Over the years, we information security professionals have seen the threat landscape and attitudes to cybersecurity change significantly. Even the language we use has changed, from ‘if’ to ‘when’: ‘if we get attacked’ has become ‘when we get attacked’.
We’ve all heard the same advice — we should be operating as if we’ve already been attacked and our systems are compromised. We’ve thought about it and considered this approach. We’ve seen the research that indicates it takes an average of 205 days for a compromise to be discovered on the network. So, at a high level, in our logical and reasonable thought pattern, we’ve conceded that this is likely true. But acting on that advice is another story entirely.
Most of our security operations teams take important actions, like building good defence-in-depth strategies, monitoring for security events, developing most of an incident response plan, educating users, completing assessments, and complying with audit standards. These are all best practices, but they don’t make your organisation a smaller target.
Here comes the game changer
Having foundational security is important and necessary, but what is it that prevents us from acting on the idea that we need to operate as if we were already breached? The answer is that you need a game changer.
If you’re familiar with American football, you’ll see how your cybersecurity program is similar.
Foundational security (as described above) is like the running game of football. In the early days of football, throwing the ball forward was against the rules. In order to win you had to run the football and play good defence. The game was good, but scores were usually low and the action wasn’t very fan friendly. The rule change to allow a forward pass was a game changer. It made the game more dynamic, with more options, more scoring, and more fans.
It’s time for your security program to start using the forward pass. Be offensive in your approach to security. Want to reduce the number of days an attacker is sitting on your network? Get on the offensive — hunt them down. You know your environment the best; you know what your team is capable of, so use those skills to go find the problem.
I know what you’re thinking: 'So, if I go on the offensive and try to hunt down the threat within my environment, if I find something, doesn’t that make my team look bad? If we’ve done our jobs well, we shouldn’t find any issues. If we do find something bad living and breathing on our network, then it’s my fault.'
Putting pride aside
Herein lies the biggest problem. On the surface, we agree with the idea that we are operating in a new world, a world where attackers are already in our IT infrastructure. But we hesitate to apply this realisation to our day-to-day operations, simply because of pride. So, in theory, we believe attackers are on the network, but in the application of our security, we don’t.
In the same way that the forward pass was a game changer in the game of football, changing our rules of engagement and launching an offensive attack is our cybersecurity game changer. The ability to actively pursue attackers in our own IT infrastructure is the next phase of security operations. Twenty years from now, CISOs are going to go to a security conference and hear stories about the early days of the internet, and how our only strategy was a good defence. It will sound as strange and ancient to them as playing football without the forward pass seems to us.
At this point in the discussion, we as security professionals feel like we understand the challenge and deep down know we need to do something about it. But that pride keeps sneaking back into our minds. 'How can I be on the offensive and ensure that I won’t find a hornets’ nest of problems in the process?' The answer is easier than you might think — the cloud.
Turning to cloud
The cloud is one of the tools that can make the game changer happen. Migrating your systems to a hosted cloud environment opens the opportunity to go on the offensive: you eliminate vulnerabilities in your core infrastructure. Game changer.
You may or may not be able to move everything into a hosted cloud environment, but migrate what you can, as soon as you can. If you’re able to move 50 per cent or 70 per cent or 90 per cent of your IT to the cloud, then your traditional IT infrastructure just got smaller.
In football, you can still win with a good running game and a good defence (in depth) strategy, but you have to pass the ball to open up running lanes. Having this effective combination helps keep the other offence off the field, making the target of opportunity smaller for your opponent.
If we truly believe and operate in an environment where our systems are already compromised, then we need to add a passing game (hunting for attackers) to our already good running game and defence. A good defence will always be necessary, but just like in football, sometimes the offence is just too good. The game changer is to have a good offence and hunt down attackers and zero days in your environment. Migrating to the cloud is the offensive playbook that makes it easier for you to be the real game changer.
Paul Fletcher, Cyber Security Evangelist, Alert Logic