Pages

20 March 2023

When Managing Cybersecurity, Operate Like You’ve Already Been Compromised

Renee Tarun

Not to dredge up unpleasant memories, but do you remember how we all felt in the early stages of the Covid-19 pandemic? Vaccines and treatments weren't yet available, and people faced real risks. We isolated ourselves in our homes for weeks or months, kept our distance from other people when we had to go out and canceled gatherings with family and friends. We went through the day with the assumption that everyone we encountered might have the virus.

Then, two things happened. Vaccines were developed that reduced the likelihood of infection and severe illness. And more contagious variants of the virus began to circulate. The result? Many who were vaccinated, boosted and continued masking and distancing practices wound up contracting the virus. But partly because of the precautions they'd taken, the illness wasn't as severe for most of them.

Coping With Near-Universal Cyberattacks

I think this scenario parallels the situation we see in cybersecurity today. The most effective organizations have been working for years to bolster their cyber defenses in a strategic way. They've worked on broadening protection to cover the entire attack surface, integrating across the cybersecurity stack to provide centralized monitoring and management and automating processes for better efficiency and quick incident response.

Yet, many organizations occasionally suffer a successful attack. In fact, it would be much easier to count the number of organizations that weren't impacted by a cyberattack in 2022 than those that were.

It's hard to open a news site these days without seeing a report of another data breach. Fortinet's threat research shows that ransomware attacks surged in 2022. Ransomware-as-a-service offerings now make these attacks accessible to cyber criminals with less technical expertise. To make matters worse, advanced ransomware attackers now exfiltrate data rather than simply locking up systems, increasing the risk that customer and corporate data—and intellectual property—can be exposed. And newer variants like Azov use wiperware to erase or corrupt data, making it useless to the organization.

One of many factors in this exploding volume of attacks is the war in Ukraine, which correlated with a heightened threat environment globally—not just in eastern Europe. And although many initially assumed the war would be short, and things would get back to “normal” soon, there's no end in sight a year later. The heightened threat landscape seems to be here to stay.
Operating On The Assumption That An Attacker Is Already Inside

So, no one's immune from attacks, and the relentless volume isn't going away anytime soon. This raises the question: Why bother with updating cyber defenses at all? The answer is that organizations that are best prepared stand the best chance to avoid serious impact or attacks at all. Just as vaccinated and boosted individuals still contract Covid-19 but have much less severe illness on average, companies that deploy best practices and a well-designed security architecture will weather the storm more effectively overall than those with less robust protection.

But I would go one step beyond this. One security leader recently told me, “We always operate as if we have already been compromised.” Just as we assumed in mid-2020 that everyone we encountered might have Covid-19, security teams should assume that an adversary is already lurking in the network. If everyone who makes it past the “perimeter” is treated as a trusted user, we have a problem. Assuming that someone is already inside brings a very different perspective on how to protect internal systems.
Inoculating The Organization Against The Worst Damage

Despite the worsening threat landscape and the near inevitability of a successful attack, it's still possible for companies to position themselves for minimal damage when this occurs. Rather than focusing solely on attack prevention, organizations should work to build cyber resilience—intercepting most attacks before they happen and responding quickly to contain the damage when an adversary breaks through.

Here are some ideas that can help build cyber resilience in 2023.

• Shore up cyber gaps while reducing the footprint. Technology teams have had a difficult three years, scrambling to quickly stand up new infrastructure for remote employees, students and patients. In the rush to deploy and secure this new architecture, many purchased point security tools that weren't integrated with the rest of the security stack. Now that things are settling into a new normal, it's time to ensure that security teams can view and manage everything from one place.

• Augment people shortages with automation. By many accounts, the cybersecurity skills shortage is getting worse—if that's even possible. CISOs across the country have open positions or have simply restructured their teams with the assumption that a higher headcount isn't possible. This means that organizations must take maximum advantage of technology to automate as many security processes as possible. Technologies like artificial intelligence (AI) and machine learning (ML) enable even more automation when it comes to both detection and response.

• Get out of the “set and forget” mindset. Although automation is critical, no one should be fooled into thinking that it can eliminate the need for strategic thinking. Many security tools falsely purport to enable customers to configure the settings, turn on the tool and never worry about that aspect of security again. But the threat landscape is ever-changing, and leaders need to keep abreast. Every organization should have access to advanced threat intelligence sources—especially those that look at the big picture. Some organizations may want to engage with digital risk protection (DRP) services to focus on how cyber risk contributes to a company’s overall risk portfolio from an external attack surface point of view.

These suggestions should help an organization move from a reactive stance to a proactive one and can make the inevitable attack much less painful.

No comments:

Post a Comment