By Amanda Johnson on Feb 28, 2019 1:51:34 PM
Rethinking Security: Why an Assumption of Breach Mindset Should be Adopted
2018 brought with it some unprecedented challenges in maintaining security against cyber threats; it also brought some of the most staggering and effective attacks to date, including one of the largest breaches in history, in which roughly 500 million Marriott customer records were stolen. Cybercriminals, it seems, have stepped up their game: we have seen increases in the frequency of ransomware, crypto-jacking and phishing attacks against businesses of nearly every size, location, and industry. Nearly 200 million ransomware attacks occurred last year alone, with estimated damages of over $8 billion.
AI and machine learning are also being leveraged by criminals to improve their attacks. As a result of these highly successful attacks, IT professionals are being charged not just with maintaining their layered security defenses but with updating them, to protect their organizations and users against the increasing likelihood of a breach.
In several recent public presentations, Martin Roesch, Vice President and Chief Architect of Cisco's Security Business Group, has asked his audience, “If you knew you were going to be compromised, would you do security differently?” What does that question mean for organizations, and what changes should they make to adapt to modern, constantly evolving security challenges?
Before an organization starts strategizing about tools or policies to implement, the first step is making a vital change in their overall security mentality from “assumption of protection” to “assumption of breach.” A recent article in SC Magazine stated, “Companies are still prioritizing protection over detection despite the fact that preventative capabilities alone are fundamentally incapable of stopping today’s cyber threats.”
When transitioning to the assumption of breach model, an organization should start by looking at foundational security concepts in a different light. It is also important to remember that most breaches involve human error or manipulation at some point in the chain. In other words, whatever security technologies you have in place are only as good as the organization's security policies and its vigilant assurance that employees actually follow them. Employee training is therefore the first step toward preventing security breaches; CompTIA reports that 9 out of 10 firms now use security training to assess or improve employee knowledge.
An increasing number of security leaders recognize that breaches are inevitable, and that an assumption of breach mindset goes a long way toward protecting sensitive data and networks. As part of an assumed-breach defense strategy, they recommend developing a multi-layered security posture and investing in prevention, detection, and response solutions. Ideally, these solutions will:
- Detect threats and attacks that have made it past other defenses
- Gather detailed footprints of attacker actions from across the organization
- Supply information on the attack and recommend a response
Sean Sweeney, Americas Director and Chief Security Advisor at Microsoft, agrees: when protective controls fail, as they inevitably will, SOC teams fall back on their detection and response technologies and processes to minimize damage.
When transitioning to an assumption of breach mentality, Sweeney also recommends a three-pronged strategy for battling ransomware and rapid cyberattacks as part of a multi-layered security protocol:
Invest more resources in preventing inexpensive opportunistic attacks, forcing attackers to develop more costly and sophisticated threats. “By focusing investments on low-cost, high-likelihood attacks, we force bad guys toward more-expensive threats. They then have to reconsider whether targeting a specific organization is worth it,” Sweeney said.
Contain damage by preventing attackers from traversing the network at will. Start by restricting access to shared files and securing privileged access; administrators with access to the production environment should also be required to work from a hardened workstation that is isolated from the Internet, so that a phished browser session or a malicious attachment on their everyday machine cannot be turned into a foothold on the servers they manage.
Ensure data is backed up, inaccessible to attackers, and restorable through a tested process. Assume that, even once detected, a threat could encrypt an entire IT environment before a team can respond. Sweeney advises following disaster recovery best practices, such as backing up critical systems and application data to local or cloud storage that cannot be reached from the breached network; an attacker who can reach the backups will simply encrypt or delete them as well, so the restore procedure should be exercised before it is needed.
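The detection bullets above (spot attackers who got past the front door, gather footprints of their actions) and Sweeney's containment prong both come down to noticing lateral movement early. As an added example, not code from the original post, GhostVolt, Cisco or Microsoft, the following Python script flags accounts that perform network logons (Windows event 4624, logon type 3) to many distinct hosts inside a short sliding window, which is the signature of an attacker or worm hopping between machines. The log format, field names, threshold, window length and the allowlisted backup account are all constructed assumptions; the sample events are invented for the demonstration and include a stale logon outside the window, an interactive logon that must be ignored, an out-of-order line and a malformed line.

```python
"""Fan-out detector for lateral movement over constructed logon events.

Added example: not code from the original post, GhostVolt, Cisco or Microsoft.
Assumed (constructed) log format: one line per Windows logon event,
'<ISO-8601 UTC timestamp> key=value key=value ...', with the fields
host, event, logon_type, user and src_ip. The threshold, the window and the
allowlisted service account are illustrative assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumption: how long a burst of logons is correlated
THRESHOLD = 5                    # assumption: distinct hosts in one window that is suspicious
ALLOWLIST = {"svc-backup"}       # assumption: accounts whose fan-out is expected (backup jobs)

# Constructed sample events, not real logs: a normal user (alice), an allowlisted
# backup account touching five workstations, and a compromised account (jsmith)
# hopping across six hosts in a few minutes.
SAMPLE_EVENTS = """\
2019-02-27T09:40:00Z host=OLD01 event=4624 logon_type=3 user=jsmith src_ip=10.0.1.55
2019-02-27T09:58:10Z host=FS01 event=4624 logon_type=3 user=alice src_ip=10.0.1.20
2019-02-27T10:00:00Z host=WS011 event=4624 logon_type=3 user=svc-backup src_ip=10.0.0.9
2019-02-27T10:00:05Z host=WS012 event=4624 logon_type=3 user=svc-backup src_ip=10.0.0.9
2019-02-27T10:00:09Z host=WS013 event=4624 logon_type=3 user=svc-backup src_ip=10.0.0.9
2019-02-27T10:00:14Z host=WS014 event=4624 logon_type=3 user=svc-backup src_ip=10.0.0.9
2019-02-27T10:00:20Z host=WS015 event=4624 logon_type=3 user=svc-backup src_ip=10.0.0.9
2019-02-27T10:02:00Z host=WS021 event=4624 logon_type=3 user=jsmith src_ip=10.0.1.55
2019-02-27T10:02:40Z host=WS022 event=4624 logon_type=3 user=jsmith src_ip=10.0.1.55
2019-02-27T10:03:50Z host=WS021 event=4624 logon_type=3 user=jsmith src_ip=10.0.1.55
2019-02-27T10:04:00Z host=FS01 event=4624 logon_type=3 user=jsmith src_ip=10.0.1.55
2019-02-27T10:03:15Z host=WS023 event=4624 logon_type=3 user=jsmith src_ip=10.0.1.55
2019-02-27T10:04:30Z host=DC01 event=4624 logon_type=2 user=jsmith src_ip=10.0.1.55
2019-02-27T10:05:30Z host=WS024 event=4624 logon_type=3 user=jsmith src_ip=10.0.1.55
2019-02-27T10:06:10Z host=SQL01 event=4624 logon_type=3 user=jsmith src_ip=10.0.1.55
2019-02-27T10:30:00Z host=FS02 event=4624 logon_type=3 user=alice src_ip=10.0.1.20
this line is not a log record
"""


@dataclass
class Alert:
    user: str
    first_seen: datetime   # oldest logon still inside the window when the threshold was hit
    last_seen: datetime    # the logon that pushed the account over the threshold
    hosts: list            # distinct targets in that window, sorted


def parse_event(line):
    """Parse one line into a dict with a tz-aware 'ts'; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = {"ts": ts}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if not sep or not key:
            return None
        fields[key] = value
    return fields


def detect_fan_out(lines, window=WINDOW, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return one Alert per account that reaches `threshold` distinct network-logon
    targets (event 4624, logon type 3) within any sliding `window`."""
    events = [e for e in map(parse_event, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])        # collectors deliver lines out of order
    recent = defaultdict(deque)               # user -> deque of (ts, host), oldest first
    alerted, alerts = set(), []
    for e in events:
        # Only network logons count; interactive/console logons are not lateral movement.
        if e.get("event") != "4624" or e.get("logon_type") != "3":
            continue
        user, host = e.get("user"), e.get("host")
        if not user or not host or user in allowlist:
            continue
        q = recent[user]
        q.append((e["ts"], host))
        while e["ts"] - q[0][0] > window:     # evict logons older than the window
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) >= threshold and user not in alerted:
            alerted.add(user)                 # report the first crossing only
            alerts.append(Alert(user, q[0][0], e["ts"], hosts))
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_EVENTS.splitlines()):
        print(f"{a.user}: {len(a.hosts)} hosts between {a.first_seen:%H:%M:%S} and "
              f"{a.last_seen:%H:%M:%S}: {', '.join(a.hosts)}")
```

Run as-is, the script reports only jsmith, with five distinct hosts between 10:02:00 and 10:05:30; the stale 09:40 logon has aged out of the window, the interactive logon to DC01 is ignored, and the backup account is suppressed by the allowlist. Two design points matter in practice: the allowlist is what keeps the rule from drowning in backup jobs and vulnerability scanners, so it has to be reviewed whenever a service account is added, and the rule only sees what is logged, so network logons must actually be forwarded from every member server, not just the domain controllers, before it can gather the "detailed footprints" the bullets above ask for.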
In today's BYOD environment, unintentional leaks through social media, email, or even the public cloud are often outside a company's direct control; data management must therefore be tuned to varying levels of sensitivity so that documents and emails are seen only by authorized employees. In Anatomy of a Breach, Microsoft recommends that companies consider implementing a solution that:
- Mitigates the risk of data theft via file classification, labeling, and monitoring
- Prevents potential data leakage without interfering with the employee experience
- Keeps employee and corporate data separate, without switching environments or apps
- Protects existing line-of-business (LoB) apps without requiring an update
- Wipes corporate data from devices while leaving personal data intact
Resources spread across multiple environments, combined with employees accessing that data from the cloud, create an even larger attack surface that must be monitored and protected. According to Microsoft, an organization needs increased control and visibility not just over its increasingly diverse environment but over its security tools as well. Companies should consider a security management program that:
- Enables various tools to communicate with each other
- Gives customers the ability to react quickly during a breach, based on new insights
- Helps identify high-risk and abnormal usage, as well as security incidents
- Gives enhanced visibility into usage and shadow IT
Prevention strategies and technologies cannot guarantee safety from every attack, and it is entirely possible that a company has already been compromised without yet realizing it. Once an organization accepts that a breach is inevitable, it can begin protecting and monitoring sensitive information in a way that actually mitigates the risk.
Guest author Amanda Johnson is a writer for the security blog Threat Cats. This is Amanda's first post here and we welcome her to the GhostVolt blog. You can connect with Amanda via LinkedIn, or email at firstname.lastname@example.org