It seems as if the only thing the IT industry talks about these days is cyber security.
And rightly so. The nature of the issue means that there will always be a debate around it and companies do not want to fall victim to cyber crime now do they?
But do we always have to look at the issue from a victim’s point of view. The current industry narrative paints companies as sitting ducks waiting for the invisible fox to come and pick them off one by one.
I recently read two articles which looks at the issue from a prevention standpoint. And it is a very refreshing view to have.
What you need to know.
The first article looked purely at what must be done from a prevention point of view.
The article points out that if you search the definition within the Oxford Dictionary, resilience alone is defined as the capacity to recover quickly from difficulties; toughness. If you narrow the definition down to cyber resilience, it shifts to maintaining vs recovery. As noted on Wikipedia, it becomes the ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation.
Matt Torrens, the COO at Sprout IT, spoke to tripwire.com about cyber resilience. He provided the following definition: “A true cyber resilience approach blends protection, detection, response and recovery to form an organization-wide, collaborative strategy.”
As part of this definition, all three elements of the cyber security triad—confidentiality, integrity, and availability—are vital to an organization’s resilience. Resilience is essentially a holistic approach to preparing for, responding to, and recovering from an incident.
Recognizing risks.
The article adds that, to protect businesses from cyber threats, we must first be able to recognize risks (combining threats and vulnerabilities) and go on to define solutions to help manage those risks.
Response and recovery plans may then take many different forms but should always have the aim of enabling the organization to rally with minimal financial or reputational damage. When it comes to cyber security, in general, organizations across all sectors still tend to emphasize protection over response and recovery. While in the last few years, cyber insurance has become more commonplace, many organizations have still not considered how they would respond to a major attack at all.
Putting thought into planning.
The article points out that cyber resilient organizations are ones that put the thought into planning, explicitly record decisions and alignments within their risk register, and consistently carry out testing to validate that these decisions are accurate. Cyber resilience requires ongoing dedication for when disaster strikes, be it a malicious actor, human error, or even natural disasters that are responsible. The organization is able to maintain at least minimal services and recover to full operations without completely diminishing their resources.
Organizations that are looking to enhance their cyber resilience can begin by working within three areas: preparing against, responding to, and recovering from incidents.
Prepare for incidents.
Principle of Least Privilege (PoLP): The article adds that, simply put, this step consists of providing the access that is required and restricting all else. Feel as if you have heard this over and over again? Unfortunately, whilst vital to resilience, PoLP is often entirely missed. It might sound logical and simple, but the challenge is that in order to do it properly, an organization must understand their employees’ roles and responsibilities completely along with what each transaction requires from systems, services, and persons.
Prioritization of assets: The article points out that, on top of understanding employees’ roles and responsibilities, an organization has to prioritize each part. Assets include data but also departments and persons. Consider if the office must be relocated. Which department will be moved first? Which team must be settled in and back online first to maintain operations, and further, what teams aren’t business critical in this reduced scope? When able to return to the office, which department do you move first to validate this? These are the lowest priority, not the top, because you want to reduce any impact to operations.
Depth of controls and testing: The article adds that security and privacy are not switches that you turn on and then walk away from. They’re long-term goals that require consistent testing, a holistic involvement and training. By implementing controls based on the identified risks of the organization’s threat map and then validating via a variety of testing, an organization can strengthen their responses and identify gaps via things like red team exercises, simulations, table-top exercises, and disaster recovery scenarios.
Respond to incidents.
Incident handling: The article points out that, when incidents happen, a resilient organization will respond with a strong team and rehearsed approach. This allows for faster response, reduction in cost, and possible mitigation of further damage. Organizations need to know what to do, have the controls in place to provide required intelligence, and be aware of what further capabilities they can use to effectively respond to an incident. It’s impossible to achieve this type of response by simply implementing policies and procedures. The response team will need to practice and simulate likely incidents and therefore know what to do and have the tools identified in part.
