Risk – it’s a four-letter word senior managers would love to banish from their organizations. Unfortunately, the “washing one’s mouth out with soap” method does not extinguish the type of risk cyber security experts worry about the most.
While there are numerous types of risk to discuss, I am going to limit my comments here to the area of compromise because that seems to be what is impacting organizations the most lately.
For systems failure, there’s high availability. For data loss, there are mirrored drives and backups. For major power outages, there are battery/generator backups. But when you are compromised and your protected information is stolen or leaked, there is no fallback mechanism to reduce or eliminate impact. You must reduce or eliminate the risk of the compromise occurring altogether.
There are three issues you should address to focus your efforts on reducing the risk of compromise to your organization: evolution, recognition and humility. Yes, on the surface none of these sound like they have anything to do with security operations and risk management, but that’s precisely why I chose them.
I have met many executives that understand advanced threat groups are constantly evolving and adapting to the defenses placed in front of them. They know these groups are well-funded, well-trained, mission-oriented and focused on them.
Yet, many times their approach to risk reduction is still business-cycle focused. A solution is purchased and it is expected to have a lifespan of three to five years. They stop looking at solutions in that area until their investment spend for that solution has run its course – regardless of whether the solution is still effective at protecting their organization from the threat it was intended to defend against.
Advanced adversaries do not operate on a business cycle. You must expect that the second you place an obstacle in front of them, they are going to focus their talents on figuring out how to adapt and overcome that obstacle. The second they do, your investment in that solution is no longer paying off. You must adapt and evolve, or you risk compromise.
The old adage “No one ever got fired for buying <vendor X>” does not hold up in our field. Security practitioners are heavily scrutinized and often lose their jobs when a breach goes public, regardless of the technology that was purchased (see OPM Chief Katherine Archuleta Resigns; Amy Pascal, Ex-Sony Chief, Acknowledges She Was Fired; Target CIO Resigns as Part of Security Overhaul; or As Data Breach Woes Continue, Target’s CEO Resigns).
In order to reduce your security spend in this area, you must focus part of your evaluation criteria on the vendor’s ability to adapt and evolve to new attack methodologies that are designed to evade it.
No, this is not the kind of recognition you get when being rewarded for doing a great job. Just like the never-ending battle of being the top closer for the sales rep, not being breached last month will mean nothing if you are breached this month.
If your detection solutions cannot recognize malicious behavior, you are in trouble. And even if your detection solutions do recognize malicious behavior, you may still be in trouble.
How do you explain the breach that occurred when your detection solutions did recognize malicious behavior but because of the confusing or difficult way it was presented, your security team did not recognize what occurred?
This means you cannot focus solely on alerts. You should focus on SOC/IR operational workflow and the use of best-of-breed solutions that integrate together and provide easy-to-understand, actionable intelligence.
I think one of the best traits a security manager can have is knowing they do not know it all. Unlike military warfare, where the skipper must appear to know everything in front of the crew, cyber warriors must rely on plenty of help to keep advanced threat groups at bay.
The moment you convince yourself your defenses are impenetrable, you put yourself at high risk of compromise. You must deploy prevention solutions to block as much as possible, filtering out all the noise so your teams can focus on advanced threats. Your detection solutions must be able to adapt with the evolving threats, so that your teams receive clear indicators of compromise.
You must have the humility to believe that, despite your efforts, all your preventative measures may still fail, and you will have to actively hunt for your adversary. Assume the worst – assume they got in, and go find them.
Because when it comes to the APT, there is no silver bullet. There is no single “APT solution.” You must use the best of your abilities, the best technology, the best trained personnel, and then have the humility to consider it all may fail you.
That’s how you extinguish the risk!
About the Author: John Bradshaw has more than 25 years of IT industry experience, including 20 years in network and systems security. He joined Lastline as Vice President, Worldwide Sales Engineering in February 2015 and is responsible for all aspects of the technical part of sales. Prior to joining Lastline, John was Sr. Director, Worldwide Sales Engineering at Mandiant (now a FireEye company). He has also held sales engineering leadership roles at ArcSight, Internet Security Systems and Digex. From 1996 – 2000, John was Director, Customer Security at UUNET, where he grew a team of Internet security specialists from six to over 80 focused on abuse investigations as well as firewall and network configuration support for customers. John lives in Columbia, Maryland with his wife and four children. He holds a Master of Science in Network Security from Capitol.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.