Advanced threats are here to stay. Time to uplevel your defenses.

Splunk

By Yassir Abousselham


Every career has defining moments. Most are spread out over years or even decades, but the cybersecurity world has had two career-defining moments just in the past year.

It started with the global shutdown caused by the COVID-19 pandemic. Overnight, many organizations were forced to support employees working remotely, and CISOs, like me, were expected to keep both the company and its employees safe in a completely unpredictable world. Then came SolarWinds, Codecov, Colonial Pipeline and Kaseya, a series of supply chain and ransomware attacks that could turn out to be the farthest-reaching attacks many cybersecurity professionals will see in their entire careers.

The question many of us are asking is: "What can a security organization do to combat these wildly differing threats?" We first need to acknowledge that these problems are not going away. Supply chain attacks and ransomware are both lucrative for criminals and effective as geopolitical weapons. Supply chain attacks, once attributed by default to governments, are now being leveraged by organized crime to realize significant profits through high-profile ransomware compromises.

A key component of countering these risks is a continuous cycle of threat hunts that assess the organization's resiliency against emerging threats and elevate defenses. For that capability to be effective, organizations need to remain hyper-aware of their technology footprint and of attacker tactics, and to achieve broad coverage when deploying security controls. Other key parts of defending against these threats are proactively assessing your software supply chain and technology vendors for ransomware mitigations, deploying solutions that counter known attacker tactics such as phishing, credential stuffing and malware, and identifying and remediating vulnerabilities on your systems before they are exploited.

Effective security is by definition multi-layered and strives to balance prevention and detection. Because we can't predict every tactic an attacker may use, aggressive detection is central to mitigating the risk of advanced attacks. We also need to modernize our security operations centers (SOCs) to improve their ability to detect notable events across an ever-expanding attack surface and to reduce dwell time, the time between when a compromise happens and when it is detected. This can be achieved through actionable intelligence, scalable SIEM solutions and automation.
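As a concrete illustration of the "known attacker tactics" and "detection" points above, here is an added example (not code from the original article or from Splunk) that runs credential-stuffing detection over a handful of constructed authentication log lines. The log layout and its field names (`src`, `user`, `result`) are assumptions made for the example. The logic is the one a SIEM rule would express as a distinct-count of usernames per source IP over a short time bucket: many failures against many different accounts from one source is stuffing, while many failures against one account is ordinary brute force, and a success from the stuffing source after the burst began is the event the SOC should act on first.

```python
"""Credential-stuffing detection over constructed auth log lines.

Added example, not code from the original article. It flags a source IP that
fails logins for many *distinct* usernames inside a short window, leaves
single-account brute force alone, and reports any success from the flagged
source after the burst began as a probable account takeover.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The "ts auth src= user= result=" layout and its
# field names are assumptions for this example, not a real product's schema.
# The last two lines are deliberately a malformed line and a late-arriving,
# out-of-order event, both of which real collectors produce.
SAMPLE_LOGS = """\
2021-07-01T10:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2021-07-01T10:00:04Z auth src=203.0.113.7 user=bob result=FAIL
2021-07-01T10:00:15Z auth src=203.0.113.7 user=dave result=FAIL
2021-07-01T10:00:20Z auth src=203.0.113.7 user=erin result=FAIL
2021-07-01T10:00:26Z auth src=203.0.113.7 user=frank result=SUCCESS
2021-07-01T10:00:02Z auth src=198.51.100.9 user=bob result=FAIL
2021-07-01T10:00:05Z auth src=198.51.100.9 user=bob result=FAIL
2021-07-01T10:00:08Z auth src=198.51.100.9 user=bob result=FAIL
2021-07-01T10:00:11Z auth src=198.51.100.9 user=bob result=FAIL
2021-07-01T08:00:00Z auth src=192.0.2.5 user=grace result=FAIL
2021-07-01T09:00:00Z auth src=192.0.2.5 user=heidi result=FAIL
2021-07-01T09:59:00Z auth src=192.0.2.5 user=ivan result=FAIL
2021-07-01T10:00:00Z auth src=192.0.2.5 user=judy result=FAIL
2021-07-01T10:01:00Z auth src=192.0.2.5 user=mallory result=FAIL
2021-07-01T10:01:30Z auth src=192.0.2.5 user=grace result=SUCCESS
garbage line that a collector might emit and the parser must skip
2021-07-01T10:00:09Z auth src=203.0.113.7 user=carol result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(lines):
    """Parse lines into (timestamp, src, user, result) tuples, oldest first.

    Malformed lines are skipped rather than raised on, and the result is
    sorted because collectors routinely deliver events out of order.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def _first_burst(fails, window, min_users):
    """Slide a time window over one source's sorted failures.

    Return (window_start, set_of_users) for the first window in which the
    failures touch at least min_users distinct accounts, else None.
    """
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        users = {e[2] for e in fails[start:end + 1]}
        if len(users) >= min_users:
            return fails[start][0], users
    return None


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return one finding per source IP whose failures look like stuffing."""
    by_src = defaultdict(list)
    for ev in parse_events(lines):
        by_src[ev[1]].append(ev)

    findings = []
    for src in sorted(by_src):
        evs = by_src[src]
        burst = _first_burst([e for e in evs if e[3] == "FAIL"], window, min_users)
        if burst is None:
            continue  # single-account brute force, or failures too spread out
        burst_start, users = burst
        # A success from the same source once the burst has begun is the
        # event that matters most: that account was most likely taken over.
        taken = [e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= burst_start]
        findings.append({
            "src": src,
            "burst_start": burst_start.isoformat(),
            "distinct_users": len(users),
            "compromised": taken,
        })
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOGS.splitlines()):
        print(f"{f['src']}: {f['distinct_users']} accounts failed from "
              f"{f['burst_start']}; successes after burst: {f['compromised']}")
```

With the defaults only 203.0.113.7 is reported (five accounts in twenty seconds, then a successful login as `frank`); 198.51.100.9 hammers one account and is left to a separate brute-force rule, and 192.0.2.5 never reaches five distinct accounts inside any five-minute window. Lowering `min_users` to 3 also catches 192.0.2.5, which shows why the threshold and window are the tuning knobs that need to be set against your own baseline of legitimate failed logins per source.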

Because cyber compromises are bound to happen, a robust incident response capability can make the difference between a routine event and one that threatens the organization's ability to continue operating. Incident response plans need to be augmented with threat-specific playbooks (e.g. for ransomware) that address considerations beyond technical containment. Ransomware response, for example, cuts across multiple functions and management layers within your organization. It needs to account for restoration of operations, internal and external communications, deciding whether to pay the ransom, engaging specialized professional services firms, and more. Lastly, your plan needs to be regularly tested through cross-functional tabletop exercises that stress test and cement your ability to respond to incidents before a real one occurs.

In short, for the majority of organizations, threat actors will pursue the shortest path to compromise by leveraging known tactics and vulnerabilities. Our responsibility as security professionals is to deploy multi-layered defenses, stay threat aware and scale our investments. It is imperative that we remain on a continuous improvement journey: iteratively collecting intelligence about the latest threats, testing our resilience against those threats, improving controls and enhancing our ability to respond.