By Peter Mesker, CTO and Eward Driehuis, CRO at SecureLink
Cyber risk used to be easy. The vast majority was caused by criminals, trying a handful of different attack methods in order to get our money, going after low-hanging fruit and always looking for a quick ROI. They caused us some grief, but rarely were our paradigms shifted. We reduced the risk with technology and accepted the rest. How wonderful life was, and we didn’t quite appreciate the simplicity.
Looking back, we now view this period as the “sea of criminal predictability”. Yes, there were waves. Some might have been higher, there might have been a storm and tides, but in the end these things were fairly predictable, and you had to have made some serious errors in judgement if you managed to sink your ship.
Now, nation states have entered the game. Malware might be used as a weapon (like WannaCry, or Olympic Destroyer). Making money is no longer the goal; causing destruction is. Incidents are rarer, but with a higher impact. We call this added risk the “steep nation state cliffs”. We see organizations struggling to deal with these events, and they’re difficult to predict. How do we deal with this new paradigm of rare, high-impact events?
One eye on your dashboard, one eye on the future
Technology is very good at catching predictable attacks. For these new ones, we’re increasingly investing in people and processes: a SOC provides detection of threats missed by prevention, and emergency response takes action based on these detections.
In the past, looking back was enough. Creating signatures for new attacks sufficed. Now, we accept the fact that we can’t stop everything. Our new challenge is where we draw the line. What can we prevent (and at what cost), and how much do we want to invest in detection and response? Do we create a threat hunting team? How much effort do we put into the unknown unknowns? How much time do we allocate to research, and how much to ethical hacking?
The sea of predictability, nation state cliffs, and drawing the prevention line.
Next generation solutions and services
The good news is, technology hasn’t stood still. Signatures have evolved into rules and AI. Prevention tools catch more than in the past, utilizing machine learning techniques. Endpoint solutions don’t just block, but offer forensic analytics, too. SIEMs are evolving and the introduction of UEBA added the necessary capabilities to reduce the number of alerts and create automated response actions or prioritized risks.
While the architecture needed to run your business is evolving into a complex multi-cloud architecture, the odds of creating a weak link in the chain are also rising. Knowing your risk profile and capturing the infrastructure and perimeter security in a real architectural blueprint is a necessary approach to keep a clear overview. Due to regulations like GDPR, organizations have also changed their data access (identity) and protection strategies.
Building the platform, or fabric if you like, to offer cyber resiliency is, in our opinion, the biggest task for organizations over the coming years. By this platform we mean creating full visibility (including NOC and SOC services), making your infrastructure queryable and connecting the “dots” by using API technology. This can only be achieved and maintained by using automation and orchestration tools to minimize errors.
The ability to consume the separate building blocks as a service makes it much easier for organizations, both in the deployment phase and in the operational phase. Standardization, using best practices, data telemetry and strong integration are the necessary ingredients.
Depending on the risk profile and the available budget, organizations must focus their efforts on the most effective next step. Some threats can be mitigated by technology, awareness and automated incident response. The more sophisticated, once-in-a-lifetime threats, such as specifically targeted attacks, can most likely not be prevented. For those, the focus should be on resilience and minimizing the impact.
Put your head on a swivel
Cybersecurity will remain a balancing act, but a more complex one, with higher impact and a greater chance of destruction. Technology, processes and people, preferably in the right services mix, are necessary to build the layer of defence that covers the risk profile. Next generation technologies, strong integration and the use of orchestration tools are required for this journey.
With one eye on the dashboard and one eye on the future, you can still miss some relevant parts of the journey. You must also keep an eye on the different operational and DevOps teams, an eye on the board creating the company’s strategy, an eye on your customers, etc. By putting your head on a swivel, you will have a 360° view for both current and upcoming phases of your digital transformation.
It’s orchestrating the right mix and drawing the line at acceptable risks. That’s the challenge.