And The Hits Just Keep On Coming
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Cybercrime and cyber-attacks have remained a front-page problem with several mega breaches affecting millions of individuals, an explosion of payment-card system breaches, and a surge of high-profile ransomware attacks. Cyber-criminals have showcased resilience in their ability to continuously develop new ways to circumvent even advanced security protections, resulting in billions of dollars in damages around the world.
From efforts to evade smart chip technology to new forms and strains of ransomware, activity observed in the cyber-criminal underground in 2017 will have a profound impact on the 2018 threat landscape.
According to the latest Allianz Risk Barometer (released this January), titled The Top Business Risks for 2018, cyber incidents marched up the ranks to become the second-greatest risk faced, named by 90% of respondents, after placing 15th five years ago, and now rank above natural catastrophes and market developments.
While there is no shortage of challenges in the cybersecurity space, I believe the top macro-drivers of cyber-risk today are:
1. A rapid shift in the threat/prevention dynamic from a network-perimeter-centric focus to a broadly sophisticated view dominated by bots, ransomware and insider threat vectors, with rapidly increasing cloud, mobile and remote-worker assets located outside the network firewall,
2. An almost blind-faith leveraging of digitalization technologies and opportunities for business advantage through intelligent devices and robotics for manufacturing, distribution and specialty applications in consumer products, science and medicine, which has led to an exaggerated and far too rapid expansion of a poorly prepared attack surface,
3. The failure of best-of-breed cybersecurity point solutions to provide the un-delivered silver bullet that most have promised, resulting in a fragmented, non-integrated and porous threat defense “system” of siloed and often redundant moving parts,
4. An approach to cybersecurity management driven by an obsession with threat vectors, device targets and physical assets versus a constructive defense of the threat landscape focused on the value of information assets, and
5. A failure both of the venture community to direct capital toward machine learning and artificial intelligence technologies applied to actual rather than theoretical challenges, and of the information security custodians (CISOs) to properly communicate to their boards and executive management teams exactly what spending authorization decisions need to be made and why.
It is not so much the fact that we can’t stop cyber-attacks that is worrisome; it is the larger context in which they continue to occur that is alarming. And I’m not talking about existential-level threats due to our asymmetrical imbalances on the battlefield resulting from economics, education, technology and information dynamics. These five drivers are blue-collar realities over which we have complete tactical control.
It’s not like we have to worry about someone else kicking our asses when we continue to demonstrate how well we manage to kick our own.
No one in the cybersecurity community would be surprised to learn that conventional network perimeter defenses are no longer appropriate for modern malware detection or prevention. Today’s threats are smarter threats, and the size and volume of attacks have exploded, as has the number of potential attack vectors. Conventional perimeter defenses are useless, yet our budget and spending remain focused inordinately on the network perimeter security layer while spending on correlation and behavioral analytics, threat modeling and intelligence, and machine-learning-enhanced technology suffers.
Ransomware attacks are one of the fastest-growing areas of cybercrime: the number of attacks rose 36 percent in 2017 (and doubled in cost). Four years ago, there were 500,000 malicious applications. In 2015, that number increased to 2.5 million. By 2017, it had risen to 3.5 million. And 77 percent of those applications are malware. Most cyber-attacks come from insurgents already inside the network perimeter, and much of the information being safeguarded today is shared by apps in a way that never touches the network perimeter devices at all.
The result is firewalls that rely on an exhaustive list of blocked apps but never get the chance to act, because the app usage is remote and mobile, combined with conventional anti-virus (AV) and intrusion detection or intrusion prevention systems (IDS/IPS) that look for suspicious traffic only once it has passed through the firewall and are easily evaded by today’s threats. In the modern cyber-world, the perimeter needs re-invention and has to be extended to every device and every employee.
Digitalization is of course wonderful for all enterprises as it allows us to do more things faster and more of those things with fewer resources. But there is a high cost associated with these benefits, most insidious of which is the increased vulnerabilities we invite into our organizations through leveraging those advanced technologies.
For the most part, responsibility for cybersecurity in digital transformation today is shared by the application team, which tends to focus on hardening and securing enterprise applications, and the cybersecurity professionals, who worry about governance, controls, detection and response. In the future as the focus shifts from traditional network-perimeter security to securing application data, those two worlds need to join forces and find a common understanding, a shared terminology, and a unified approach to securing applications and data.
Systems are being leveraged in non-traditional contexts and, as a result, there is far more complexity and direct connectivity with suppliers, partners, customers, and consumers. And there are tighter connections between a company’s Web presence and its back-end systems and third-party suppliers. Frictionless process flows mean an increase in the number of points where the process can break down and be penetrated.
Cybersecurity must be a part of any organization’s digital transformation conversation at the start and it just isn’t happening that way today. The longer we avoid the difficulty of addressing the issue when and where it needs attention, the higher the price we will pay in the end.
Traditionally, best-of-breed meant buying multiple security programs, each a separate tool that’s best at solving the individual problem it targets, leaving a beleaguered IT organization to piece a cybersecurity platform together like some sort of conscripted Jenga tower, hoping that the pieces will all stay together to keep their company’s information assets safe. On paper, that seemed like a reasonable solution, with a few alternate approaches:
1. Do it yourself by drawing from the vast knowledge pit provided by over 500 separate product vendors that intend to guide you through the maze of marketing theatre to the answer most desirable from each vendor’s point of view, or
2. Rely on a third-party provider like an MSSP who has theoretically done all of that work for you to provide a best-of-breed integrated SaaS platform comprised of all the “right” best-of-breed point solutions, or
3. Shift your focus to constructing a simplified fundamental platform based on only the point solutions necessary to marshal an effective defense against 90% of the probable threat vectors that might put your crown jewels at risk.
After what seems like a million years in the trenches of cyber-warfare, only the third alternative seems to make any sense to me. In this era of disjointed organizational silos applying drive-by principles of best practices to shadow IT activities, trolled by point solution vendors trying to bypass your CIO’s authority, combined with rocket-fueled IoT adoption and knife-edged complexity curves, returning to fundamentals is not only comforting, it actually makes for the most effective defense against modern cyber-attacks.
Focusing on the high-value assets is the key. A great place to start is with a fully featured SIEM system that includes a vulnerability scan, behavioral and end-point analytics and leveraged threat intelligence, operating behind a functional perimeter defense shield. This class of SIEM, augmented by an asset-value-centric monitoring and alerting system that operates in conjunction with it, is a very powerful way to monitor not just the threat activity but the actual asset values at risk. Aggregating, contextualizing and correlating event data from existing point solutions with vulnerability data, in order to direct remediation efforts to the high-value assets at risk, is a solid foundational approach to cyber-risk management.
The result will be a sufficient all-around defense against the most common threat vectors, and since its focus is on asset values rather than device-level threat activity, it can maximize remediation resource allocation so that your already over-tasked IT staffers aren’t chasing non-critical system devices at the expense of high-value assets at risk. No matter how you slice it, no third-party SOC or “integrated” cybersecurity management platform is going to provide the quality of technical remediation necessary for you to address all of today’s modern threat vectors at a price you can afford. But doing it this way, you will end up with a risk-management platform that is focused on what counts and not on the surrounding noise.
The bonus is that while you may not be getting the latest and greatest point solutions against every threat vector known to mankind, you will also not find yourself chasing down potential IOCs that lead to a threatened clerical workstation that contains or processes low-value assets and is an insignificant threat to the critical domain. Instead, your resources will be directed toward prioritized devices exhibiting perhaps fewer and less critical vulnerabilities but storing or processing much higher value assets.
This also translates to higher maturity levels for overall cyber-risk management, as you will now be able to manage threats and vulnerabilities while measuring risk impact in monetary terms and express those metrics to your management team in a language they can understand. The result is not just improved cybersecurity management, but improved business management.
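As an added illustration (not code from the article or from any product it mentions), the following Python ranks a small inventory two ways: by finding count, the device-centric view the article criticizes, and by expected monetary loss, the asset-value-centric view it recommends. The probability model, the asset names, values, severity scores and alert counts are all assumptions constructed for this example.

```python
"""Asset-value-centric risk ranking.

Added illustration, not code from the article or any product it names.
Correlates constructed vulnerability and alert data per asset with the
monetary value of the information that asset holds, then ranks
remediation by expected loss instead of by raw finding count.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    asset_value: float                          # constructed: value of the data at risk, in dollars
    vulns: list = field(default_factory=list)   # constructed: 0-10 severity scores from the scanner
    events: int = 0                             # constructed: correlated alerts from point solutions


def likelihood(asset: Asset) -> float:
    """Illustrative probability of compromise in [0, 1] (assumed model, not a standard).

    Each vulnerability is treated as an independent chance of exploitation scaled
    from its severity (score 10 -> 0.5); every correlated alert adds 0.1 on top.
    """
    p_safe = 1.0
    for score in asset.vulns:
        p_safe *= 1.0 - 0.05 * score
    return min(1.0, (1.0 - p_safe) + 0.1 * asset.events)


def expected_loss(asset: Asset) -> float:
    """Monetary risk: value of the asset at risk times its likelihood of compromise."""
    return asset.asset_value * likelihood(asset)


def rank_by_findings(assets):
    """Device-centric view: the box with the most vulnerabilities and alerts comes first."""
    return [a.name for a in sorted(assets, key=lambda a: len(a.vulns) + a.events, reverse=True)]


def rank_by_expected_loss(assets):
    """Asset-value-centric view: the largest expected loss, in dollars, comes first."""
    return [(a.name, round(expected_loss(a))) for a in sorted(assets, key=expected_loss, reverse=True)]


# Constructed sample inventory: a noisy clerical workstation and two quieter servers.
SAMPLE = [
    Asset("clerk-ws-17", 5_000, vulns=[9.8, 7.5, 6.1, 5.3], events=3),
    Asset("customer-db-01", 4_000_000, vulns=[7.5]),
    Asset("payroll-app-02", 1_200_000, vulns=[5.3, 4.3], events=1),
]

if __name__ == "__main__":
    print("by findings:     ", rank_by_findings(SAMPLE))
    print("by expected loss:", rank_by_expected_loss(SAMPLE))
```

The workstation tops the finding-count list, but the customer database, with a single vulnerability, carries roughly 300 times its expected loss and is where remediation effort belongs.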
The other bonus is that you won’t be faced with reengineering your solution to accommodate every flex in the future arc toward digital transformation. Focusing exclusively on the high value assets will keep your hand steady on the tiller. While the rest of the organization rushes ahead to adopt cloud and mobile technologies, you can remain concentrated on keeping the organization’s critical assets centrally focused and protected.
Best practices, consistent and repetitive employee training and awareness are also essential pieces to the puzzle but are neither difficult nor expensive to implement.
The increasing weaponization of data as an attack tool, which the Mirai botnet and the attack on the DNC demonstrated, is now the new normal. The web has vastly expanded the scale at which these attacks can spread and the avenues through which they can have an impact. These attack styles are aimed not just at the theft of information assets for re-sale, ransom, extortion or blackmail, but are now designed to hold data hostage and strategically leak classified or sensitive information in concert with a cyber-crime agenda.
Face it. No matter how many best-of-breed cybersecurity point solutions you vet and consider for implementation, there is simply no way to get ahead of the threat curve anymore. This becomes especially true as long as you continue to view cybersecurity defense through the lens of threat vectors and not through the prism of cyber-risk.
The combination of the increasing scale of attacks and the expanding complexity and scope of systems and data, along with broadly distributed information and applications has created an attack surface that is virtually impossible to defend.
The venture community will continue to make new investments in theoretical versus applied AI and ML to create first mover positions and will continue to double and triple down on existing investments to drive conventional “advanced” cybersecurity product companies to dominant leadership positions in their market segments because that is what VCs do. If you are hoping for a breakthrough in the latest and greatest biometric or quantum technology space that will lead you to the cybersecurity promised land, you should probably make yourself really comfortable because it is going to take a long time.
In the meantime, you have a fortress to defend.
Getting back to basics, tightening the clamps on what you know works, and starting to talk with your management team in a language (monetary) that makes sense is the trailhead.
If you can shift your attention away from the noise, simplify your cybersecurity infrastructure, leverage analytics and threat intelligence, start capturing actual risk data in monetary terms while factoring threats and vulnerabilities against the asset values at risk and bridge the communication gap between you and the people at the top, you will have done what many others have not been able to do so far.
As foreign a concept as it may be, the best course of action in 2018 might be to stop trying to protect everything and instead focus on what’s vital – the crown jewels of your information assets – those assets that if compromised could destroy your business.
Equifax is a brutal example but sadly not an outlier. Our collective lack of response will translate into lots of similar breaches in the coming months.
Vice President, Media Relations at Havas Red US
6 years
Cyber security is an area that always interested me. Taking some courses to learn more as we speak. If you're ever in NYC or have some time, I would love to connect. This was an excellent read. Keep them coming.
Mortgage Broker | Home Loan Broker | Commercial Loans | Business Loans | Car Finance | Equipment Finance
6 years
I’ve had a bit of experience in cybersecurity, great reading your view, you really know what you’re talking about.
Retired IT Project Manager
6 years
Thanks Steve, another great cyber security article/LI post!