Heroes in war movies rally the troops by pronouncing: failure is not an option. Heroes at the forefront of cybersecurity know better: failure is practically unavoidable. To protect businesses, the new name of the game is visibility. Monitor your computing environment, recover from attacks quickly, and learn from breaches so no attackers’ ploy will work twice.
Businesses must assume today that most infiltration defenses will fail – and deal with that reality.
Let me explain.
Securing a corporate computing environment is not a simple job. Most networks today include a jumble of defense products added over time. Add the challenge of “BYOD” (bring your own device) with employees plugging their own, often hackable, personal phones and tablets to the network. The result is a messy infrastructure where full protection from cyberattacks is usually an impractical goal.
The last two years show that no matter how robust the external defenses, a determined and persistent adversary can find a way to ransack a corporate network. In fact, the attackers’ malware typically does its damage for weeks or months before losses are detected. One dirty secret of corporate hacking episodes is that the adversary’s code can be nearly impossible to remove – even after it’s discovered. The hack may have made headlines months ago, but there’s a good chance the hackers are still in there.
Keeping cyber criminals out of your network remains a necessary and critical part of a robust security strategy. But the focus of corporate cyber defense is subtly shifting: from trying to prevent the bad guys from getting in, to minimizing the damage they can do once they are inside and trying to steal information.
There are two new secret weapons for businesses trying to protect personal data.
The first is network visibility – a way to see who is on your network at every moment, where they are, and what they are accessing. When corporate security managers have a real-time view of every connected device, every authorized user, and every malware link clicked by the careless or unwary, they have a far better chance of pinpointing the small minority of incoming threats that do serious damage.
The best protection approach is to detect strange, out-of-profile behavior on the network; launch a coordinated response; and have a security architecture that “learns” from attack event data.
The second secret weapon is speed. Once you – or your software – become aware of a breach, how long until you spot the exfiltration attempts, block them, and actually fix the underlying issue? Remediation matters more than placing blame, and speedy remediation is a function of visibility. The faster you see and size up a rip in your safety net, the faster the net gets back to normal. Repairing a breach with speed and confidence limits the damage done to public trust.
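As a concrete illustration of the visibility-and-speed idea in the two paragraphs above, here is an added example (not code from the original article or from any product it mentions) that turns "out-of-profile behavior" into something a script can flag. It reads constructed outbound flow records (timestamp, host, destination, bytes out), builds a per-host baseline from earlier days, and then reports three exfiltration indicators for the most recent day: outbound volume far above that host's baseline, a destination the host has never talked to before, and activity outside working hours. The record format, the 5x volume ratio and the 22:00-06:00 off-hours window are assumptions chosen for the example, not figures from the article.

```python
"""Baseline-and-deviation check for outbound traffic, run over constructed flow records."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample records (not real traffic). One flow per line:
# "<UTC timestamp> <host> <destination IP> <bytes out>"
# ws-17 behaves normally for four days, then pushes 350 MB to a new address at 02:13.
SAMPLE_FLOWS = """\
2015-06-01T09:15:00Z ws-17 198.51.100.10 150000
2015-06-01T14:40:00Z ws-17 198.51.100.20 80000
2015-06-01T10:00:00Z ws-22 198.51.100.10 90000
2015-06-02T09:15:00Z ws-17 198.51.100.10 150000
2015-06-02T14:40:00Z ws-17 198.51.100.20 80000
2015-06-02T10:00:00Z ws-22 198.51.100.10 90000
2015-06-03T09:15:00Z ws-17 198.51.100.10 150000
2015-06-03T14:40:00Z ws-17 198.51.100.20 80000
2015-06-03T10:00:00Z ws-22 198.51.100.10 90000
2015-06-04T09:15:00Z ws-17 198.51.100.10 150000
2015-06-04T14:40:00Z ws-17 198.51.100.20 80000
2015-06-04T10:00:00Z ws-22 198.51.100.10 90000
2015-06-05T02:13:00Z ws-17 203.0.113.45 350000000
2015-06-05T09:15:00Z ws-17 198.51.100.10 150000
2015-06-05T14:40:00Z ws-17 198.51.100.20 80000
2015-06-05T10:00:00Z ws-22 198.51.100.10 95000
"""


def parse_flows(text):
    """Parse the constructed record format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return flows


def find_anomalies(flows, ratio=5.0, min_baseline_days=3, off_hours=(22, 6)):
    """Compare each host's most recent day against its own earlier days.

    Returns (host, indicator, detail) tuples. Thresholds are assumptions for the example:
    ratio: today's outbound bytes must exceed ratio * mean(baseline days) to count as a spike;
    off_hours: (start_hour, end_hour) window in UTC treated as outside working hours.
    """
    daily = defaultdict(lambda: defaultdict(int))   # host -> date -> bytes out
    dests = defaultdict(lambda: defaultdict(set))   # host -> date -> destinations seen
    for f in flows:
        day = f["ts"].date()
        daily[f["host"]][day] += f["bytes"]
        dests[f["host"]][day].add(f["dst"])

    current = max(f["ts"].date() for f in flows)   # the day under review
    start, end = off_hours
    findings = []
    for host, per_day in daily.items():
        baseline_days = sorted(d for d in per_day if d < current)
        # Skip hosts with no traffic today or too little history to form a profile.
        if current not in per_day or len(baseline_days) < min_baseline_days:
            continue

        baseline = mean(per_day[d] for d in baseline_days)
        today = per_day[current]
        if today > ratio * baseline:
            findings.append((host, "volume", f"{today} bytes out vs baseline {baseline:.0f}"))

        known = set().union(*(dests[host][d] for d in baseline_days))
        for f in flows:
            if f["host"] != host or f["ts"].date() != current:
                continue
            when = f["ts"].isoformat()
            if f["dst"] not in known:
                findings.append((host, "new_destination", f"{f['dst']} at {when}"))
            if f["ts"].hour >= start or f["ts"].hour < end:
                findings.append((host, "off_hours", f"{f['bytes']} bytes to {f['dst']} at {when}"))
    return findings


if __name__ == "__main__":
    for host, indicator, detail in find_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(f"{host}: {indicator}: {detail}")
```

Run on the constructed records, only ws-17 is reported, on all three indicators, while ws-22's slightly higher day passes quietly; that is the point of a per-host profile rather than a single global threshold. In practice the baseline would come from flow logs or a NetFlow/IPFIX collector, and a volume spike that coincides with a never-seen destination outside working hours is exactly the kind of event that should trigger the coordinated response the article calls for.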
The new, real-world view: We may not always be able to stop them from getting in, and we may not be able to completely flush them out – but we can make it extremely difficult to get out with anything useful. So difficult, in fact, that most attackers will give up and go looking for a softer target. Which should suit cyber defenders just fine.
The old way of betting the farm on endpoint monitoring is no longer an effective strategy. This is not a border war anymore. Today’s cybersecurity landscape is more like urban warfare, where cyber criminals have to be rooted out door to door. And they are well-funded cyber criminals. Spending by our adversaries is skyrocketing while Global 2000 IT budgets grow at just 3 to 4 percent per year.
To keep pace, businesses must not only invest more and adopt a visibility-and-speed strategy, but also push for:
- New government policy that improves sharing of threat information – though sadly the 2015 Cybersecurity Information Sharing Act (CISA) remains stalled in Congress. Adversaries are incredibly collaborative; we fall short. We are boxing with one arm tied behind our backs until we have an information-sharing framework that involves businesses, private security interests, governments worldwide, and consumers.
- IT systems that talk to one another, so when a threat is detected it is rapidly shared and recognizable to multiple defense systems.
- A shift in user culture toward smarter, safer practices. The majority of corporate breaches are triggered by user error. Neither government nor industry can solve this problem without individuals understanding their responsibility in the security equation.
It would be overly pessimistic to call the cybersecurity battle unwinnable. But for businesses to gain the upper hand, they must adopt the creative and collaborative skills of cyber criminals who are out to get them. Acknowledging that cyber defenses occasionally will fail is not accepting defeat. It’s a stepping-stone to more effective corporate security strategy.