We’re just over a month into 2020 and already there has been a steady stream of data breaches, critical bug disclosures and ransomware attacks. The latest big name in trouble is the global foreign-currency firm Travelex, disrupted for several weeks by a ransomware-related outage that some reports claim stemmed from an unpatched flaw. It’s another example of the high-stakes game CISOs must play today.
Get your strategy wrong and it could have a serious impact on customer loyalty, brand reputation and the bottom line.
That’s why organisations are increasingly looking beyond cyber security to focus on cyber resilience. It’s about acknowledging that we live in a post-breach world in which incidents are inevitable — it’s how you respond, adapt and improve after each one that matters.
The times are a-changing
IT systems are undergoing a period of fundamental change as businesses look to drive growth from digital transformation projects. The traditional network perimeter has gone. In its place is a more volatile, fluid IT environment dominated by cloud computing, virtual machines and containers. The priority is agility: DevOps teams use infrastructure-as-code to test and deploy rapidly so that the organisation can respond to ever-changing market demands.
Yet these trends also create new risks. Cloud systems, DevOps processes, microservices architectures and an explosion of IoT endpoints have expanded the attack surface beyond recognition. Remote workers introduce new threats whenever and wherever they log in to the corporate network. Stretched cyber security teams struggle to manage the basics of IT hygiene, let alone track sophisticated attackers.
One estimate claims that the average UK business was hit by one cyber-attack per minute in 2019, a 152 per cent increase from the previous year. Yet these were mainly commodity, automated attacks. More dangerous still are the carefully planned, targeted operations designed to take advantage of weaknesses in IT security posture.
The bad news is that these weaknesses are endemic. Attackers go after sensitive corporate accounts still protected by nothing more than a simple password. They exploit the credulity of employees and the inadequacy of awareness training programmes. Just ask the Texas school district that lost $2.3m in a recent phishing scam. They exploit weaknesses in the supply chain that allow for “stepping stone” and similar attacks, like the infamous Operation Cloud Hopper campaign that hit managed service providers (MSPs). They look to seed malware into the third-party libraries that so many developers pull into their build and delivery pipelines. They target unpatched vulnerabilities, like the Apache Struts bug behind the 2017 mega-breach that is still costing Equifax billions. And they take advantage of many organisations’ failure to back up regularly, forcing them to pay ransomware extortionists massive sums.
From security to resilience
In this context, organisations should be looking to adopt a cyber resilience approach which goes above and beyond cyber security. What’s the difference? Security implies a binary state: something is secure or it is not. Cyber resilience is more holistic.
It is an approach that admits no organisation can be 100 per cent safe from a determined attacker. Instead, resilience focuses not only on building the best defences possible, but also on ensuring that a victim organisation can continue to operate successfully, even during a major incident, and that it can learn, adapt and improve following the all-clear.
The National Cyber Security Centre (NCSC) likens cyber resilience to the human immune system. It features multiple layers of defence; rapid incident detection, response and remediation; a recovery process in which other parts of the body retain critical functionality; and an ability to form “antibodies” which protect the system from similar attacks in the future.
Our five steps
Cyber resilience is therefore about making IT systems as secure as they can be, minimising human error, and then accelerating response and minimising impact in the event of a direct hit. There’s no silver bullet for the challenges outlined above, but the following five steps will help.
First, secure systems by design. This best-practice approach, framed by GDPR as data protection by design and by default, is advocated by GDPR and NIS Directive regulators across Europe. Build operating systems from hardened templates such as the CIS Benchmarks published by the Center for Internet Security, audit every image before it is allowed into a production environment, and keep auditing it continuously afterwards. Given how volatile cloud workloads are, this continuous approach is the only way to manage the risk of configuration drift.
Second, automate everything you can. Negligence and human error are still a top cause of data breach incidents, so aim to improve reliability and reduce risk through judicious use of technology. Everything from managing your TLS certificates to patch management and even infrastructure-as-code can be automated. Automated backups are a useful hedge against crippling ransomware attacks, provided at least one copy is kept offline or immutable and restores are tested regularly; a backup the attacker can encrypt, or that has never been restored, is not a hedge.
Next, implement a strict role-based access control policy built on the principle of least privilege to further reduce risk. Combine this with multi-factor authentication across all accounts to confound the phishing and social engineering attacks that are the first stage in so many damaging security breaches, and the lateral movement that follows. Log every account, group and system change centrally so that suspicious activity, such as a user being added to a privileged group or an account signing in with a password alone, is visible.
Consider adding physical controls to your cyber security programme. These can include CCTV and the swipe cards used to enter buildings and restricted areas. Data from these should also be logged centrally so that activity, especially that of visitors to a facility, can be monitored alongside the IT telemetry.
Finally, log as much data as you can. This should include system-level logs, application logs, system metrics and much more. With the right data-agnostic search tool, complemented by machine learning and data science techniques, you can start to make sense of this huge volume of information, enhancing SIEM systems to improve incident detection and response and building an architecture more resilient to future threats.
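As an added illustration of steps three and five, and not code from the article or from Elastic, the following Python script runs two simple detections over Linux auth.log-style lines: it flags any user added to a privileged group and any SSH login that succeeded with a password alone, and raises the severity when the same account does both. The sample log lines, the host name and the list of groups treated as privileged are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Groups whose membership grants root-equivalent power. This list is an assumption
# for the example; tune it to the environment being monitored.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin", "adm", "docker"}

# Constructed sample auth.log lines in syslog layout (not real data). The messages
# follow the shapes emitted by shadow-utils (usermod, gpasswd, groupadd) and OpenSSH.
SAMPLE_AUTH_LOG = """\
Feb  3 10:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob
Feb  3 10:14:03 web01 usermod[2231]: add 'bob' to group 'sudo'
Feb  3 10:14:03 web01 usermod[2231]: add 'bob' to shadow group 'sudo'
Feb  3 10:15:10 web01 sshd[2300]: Accepted password for bob from 203.0.113.7 port 51022 ssh2
Feb  3 10:15:30 web01 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 51023 ssh2: RSA SHA256:abc
Feb  3 10:16:00 web01 groupadd[2350]: new group: name=deploy, GID=1005
Feb  3 10:16:20 web01 gpasswd[2360]: user carol added by root to group deploy
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)(?:\[\d+\])?: +(?P<msg>.*)$"
)
USERMOD_RE = re.compile(r"^add '(?P<user>[^']+)' to (?P<shadow>shadow )?group '(?P<group>[^']+)'$")
GPASSWD_RE = re.compile(r"^user (?P<user>\S+) added by (?P<actor>\S+) to group (?P<group>\S+)$")
GROUPADD_RE = re.compile(r"^new group: name=(?P<group>[^,]+), GID=(?P<gid>\d+)$")
SSHD_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    ts: str
    detail: str


def parse_line(line):
    """Split one syslog-style line into timestamp, host, program and message."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def detect(lines):
    """Run the group-change and single-factor-login rules over an iterable of lines."""
    alerts = []
    newly_privileged = set()  # users granted a privileged group earlier in the stream
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        prog, msg, host, ts = ev["prog"], ev["msg"], ev["host"], ev["ts"]
        if prog == "usermod" and (m := USERMOD_RE.match(msg)):
            if m.group("shadow"):
                continue  # usermod logs the gshadow update too; count the change once
            user, group = m.group("user"), m.group("group")
        elif prog == "gpasswd" and (m := GPASSWD_RE.match(msg)):
            user, group = m.group("user"), m.group("group")
        elif prog == "groupadd" and (m := GROUPADD_RE.match(msg)):
            alerts.append(Alert("group-created", "info", host, ts,
                                f"group {m.group('group')} (gid {m.group('gid')}) created"))
            continue
        elif prog == "sshd" and (m := SSHD_RE.match(msg)):
            # A password-only login is single factor; it is worse if that account
            # was just handed a privileged group.
            if m.group("method") == "password":
                user = m.group("user")
                sev = "high" if user in newly_privileged else "medium"
                alerts.append(Alert("single-factor-login", sev, host, ts,
                                    f"{user} logged in with password only from {m.group('ip')}"))
            continue
        else:
            continue  # unrelated program (e.g. the sudo line); still parsed, no rule fires
        if group in PRIVILEGED_GROUPS:
            newly_privileged.add(user)
            alerts.append(Alert("privileged-group-add", "high", host, ts, f"{user} added to {group}"))
        else:
            alerts.append(Alert("group-membership-change", "info", host, ts, f"{user} added to {group}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{alert.ts} {alert.host} [{alert.severity}] {alert.rule}: {alert.detail}")
```

On the sample stream the script raises four alerts: bob's addition to sudo, bob's subsequent password-only login (high, because of the earlier group change), the creation of the deploy group and carol's addition to it. The same rules can be expressed as SIEM queries once the logs are centralised; the value of the correlation is that it depends on both the group-change and the authentication logs being collected, which is the point of step five.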
James Spiteri, cyber security specialist global solutions lead, Elastic