Business resiliency boot camp – part I: The evolving cyber-threat landscape
There was a time when cybersecurity just meant keeping the bad guys out, but over time cyberattacks have evolved and grown more sophisticated. As of September 2018, cybersecurity has been recognized by Secretary Nielsen as the #1 threat against the United States. While dealing with trillions of cyberattacks daily, C-level decision-makers can unite under the banner of cyber resilience to address critical challenges such as faster cyber incident recovery and finding ways to stay in business with the understanding that the attackers are already in. Now what?
Insider threat is alive and well. According to white hat Dark Web professionals at Black Hat 2018, many hackers are certified professionals who operate as trusted time bombs and have already penetrated most organizations. Insider threat has given rise to an underground economy estimated to be equivalent to the GDP of the world's 6th largest nation. Cybercriminals with privileged access are currently benefiting from lucrative crypto-mining activities and, once they have finished depleting digital assets, will be ready to strike. Cyber-hacking monitoring organizations report that enterprises are plagued with insider threats who pay themselves millions of dollars monthly at the enterprise's expense.
Attacks are getting harder to spot
With the rise of this new underground economy, analysts report that six out of seven cyberattacks go undetected. In its 2018 report on the cost of data breaches, the Ponemon Institute found that fewer than 2% of organizations have a plan to respond to cyber incidents, and that organizations take an average of 69.5 days to contain a breach and 199 days to identify a cyberattack. As crypto-environments get patched, it is important to implement preventive and corrective measures (such as security micro-segmentation, end-to-end identity management and automated contextualization) to keep critical infrastructure running and deal with current and future insider threats.
Lethal IT/OT/IoT exposure
A new major trend that makes cyber resiliency more challenging than ever before is the weak security posture in operational environments and IoT devices, particularly with the Industrial Internet of Things (IIoT). Many of these environments are 20+ years old, were pushed out after performance testing (no security by design) and have never been updated or patched. As these environments are connected to IT environments and to the internet, they are becoming our deadliest and most destructive areas of concern. Cyber-resilience is all about keeping business going and offering near “always-on” solutions, so we need to consider IoT’s currently unpatched/unpatchable environment and employ pervasive security.
The good news is that technological advances benefit the good guys too. It is vital to implement end-to-end, integrated security for all devices (not just in traditional information technology environments) in a way that is orchestrated, intelligent, cognitive and automated.
Cybersecurity hiring (and firing!) practices
Talented cyber professionals aren't easy to find. With an estimated 3.5 million cybersecurity job openings by 2021, England echoed the United States' need for cyber talent and announced the upcoming hiring of 2,000 cyber professionals. According to the National Association of Software and Services Companies (NASSCOM), India will also need 1 million cybersecurity professionals by 2020 to meet the demands of its rapidly growing economy.
Even so, and counter-intuitive as it is, high-tech security professionals and corporate executives/decision-makers are often fired as a result of a cyber incident. This is like firing your fire-fighting department: the source of the confirmed cyber-event is most often not their fault and, given their knowledge of the environment, they are the best qualified to resolve issues most efficiently. In fact, firing your most talented cyber professionals opens up new vulnerabilities, and the absence of timely decision-making capabilities only pleases hackers. Unless the individual in question was unequivocally part of the problem, ousting cybersecurity staff and decision-makers after a breach is not wise, especially given the industry talent shortage.
Successful cyber-criminals make more money selling access to your entire network of systems (including connected supplier and partner sites) and crown jewels like corporate trade secrets and intellectual property. Firing your cyber professionals 1) leaves your business without a knowledgeable fireman and 2) opens up room for artificial intelligence (AI)–based attacks that unfamiliar fire crews could not even imagine.
The Association of Certified Fraud Examiners (ACFE) estimates that fewer than 25% of cyber-fraud cases reach any form of recovery, given hackers' common practice of deleting their trails. The latest wave of cyberattacks, AI-based cyber-destruction, requires organizations to equip their IT, infrastructure, compliance and security departments to continuously prepare, test, respond and coordinate efforts. Prepare today by employing cyber solutions like runbooks, forensic-based recovery tools, trained communities and orchestrated workflows. Bring all critical corporate executives—including your heads of operations, IT, communications, security, legal and governance—along with your cyber team to third-party cyber ranges at least two to four times yearly. Spread cyber-knowledge and responsibilities across your entire community so that everyone becomes accountable for their contribution to your enterprise's cyber-posture. Invest in continuously tested, orchestrated cyber resilience, as it is the key to corporate survival. Remember: cyber-prevention is much more cost-efficient and empowering than cyber-resolution.
Overwhelming proliferation of attacks
It only takes one attacker to be successful. As hackers get more advanced, and with threats like the new zero-day attack (ZDI-18-1075 / ZDI-CAN-613) that lets attackers gain access to and degrade systems running any Windows operating system and most Microsoft products, businesses can no longer afford to merely try to hold back the cyber-tsunami at their doorstep.
As seen with the complex "Evil Twins" Triton attack as well as with the Ukraine shutdown, nation-state attacks are on the rise and have the capacity to create WW3-class destruction. In an era of encryption-breaking quantum computing systems, AI-powered attacks and vulnerable IoT devices, the number of daily threats has increased from billions to trillions, and enterprises can no longer manually address every single threat.
Instead, government and corporate decision-makers must "comm-laborate" more closely to identify, prioritize and resolve the entire interconnected infection. All teams should aim to contribute to global Information Sharing and Analysis Organizations (ISAOs). To supplement and augment mutual cyber-aid programs, it is vital to revamp enterprise risk evaluations towards dynamic and intelligent analysis, real-time publishing through customized dashboards and automated contextualization.
As cognitive cyber analysis becomes necessary, cyber risk analysis should be continuous and go far beyond the standard two dimensions (typically impact and probability). In my experience, organizations that perform weighted multi-dimensional analysis with extended performance metrics gain much better insights and are able to establish a more credible enterprise risk posture with insurers, bankers and shareholders. Be prepared for security and resiliency to transform in major leaps as we enter an era of global community sharing and intelligence.
Cyber incident recovery
The Ponemon Institute's 2018 Cost of Data Breach Study reports a 32% chance of a disruptive cyber incident within two years. It also reports that only 23% of organizations have a formal cybersecurity incident response plan (CSIRP). It's time for organizations to shift their planning for a cyber incident from if to when. Coordinated use of security and recovery orchestration is vital in our increasingly interconnected world, which includes many cross-system dependencies. To respond well, corporate and external resources (like first-line responders) must be able to obtain SHA-hashed copies for forensics and e-discovery. Experts need to complete systems analysis. Cyber-threat hunters, networking professionals and law enforcement need to work with tracking technologies like deceptive honeypots and network sniffers to catch the criminals. In parallel, disaster recovery/business continuity teams need to work out which air-gapped copies to recover, and in which order, from immutable storage, while vulnerability experts focus on treating the quarantined deltas.
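The recovery workflow described above (hash-verified evidence copies, deciding which air-gapped copies to restore and in what order, and handing the changed files to vulnerability experts as quarantined deltas) can be expressed as a small decision procedure. The script below is an added example, not code from this article or from IBM's tooling: it hashes a known-good snapshot and the current suspect state with SHA-256, classifies the deltas, and orders the restore by a declared system-dependency map. The snapshot contents, the system names (`ad`, `erp`, `web`) and the dependency map are constructed sample data; the `system/path` key convention is an assumption of this example.

```python
"""Delta-driven recovery planning: SHA-256 manifests, delta classification and
dependency-ordered restore. Added example; requires Python 3.9+ for graphlib."""
import hashlib
from graphlib import TopologicalSorter

# Constructed sample data (not from the article). Keys are "system/path" so each
# file can be attributed to the system it belongs to.
BASELINE = {  # known-good content from the air-gapped / immutable copy
    "ad/ntds.dit": b"directory-database-v1",
    "ad/sysvol/gpo.ini": b"[gpo]\nlockout=5\n",
    "erp/app.jar": b"erp-release-7.2",
    "erp/config.yml": b"db: erp-db\nauth: ad\n",
    "web/index.html": b"<html>hello</html>",
}
CURRENT = {  # what is on the systems now, after the incident
    "ad/ntds.dit": b"directory-database-v1",
    "ad/sysvol/gpo.ini": b"[gpo]\nlockout=0\n",            # policy was tampered with
    "erp/app.jar": b"erp-release-7.2",
    "erp/config.yml": b"db: erp-db\nauth: ad\n",
    "web/index.html": b"<html>hello</html>",
    "web/cgi-bin/persist.sh": b"#!/bin/sh\n# unknown file\n",  # absent from baseline
}
# For each system, the systems it depends on; dependencies are restored first.
DEPENDENCIES = {"ad": set(), "erp": {"ad"}, "web": {"erp", "ad"}}


def sha256_manifest(snapshot):
    """Hash every file. The manifest is the evidence record handed to forensics
    and e-discovery, and the basis for every delta decision below."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(snapshot.items())}


def classify_deltas(baseline, current):
    """Compare two manifests and return the three kinds of delta a responder
    has to treat: modified, added (unknown) and deleted files."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def system_of(path):
    """Attribute a file to its system using the 'system/path' key convention."""
    return path.split("/", 1)[0]


def recovery_plan(deltas, dependencies):
    """Decide which systems must be restored from the air-gapped copy (any delta
    on the system, since a clean restore also removes unknown files), in an order
    that restores dependencies before the systems relying on them; which files go
    to quarantine for vulnerability analysis; and which untouched systems should
    be re-validated because something they depend on was restored."""
    all_deltas = deltas["modified"] + deltas["added"] + deltas["deleted"]
    restore_needed = {system_of(p) for p in all_deltas}
    restore_order = [s for s in TopologicalSorter(dependencies).static_order()
                     if s in restore_needed]
    revalidate = sorted(s for s, deps in dependencies.items()
                        if s not in restore_needed and deps & restore_needed)
    return {
        "restore_order": restore_order,
        "quarantine": sorted(deltas["modified"] + deltas["added"]),
        "revalidate": revalidate,
    }


if __name__ == "__main__":
    deltas = classify_deltas(sha256_manifest(BASELINE), sha256_manifest(CURRENT))
    plan = recovery_plan(deltas, DEPENDENCIES)
    for kind, paths in deltas.items():
        print(f"{kind:>8}: {paths}")
    print("restore order:", plan["restore_order"])
    print("quarantine   :", plan["quarantine"])
    print("revalidate   :", plan["revalidate"])
```

With the constructed data the plan restores `ad` before `web`, leaves `erp` in place but flags it for re-validation because it depends on the restored `ad`, and sends the tampered GPO file and the unknown CGI script to quarantine. In a real engagement the baseline manifest would be produced from the immutable copy at backup time and stored alongside it, so that the comparison itself cannot be tampered with after the fact.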
Buckle up, because we’re just getting started. Bookmark IT Biz Advisor and stay tuned for my next blog in this series, which will take a closer look at threats from within an organization. For more insights on cyber resilience, follow me on LinkedIn.
IBM solutions for cyber resilience range from maturity assessments to IBM Resiliency Orchestrator with nearly 500 pre-defined workflows. The latest two cyber incident recovery RALs enable cyber recovery experts to detect, monitor, repair and report on configuration and data delta changes. Questions? Schedule a consultation with an IBM Business Resiliency Services expert today.