No Such Thing as Hacker-proof
You’ve been breached, or you soon will be. Now what?
Many organizations may have a false sense of security, perhaps even complacency, resulting from their investments in non-agile security tools and processes they have relied on for years. Yet firewalls, antivirus, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are increasingly less effective as attackers leverage encryption and other innovative techniques to evade them. Many companies are failing to detect long-dwell cybercrimes in their IT environments and misallocating limited resources to lesser, more generic threats. Basic security blocking and tackling is valuable, but is in no way sufficient.
Organizations across many industries need to up their games. That can require changing the lens through which they view cyber risk – not relying upon traditional security controls revealing tell-tale signs of an effective attack – but leveraging intelligence and advanced techniques to identify the coming threat and proactively respond.
Kieran Norton, principal, Deloitte & Touche LLP, describes how the cyber threat landscape continues to change, and offers a recent example from the oil and gas industry where attackers have compromised systems looking for bid and exploration data.
Where do you start?
Secretary of Defense Leon Panetta says that America’s critical infrastructure systems have been breached already [1]. This is not defeatism – it is a catalyst to spark the recognition that the world has changed. Organizations should view cyber intelligence as a strategic priority. The threat is real. We are under attack. Yet the impact can be lessened by a systematic response. Potential places to start include:
- Identify the jewels. Understand the external cyber-threat beacon of your organization – the market value of stolen intellectual property in your industry and, specifically, in your company. Tap into external intelligence to understand the broader threat landscape. Then look inward and catalog your high-risk assets – either because of high potential for monetization if stolen, or critical business impact if breached.
- Know your baseline. Assess your current cyber-threat management program across specific dimensions in order to identify strengths and gaps. Include intelligence capabilities, emerging threat research and modeling, brand protection, and network and malware forensics.
- First things first. Develop a roadmap for enhancing your target threat defense architecture, prioritized based on perceived risk of high-value business assets. Update your threat assessment process to focus on the select business risks to the organization, and then model how those business risks may be affected by specific cyber threats. All too often organizations group a series of threats together into a single ‘cyber bucket’ – focused on the general security threats various companies deal with, not those use cases that could impact their own business in a material fashion. This approach typically doesn’t allow for targeted mitigation, often resulting in important threats to the business that are not addressed.
- Don’t forget the business case. Based on the program assessment and updated threat scenarios, articulate the business case for enhancement of the cyber-threat-management program. This seems like an obvious step, but many information security teams look at their mission as a pre-ordained mandate. Clearly articulating the reasoning, justification and business impact can breathe new life into the security organization and increase likelihood of funding to expand capabilities.
- Think “extend,” not “replace.” Seek to gain the most leverage out of the technologies and processes already in place before building or implementing new ones. It is likely that there are a number of existing SIEM capabilities that can be enhanced, as well as the ability to dig additional functionality and intelligence out of tools including endpoint protection, vulnerability assessment and patch management, content monitoring, data loss protection, intrusion prevention and core network services. Determine which pieces of the target threat defense architecture are in place today – or could be with additional tuning and integration, versus net-new technology and process needs.
Cyber security may sound technical in nature, but at its core it is a business issue. Any company’s competitive position and financial health may be at stake.
Business and technology leaders need to engage in effective dialog about what the business values most, how the company drives competitive advantage, and which information and other digital assets are the most sensitive. Brand, customer trust and strategic positioning are at risk.
This new reality requires a new attitude around security and privacy. Anticipate and prevent when possible, but be ready to isolate and encapsulate intrusions to reduce impact. There may be No Such Thing as Hacker-proof, but there’s a chance to reduce your cyber beacon, be less inviting to attack, and proactively establish outward- and inward-facing measures around your most valued assets.
[1] J. Nicholas Hoover, “DOD: Hackers Breached U.S. Critical Infrastructure Control Systems,” InformationWeek, October 12, 2012, http://www.informationweek.com/government/security/dod-hackers-breached-us-critical-infrast/240008972