Third-party response: the article adds that, at times, an organization is unable to respond with only their in-house team. A third-party incident may require them to work across teams, for instance. As a part of the preparation phase, teams will have likely practiced executing this type of response; however, when responding to an incident, the organization must have existing contracts and documentation to share with these teams. Essentially, the pre-existing relationship can provide a massive benefit. In the situation where it does not, having the right documentation and controls in place to investigate will also help.
Notifications: The article points out that, during an incident, the organization will be required to make the decision on when and how to notify internally and externally. In some situations, there are legal requirements such as notifying the ICO within 72 hours within GDPR, which adds an additional layer of complexity. Many organizations I have interacted with are often torn between notifying the public and receiving the negative response while retaining the transparency that consumers value. Further still, there are some organizations that either weren’t given the ability to choose the date or were notified externally of a breach. For me, providing notification early on as well as in an appropriately worded and transparent way is a massive benefit when attempting to salvage one’s reputation following a security incident.
Recover from incidents.
Returning to Business as Usual (BAU): The article points out that some incidents require office relocation while others require an organization to purchase new hardware and software licenses or even hire full-time employees in a long-term or even permanent position. Whatever the requirements, a vital piece of returning to BAU means that the organization must firstly know what business as usual looks like for its particular case. It must also determine whether it has the financial resources necessary for recovery. All resources have a finite value, but a budget runs out, and the workday has only so many hours in it. When validating the business capability to respond to an incident, has the organization actually considered their return to BAU effectively?
Lessons learned: The article adds that incidents happen, and even practiced teams make mistakes and find failures or gaps within their processes. A resilient organization addresses these shortcomings through formal analysis. Team members must feel safe to identify failures of themselves, of others, and of processes in order to better the resilience posture overall. Towards that end, it’s important for leaders to document and then follow up on actions taken. They should also utilize recent events and knowledge to empower the workforce and make a more effective solution for the problem at hand. They need to set the tone.
Remediation: The article points out remediation isn’t looking at the bare minimums or throwing money at a problem in the hope it will go away. Remediation is about identifying gaps within the organization and dealing with them. Is it a lack of holistic view of security? Is it never having a proper risk assessment done? Is it a skills gap within your existing teams? Is it no SIEM or a lack of effective logs, etc.? Remediation takes on a variety of hats, from enhancements made by the defensive side, to validations performed by the offensive team, to leaders refreshing the business processes and teaching non-technical teams how to protect themselves.
If resilience is the capacity to recover quickly and cyber resilience is about maintaining an acceptable level of operations within a challenge, then resilient organizations must prioritize a holistic understanding of their people, processes, and technology. They must then effectively document and continuously validate their processes throughout the life cycle. Resilient organizations do this in order to withstand, respond to, and recover from security incidents when the time comes.
Endpoint becomes important.
The second article points out that the growing threat landscape requires endpoint security be the cornerstone of any enterprise security strategy
Ransomware attacks continue to loom large as a threat and cybercriminals are evolving ever-sophisticated approaches to target organizations across industry and government agencies. No one is untouched it’s only a matter of time.
The article adds that it’s becoming challenging for security and compliance teams to protect the enterprise assets and data from cyberattacks. The killing of the Iranian IRGC Quds Force commander Qasem Soleimani has put the U.S. on high alert, as government leaders and others prepare for Iranian cyberattacks retaliating for the U.S military strike that killed a top Iranian leader.
Most threats start at endpoint.
The article points out that most cyberattacks that transpire today start at the endpoint, despite enterprises spending a lot to protect their assets. Regardless of the motive—such as financial gain, geopolitical conflicts or espionage activities—and no matter what latest or greatest cybersecurity protection that an enterprise has invested in to protect the organization, unprotected endpoints are the low-hanging fruit that cybercriminals go after to get into the enterprise. Once an endpoint is compromised, it is easy for cybercriminals to move within the network laterally and find the critical business-sensitive and customer data.
The article adds that the speculation around Iran’s cyberattack kicked off 2020, though there is a lot to come including the upcoming U.S. election. That will be the country’s most prominent cybersecurity test, as we all know debates surrounding the last election and Russia’s interference.
According to IDC, 70% of successful breaches originate from the endpoint. The JP Morgan breach, which exposed half of U.S. households and millions of small businesses, started with a compromised endpoint.
