The New Brand of Flashing Red
The flashing red lights that CSOs are seeing on their security dashboards these days are a strong indicator that we have shifted states: we are now in a constant state of flashing red.
And the brand of flashing red has also changed.
Most of our cybersecurity defenses are easily bypassed and malware is able to sit inside a compromised network undetected for months collecting and exfiltrating massive amounts of data.
The fact that we don’t know what’s going on is the frightening part.
A Pileup of Problems
And as we stand in the middle of an expanding threat landscape with very little knowledge about our adversaries, their tactics and techniques, the threat vectors in use, or our own critical assets, we try to make decisions with vast amounts of imperfect data.
Our networks have become hopelessly complicated. Our defensive tools may or may not counter each other’s efficacy. Our attempts at finding the best software solutions are heavily influenced by the opinions of pretenders and market noise. We lack both the skills and the resources to provide fundamental hygiene, so our systems remain susceptible to exploit through published vulnerabilities we haven’t patched. And we continue to build out a flawed system architecture in the mistaken belief that new technology will provide relief.
It won’t.
Un-Updateable Automation
As we have seen over the course of this year with multiple cyberattacks on physical infrastructure, the landscape is morphing toward automated control systems, SCADA, ICS and all of those billions of sensors and actuators that comprise the modern plant floor, keep it running and keep it feeding our global supply chain.
Because of the nature of these devices, many can’t even be patched or updated when vulnerabilities are discovered.
Mobile attacks have increased 500% over the past year.
The solution to both network complexity and unsecured PLCs is to replace them all with devices certified safe and with a network that has been designed on the principles of Zero Trust.
Can we do that? Yes.
Will we do that? No.
Blinded by the Complexity
In addition to the blinding complexity, organizations are asking their CISOs and security IT teams to navigate a whole range of new technologies, from artificial intelligence and deep learning to behavioral analytics, from embedded hardware authentication to blockchain cybersecurity, migration to the cloud and X-as-a-service delivery models, and to make recommendations about how these new technologies can help the organization fend off cyberattacks.
In the hope, of course, that they find a pony in there somewhere.
No pony so far.
A Million More Avenues of Attack
In fact, many new architectures built using isolated multi-cloud services often have restricted visibility, further complicated management systems, and no way to implement any sort of centralized orchestration or control over security policies or posture. And at the same time, all of these new technologies are creating new avenues of attack.
While we are doing all of that, the bad guys are getting really good.
And organized. We now have fully functional affiliate marketing models operating on the dark web that provide everything you need to become an armchair cybercriminal including smooth processes for laundering your bitcoins.
What surprises me is that I detect no sense of panic.
If this sort of meltdown were happening on Wall Street, the entirety of the global financial services markets would be in turmoil, frantically figuring out how to get out before the avalanche buries them all.
But here, nothing.
Running Out of Options
Daily stories of ransomware attacks, hospital patients at risk, killware, pipelines in peril, supply-chain multipliers, hidden malware, and ubiquitous Eastern European and Chinese hackers successfully taking down the networks of large banks while dispensing fake news with their other hand.
What do we do?
There seem to be several paths forward from here.
One, we could continue as we are, building out defensive postures with technology and hoping that somehow, our number doesn’t get called. This seems to be the model preferred by most investors, who while interested in finding a cure, are more concerned with the well-being of their fund.
And, that is as it should be. Their job is to multiply their clients’ investments and maximize gain – either with cybersecurity or soybeans.
Two, we could slam on the brakes and let the business unit owners know that digital transformation is on temporary hold until the attic and basement get sorted out. LOBs won’t like this news. You may be fired. But unless we stop enabling the creation of autonomous production centers through cloud services in thousands of shadow IT organizations, it will be impossible to know about or control what’s going on around us.
This approach only changes the allocation of resources on a temporary basis, but will go a long way toward preventing additional breaches in the future, without requiring major overhauls.
Three, we could immediately begin adopting a Zero Trust mindset: incrementally select the business’s most critical assets, isolate each within a protect surface micro-segmented away from the larger attack surface, and implement robust, continuous identity authentication, authorization and proofing processes.
Not knowing who is on our networks, what they are doing and to whom they are doing it, is one of our biggest vulnerabilities now, and with the proliferation of open source software, we will continue to discover flaws that had not been surfaced earlier.
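To make the third path concrete, here is an added example (not code from the original article) of the decision logic a protect-surface policy enforcement point applies: default deny, an explicit allow-list of source segments per critical asset, and a re-authentication window so that a session is not trusted on the strength of a login that happened hours ago. The asset names, segment names, principals, the 900-second window and the sample requests are all constructed for illustration.

```python
"""Default-deny access check for a Zero Trust protect surface.

Constructed illustration, not code from the article. Asset names, segment
names, principals and the re-authentication window are all assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed policy: a session must re-prove its identity at least this often.
REAUTH_WINDOW_SECONDS = 900


@dataclass(frozen=True)
class Request:
    principal: str          # authenticated identity (user or service account)
    device_attested: bool   # device posture check passed
    session_age: int        # seconds since the last successful authentication
    src_segment: str        # network segment the request originates from
    dst_asset: str          # asset being accessed
    action: str             # e.g. "read", "write", "admin"


@dataclass
class ProtectSurface:
    """One critical asset isolated in its own segment behind an explicit allow-list.

    Anything not listed here is denied: the policy is default deny, and the flat
    corporate network is part of the attack surface, not the protect surface.
    """
    asset: str
    segment: str                                                # segment the asset lives in
    allowed_sources: set[str] = field(default_factory=set)      # segments that may reach it
    allowed: dict[str, set[str]] = field(default_factory=dict)  # principal -> permitted actions


def authorize(req: Request, surfaces: dict[str, ProtectSurface]) -> tuple[bool, str]:
    """Evaluate one request against the protect-surface policy.

    Every check is a reason to deny; there is no implicit allow at the end.
    """
    surface = surfaces.get(req.dst_asset)
    if surface is None:
        return False, "unknown asset: default deny"
    if not req.device_attested:
        return False, "device posture not attested"
    # Continuous verification: a long-lived session is re-challenged.
    if req.session_age > REAUTH_WINDOW_SECONDS:
        return False, "session stale: re-authentication required"
    # Micro-segmentation: only the named source segments may reach this asset.
    if req.src_segment not in surface.allowed_sources:
        return False, f"source segment {req.src_segment!r} may not reach {surface.asset}"
    actions = surface.allowed.get(req.principal, set())
    if req.action not in actions:
        return False, f"{req.principal} may not {req.action} {surface.asset}"
    return True, "allowed"


# Constructed sample policy: two protect surfaces, one IT and one OT.
SURFACES: dict[str, ProtectSurface] = {
    "payments-db": ProtectSurface(
        asset="payments-db", segment="pci-zone",
        allowed_sources={"payments-app"},
        allowed={"svc-payments": {"read", "write"}, "dba-alice": {"read", "admin"}},
    ),
    "plc-line-3": ProtectSurface(
        asset="plc-line-3", segment="ot-cell-3",
        allowed_sources={"ot-engineering"},
        allowed={"eng-bob": {"read"}},
    ),
}

# Constructed sample requests, one per outcome worth seeing.
SAMPLE_REQUESTS = [
    Request("svc-payments", True, 120, "payments-app", "payments-db", "write"),  # allowed
    Request("svc-payments", True, 120, "corp-lan", "payments-db", "write"),      # wrong segment
    Request("dba-alice", True, 3600, "payments-app", "payments-db", "admin"),    # stale session
    Request("eng-bob", True, 60, "ot-engineering", "plc-line-3", "write"),       # read-only principal
    Request("eng-bob", False, 60, "ot-engineering", "plc-line-3", "read"),       # device not attested
    Request("eng-bob", True, 60, "ot-engineering", "hr-portal", "read"),         # asset not under policy
]


def evaluate(requests: list[Request], surfaces: dict[str, ProtectSurface]) -> list[tuple[bool, str]]:
    """Run every request through the policy and return the decisions in order."""
    return [authorize(r, surfaces) for r in requests]


if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS, SURFACES)):
        verdict = "ALLOW" if ok else "DENY "
        print(f"{verdict} {req.principal:>12} -> {req.dst_asset:<11} {req.action:<5} ({why})")
```

The point of the ordering is that every branch is a deny and only the final line allows; adding a new asset or principal that nobody has written into `SURFACES` changes nothing, which is exactly the property the flat network lacks. In practice the same checks sit in an identity-aware proxy, a service mesh policy or a segmentation firewall rather than in application code, but the decision table is the same.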
Four, we could rip and replace. Everything.
And, at the same time, get your attic and basement in shape.
Implicit Vulnerabilities in Legacy Systems
Ultimately, we will have to do this in the realm of IIoT or OT anyway. The talent pool with an understanding of the inner workings of these complex systems of systems grows smaller every month. This lack of knowledge of legacy systems creates both insider risk, intentional and unintentional, and external risk from exploitation by malicious actors. People with malicious intent, whether inside or outside the organization, will exploit the legacy system, recognizing that older technology carries implicit vulnerabilities.
True across the board: IT, OT, IIoT, IoT
Those without malicious intent may make changes to the system without a thorough understanding of the complex nature of the ecosystem, causing downtime with catastrophic impact to the organization, up to and including death.
Time to Bite the Bullet
We already carry a high cyber risk profile, so if you are dependent upon ICS in any way, you know you will have to bite the bullet soon.
I could give you the 5 steps to securing legacy systems or you could Google them – either way, the answer won’t be found there.
Whichever of these four paths we take, we better get started, because folks like DarkSide, REvil, Cosmic Lynx, Exaggerated Lion, Fin7 and Florentine Banker aren’t waiting on our decision.