivity, we need to think about multi-factor authentication. Most organizations today are either acquiring or have already acquired and enabled MFA or are thinking about it and in the discovery process.
Which is best? Duo? Office 365 or maybe OneLogin? There are a lot of MFA products out there, but the purpose of this webinar is to outline a budget, not to discuss the pros and cons of various tools and services. Here, we’re simply stating that from a category perspective, MFA should be part of your cybersecurity budget.
We see a lot of organizations today that need to spend some dollars on single sign-on and have one place where their credentials are happening from, and to, all the other SaaS applications, the data. The thing is, you need one spot where authentication is either successful or it fails.
It’s very important that you have the logs around that, and you understand where the authentication is trying to come from, and where you’re actually successfully authenticating users to. It goes along with the point that Kelly was making about identity access management (IAM), and having zero trust. We want to verify and validate that that user truly is that user, and not a criminal.
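Kelly’s point about servers being sprayed with password attempts and Jason’s point about logging where authentication attempts come from reduce to the same check over the authentication log. As an added example that is not from the webinar or from either company’s products, the Python below runs that check over constructed log lines (the `timestamp status user src_ip` format and the thresholds are assumptions for illustration) and flags password spraying, brute forcing, and a success that follows a run of failures, which is the event that most needs a response.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the webinar). Assumed
# format: "<timestamp> <OK|FAIL> <user> <source_ip>". One line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2021-03-01T02:00:01 FAIL alice 203.0.113.5
2021-03-01T02:00:02 FAIL bob 203.0.113.5
2021-03-01T02:00:03 FAIL carol 203.0.113.5
2021-03-01T02:00:04 FAIL dave 203.0.113.5
2021-03-01T02:00:05 FAIL erin 203.0.113.5
2021-03-01T02:00:06 FAIL frank 203.0.113.5
2021-03-01T02:01:00 FAIL admin 198.51.100.7
2021-03-01T02:01:01 FAIL admin 198.51.100.7
2021-03-01T02:01:02 FAIL admin 198.51.100.7
2021-03-01T02:01:03 FAIL admin 198.51.100.7
2021-03-01T02:01:04 FAIL admin 198.51.100.7
2021-03-01T02:01:05 FAIL admin 198.51.100.7
2021-03-01T02:01:06 FAIL admin 198.51.100.7
2021-03-01T02:01:07 FAIL admin 198.51.100.7
2021-03-01T02:01:08 FAIL admin 198.51.100.7
2021-03-01T02:01:09 FAIL admin 198.51.100.7
2021-03-01T02:01:10 OK admin 198.51.100.7
2021-03-01T02:05:00 OK alice 192.0.2.10
2021-03-01T02:05:30 FAIL bob 192.0.2.11
2021-03-01T02:05:40 OK bob 192.0.2.11
2021-03-01T02:06:00 kernel: unrelated message with no auth fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<status>OK|FAIL)\s+(?P<user>\S+)\s+(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Return a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def analyze_auth_events(events, spray_min_users=5, brute_min_fails=8):
    """Classify authentication activity per source IP.

    password_spray: one source fails against many distinct users.
    brute_force: one source fails repeatedly against one user.
    success_after_failures: a success that follows a brute-force run,
    i.e. the credential may now be in a criminal's hands.
    """
    fail_streak = defaultdict(int)        # (src, user) -> consecutive FAILs
    users_failed = defaultdict(set)       # src -> users it failed against
    findings = {"password_spray": [], "brute_force": [],
                "success_after_failures": []}
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["status"] == "FAIL":
            fail_streak[key] += 1
            users_failed[ev["src"]].add(ev["user"])
            # Emit each finding once, at the moment the threshold is crossed.
            if fail_streak[key] == brute_min_fails:
                findings["brute_force"].append(key)
            if len(users_failed[ev["src"]]) == spray_min_users:
                findings["password_spray"].append(ev["src"])
        else:
            if fail_streak[key] >= brute_min_fails:
                findings["success_after_failures"].append(key)
            fail_streak[key] = 0  # an ordinary typo-then-login resets the streak
    return findings


def format_findings(findings):
    """Render findings as one alert line each, ready to forward to a SIEM."""
    lines = [f"PASSWORD_SPRAY src={s}" for s in findings["password_spray"]]
    lines += [f"BRUTE_FORCE src={s} user={u}" for s, u in findings["brute_force"]]
    lines += [f"SUCCESS_AFTER_FAILURES src={s} user={u}"
              for s, u in findings["success_after_failures"]]
    return lines


if __name__ == "__main__":
    for alert in format_findings(analyze_auth_events(parse_auth_log(SAMPLE_LOG))):
        print(alert)
```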
Endpoint Detection & Response
An endpoint could be anything from an iPad or laptop, to servers or endpoints out in the cloud. Everything that has an operating system today is considered an endpoint. And you need a good EDR solution to help you with that. In an EDR, look for something that is not legacy antivirus. Go with an algorithm-based detection methodology, and the word response here is imperative.
Not only do you need to have a methodology of detection, but you also need to be able to respond to that endpoint if you so choose, meaning take the endpoint offline, if you don’t like the behavior that it is showing. Or maybe disable a process. You need to be able to respond even when these endpoints may not be within close proximity. Especially when a client on the phone says, “Hey, we’ve been hit with ransomware. We’ve got malware all over our systems. Can you help us out?”
Backup & Disaster Recovery
In the above scenario, the first thing we need to know is what is their backup and DR situation? When did they last test their backups and how much emphasis are they putting on their backups? And then oftentimes we find out that even backups themselves are being shortcut and the dollars that need to be spent there really aren’t being spent there.
People sometimes take an “it’s not going to happen to me” approach. Or, they have the data backed up but don’t have the operating system and all of the other environment variables backed up. That’s important because when you need to restore, it’s not going to happen on a sunshiny day when everything’s going perfectly. You’re going to be restoring at 2:00 AM. You’re going to be tired. You’re going to be irritable, and you’re not going to be happy about how you’re restoring.
And then you’re going to be thinking about all the environment variables that you’re going to have to set up once you have data ready to restore.
Security Information Event Management (SIEM)
So whether you are already familiar with SIEM or not, it’s an important addition to our checklist here.
Out of two recent events that we’ve experienced with organizations in the last two weeks, we literally had to log into 14 different software packages to help the client understand indicators of compromise and indicators of activity. That was all security information event-related, and it was logs and data that was not coming into the SIEM because, during the time when we were implementing the SIEM and setting up the system, people on the IT team said, “Hey, well, we really don’t think that that’s that important. We’re not going to ingest it into the SIEM.”
So they swept it underneath the rug or didn’t really give value to it. But yet when it came time to do incident response and figure out initial indicators of compromise, and how did the threat actor get in, all of a sudden that data was important to us.
Critical network monitoring goes along with SIEM. It’s actually a building block to SIEM. We would really encourage network monitoring to be part of your budget and part of your program.
Patch Management
Now, I feel like we’ve been talking about patch management for at least the last 10 to 15 years, but I still run across organizations that don’t take patch management seriously. One of those incidents happened because the VPN server was not fully patched.
The VPN server was out of date. Criminal actors found the VPN server and that it had known vulnerabilities they could exploit. Once they exploited the VPN server, they were able to maneuver around the entire network.
If you have a strong patch management program, and you adhere to it, you would prevent yourself from having some major headaches.
One thing that is a little bit more mature in the space today is encryption and SSL certificates. It’s probably something that’s been around since the late nineties, early 2000s. And I see a lot of folks do spend time here, but it is important because even if a criminal got a hold of the data, I can’t stress enough encryption at rest, encryption in flight, and the importance of highly-regarded SSL certificates all across your environment.
Data Leak Prevention
As Kelly already mentioned, data leak prevention and protection, as well as security awareness training are all extremely important items for your checklist.
This list of cybersecurity budget items could be a lot longer but in the restricted timeframe of a webinar, these are the top items from experience and from client feedback on where to spend their budget dollars.
Overlaps and Differences
The overlaps in the two proposed budgets are the standard things that are common to cybersecurity systems such as installing anti-virus on all your computers, and firewalls. Also, more recently, identity and access management as well as training and data loss prevention.
One thing that should be considered when planning a cybersecurity budget is where the money is going to come from. A cybersecurity budget spreads across departmental budgets for their piece of the pie.
Patch management is something that we practice at Global Data Vault. In addition to the example that Jason gave there was a ransomware attack a couple of years ago that preyed on a Windows patch that had been out for three years. Some organizations had not applied up-to-date patches and that gave the ransomware the entry point.
Jason and I both had patch management in our budgets but perhaps with slightly different approaches. How it’s all delivered and the newer technology are things that Jason might be able to explain better.
One thing that is important to understand is that you should not walk away from this webinar and say, well, we’ve got a firewall and we’re protected. Your firewall and your endpoint protection should be up to date and next generation. For example, the endpoint protection that you need to have installed in your systems today needs to be able to help protect against scripts.
It has to have script blocking in place, and you have to block PowerShell scripts that you have not verified and validated on your network. That is one of the main things that allows ransomware to run rampant on systems today, so when you’re looking at these technologies, you need to look at them through the lenses of the modern day. Has the software kept up and has it been rewritten within the last few years to be able to help you protect and solve the challenges that we’re fighting today?
And on the differences side, one of the reasons why I put DRaaS at the top is because we are still seeing clients getting hit with ransomware. They are trying to restore at midnight or two o’clock. It’s never at the most opportune time, and they are struggling to restore systems. And it happens because they have not tested their backup scenario within the last six months or a year, even two years. So I can’t stress enough: test your backups. Shut your production system down, have a maintenance window, and then fire off a restore and see if you can restore your system from scratch during that maintenance window.
I know it sounds scary, but the even scarier part is that you’re going to be forced to do it when you’re hit with a ransomware event. And so that’s why that one’s sort of bubbled up to the top. I’m trying to coach clients and coach people out in the space not to pay the ransom, and in order to do that, you’ve got to have good backup and recovery systems.
What considerations went into preparing these cybersecurity budgets?
It really depends on the organization, whether or not they are staff-heavy versus technology-heavy. One of the biggest challenges of implementing cybersecurity, is who’s going to manage it? Are you going to be able to hire or train people to do it? Do you need to bring in somebody who’s already got 15 years of experience in cybersecurity to help out with some immediate needs? And how does that fit into your budget?
We didn’t include staffing in the budget, but it’s something that should be considered. Along with that, how do work from home changes affect the budget?
In 2020, we saw cybersecurity, especially in the DR business, skewed off the chart for remote access and change in the way that people access data, so that’s a big challenge. What would that do to your budget if that were to happen again?
Jason talked about having a couple of situations with customers hit by ransomware. Ironically, we’ve had two as well in the past two weeks. Our customers were hit by very similar ransomware, and it happened because the hackers were able to scrape elevated credentials out of memory.
Basically, they lured somebody onto a malicious website, scraped the credentials, and had their way with the network. Jason was talking about disaster recovery and having good backups, but these bad actors know where to go first to get what they want. Their intentions are to secure the data so that they can get money from you. That’s why it’s called ransomware. To do that, a lot of times they will go after your backups first. They are familiar with every kind of backup that’s on the market today.
I would say they’re more familiar with some of the bigger ones, but everything has a file extension. Every situation is going to have some type of software on it. So they’ll go look for those. If they get domain admin access, they can access the systems on your network via PowerShell or whatnot. They will attempt to lock down your backup files so that you can’t restore data. If they can’t lock those files down, they delete them, right? Because they have access to your backup servers in your backup software, guess what they can also navigate to? Your cloud backups, your offsite backups, or disaster recovery environments where they will try to encrypt those. If they can’t encrypt those, they delete them.
So we had two customers recently that suddenly had no backups. They couldn’t access most of the systems on their network. One of them couldn’t even log into their VMware environment. They couldn’t access the internet.
We were able to rescue them with some special sauce that we put into our disaster recovery. We have some gapped environments where we place that data, and the ransomware attack had wiped out their entire environment.
So you want to look at current and past familiar threats, and I liked the solution that Jason described: staying alert to what’s in the news, what are other people seeing? Crowdsourcing, so you’re not relying solely on what you know, but you’re also relying on what other people have seen.
Why is there such an emphasis on automated security response today?
It’s because of what we’re seeing with a fast-paced, moving target with the criminal behavior. They get in, they scrape credentials. They already have their scripts lined up and ready to go. So you need to have your toolkit and your responses ready to go as well.
When an account is compromised or you see activity on a machine that is bad behavior, or anomalous behavior, you’re able to neutralize that activity very, very quickly. That’s extremely important.
Choosing Cybersecurity Solutions
Organizations can sometimes get too used to the products that they already have. They become very brand familiar and invest heavily in a specific brand of hardware or software or solution. But as Jason mentioned earlier, are these tools up-to-date? Are they able to handle the threats of today, or are you just trying to put a new sole on an old shoe?
One of the hacked clients I discussed earlier was using one of the higher-tier EDR solutions that just didn’t have automatic script detection and deterrence enabled. The question that I always have is, do you go with what you know, and what you’re hoping will work, or do you look at new products?
Cybersecurity Insurance
Everybody needs to have cybersecurity insurance today. We all have car insurance but having it doesn’t make us drive more recklessly. I would encourage any company to have cybersecurity insurance, but you must still take the proper precautions.
We have started seeing underwriters and carriers step back, and maybe even not insure or have a huge increase in a premium policy if you’re not taking the appropriate precautions and/or implementing some best practices.
That’s interesting, Jason. A customer recently told me that their cybersecurity insurance underwriter required proof of their offsite backup strategy and what that did to protect against these types of attacks.
Cybersecurity insurance companies are in it to make money. They are an insurance company, but they are in it to be profitable as well.
With a limited budget, what is essential to do first?
If your budget’s limited and you need someplace to start, I would start with MFA. A lot of Office 365 and Google Gmail applications offer entry-level multi-factor authentication included in their price, so it’s a great way to get started without spending a lot of dollars.
I think the second thing that I would focus on would be that endpoint EDR solution–having best practices and proper configuration with the EDR solution, simply because if bad actors get past some of the initial layers of your security, you can start to rely on your EDR solution in place.
I’ll just add that one of the simplest and most often overlooked items is your backups and your disaster recovery plan. Get a copy of that data offsite, protect that however you can, because sometimes that’s going to be your last stand against these types of attacks and to be able to recover your business.
How would you go about building leadership support around budgets?
This is where the news really helps. You get a little bit of fear factor when you read the news and see who has been hit. Sometimes you actually see the ransoms that are paid. So then news and the media really help with that. By pointing out ransomware attacks that are in the media, you are not just coming up with buzzwords. It’s a powerful prompt.
Also talk to companies like Global Data Vault and BitLyft. We are happy to talk to people and help them understand, because there are still people out there who don’t realize the impact that something like this can have on their organization.
What we have seen be very successful in the C-suite is getting the IT managers involved with the budget design and the purposes behind those budget dollars. Remove the IT jargon from the conversation and talk about what the business is doing, what the business is going after, and how the budget is going to enable the business to stay operational and keep it safe at the same time.
I have seen a much better buy-in when leadership is involved in a cybersecurity budget conversation that has been stripped of the jargon and acronyms. I have been a part of many conversations where the CFO and the CEO are involved. If they understand the journey and they understand the risk, then they’re better equipped to help you with allocating the dollars that are available out of the budget.
If you could only do one thing from the budget, what would it be?
Get your backups offsite! We did a webinar a little while back on how to create a disaster recovery plan, which encapsulated a lot of the things that Jason mentioned like testing your backups and making sure that things are working correctly. Along with that, make sure you have backups, make sure that you test them, make sure that you get the data offsite.
If I only had one thing that I could choose from, it would be multifactor authentication. We have seen it be enabled on banks where it validates your control over the account. If you’re getting text messages or the six-digit code sent to you from your bank account, and you’re not trying to access it, you know that either your email is compromised or somebody knows the username to your account or environment and they’re trying to get in. That tells you to pay attention and take action now!