Creating a Cyber Battle Plan
Published 10/07/2024
Originally published by CXO REvolutionaries.
Written by Ben Corll, CISO in Residence, Zscaler.
Nearly every day (certainly every week) the headlines scream of massive data breaches. It's enough to make you wonder: with companies supposedly pouring resources into cybersecurity, why are cyber incidents and data breaches still on the rise? The answer, unfortunately, isn't a simple one. Cybersecurity is a complex dance between evolving attacks and the ongoing struggle to maintain a truly secure environment. We, the defenders, want to protect the organizations and their data. Yet, we cannot stop employees from being able to do their jobs and we cannot interrupt business operations (if we want our salary).
Attackers on the upward climb
Cybercriminals are no longer isolated, shadowy figures operating from their mothers' basements. Today's attackers are often sophisticated, well-funded, and constantly innovating. They leverage cutting-edge tools and techniques and exploit vulnerabilities faster than ever (using GenAI?). Against adversaries like these, it's important to stay diligent.
Let's delve into a few key factors contributing to the rise of cyber threats:
- The professionalization of cybercrime: Cybercrime has become a lucrative business attracting skilled individuals and organized groups. These groups operate with a business mindset, employing sophisticated techniques like social engineering and zero-day exploits to bypass traditional defenses.
By acknowledging the nature of our adversaries we can begin to build programs to defend against their attacks. We are not simply fighting hoodie-wearing loners working from laptops in the dark of night. We face well-dressed and well-educated criminals with plenty of time and resources to dedicate to bypassing our defenses and evading our sensors.
- The rise of ransomware: Ransomware attacks have become a dominant threat. Not only do these attacks disrupt operations, but the stolen data becomes a valuable asset for further exploitation. Even excellent backups that are immutable and unreachable by malware are not a silver bullet.
I hate the idea of ever paying a ransom and feeding into a system to perpetuate its growth, but stopping ransomware takes more than backups. It requires adopting different architectures and models. For example, limiting the blast radius of a compromised account or system is a considerable improvement. Likewise, stopping an attacker’s ability to spread laterally through an organization is better than only being able to restore lost data. This is why I truly believe that implementing a zero trust architecture is a must for the modern enterprise.
- The expanding attack surface: As technology evolves, so do the potential entry points for attackers. The rise of cloud computing, the internet of things (IoT), and the increasing interconnectedness of systems creates a vast attack surface. Each new, interconnected technology compounds the challenge of securing the points of entry into your enterprise.
Right now we need to greatly reduce the attack surface (ZTNA/SSE anyone?) while also having a firm grasp of where our assets truly are. What's ours? Where is our data? Which APIs are we using? What accounts are no longer being used? Which non-human identities or accounts (such as service accounts) are being used, and what does normal usage look like? To reduce our risk exposure we must monitor activity to understand what “normal behavior” looks like. Then we can detect when things deviate from the norm.
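As an added example of the baseline-then-detect idea above (this is illustrative code written for this page, not something from the author or Zscaler), the script below learns, for each service account, which source hosts and which hours of the day it was seen during a baseline window, and then flags later events that fall outside that profile. The log format, account names, hosts and timestamps are all constructed; a real deployment would feed it authentication logs from the identity provider or SIEM.

```python
"""Baseline service-account activity and flag deviations.

Added example (not from the article): a deliberately simple behavioural
baseline for non-human identities. Log format, account names and hosts
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <account> <source host> <action>".
BASELINE_EVENTS = [
    "2024-09-01T02:05:00 svc_backup host-db01 login",
    "2024-09-02T02:07:00 svc_backup host-db01 login",
    "2024-09-03T03:01:00 svc_backup host-db01 login",
    "2024-09-02T09:30:00 svc_sync host-app02 token_refresh",
    "2024-09-02T15:45:00 svc_sync host-app02 token_refresh",
]
NEW_EVENTS = [
    "2024-10-01T14:12:00 svc_backup host-ws-117 login",       # new host, odd hour
    "2024-10-01T10:31:00 svc_sync host-app02 token_refresh",  # within baseline
    "2024-10-01T22:00:00 svc_legacy host-app01 login",        # never baselined
]


@dataclass
class Profile:
    """What 'normal' looks like for one account during the baseline window."""
    hosts: set
    hour_min: int
    hour_max: int


def parse_event(line):
    ts, account, host, action = line.split()
    return datetime.fromisoformat(ts), account, host, action


def build_baseline(lines):
    """Learn, per account, the source hosts and the hour-of-day window seen."""
    hosts = defaultdict(set)
    hours = defaultdict(list)
    for line in lines:
        ts, account, host, _ = parse_event(line)
        hosts[account].add(host)
        hours[account].append(ts.hour)
    return {
        acct: Profile(hosts[acct], min(hours[acct]), max(hours[acct]))
        for acct in hosts
    }


def detect_deviations(profiles, lines):
    """Return (account, finding, line) for each event outside its baseline."""
    findings = []
    for line in lines:
        ts, account, host, _ = parse_event(line)
        profile = profiles.get(account)
        if profile is None:
            # An identity with no history at all: dormant, forgotten, or newly created.
            findings.append((account, "unknown_account", line))
            continue
        if host not in profile.hosts:
            findings.append((account, "new_source_host", line))
        if not profile.hour_min <= ts.hour <= profile.hour_max:
            findings.append((account, "unusual_hour", line))
    return findings


if __name__ == "__main__":
    for acct, kind, line in detect_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"{kind:18} {acct:12} {line}")
```

The profile is intentionally coarse (a host set and an hour window); the point is that a service account appearing from a workstation it has never touched, at an hour it has never worked, is exactly the deviation worth an alert, and that an account with no baseline at all deserves an owner before it deserves access.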
The Achilles' heel of cyber defenses
Advancements in cybersecurity tools are undeniable, yet a crucial gap exists between having a solution and configuring it to work effectively. A large part of my day is spent evaluating the effectiveness of solutions and determining if they are being adequately used. After all, a tool can't help solve a problem if it isn't properly configured.
There is an ever-widening gap between what we perceive as adequate protection, and the capabilities our cyber solutions actually provide. This gap is often filled by inadequate cyber hygiene practices – by which I mean the foundational steps businesses take to maintain a healthy cybersecurity posture. The result is a false sense of security. Far too often I hear an executive or board member say “...but I thought our firewalls would protect us from that.”
Here's where I believe some common critical weaknesses lie:
- Human error: Humans remain a significant security vulnerability. I don't say people are our weakest link as they are our best threat sensors (people have intuition). But human error is still a problem. Phishing emails and social engineering tactics continue to trick employees into giving up sensitive information or clicking malicious links. I often say that all of us will fall victim at some point (including me!). The right email, at the right time, in the right situation will get anyone to accidentally click. This is why we need proper tooling and training - so that when one security measure fails others can protect the business.
- Patch management lag: Software vulnerabilities are inevitable (humans are flawed, so what we produce is also flawed), and attackers are quick to exploit them. With the continued advancement of GenAI and its adoption by cyber criminals, attacks will only come faster. Additionally, timely patching of vulnerabilities is often neglected, leaving systems exposed for extended periods. Patching must happen as soon as it makes sense.
- Unsecured cloud environments: The rapid shift to cloud computing presents opportunities and challenges. Businesses may lack the expertise to properly configure cloud security settings, which leads to inadvertently exposing sensitive data. In a multi-cloud environment this becomes a bigger problem, as engineers must properly configure and maintain multiple cloud tenants with different security requirements.
- Inadequate user access controls: Granular control over user access to data is critical. However, many businesses struggle with limiting access to what's strictly necessary for employees' roles. This is why I believe that identity (or contextually-based identity) is the new perimeter of the modern-day firewall. As identity and access management (IAM) continues to evolve we'll see fewer issues with overprovisioning access (for human and non-human identities).
Moving towards a more holistic approach
The fight against cybercrime requires a multi-pronged approach. Here are some key steps organizations can take:
- Invest in security awareness training: Employees are the first and often last line of defense. Regular training on recognizing phishing attempts, cyber threats, and security best practices can significantly reduce the risk of human error. This shouldn’t be a one-time or once-a-year event - it should be continuous. Training must be more than phishing simulations that track click rate. Talk to people, educate them, relate to them. Use real examples that happened at your organization, not something observed at some other company somewhere in the world. Make examples real and relevant if you want to have an impact.
- Prioritize vulnerability management: Develop a comprehensive vulnerability management program. Notice I said vulnerability management program, not patch management program - they are not the same. Vulnerability management includes regular scanning of the environment and mandatory testing before deploying. It also can mean removing applications, sunsetting systems, and using configurations to isolate access. There is so much more to vulnerability management than pushing a patch (something I was woefully unfamiliar with when I ran a patch management program some 15 years ago).
- Secure cloud environments: Businesses migrating to the cloud must invest in understanding and leveraging cloud security tools and configurations. We need to train our people and allow them time to learn. Ensure training encompasses all the clouds your organization uses.
- Implement least privilege access controls: Granting users only the access necessary for their job functions mitigates the potential damage if an account is compromised. The principle of least privilege and just-in-time (JIT) access need to become the de facto standard in access management. This is also a governance issue, as account and privilege management have been messy in every organization I've encountered. People move roles. They leave organizations. There are breakdowns between the IT & HR departments. Work needs to be done to solve the security problems created as employees advance or leave the organization.
- Embrace a culture of security: Security shouldn't be seen as an additional burden but as something ingrained in the company culture. Fostering employee engagement in cybersecurity creates a more vigilant workforce. When I worked in a manufacturing company, inside every factory were signs that read "safety is everyone's responsibility". Everyone bought in on safety. We haven't quite gotten there with cyber or information security. Still, give security leaders time and a platform and we'll work to win the hearts and minds of our employees and users.
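To make the least-privilege and JIT points concrete, here is an added example (written for this page, not the author's or Zscaler's code) that does two things the list above asks for: it reconciles an IAM snapshot against the HR roster and a per-role baseline to surface terminated users who still hold accounts, identities with no owner on record, and standing entitlements beyond the role; and it models time-boxed, ticketed JIT elevation for anything outside that baseline. The roster, roles, entitlement names and ticket id are all constructed for illustration.

```python
"""Least-privilege review and just-in-time elevation.

Added example (not from the article): reconciles an IAM snapshot against an
HR roster and per-role baselines, then models time-boxed JIT grants. All
users, roles, entitlements and ticket ids are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed HR roster: user -> (employment status, current role).
HR_ROSTER = {
    "alice": ("active", "developer"),
    "bob": ("terminated", "finance"),
    "carol": ("active", "developer"),
}
# Constructed role baselines: the standing entitlements a role is entitled to.
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write"},
    "finance": {"erp:read", "erp:approve"},
}
# Constructed IAM snapshot: what each account actually holds today.
IAM_SNAPSHOT = {
    "alice": {"repo:read", "repo:write", "prod-db:admin"},
    "bob": {"erp:read", "erp:approve"},
    "carol": {"repo:read"},
    "svc_report": {"erp:read"},
}


def review_access(hr, iam, baseline):
    """Flag accounts that HR no longer vouches for, or that exceed their role."""
    findings = []
    for user, held in iam.items():
        record = hr.get(user)
        if record is None:
            # Non-human or orphaned identity with no owner on record.
            findings.append((user, "no_hr_record", sorted(held)))
            continue
        status, role = record
        if status != "active":
            # The IT/HR breakdown the article describes: a leaver with live access.
            findings.append((user, "account_for_inactive_user", sorted(held)))
            continue
        excess = held - baseline.get(role, set())
        if excess:
            findings.append((user, "excess_standing_privilege", sorted(excess)))
    return findings


class JitAuthorizer:
    """Standing access comes from the role baseline; anything else needs an
    unexpired, ticketed JIT grant."""

    def __init__(self, hr, baseline):
        self.hr = hr
        self.baseline = baseline
        self.grants = {}  # (user, entitlement) -> (expiry, ticket)

    def grant(self, user, entitlement, now, ttl_minutes, ticket):
        """Record a time-boxed elevation tied to a change/incident ticket."""
        self.grants[(user, entitlement)] = (now + timedelta(minutes=ttl_minutes), ticket)

    def is_authorized(self, user, entitlement, now):
        record = self.hr.get(user)
        if record is None or record[0] != "active":
            return False  # no active person behind the account
        if entitlement in self.baseline.get(record[1], set()):
            return True
        expiry_ticket = self.grants.get((user, entitlement))
        if expiry_ticket and now < expiry_ticket[0]:
            return True
        self.grants.pop((user, entitlement), None)  # expired or absent: drop it
        return False


if __name__ == "__main__":
    for user, kind, detail in review_access(HR_ROSTER, IAM_SNAPSHOT, ROLE_BASELINE):
        print(f"{kind:28} {user:12} {detail}")
```

Run as a periodic control rather than a one-off: the review catches drift as people change roles or leave, and the authorizer makes elevated access the exception, expiring on its own instead of lingering until the next audit.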
It's a continuous battle
Cybersecurity is an ongoing arms race. Attackers are continuously refining their methods, and so are cybersecurity practitioners and their solution providers. The key is recognizing that effective cyber defense requires a multi-layered approach. By investing in robust cyber hygiene practices and having a security-conscious culture, organizations can significantly improve their cyber resilience. Like the attackers, we must also keep up with technological advancements. Don't get left behind; stay in the fight by staying up to date.
Above all, remember, even the most sophisticated vault can be breached if its foundations are weak and unmaintained. Keep your cybersecurity program fresh and review its foundation on a regular basis.