Tactical Decisions in Fighting Cyberattacks must be based on a Security Framework
By Mike Benjamin, Senior Director of Threat Intelligence, CenturyLink
Security 101: Know Thyself
Anyone looking for a sign that the cybersecurity tide is turning, that the industry is starting to win back the upper hand from cybercriminals, is going to have to wait a bit longer. In the first few months of 2018, we have already seen nearly 700 global breaches impacting almost 1.5 billion data records, according to RiskBased Security’s recent “Data Breach QuickView Report.” While these statistics show a drop compared to the same period in 2017, they should serve as a reminder that most enterprises still need a sound security strategy. Why, with all the technology and attention paid to cybersecurity, aren’t we seeing the needle move in the industry’s favor? Spending on cybersecurity technology increases every year. The industry is experiencing amazing growth, and there seems to be no end in sight. But, clearly, throwing money at the problem of data breaches is not the answer. The answer is to begin with the basics of cybersecurity “blocking and tackling,” and only then spend money on appropriate technology controls. Let me explain.
Sometimes, the truth hurts.
For all the bold claims made by security vendors, the simple truth of cybersecurity is that there is no failsafe: no vendor or product can single-handedly protect a business from the universe of potential threats. But there is power in recognizing this truth, because it pushes enterprises to take back responsibility for understanding their own network environment and building the right security posture from the ground up. Organizations must come to the often harsh realization that technology must not lead, but instead follow, a strategy for dealing with cybersecurity risk. Industry observers and experts have seen a decline in the application of the basic, non-technical planning and governance practices that have been around for decades. This is a key reason why data breaches continue at the scale they do.
In order to be strategic rather than reactionary, cybersecurity tactics must be based on a sound approach. This is why the application of technology alone is not a strategy. Instead, the starting point should always be the development of a cybersecurity governance framework. By assessing its data (what valuable or sensitive data it holds, where that data is kept, how old it is, who has access to it and by what means, and so on), the business can set out to protect the confidentiality, integrity and availability of that data. With this knowledge, a framework of security controls and policies can be developed that includes risk assessments, asset classification, incident-response simulations and comprehensive training at all levels of the business. Once a guideline for treating risks is established, then, and only then, can proper technology controls be applied.
Looking for risk in all the wrong places
Many organizations don’t fully understand all the risks and threats they need to consider. When concerned with cyberthreats, enterprises tend to look outside the organization. However, insider threats are far more common than many companies believe, and they can be reduced significantly if the business employs basic network forensics, practical network segmentation, thoughtfully managed access controls, and monitoring and analysis of internal network traffic. Internal network and application data from firewalls, intrusion detection and intrusion prevention systems (IDS/IPS) and logs from network devices is a powerful, often overlooked resource for evaluating the security of an organization. Only with a deep understanding of typical day-to-day network behavior, such as how much data an employee sends or downloads on a given workday, can a business develop a realistic picture of its network operations and recognize early when suspicious activity occurs.
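The per-user baseline the paragraph describes can be built from the firewall logs most organizations already collect. The following is an added example, not code from the article or from CenturyLink: it parses constructed firewall export lines in an assumed `user=… src=… dst=… bytes_out=…` format, sums each user’s outbound bytes per day, and flags a day that exceeds that user’s own median plus a multiple of the median absolute deviation (MAD). Median and MAD are used rather than mean and standard deviation so a single huge transfer does not inflate the baseline it is being compared against; users with too little history are reported as skipped instead of silently ignored.

```python
"""Added example (not from the article): baseline each user's daily egress from
constructed firewall log lines and flag days that break that user's own pattern."""
import re
from collections import defaultdict
from statistics import median

# Assumed, simplified firewall export format (constructed for this example):
#   <ISO timestamp> user=<name> src=<ip> dst=<ip> bytes_out=<n>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+user=(?P<user>\S+)\s+"
    r"src=\S+\s+dst=\S+\s+bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample log: alice is steady for five days and then moves ~9.5 GB
# overnight; bob is flat; carol is noisy but within her own norm; dave has too
# little history to baseline; one line is deliberately malformed.
SAMPLE_LOG = """\
2018-03-01T09:12:44Z user=alice src=10.0.1.15 dst=52.10.20.30 bytes_out=70000
2018-03-01T15:40:02Z user=alice src=10.0.1.15 dst=52.10.20.31 bytes_out=50000
2018-03-02T10:01:10Z user=alice src=10.0.1.15 dst=52.10.20.30 bytes_out=98000
2018-03-03T11:22:05Z user=alice src=10.0.1.15 dst=52.10.20.30 bytes_out=135000
2018-03-04T09:58:31Z user=alice src=10.0.1.15 dst=52.10.20.30 bytes_out=110000
2018-03-05T16:03:47Z user=alice src=10.0.1.15 dst=52.10.20.30 bytes_out=125000
2018-03-06T02:14:09Z user=alice src=10.0.1.15 dst=185.0.0.10 bytes_out=4500000000
2018-03-06T02:51:33Z user=alice src=10.0.1.15 dst=185.0.0.10 bytes_out=5000000000
2018-03-01T08:30:00Z user=bob src=10.0.1.22 dst=52.10.20.30 bytes_out=50000
2018-03-02T08:31:00Z user=bob src=10.0.1.22 dst=52.10.20.30 bytes_out=52000
2018-03-03T08:29:00Z user=bob src=10.0.1.22 dst=52.10.20.30 bytes_out=49000
2018-03-04T08:33:00Z user=bob src=10.0.1.22 dst=52.10.20.30 bytes_out=51000
2018-03-05T08:30:00Z user=bob src=10.0.1.22 dst=52.10.20.30 bytes_out=50500
2018-03-06T08:32:00Z user=bob src=10.0.1.22 dst=52.10.20.30 bytes_out=53000
2018-03-01T13:00:00Z user=carol src=10.0.2.7 dst=52.10.20.40 bytes_out=300000
2018-03-02T13:05:00Z user=carol src=10.0.2.7 dst=52.10.20.40 bytes_out=2000000
2018-03-03T13:10:00Z user=carol src=10.0.2.7 dst=52.10.20.40 bytes_out=450000
2018-03-04T13:02:00Z user=carol src=10.0.2.7 dst=52.10.20.40 bytes_out=1200000
2018-03-05T13:08:00Z user=carol src=10.0.2.7 dst=52.10.20.40 bytes_out=800000
2018-03-06T13:01:00Z user=carol src=10.0.2.7 dst=52.10.20.40 bytes_out=2600000
2018-03-05T17:45:00Z user=dave src=10.0.3.9 dst=52.10.20.50 bytes_out=70000
2018-03-06T03:20:00Z user=dave src=10.0.3.9 dst=185.0.0.10 bytes_out=8000000000
2018-03-02 this line is malformed and must be skipped
"""


def daily_egress(lines):
    """Sum bytes_out per user per calendar day; lines that do not parse are skipped."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        totals[m["user"]][m["day"]] += int(m["bytes"])
    return totals


def flag_anomalies(totals, k=5.0, min_days=3, min_bytes=10_000_000):
    """Leave-one-out robust baseline per user.

    A day is flagged when its total exceeds median + k * MAD of that user's
    *other* days and also an absolute floor (min_bytes), so small-volume users
    do not alert on noise. Users with fewer than min_days other days are
    returned in the skipped set rather than baselined on too little history.
    """
    flags, skipped = [], set()
    for user in sorted(totals):
        days = sorted(totals[user])
        if len(days) < min_days + 1:
            skipped.add(user)
            continue
        for day in days:
            value = totals[user][day]
            baseline = [totals[user][d] for d in days if d != day]
            med = median(baseline)
            mad = median([abs(x - med) for x in baseline])
            # Floor the scale so a perfectly flat baseline does not give a zero-width band.
            scale = max(mad, 0.05 * med, 1)
            threshold = med + k * scale
            if value > threshold and value > min_bytes:
                flags.append({"user": user, "day": day, "bytes": value, "threshold": threshold})
    return flags, skipped


if __name__ == "__main__":
    totals = daily_egress(SAMPLE_LOG.splitlines())
    flags, skipped = flag_anomalies(totals)
    for f in flags:
        print(f"ALERT {f['user']} {f['day']}: {f['bytes']} bytes out (threshold {f['threshold']:.0f})")
    print("insufficient history:", sorted(skipped))
```

Run against the sample, only alice’s 2018-03-06 total is flagged; carol’s naturally variable days stay inside her own band, and dave is listed as lacking history rather than being judged on two data points. In production the same logic would run on per-user (or per-host) aggregates over a longer window, with the k and floor tuned against the organization’s own traffic, which is exactly the day-to-day understanding the paragraph calls for.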
What we need right now is more threat intelligence, right?
An example of a product area on which organizations have probably overspent, with disappointing results, is “threat intelligence,” which happens to be one of the most overused and poorly defined terms in our industry. A plethora of threat intelligence vendors have launched their wares on a now-weary market suffering from threat fatigue, mostly because these products and services produce interesting, but not truly actionable, data. Still, threat intelligence should not be ignored. It just needs to be used properly, with appropriate expectations of what it can deliver. Network forensics, coupled with real-time threat data, can alleviate threat intelligence fatigue, a familiar complaint of CSOs and CISOs. With the sheer volume of potential threats, the broad range of possible attack vectors and the steady stream of new vulnerabilities, many enterprises find threat intelligence overwhelming and ineffective. For example, CenturyLink monitors roughly 1.3 billion security events impacting more than 104 million unique victims per day. The threat landscape is only growing, but not every piece of intelligence is relevant to an individual business. To avoid being inundated with irrelevant information, business leaders should use their cybersecurity frameworks to pinpoint the threats most applicable to their industry, their business and their particular areas of concern.
Where do we go from here?
Security costs are spiraling out of control, in some cases reaching north of 20 to 30 percent of IT budgets today. As businesses compete on seemingly ever-diminishing margins for customers hungry for a differentiated experience, this simply isn’t sustainable. But enterprises already have within their walls, concrete and virtual, the keys to reducing cybersecurity expense and complexity, improving their security posture and improving the performance of their business. Every tactical decision made in fighting cyberattacks must be based on a security framework; starting with a basic one is better than nothing. From there, newer technologies such as next-generation firewalls, threat intelligence, deception techniques, mission-oriented resilient clouds (MRCs) and so on become far more effective and manageable. It is important to note that the foregoing is not meant to be a comprehensive list of what organizations should do. Rather, it is meant to encourage a governance-oriented approach and frame of mind when building a viable cybersecurity program. Frameworks are built over time, and they should not be overly complex. For organizations that don’t have one in place, wish to review the one they currently have, or have no idea where to begin, an excellent place to start is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This will do far more to bolster an organization’s security posture than many leaders realize.