A state security architect offered best practices and lessons learned on keeping bad actors out, and discussed the technologies that can help do just that, at the State of California Virtual Cybersecurity Education Summit.

In a conversation on “Real-Time Velocity Defense” with Dave Gold, senior director of sales engineering for SentinelOne, Franchise Tax Board (FTB) Principal Security Architect Ronald Mendoza reminded attendees that there’s a reason time-honored security postures remain in use today: because they work. He also examined newer technologies and their potential value in improving an organization’s chances at avoiding a security incident. 

“Security is not about insurance. You can have insurance, but it’s still going to happen, and the insurance might just kind of cover or pay for it,” Mendoza said. Among the takeaways:

Mind your CVEs. So-called Common Vulnerabilities and Exposures continue to be a “pretty good vector for attackers to leverage,” Mendoza said on Wednesday, noting they're on the rise this year. One reason they're a go-to for bad actors is their sheer number — but solutions do exist to automate tracking all those CVEs and to aid in identifying them. FTB maintains three- and seven-day mandates for addressing critical vulnerabilities, even though doing so isn’t always as simple as applying a patch. Often, said Mendoza, it’s necessary to push a registry setting and change other configurations — and verifying the installation after patching is important as well.
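As an added illustration of that last point (example code written for this summary, not anything FTB or SentinelOne published), a small tracker that treats a finding as closed only when the patch, the accompanying configuration change and the post-install verification are all done, and flags anything past its window; mapping the three- and seven-day windows to "critical" and "high" severities is an assumption, and the CVE numbers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The page gives three- and seven-day mandates; assigning them to the
# "critical" and "high" tiers is an assumption made for this example.
SLA_DAYS = {"critical": 3, "high": 7}

@dataclass
class Finding:
    cve: str            # constructed placeholder IDs below, not real CVEs
    host: str
    severity: str
    found: date
    patched: bool = False
    config_applied: bool = False   # e.g. a registry setting the patch requires
    verified: bool = False         # post-install verification succeeded

    def deadline(self) -> Optional[date]:
        # Findings outside the mandated tiers carry no deadline.
        days = SLA_DAYS.get(self.severity)
        return None if days is None else self.found + timedelta(days=days)

    def remediated(self) -> bool:
        # A patch alone does not close the finding: the accompanying
        # configuration change must be applied and the result verified.
        return self.patched and self.config_applied and self.verified

    def status(self, today: date) -> str:
        if self.remediated():
            return "closed"
        deadline = self.deadline()
        if deadline is None:
            return "untracked"
        return "overdue" if today > deadline else "open"

def sla_report(findings, today):
    """Group findings by status so overdue items surface first."""
    report = {"overdue": [], "open": [], "closed": [], "untracked": []}
    for f in findings:
        report[f.status(today)].append(f"{f.cve}@{f.host}")
    return report

# Constructed sample findings (placeholder CVE numbers, constructed hosts).
SAMPLE = [
    Finding("CVE-0000-0001", "web01", "critical", date(2021, 6, 1), patched=True),
    Finding("CVE-0000-0002", "db02", "high", date(2021, 6, 1), True, True, True),
    Finding("CVE-0000-0003", "ws03", "high", date(2021, 6, 3)),
    Finding("CVE-0000-0004", "ws04", "low", date(2021, 5, 1)),
]

if __name__ == "__main__":
    print(sla_report(SAMPLE, date(2021, 6, 7)))
```

Note that web01 is reported overdue even though its patch is installed, because the configuration change and verification are still outstanding.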

Stick to the classics — or not. The National Institute of Standards and Technology offers a “good framework to build upon,” the principal security architect said, emphasizing the importance of identifying vulnerabilities to lower an organization’s attack surface. Of course, once that risk is identified, it has to be addressed; and here, legacy fixes like signature-based antivirus probably won’t cut it. Why? Because attackers don’t always look like their signature, Mendoza said, suggesting a move to next-gen antivirus that goes beyond “simple recognition of an exact hash or signature.” The hope is that an organization won’t be forced to restore from backups, but he recommended knowing your restoration process and how long it will take, should it become necessary.

Autonomous protection can work. FTB took the opportunity last year to examine its existing controls and “move toward a new cloud-based antivirus solution,” one with a fair amount of local autonomous protection that takes place without the “heavy agent footprint.” The solution offers enhanced visibility, including into behavior, because it’s not just signature-based. That lets the Board look at PowerShell scripts, bb-scripts and other “weird activity” it may not otherwise be aware of. Dashboards can help track an entity's progress on protection, he said, by increasing the visibility of effectiveness metrics.

Predictive and behavioral-based technology can bring value. FTB is seeing “quite a bit of value,” Mendoza said, when it correlates information from different sources. The agency is also in the process of implementing a user and entity behavior analytics (UEBA) tool, which automates event correlation and “has definitely been eye-opening for sure.” Computers empower that work to a much higher degree than humans can, he said. It’s also worth considering that security is more helpful when layered, he said, comparing security to a bodyguard and asking: “Wouldn’t it be better to have more than one bodyguard?”