Cyberwarfare Requires Speed, Adaptability And Visibility To Win

By Patrick Moorhead - July 29, 2020

Cybersecurity is now a war of attrition. Companies face new threats every day, and it is impossible to keep up with the frequency and volume of vulnerabilities that profoundly impact a company’s IT hygiene. Bad actors and nation-states have created a cottage industry for hackers/crackers who indiscriminately attack foreign networks and their critical infrastructure. Recently, complaints to the FBI regarding security incidents quadrupled, mainly due to more employees working from home. Based on our own research and in-field cyber assessments, we have seen the costs of ransomware attacks increase to nearly $12 billion, up 74% since 2018. This is particularly evident in healthcare, critical infrastructure, financial services and the public sector. We expect the cost of ransomware attacks to grow by an additional 60%, to nearly $19 billion, in 2020, as more employees work remotely due to Covid-19.

Unfortunately, most organizations do not have the insight or visibility into their infrastructure to detect or react to a breach, nor do they have the policies and processes to respond to an attack. In an age of interoperability, many companies still live in silos of information that prevent security teams from practicing proactive cybersecurity. Because they are not proactive and cannot see their blind spots, they are more likely to be the target of a significant attack. Mature companies realize they cannot keep determined bad actors out of their networks. However, they can reduce the frequency of substantial intrusions, limit the damage and restore normal operations faster by taking a proactive cybersecurity posture.

Proactive cybersecurity

Effective and proactive cybersecurity requires a combination of technology, processes and people. The intelligence community (IC) recognizes this and has implemented several guidelines designed to keep classified information out of the hands of bad actors while improving cross-agency collaboration.

Dataflow automation - The IC works diligently to automate how information and services are shared across the various agencies. Sharing data allows analysts and investigators to gain visibility into their assets in the office and in the field, and improves the speed with which they can respond to security threats, physical or otherwise. By eliminating data silos, IT operations and cybersecurity teams can work as one, reduce friction and improve efficiency.

Security is everyone's responsibility - All personnel, from IT, operations and executives to analysts, cross-train on cybersecurity hygiene and threat detection tools. This gives IC teams a broader perspective (counterterrorism) and insight into where attacks originate and who is behind them. Further, by making security everyone's job, awareness and cyber literacy rates have improved.

Know your enemy - Continuous monitoring via global security operations centers (GSOCs) and network operations centers (NOCs) serves three purposes: identifying and responding to cyber threats (the SOC function), monitoring and managing critical infrastructure and endpoints in the field or at a centralized location (the NOC function), and forcing organizations to look in the mirror and strive for constant improvement and accountability.

The Department of Defense (DoD) and IC have several cyber commands (USCYBERCOM) throughout the world. Their mission is to align cyber efforts in order to defend our national interests and those of our trusted allies. Analysts and hunters monitor attacks from every corner of the world. One of the most intriguing aspects of these facilities is how U.S. agents know who the most skilled hackers/crackers are, when they work and which specialties they have. Pursuing attackers is just one aspect of their mission. The main goal of USCYBERCOM is to expose, disrupt and degrade the offensive cyber capabilities of U.S. enemies while strengthening the cybersecurity and resilience of the IC and DoD. The IC’s holistic approach to security has helped agencies:

  • Communicate intelligence and data more efficiently, with speed and visibility, and reduce barriers between departments and agencies
  • Reduce the noise and focus on aligning systems and solutions for improved interoperability between distributed assets and centralized locations
  • Increase cybersecurity awareness and literacy community-wide, making everyone accountable for their actions

Tanium's approach to unifying IT operations and security teams aligns well with many of the IC and DoD cyber-readiness best practices, such as the current National Institute of Standards and Technology (NIST) 800-171 cybersecurity compliance specifications (and eventually the Cybersecurity Maturity Model Certification (CMMC) standard). Tanium's platform is especially relevant as it pertains to asset visibility, network resilience and organizational accountability.

Putting the pieces together to deploy a cybersecurity force-multiplier

Distributed networking environments create significant complexities, especially from a security and management perspective. Most platforms that address network management focus on improving operational efficiencies or systems maintenance but fail to address risk and security concerns. Conversely, most endpoint security platforms do not consider asset management and overall IT health. This is a significant vulnerability, especially within distributed environments.

Based on dozens of our “red team” gap analyses and cyber-readiness assessments, we found nearly 60% of the organizations tested had misconfigured firewalls. Firewalls are where IT operations meets security. The explosion of policies for bring your own device (BYOD), the Internet of Things (IoT) and edge computing has increased nearly every business’s attack vectors, exposing its vulnerabilities. Further, endpoint devices can create blind spots that allow attackers to find and exploit gaps within the network.

It is important for organizations to eliminate the silos and bring IT operations, risk and security onto one platform. A unified approach gives enterprises the ability to homogeneously monitor, secure and manage endpoints, effectively eliminating visibility gaps and improving business continuity and resilience. By bridging the gap between IT and security operations, CIOs benefit from:

  • Comprehensive visibility into asset discovery and inventory
  • Real-time endpoint performance monitoring and configuration
  • Accelerated software optimization
  • Cross-functional data risk and privacy management

Asset discovery and inventory

As the number of network-connected devices grows exponentially, IT organizations must be able to discover unmanaged assets within the network—from public and hybrid cloud environments, servers, workstations, laptops and even virtual environments like containers. Collecting asset intelligence and determining what software, services and configurations are installed on each IP-enabled endpoint gives security and IT professionals a holistic view of the network, which helps them defend against attacks. By automating asset discovery and endpoint inventorying, customers can improve their cybersecurity posture, integrity and dataflow.

Real-time endpoint performance monitoring and configuration management

Most security teams underestimate the importance of performance monitoring, while IT operations tend to treat performance and availability as the bellwether. Traditional unified endpoint management (UEM) and unified endpoint security (UES) tools scan devices for compliance or security vulnerabilities only periodically and on an as-needed basis (typically monthly, at times weekly). Further complicating things, most IT departments have a tortuous process for divvying up the results amongst stakeholders and system owners.

Although performance monitoring is a viable way to determine when a system is failing or needs maintenance, it can also identify anomalies such as attackers dumping database tables or changes in the master-boot-record (MBR)—a significant signature of ransomware attacks. For security professionals, endpoint performance functionality is an effective way to establish a reporting and alerting baseline for remote assets and devices.
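The MBR check described above, as an added example (not code from the article or from Tanium): the first 512 bytes of a disk are fingerprinted once to establish a baseline, and later reads are compared against it. The sample disk images, including the boot-code stub and the single partition entry, are constructed for the example; the split into boot code (bytes 0-445), partition table (446-509) and the 0x55AA signature (510-511) follows the classic MBR layout.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_END = 510    # bytes 446..509 hold four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def mbr_fingerprint(disk_image: bytes) -> dict:
    """Hash the MBR as a whole and by region so a later diff says *what* moved."""
    mbr = disk_image[:MBR_SIZE]
    return {
        "sha256": hashlib.sha256(mbr).hexdigest(),
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(
            mbr[BOOT_CODE_END:PARTITION_TABLE_END]).hexdigest(),
        "signature_ok": mbr[PARTITION_TABLE_END:MBR_SIZE] == BOOT_SIGNATURE,
    }


def check_mbr(baseline: dict, current_image: bytes) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    current = mbr_fingerprint(current_image)
    if current["sha256"] == baseline["sha256"]:
        return []
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature missing or corrupted")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        # Boot code rewritten: the classic bootkit / boot-locking ransomware footprint.
        findings.append("boot code changed")
    if current["partition_table_sha256"] != baseline["partition_table_sha256"]:
        # Partition changes can be legitimate (resize, new volume) but still need review.
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    assert len(boot_code) == BOOT_CODE_END
    assert len(partition_table) == PARTITION_TABLE_END - BOOT_CODE_END
    return boot_code + partition_table + BOOT_SIGNATURE


# --- constructed sample images (not real disks) ---------------------------------
# A short jump-style stub padded with zeros stands in for real boot code.
CLEAN_BOOT_CODE = bytes([0xEB, 0x63, 0x90]) + b"\x00" * 443
# One bootable Linux partition entry (type 0x83, LBA start 2048) plus three empty entries.
CLEAN_PARTITION_TABLE = bytes([
    0x80, 0x20, 0x21, 0x00, 0x83, 0xFE, 0xFF, 0xFF,
    0x00, 0x08, 0x00, 0x00, 0x00, 0xF8, 0x3F, 0x00,
]) + b"\x00" * 48
CLEAN_DISK = build_mbr(CLEAN_BOOT_CODE, CLEAN_PARTITION_TABLE) + b"\x00" * 4096

# Baseline captured when the endpoint was known-good.
BASELINE = mbr_fingerprint(CLEAN_DISK)

# Same disk after its boot code has been overwritten (partition table left intact).
TAMPERED_DISK = build_mbr(b"\xC3" * BOOT_CODE_END, CLEAN_PARTITION_TABLE) + CLEAN_DISK[MBR_SIZE:]
# Same disk with the boot signature zeroed, as a wiper might leave it.
WIPED_DISK = CLEAN_DISK[:PARTITION_TABLE_END] + b"\x00\x00" + CLEAN_DISK[MBR_SIZE:]

if __name__ == "__main__":
    for name, image in [("clean", CLEAN_DISK), ("tampered", TAMPERED_DISK), ("wiped", WIPED_DISK)]:
        print(name, check_mbr(BASELINE, image) or "OK")
```

In practice the image argument comes from reading the first sector of the physical device with an agent; the per-region hashes let an alert say "boot code changed" (escalate) versus "partition table changed" (correlate with change tickets) instead of a bare mismatch.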

Another core building block of effective and proactive cybersecurity is configuration management. A configuration management database (CMDB) gives IT and security organizations a single source of truth for tracking and managing every part of the network (hardware, endpoints, appliances, network devices and software) along with their relationships to and dependencies on each other. By understanding the relationships and configuration of each device or asset, IT and security operations gain greater visibility and unity across the organization.

Infrastructure optimization

Like endpoint monitoring, software optimization provides insight into the applications/services deployed on each machine. From an IT operations perspective, software optimization gives visibility into warranty and service status and into BIOS and firmware versions for patch/upgrade compatibility. Software optimization is also often used as a budgetary tool to ensure companies are not paying for software licenses that are not deployed or are no longer in use. Like a misconfigured firewall, endpoints that are not running the most up-to-date software and patches pose a significant cybersecurity risk to the overall organization.
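The three preceding sections (asset discovery, the CMDB as single source of truth, and patch/version compliance) describe one reconciliation loop, shown here as an added example that is not code from the article or from Tanium. Discovery results are matched against the CMDB by MAC address to surface unmanaged endpoints and stale records, and each endpoint's installed software is compared against minimum approved versions. All hosts, addresses, products and version numbers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: str
    hostname: str     # "" when discovery could not resolve a name
    os: str
    software: dict    # product -> installed version (dotted numeric string)


# Constructed discovery results (what a scan or agent census actually found).
DISCOVERED = [
    Endpoint("00:11:22:33:44:01", "10.0.1.10", "ws-101", "Windows 10",
             {"browser": "84.0.4147", "vpn-client": "5.2.1"}),
    Endpoint("00:11:22:33:44:02", "10.0.1.11", "ws-102", "Windows 10",
             {"browser": "81.0.4044", "vpn-client": "5.2.1"}),
    Endpoint("00:11:22:33:44:03", "10.0.1.50", "", "Linux",
             {"sshd": "7.4"}),                                  # nobody knows this box
    Endpoint("00:11:22:33:44:04", "10.0.2.5", "srv-db01", "Linux",
             {"sshd": "8.2", "dbms": "12.3"}),
]

# Constructed CMDB: what IT operations believes it manages, keyed by MAC.
CMDB = {
    "00:11:22:33:44:01": {"owner": "sales", "hostname": "ws-101"},
    "00:11:22:33:44:02": {"owner": "sales", "hostname": "ws-102"},
    "00:11:22:33:44:04": {"owner": "dba", "hostname": "srv-db01"},
    "00:11:22:33:44:99": {"owner": "hr", "hostname": "ws-old"},   # decommissioned, never removed
}

# Constructed minimum approved versions from the patch policy.
MINIMUM_VERSIONS = {"browser": "84.0.0", "vpn-client": "5.2.0", "sshd": "8.0", "dbms": "12.3"}


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def version_below(installed: str, required: str) -> bool:
    """Compare dotted versions numerically; missing trailing components count as 0."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def reconcile(discovered: list, cmdb: dict) -> dict:
    """Unmanaged = seen on the wire but absent from the CMDB; stale = the reverse."""
    seen = {endpoint.mac for endpoint in discovered}
    return {
        "unmanaged": sorted(e.mac for e in discovered if e.mac not in cmdb),
        "stale": sorted(mac for mac in cmdb if mac not in seen),
    }


def patch_findings(discovered: list, minimums: dict) -> list:
    """One finding per (endpoint, product) whose installed version is below policy."""
    findings = []
    for endpoint in discovered:
        for product, installed in endpoint.software.items():
            required = minimums.get(product)
            if required and version_below(installed, required):
                findings.append({
                    "mac": endpoint.mac, "ip": endpoint.ip, "product": product,
                    "installed": installed, "required": required,
                })
    return findings


if __name__ == "__main__":
    print(reconcile(DISCOVERED, CMDB))
    for finding in patch_findings(DISCOVERED, MINIMUM_VERSIONS):
        print(finding)
```

Unmanaged entries are the blind spots the article warns about: they carry no owner, so nobody receives their patch findings. Keying on MAC rather than hostname is deliberate, because the unmanaged box has no name to match on.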

One security trend we have seen is that determined and skilled groups of hackers are moving beyond traditional network attack methods such as distributed denial of service (DDoS), brute force or phishing attacks that affect the performance and usability of an organization’s devices and infrastructure. After early public attacks like Stuxnet (and later Rowhammer and Meltdown) showed that hardware attacks can succeed at scale, hackers began attacking the hardware stack. In the traditional Open Systems Interconnection (OSI) model, hardware was the most challenging (and often ignored) attack vector. Now, a new breed of hackers/crackers moves seamlessly between the device, data and software layers. By having network visibility and a single interface for security, compatibility and compliance, customers can decrease the risk of system and business disruption while ensuring all corners are covered.

Data risk and privacy management

At the heart of every IT operations and cybersecurity program is the need to protect data and privacy. The new generation of cyber warfare is here, and the main prize is information. A single data breach can significantly impact revenue and eliminate years of hard-earned customer trust and brand equity. Companies and agencies like Target, Equifax, Sony, Capital One, the UK's National Health Service (NHS) and the Department of Veterans Affairs all continue to recover from preventable breaches. Based on our research and other anecdotal evidence, we estimate the average cost of a breach now exceeds $4 million, with a 180-day infrastructure recovery time and three to five years for brand repair.

In most high-profile cyberattacks, there are more excuses than solutions. Still, the main reason is failure to patch known vulnerabilities. Misconfigured firewalls or network infrastructure, unsecured databases and social-engineering-delivered malware are the usual suspects. In our opinion, nearly 80% of breaches occur behind the firewall, and most start with employees innocently clicking on phishing emails or opening files they shouldn't. In some cases, organizations were victims of state-sponsored advanced persistent threat (APT) groups of determined hackers, but nation-state actors also exploit old vulnerabilities. Data and privacy keep hackers going, while keeping security officers awake at night.

Putting it into perspective

2020 has created both a significant challenge and an opportunity for IT operations and security professionals. Most past investments in technology produced only incremental improvements in efficiency, resiliency, accountability and overall protection. In a perfect world, IT operations and security teams would co-mingle seamlessly; sadly, that is not the case in most organizations. With more people working remotely than ever before, cyber risks are at an unprecedented level. Many chief information security officers are tempted to rely on technologies like managed detection and response (MDR) or other endpoint security (EPS) solutions to manage security operations. However, it’s important to remember that mature and proactive cybersecurity is a combination of technology, humans and processes (such as augmenting security platforms with security operations center (SOC) services, much like the IC model). Further, many businesses have invested in expensive security information and event management (SIEM) systems only to be disappointed by the results. In our experience, many enterprises have never fully deployed their SIEM systems. Of those that did, many did not take the time to tune the tools and eliminate false-positive security incident noise. An unconfigured and untuned SIEM causes security teams to chase ghosts in the machine when they should focus on real-world threats.
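What "tuning" a SIEM means in concrete terms, as an added example that is not code from the article or from any SIEM vendor: three common tuning rules (disable an informational rule, suppress a known-benign source for a specific rule, and require a threshold of events per source within a window before a rule escalates) are applied to a batch of raw alerts. The alerts, rule names, addresses and the tuning configuration are all constructed; the threshold logic is a simple sliding window written for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw alerts as a SIEM correlation engine might emit them.
RAW_ALERTS = [
    {"ts": "2020-07-29T09:00:00", "rule": "port_scan",          "src": "10.0.5.5",     "dst": "10.0.1.20"},
    {"ts": "2020-07-29T09:00:05", "rule": "port_scan",          "src": "10.0.5.5",     "dst": "10.0.1.21"},
    {"ts": "2020-07-29T09:01:00", "rule": "failed_login",       "src": "10.0.2.7",     "dst": "dc01"},
    {"ts": "2020-07-29T09:01:30", "rule": "failed_login",       "src": "10.0.2.7",     "dst": "dc01"},
    {"ts": "2020-07-29T09:02:00", "rule": "failed_login",       "src": "198.51.100.9", "dst": "vpn01"},
    {"ts": "2020-07-29T09:02:10", "rule": "failed_login",       "src": "198.51.100.9", "dst": "vpn01"},
    {"ts": "2020-07-29T09:02:20", "rule": "failed_login",       "src": "198.51.100.9", "dst": "vpn01"},
    {"ts": "2020-07-29T09:02:30", "rule": "failed_login",       "src": "198.51.100.9", "dst": "vpn01"},
    {"ts": "2020-07-29T09:02:40", "rule": "failed_login",       "src": "198.51.100.9", "dst": "vpn01"},
    {"ts": "2020-07-29T09:03:00", "rule": "port_scan",          "src": "203.0.113.4",  "dst": "10.0.1.20"},
    {"ts": "2020-07-29T09:04:00", "rule": "av_signature_update", "src": "10.0.1.10",   "dst": "-"},
]

# Constructed tuning configuration, the outcome of reviewing what the SIEM was crying wolf about.
TUNING = {
    # Purely informational rule that should never page anyone.
    "disabled_rules": {"av_signature_update"},
    # The authorized vulnerability scanner is expected to trip port_scan all day.
    "suppress_sources": {"port_scan": {"10.0.5.5"}},
    # A couple of mistyped passwords are noise; five from one source in five minutes are not.
    "thresholds": {"failed_login": (5, timedelta(minutes=5))},
}


def tune_alerts(alerts: list, tuning: dict) -> list:
    """Apply disable, suppress and threshold rules; return only the alerts worth an analyst's time."""
    escalated = []
    windows = defaultdict(list)   # (rule, src, dst) -> timestamps seen inside the window
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        rule = alert["rule"]
        if rule in tuning["disabled_rules"]:
            continue
        if alert["src"] in tuning["suppress_sources"].get(rule, set()):
            continue
        if rule in tuning["thresholds"]:
            needed, window = tuning["thresholds"][rule]
            key = (rule, alert["src"], alert["dst"])
            now = datetime.fromisoformat(alert["ts"])
            recent = [t for t in windows[key] if now - t <= window] + [now]
            if len(recent) >= needed:
                escalated.append({**alert, "note": f"{len(recent)} events within {window}"})
                recent = []   # one incident per burst, not one per further event
            windows[key] = recent
            continue
        escalated.append(alert)
    return escalated


def noise_reduction(raw: list, tuned: list) -> float:
    """Fraction of raw alerts the tuning removed; a quick metric for reporting tuning progress."""
    return 1.0 - len(tuned) / len(raw) if raw else 0.0


if __name__ == "__main__":
    kept = tune_alerts(RAW_ALERTS, TUNING)
    for alert in kept:
        print(alert)
    print(f"noise reduction: {noise_reduction(RAW_ALERTS, kept):.0%}")
```

Of the eleven raw alerts only two survive: the external port scan and the burst of failed VPN logins. The other nine are exactly the "ghosts in the machine" an untuned SIEM would have paged on, and each suppression is written down in the configuration so the reasoning behind it can be reviewed later.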

Cybercrime is an ever-moving target that indiscriminately focuses its efforts on every government, business and individual. Now, more than ever, the stakes could not be higher. Networks are moving from centralized data centers to distributed environments that require securing, monitoring and managing thousands of devices (not just those in the building). Further, the need to defend networks and systems that support critical infrastructure has become a significant priority for governments. The DoD and other government agencies must respond to cyber incidents by exposing, disrupting and degrading anyone who threatens the U.S. and the country’s critical infrastructure interests. As important as protecting critical infrastructure is, businesses must apply the same rigor to cybersecurity to protect their employees, brand reputation, internal systems and the bottom line. For more information and to download the white paper on this subject, click here. Stay safe and secure, my friends.

Patrick Moorhead

Patrick founded the firm based on his real-world technology experiences and an understanding of what he wasn’t getting from analysts and consultants. Ten years later, Patrick is ranked #1 among technology industry analysts in terms of “power” (ARInsights) and “press citations” (Apollo Research). Moorhead is a contributor at Forbes and frequently appears on CNBC. He is a broad-based analyst covering a wide variety of topics including the cloud, enterprise SaaS, collaboration, client computing, and semiconductors. He has 30 years of experience, including 15 years of executive experience at high-tech companies (NCR, AT&T, Compaq, now HP, and AMD) leading strategy, product management, product marketing, and corporate marketing, including three industry board appointments.