Listening to cybersecurity experts can be terrifying. Cybersecurity experts are known to pull out bone-chilling stories from the depths of digital darkness. The panic and anxiety a business experiences because of unpredictable competitive strategy or erratic customer behavior is trivial by comparison.
Here are some of the favorite tales from the world of cybersecurity: hackers can block critical systems preventing users from accessing data; they can expose critical information to the public; they can trigger public alarm systems; and even tweak election results. These are no longer stories. Each of them is real.
In May 2017, a strain of ransomware called WannaCry hit hospitals, shipping companies, oil giants and powerful government outfits. The hackers affected 200,000 computers across 150 countries and demanded a ransom in exchange for unblocking the systems. Estimates suggested that economic loss from the attack could reach $4 billion. A group calling itself Shadow Brokers has been publishing hacking tools and data from the National Security Agency — a great embarrassment to the NSA.
In April 2017 hackers triggered 156 sirens in Dallas, sending citizens into a state of confusion and panic. In October 2017, Yahoo! publicly admitted that a 2013 intrusion could have resulted in compromising information of its 3 billion users. And now there is news that a leading cybersecurity company cataloged information from a U.S. government employee’s computer. That data may find its way into the hands of agents from any rogue state. Nothing in the digital world, it appears, is safe.
This is just the beginning. As the Internet of Things (IoT) grows, the problem of cybersecurity is going to multiply. Analysts have predicted that by next year worldwide spending on information security products and services will hit $93 billion.
The key reason for this is simple. Digitization, cloud technology, the IoT and mobile applications have made the world a different place. Enterprises are using simple third-party plug-and-play systems for CRM, email, collaboration, payment transactions, content management and social interaction. Millions of consumers, business partners and providers, drones and autonomous systems have become part of the IT landscape of modern enterprises. The idea that the IT assets of an enterprise, along with its stateful architecture, can be fenced within a boundary has become history.
Banks, retailers, manufacturers, health care providers, utilities, governments, etc., must evolve and adapt to the new ways of doing business — and that includes dealing with a more amorphous IT architecture. Put another way, it means that the growth in connected systems, devices, operating systems, programming languages and networks is leading to a growth in the available attack surface for intruders and hackers.
Assurance before defense
Of course, enterprises have made continuous investments in setting up layered defenses such as firewalls, anti-virus engines, Intrusion Detection Systems (IDS), Host Intrusion Protection Systems (HIPS), content filtering systems, etc. The question is: “How do you know these are working?” Are they adaptive, resilient and scalable?
The dynamic nature of today’s threat scenarios is giving rise to newer threat models that demand fresh controls to defend assets as well as modifications to existing controls. This has a domino effect. The new threat models call for an overhaul of Enterprise Security Architecture — a function that is also being forced to become dynamic.
The changes call for a tighter correlation between the Security Architecture function and the Cyber Defense Assurance function. The processes, and the way existing controls and defenses are measured, evaluated and assessed, must be re-engineered. Now, when security assurance becomes the focal point — as it does in a dynamic threat environment — it is akin to setting up a new security game plan for the enterprise.
Those tasked with security management have a new responsibility. They need to go well beyond traditional penetration testing and vulnerability management. The former provides a picture of an enterprise’s security posture while the latter is a static point-in-time assessment of an asset’s compliance posture. Both are inadequate to protect an enterprise from today’s cyberattacks.
Enterprises also tend to lean on the false sense of security provided by table-top risk assessments. They go through a checklist of known security best practices and controls that fails to provide a real-time picture of what is happening within their systems.
Instead, the emphasis must shift to assurance of the cyber defense controls in real time and in-line. Measuring the effectiveness of the controls, in addition to dynamic assessment of the controls architecture, is what enables enterprises to effectively correct their cyber defense posture.
Current security practices do not emphasize the need to assess the state of security controls in real time. This is an astonishingly large gap that needs immediate attention.
Management vs. assurance
It should be evident that enterprises need to change how they think of defending their assets. But what is an effective mechanism? We believe every modern enterprise must move away from vulnerability management and take a step towards cyber defense assurance. This is what will differentiate winners from losers.
There are two clear steps that an enterprise must take to achieve the new level of cyber defense. First, enterprises will need to find ways and means to bring in and adapt newer technology controls, which will help engineer a better defense posture. Second, they will need to continuously (re)engineer cyber defense in line with the changes in threat scenarios.
The new assurance model would look like this:
(Re)Assess: Look again at current controls and map them to the dynamic threat landscape.
(Re)Evaluate: Examine existing controls for their effectiveness in various threat scenarios.
(Re)Architect: Adapt the controls to the latest threat models or bring in additional compensatory controls to defend effectively.
(Re)Engineer: Engineer the controls to meet the demand.
Finally, an enterprise will find it easier to navigate the new threat landscape when it identifies meaningful metrics that help drive decisions that create an effective cyber defense posture.
But IT teams are lost and confused when it comes to defining the basis on which to judge systems for their effectiveness. The number of digital surfaces, actors and vectors to consider is alarmingly large. The internal and external risk scenarios also keep changing.
Here is a simple example of an incident that can cloud the judgment of an enterprise: A consumer credit reporting agency can get hacked and banks will suddenly hear alarm bells related to their own security. The catastrophic event affecting the credit agency may prevent the bank from releasing its next mobile app. “Am I not exposing one more digital surface with the mobile app?” is how the bank will think. The problem here is that the bank doesn’t know how to assess or respond to the external scenario in its industry that has suddenly changed.
The ‘how of change’
When the type of threat changes, security officers intuitively know that their threat models and risk management processes must change. However, there isn’t a well-established process to revisit these threat scenarios. Neither is there a way to assess these scenarios so that learnings can be applied to threat models and risk management to create more effective cyber defense mechanisms.
The trick is to adopt dynamic and adaptive architecture. This is easier said than done. What dynamic security architecture implies is painful and difficult. For most IT teams, dynamic architecture means going back to the drawing board, re-examining assets and the change they are subject to, and how this results in new threat scenarios.
Then, even as new security practices are spelled out and brought in, the team must go back to examining the assets for (further) change and implement new practices … and thus it is an endless cycle. As can be imagined, this is a laborious and frustratingly uphill task (not to speak of appearing futile!).
These technologies together with analytics can help identify the right metrics to examine and thus ensure that an enterprise can respond faster to its changing security needs.
What are tomorrow’s best practices for cyber defense? Before you can capture them, be sure they will change.