The weakest link.
The article points out that endpoints are the weakest link in the enterprise network security. Endpoint devices include laptops, desktops, mobile devices, point-of-sale (POS) devices and IoT devices that connect to the network and access and/or process enterprise business data. The workplace is changing as businesses embrace digital transformation and a new way of working from anywhere and anytime, keeping sensitive data safe is growing the challenge for the enterprises.
Cybercriminals today are trying to get into organizations by compromising the endpoints and using the latest tactics, techniques and procedures (TTP) as well as technologies powered by AI and machine learning capabilities. The threat landscape is continuing to grow in its complexity and sophistication: 71% of data breaches were motivated by financial gain, according to Verizon’s 2019 data breach investigation report. The findings further indicate that financial gain is still the most common motive behind data breaches where a motive is known or applicable.
The article points out that the common threats that target the endpoints:
- Malware, any software or code developed for the purpose of compromising or harming information assets without the owner’s informed consent;
- Social, tactics employing deception, manipulation, intimidation, etc., to exploit the human element, or users, of endpoints assets;
- Advanced persistent threat (APT), which is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, that gains unauthorized access to a computer network and remains undetected for an extended period; and
- Ransomware, a type of malicious software, or malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
The article adds that Endpoint Security Challenges are:
- An organization must protect every single endpoint in the network, while cybercriminals only need to compromise one to get success;
- According to the recent findings, 42% of endpoints are unprotected at any given time, the study indicates that increasing security spending does not provide adequate protection;
- Misconfigurations and employee mistakes contribute to breaches—84% of organizations say spear-phishing attacks successfully compromised them;
- A large endpoint footprint and legacy endpoint protection solutions that were implemented a few years back fail to provide protection from today’s evolving threats;
- Some industry processes still follow traditional waterfall approaches when it comes to upgrading new solutions or technology implementation, which take years for them to be able to operationalize the new technology or solution, which by that time the solution that was selected, becomes outdated;
- Traditional or legacy endpoint security solutions not only fall short on providing protection from evolving threats, but they also generate a high volume of alerts and organizations don’t have enough resources or time to investigate every single alert;
- Organizations don’t have visibility across the environment to address open vulnerabilities that may be present on the endpoint due to the lack of asset management or configuration management database (CMDB) practices;
- Almost every organization today faces a lack of in-house skills and security expertise when it comes to managing the existing solution or opportunities to transition these legacy solutions into next-generation endpoint security solutions; and
- Research says that users are significantly susceptible to social attacks and cybercriminals are targeting endpoints (laptops or mobile devices) using email-based spear-phishing, spoofing attacks that attempt to mimic legitimate webpages and attacks via social media.
Time to Redesign Endpoint Security Strategy.
The article points out that cyberattacks are growing in complexity and becoming more difficult to prevent and continue to accelerate. It’s time to think beyond traditional endpoint technology focused on signature-based prevention. Today’s malware changes daily and hourly, making signature-based prevention tools obsolete. Today, we need an integrated threat prevention solution powered by AI and machine learning models to detect and block malware infections with additional security controls to provide protection against script-based, fileless, memory exploits and zero-day attacks, and be able to detect a threat in the environment if the protection layer fails to contain the threat and minimize the damage.
To address the growing cyberattacks on the enterprise, endpoint security needs to be integrated into the overall cybersecurity plans to be more effective at providing prevention, detection and response to the attacks in real-time and provide effective compliance reporting. An organization must be able to isolate, secure and always be able to control every single endpoint on the network and design the solution with zero trust strategy: Validate before trusting an endpoint in the network.
The article adds that BYOD is another endpoint source joining the enterprise network as our workforce becomes even more mobile. An organization should not trust an employee’s own laptop or mobile device without required protection and monitoring capabilities. BYOD devices come with an extra risk to enterprises if an attacker is able to compromise it while the user is connected to the enterprise network.
Imagine if we all had a victim mentality? No business would be done. We need to be proactive and look at our vulnerabilities and how we can address them so that we are pre-emptive and prepared when an attack comes.