This post was originally written prior to the COVID-19 crisis and back when there was such a thing as a network perimeter. Can anyone guess which year?
Regardless, the state of the union back then was almost exactly the same as it is today. It is often refreshing to look back midway through a journey to reflect on how far – or how little – we have traveled.
An Explosion of Attacks
Cybercrime and cyberattacks remained a front-page problem last year, with several mega breaches affecting millions of individuals, an explosion of payment-card system breaches and a surge of high-profile ransomware attacks. Cybercriminals have shown resilience in continuously developing new ways to circumvent even advanced security protections, resulting in billions of dollars in damages around the world.
From efforts to evade smart chip technology to new forms and strains of ransomware, activity observed in the cybercriminal underground in [year] will have a profound impact on the [year] threat landscape.
According to the latest Allianz Risk Barometer (released this January), titled The Top Business Risks for [year], cyber incidents marched up the ranks to become the second-greatest risk faced, named by 90% of respondents; they placed 15th five years ago and now rank above natural catastrophes and market developments.
The 5 Drivers of Cyber Risk
While there are no shortages of challenges in the cybersecurity space, I believe the top macro-drivers of cyber risk today are:
- A rapid shift in the threat/prevention dynamic from a network perimeter-centric focus to a broadly sophisticated view dominated by bots, ransomware and insider threat vectors with rapidly increasing cloud, mobile and remote worker assets located outside the network firewall
- An almost blind-faith leveraging of digitalization technologies and opportunities for business advantage through intelligent devices and robotics for manufacturing, distribution and specialty applications in consumer products, science and medicine which has led to an exaggerated and far too rapid expansion of a poorly prepared attack surface
- The failure of best-of-breed cybersecurity point solutions to provide the undelivered silver bullet that most have promised, resulting in a fragmented, non-integrated and porous threat defense “system” of siloed and often redundant moving parts
- An approach to cybersecurity management driven by an obsession with threat vectors, device targets and physical assets versus a constructive defense of the threat landscape focused on the value of information assets
- A twofold failure: the venture community’s failure to direct capital toward machine learning and artificial intelligence technologies applied to actual rather than theoretical challenges, and information security custodians’ failure to communicate to their boards and executive management teams exactly what spending authorization decisions need to be made and why.
Kicking Ourselves in the Rear-End
It is not so much the fact that we can’t stop cyberattacks that is worrisome; it is the larger context in which they continue to occur that is alarming. And I’m not talking about existential-level threats due to our asymmetrical imbalances on the battlefield resulting from economics, education, technology and information dynamics. These 5 drivers are blue-collar realities over which we have complete tactical control.
It’s not like we have to worry about someone else kicking our rear-ends, when we continue to demonstrate how well we manage to kick our own.
No one in the cybersecurity community would be surprised to learn that conventional network perimeter defenses are no longer appropriate for modern malware detection or prevention. Today’s threats are smarter threats, and the size and volume of attacks have exploded, as has the number of potential attack vectors. Conventional perimeter defenses are useless, yet our budget and spending remain focused inordinately on the network perimeter security layer, while spending on correlation and behavioral analytics, threat modeling and intelligence, and machine-learning-enhanced technology suffers.
Ransomware Problem Rapidly Grows
Ransomware attacks are one of the fastest-growing areas of cybercrime: the number of attacks rose 36 percent in [year] (and doubled in cost). Four years ago, there were 500,000 malicious applications. In [year], that number increased to 2.5 million. By [year], it had risen to 3.5 million. And 77 percent of those applications are malware. Most cyberattacks are from insurgents already inside the network perimeter, and much of the information being safeguarded today is shared by apps in a way that never touches the network perimeter devices at all.
The result is firewalls that rely on an exhaustive list of blocked apps yet never get the chance to act, because the app usage is remote and mobile. These are combined with conventional anti-virus (AV) and intrusion detection or intrusion prevention systems (IDS/IPS), which look for suspicious traffic once it has passed through the firewall software and are easily evaded by today’s threats. In the modern cyber-world, the perimeter needs re-invention and has to be extended to every device and every employee.
Cost Benefit Analysis of Digitalization
Digitalization is of course wonderful for all enterprises, as it allows us to do more things faster, and more of those things with fewer resources. But there is a high cost associated with these benefits, the most insidious of which is the additional vulnerabilities we invite into our organizations by leveraging those advanced technologies.
For the most part, responsibility for cybersecurity in digital transformation today is shared by the application team, which tends to focus on hardening and securing enterprise applications, and the cybersecurity professionals, who worry about governance, controls, detection and response. In the future as the focus shifts from traditional network-perimeter security to securing application data, those two worlds need to join forces and find a common understanding, a shared terminology and a unified approach to securing applications and data.
Systems are being leveraged in non-traditional contexts and, as a result, there is far more complexity and direct connectivity with suppliers, partners, customers and consumers. And there are tighter connections between a company’s web presence and its back-end systems and third-party suppliers. Frictionless process flows mean an increase in the number of points where a process can break down and be penetrated.
Cybersecurity must be a part of any organization’s digital transformation conversation at the start and it just isn’t happening that way today. The longer we avoid the difficulty of addressing the issue when and where it needs attention, the higher the price we will pay in the end.
A Game of Disjointed Jenga
Traditionally, best-of-breed meant buying multiple security programs, each a separate tool that’s best at solving the individual problem it targets, leaving a beleaguered IT organization to piece a cybersecurity platform together like some sort of conscripted Jenga tower, hoping that the pieces will all stay together to keep their company’s information assets safe. On paper, that seemed like a reasonable solution, with a few alternate approaches:
- Do it yourself by drawing from the vast knowledge pit provided by over 500 separate product vendors that intend to guide you through the maze of marketing theatre to the answer most desirable from each vendor’s point of view, or
- Rely on a third-party provider like an MSSP/MDR who has theoretically done all of that work for you, providing an integrated SaaS platform made up of all the “right” best-of-breed point solutions plus a SOC, or
- Shift your focus to constructing a simplified fundamental platform based on only the point solutions necessary to marshal an effective defense against 90% of the probable threat vectors that might put your crown jewels at risk.
After what seems like a million years in the trenches of cyberwarfare, only the 3rd alternative seems to make any sense to me.
Back to Basics
In this era of disjointed organizational silos applying drive-by principles of best practices to shadow IT activities, trolled by point solution vendors trying to bypass your CIO’s authority, combined with rocket-fueled IoT adoption and knife-edged complexity curves, returning to fundamentals is not only comforting, it actually makes for the most effective defense against modern cyberattacks.
Focusing on the high-value assets is the key. A great place to start is with a fully featured SIEM system that includes a vulnerability scan, behavioral and end-point analytics and leveraged threat intelligence, and that can operate behind a functional perimeter defense shield. This class of SIEM, augmented by an asset-value-centric monitoring and alerting system operating alongside it, is a very powerful way to monitor not just the threat activity but the actual asset values at risk. Aggregating, contextualizing and correlating event data from existing point solutions with vulnerability data, in order to direct remediation efforts to the high-value assets at risk, is a solid foundational approach to cyber risk management.
The result will be a sufficient all-around defense against the most common threat vectors, and since its focus is on asset values rather than device-level threat activity, it can maximize remediation resource allocation so that your already over-tasked IT staffers aren’t chasing non-critical system devices at the expense of high-value assets at risk. No matter how you slice it, no third-party SOC or “integrated” cybersecurity management platform is going to provide the quality of technical remediation necessary for you to address all of today’s modern threat vectors at a price you can afford. But doing it this way, you will end up with a risk-management platform that is focused on what counts and not on the surrounding noise.
No More Wild Risk Chases
The bonus is that while you may not be getting the crème-de-la-crème of point solutions against every threat vector known to mankind, you will also not find yourself chasing down potential IOCs that lead to a threatened clerical workstation that contains or processes low-value assets and is an insignificant threat to the critical domain. Instead, your resources will be directed toward prioritized devices exhibiting perhaps fewer and less critical vulnerabilities but storing or processing much higher value assets.
This also translates to higher maturity levels for overall cyber risk management as you will now be able to manage threats and vulnerabilities while measuring risk impact in monetary terms and express those metrics to your management team in a language they can understand. The result is not just improved cybersecurity management, but improved business management.
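The prioritization described above (rank remediation by the monetary value of the assets at risk rather than by raw vulnerability severity, and report the result in dollars) can be made concrete with a small scoring routine. The following is an added illustration written for this post, not code from the original author or from any SIEM product. The asset inventory is constructed sample data, and the mapping from a CVSS-style severity score and internet exposure to an annual likelihood of compromise is an assumed heuristic placeholder; in practice that mapping would come from your own threat intelligence and incident history.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    """One monitored host with the value of the information it stores or processes."""
    name: str
    value_usd: float        # monetary value of the information assets on this host
    vuln_severity: float    # CVSS-style base score 0-10 of the worst open finding
    internet_exposed: bool  # reachable from outside the (remaining) perimeter


# Constructed sample inventory: two low-value endpoints with critical findings,
# two high-value systems with medium/high findings.
ASSETS: List[Asset] = [
    Asset("clerical-ws-17", 5_000, 9.8, False),
    Asset("erp-db-01", 4_000_000, 5.3, False),
    Asset("web-portal-02", 1_500_000, 7.5, True),
    Asset("kiosk-03", 1_000, 10.0, True),
]


def likelihood(asset: Asset) -> float:
    """Assumed heuristic: annual probability of compromise grows linearly with
    severity (2% at score 0, 8% at score 10) and triples for internet-exposed hosts."""
    base = 0.02 + 0.06 * (asset.vuln_severity / 10.0)
    return min(1.0, base * (3.0 if asset.internet_exposed else 1.0))


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE = asset value x annual likelihood of compromise (single-loss = full value, assumed)."""
    return asset.value_usd * likelihood(asset)


def rank_by_severity(assets: List[Asset]) -> List[str]:
    """The conventional 'fix the 10.0s first' ordering, for comparison."""
    return [a.name for a in sorted(assets, key=lambda a: a.vuln_severity, reverse=True)]


def rank_by_monetary_risk(assets: List[Asset]) -> List[str]:
    """Asset-value-centric ordering: highest expected annual loss first."""
    return [a.name for a in sorted(assets, key=annual_loss_expectancy, reverse=True)]


def remediation_plan(assets: List[Asset], slots: int) -> List[str]:
    """Given a limited number of remediation slots, pick the hosts whose fixes
    remove the most expected loss. This is what keeps staff off low-value endpoints."""
    return rank_by_monetary_risk(assets)[:slots]


def risk_report(assets: List[Asset]) -> Dict[str, float]:
    """Per-host expected annual loss in dollars, rounded, for a management-facing report."""
    return {a.name: round(annual_loss_expectancy(a), 2) for a in assets}


def total_risk(assets: List[Asset]) -> float:
    """Total expected annual loss across the inventory, the headline number for the board."""
    return round(sum(annual_loss_expectancy(a) for a in assets), 2)


if __name__ == "__main__":
    print("By severity:     ", rank_by_severity(ASSETS))
    print("By monetary risk:", rank_by_monetary_risk(ASSETS))
    print("Two remediation slots go to:", remediation_plan(ASSETS, 2))
    for name, ale in risk_report(ASSETS).items():
        print(f"  {name:16s} ${ale:>12,.2f} expected annual loss")
    print(f"Total expected annual loss: ${total_risk(ASSETS):,.2f}")
```

Run on the constructed inventory, severity ranking puts the kiosk (score 10.0) and the clerical workstation (9.8) at the top, while the monetary ranking puts the web portal and the ERP database first and the kiosk last, even though the database carries the lowest-severity finding in the set. Swapping in real asset valuations and your own likelihood model is the only change needed to turn this into the asset-value-centric view the section argues for.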
The other bonus is that you won’t be faced with reengineering your solution to accommodate every flex in the future arc toward digital transformation. Focusing exclusively on the high value assets will keep your hand steady on the tiller. While the rest of the organization rushes ahead to adopt cloud and mobile technologies, you can remain concentrated on keeping the organization’s critical assets centrally focused and protected.
Best practices, consistent and repetitive employee training and awareness are also essential pieces to the puzzle but are neither difficult nor expensive to implement.
Viewing Security Through the Prism of Cyber Risk
The increasing weaponization of data as an attack tool which the Mirai botnet and the attack on the DNC demonstrated is now the new normal. The web has vastly expanded the scale by which these attacks can spread and the avenues through which they can have an impact. These attack styles are targeted not just at the theft of information assets for re-sale, ransom, extortion or blackmail, but are now designed to hold data hostage and strategically leak classified or sensitive information in concert with a cybercrime agenda.
Face it. No matter how many best-of-breed cybersecurity point solutions you vet and consider for implementation, there is simply no way to get ahead of the threat curve anymore. This becomes especially true as long as you continue to view cybersecurity defense through the lens of threat vectors and not through the prism of cyber risk.
The combination of the increasing scale of attacks and the expanding complexity and scope of systems and data, along with broadly distributed information and applications has created an attack surface that is virtually impossible to defend.
Wandering in the Wilderness
The venture community will continue to make new investments in theoretical versus applied AI and ML to create first mover positions and will continue to double and triple down on existing investments to drive conventional “advanced” cybersecurity product companies to dominant leadership positions in their market segments because that is what VCs do. If you are hoping for a breakthrough in the latest and greatest biometric or quantum technology space that will lead you to the cybersecurity promised land, you should probably make yourself really comfortable because it is going to take a long time.
In the meantime, you have a fortress to defend.
Speaking in Monetary Terms
Getting back to basics, tightening the clamps on what you know works, and starting to talk with your management team in a language (fiscal) that makes sense is the trailhead. If you can shift your attention away from the noise, simplify your cybersecurity infrastructure, leverage analytics and threat intelligence, start capturing actual risk data in monetary terms by weighing threats and vulnerabilities against the asset values at risk, and bridge the communication gap between you and the people at the top, you will have done what many others have not been able to do so far.
As foreign a concept as it may be, the best course of action in [year] might be to stop trying to protect everything and instead focus on what’s vital – the crown jewels of your information assets – those assets that if compromised could destroy your business.
Equifax is a brutal example but sadly not an outlier. Our collective lack of response will translate into lots of similar breaches in the coming months.
Can anyone say “Zero Trust”?