Too Much Time is Wasted "Reacting" in Security
By James Turgal, Vice President, Cyber Risk, Strategy & Transformation, Optiv

Despite how it feels in the current landscape of high-profile ransomware attacks and an ever-growing focus on cybersecurity in the news and geopolitics, seasoned security professionals have seen, and called out, the writing on the wall for decades. Yet, we appear to be stuck in a never-ending cycle, because security is still a reaction for most organizations.

It's well past time for leaders to make cybersecurity a front-end conversation and get serious about adopting best practices to build resilience. Disaster recovery has been around forever, but the successes lose their meaning when no tangible changes are made after the fact. If the growing attention on cyber incidents has taught us anything, it should be that it's a matter of when, not if, your organization comes under attack from malicious actors.

Thankfully, attack detection has progressed in leaps and bounds over the past few years. It's always improving, too, but a large time gap between detection, response and remediation still exists.

According to the Ponemon Institute, it takes an average of 69 days to respond to an attack. Detection alone takes, on average, 100 days from the initial compromise.

There are a number of complex reasons for these gaps, not least of which is an organization's structural setup. How much investment is directed toward response and resilience? How are the associated tasks, roles and responsibilities allocated, resourced and supported?

It seems like a simple concept, but it's vital to know what normal looks like on your networks and use the appropriately configured tools to get as much network coverage as possible. Strive for 100 percent coverage.

How can we get there? As security professionals we not only want to improve those times, but also save the company dollars, whether it's in the direct cost of breach resolution or in the associated costs of system downtime, recovery of lost/compromised data, restoration of business-critical functions, regulatory fines and any public relations blowback:

Patch and Update Constantly: Ultimately the most hacker-resistant environment is the best administered one. Organizations are undercutting system and network administration activities through budget/staff reductions and lack of training. This often forces prioritization and choice about what tasks get done sooner, later or at all. Over time this creates a large, persistent baseline of low- to medium-risk issues in the environment that can contribute to a wildfire event under the right conditions.

Email Security: Email is the number one entry point for malware. Given how much data points to this as the root cause of many breach events, it should be the next place where organizations double-down on security in the enterprise.

Endpoint Detection and Response: Phishing emails are destined for users who will click on attachments and potentially infect themselves with malware of some kind. The second most common malware infection vector is also achieved through an end-user action, typically by viewing malicious web content. Making sure all endpoints are under management and kept current will help prevent whack-a-mole malware infections that can persist in environments with inconsistently applied controls.

Segmentation and Egress Filtering: Just because hackers or a piece of malware make their way into your environment, it doesn't mean they should be able to spread to adjacent network nodes or slither back out with your mission-critical, regulated data. Limiting the ability to communicate both across and outside the network through a combination of controls, such as firewall policies and requiring the use of proxy servers, is an often-overlooked opportunity for organizations to increase their security, limit the impact of an incident and help prevent a network incident from becoming a public data breach.

Robust Detection Control Infrastructure: History teaches us that prevention-centric strategies will fail and should be paired with detective controls to minimize time to detection and remediation. Make certain the organization has a well-tuned SIEM/SOAPA/SOAR infrastructure as part of its security architecture and that it is receiving logs that cover the internal network and applications, as well as traffic through the perimeter.

Multi-factor / Multi-step Authentication: The majority of breaches involve the use of cracked, intercepted or otherwise disclosed authentication credentials at some point. Use strong, multi-factor authentication methods by default wherever possible. Combined with the ability to detect and alert on failed login attempts, this practice can provide clues about which users may be the focus of targeted attacks.
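The "detect and alert on failed login attempts" point above is the kind of detective control a SIEM rule would carry. As an added illustration (not code from the author or from Optiv), the script below runs that logic over a few constructed log lines: it counts failed logins per account inside a sliding time window, raises an alert when an account crosses a threshold, and raises a second, higher-value alert when a burst of failures is immediately followed by a successful login, which is the pattern that most deserves an analyst's attention. The log format, the window of five minutes and the threshold of five failures are assumptions chosen for the example; a real deployment would map its own authentication logs into the same fields.

```python
"""
Flag accounts that may be the focus of credential attacks.

Two signals are produced from an authentication log:
  - failed_login_burst:    >= THRESHOLD failures for one account inside WINDOW
  - success_after_burst:   a successful login while such a burst is still open

The log format, sample lines, window and threshold are constructed for this
example and are not taken from any particular product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed)
THRESHOLD = 5                   # failures in WINDOW that trigger an alert (assumed)

# Constructed sample log, one event per line:
#   <ISO timestamp> <FAIL|OK> user=<account> src=<source address>
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T08:00:04 FAIL user=alice src=203.0.113.5
2024-03-01T08:00:09 FAIL user=alice src=203.0.113.5
2024-03-01T08:00:15 FAIL user=alice src=203.0.113.5
2024-03-01T08:00:21 FAIL user=alice src=203.0.113.5
2024-03-01T08:00:30 OK   user=alice src=203.0.113.5
2024-03-01T08:05:00 FAIL user=bob src=198.51.100.7
2024-03-01T09:30:00 FAIL user=bob src=198.51.100.7
2024-03-01T09:31:00 OK   user=bob src=10.0.0.12
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_field, src_field = line.split()
    user = user_field.split("=", 1)[1]
    src = src_field.split("=", 1)[1]
    return datetime.fromisoformat(ts), result, user, src


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alert dicts for the events in log_text (oldest first)."""
    recent = defaultdict(deque)   # account -> timestamps of failures inside window
    burst_open = set()            # accounts already alerted for the current burst
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, src = parse_line(raw)
        q = recent[user]

        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()

        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append({"type": "failed_login_burst", "user": user,
                               "src": src, "count": len(q), "at": ts.isoformat()})
        elif result == "OK":
            # A success while a burst is still open is the stronger signal:
            # either the account was guessed or the real user logged in under attack.
            if len(q) >= threshold:
                alerts.append({"type": "success_after_burst", "user": user,
                               "src": src, "count": len(q), "at": ts.isoformat()})
            # A successful login closes the burst for this account.
            q.clear()
            burst_open.discard(user)

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data only `alice` is flagged: five failures in twenty seconds open a burst, and the success nine seconds later produces the follow-on alert. `bob` has two failures eighty-five minutes apart, so the first has aged out of the window by the time the second arrives and no alert is raised. The same structure extends naturally to keying on source address instead of account, which catches password spraying across many users from one origin.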

Engage People, Process and Technology: Build a detection and response strategy that is proactive by default. Organizations need their teams and partners to take decisive, threat hunting actions that not only remediate threats and minimize business impact, but also quickly identify known and emerging threats.

Develop and wargame your cyber incident response often with these in mind because bad actors aren't new, and they aren't going anywhere. If we ever expect to get out of this cycle, we need to think differently about security and where our time is spent.
