It's Time to Change the Reactive Mindset
When it comes to IT security, what IT knows keeps the process on its toes and what IT does not know makes the process fail. IT is solving a minimum information puzzle without a hint, playing a Hangman game with critical assets. With enough wrong guesses, you are slowly hanging the asset. The hackers have already drawn the gallows before the game begins. The level of network hygiene, on a frugal in-house budget, and outsourced IT make small businesses an easy target, mid markets a soft target, and large enterprises a value target for cyber criminals. Today, hackers thrive because of wilful indecision and blind-trust of security stakeholders on vendor products without a robust process for continuous monitoring; a term grossly ill-defined by standards organizations (NIST, MITRE) that have clearly failed to understand the lack of visibility that administrators in the network, security and cyber operations center have to deal with effective surveillance, investigations and remediation for risk management. The signature and heuristics based reactive mindset must change.
Expansion of cyber theft over time
The evolution of threats over the decade are clearly indicative of the diversity of methods, motives and means that hackers and cyber criminals use to conduct nefarious activities undetected. The attacks have evolved from social hacktivism, theft of intellectual property for financial gain, damage to critical assets or infrastructure, to ransomware (cyber blackmail). It is therefore critical for security stakeholders in the industry to take note and address the threats both as a technology innovation and process enhancement. The technologies of the past decades have been reactive solutions aimed at malware detection, victim (system) analysis, malware (breach) analysis to derive well-known signatures to thwart repeat attacks. This does not solve the problem and only emboldens the cyber criminals to morph signatures and strike again without remorse. Understanding how cyber-attacks are conceived, planned and executed with precision requires rethinking analogous to the medical realm – connecting biological markers to clinical symptoms. The DNA of a threat characterizes the behavior model and life cycle stages of malware across the controls evaded, devices infected and network compromised.
Breaches happen not because of a single point of failure but because of a series of failures. In today’s enterprise environment, users and devices far outnumber administrators. The user is the weak link and therefore automation is key for continuous vigilance. The division of roles and responsibilities between network, system, database, application and domain administrators is likely to introduce blind spots that malware and cyber criminals can exploit through social engineering and process gap exploits. A redundant security stack and automated analytics are essential to build fault tolerance in the decision logic to reduce false negatives for timely analysis of post-infection pre-breach evidence.
Need of a flawless instrumentation
As in any global war, both defense and offense would be required to achieve a decisive outcome. In war, the reliable information is generally harvested through field operatives (or informers) behind enemy lines, but in cyber security parlance that is difficult to achieve. Therefore, information must be harvested internally within the “red zone of defense”. That requires smart cyber-ready instrumentation that is unfortunately inadequate on networked systems and devices. Compromised systems comprise the ‘last mile’ of an attack; the ‘first mile’ is outside-in field intelligence assembled from trusted data sources. Between these mileposts are IT processes that were designed with access management in mind, not entropy management. There are two response options available: the ‘days after harm’, or the ‘days before damage’. A compromised system is the key indicator of a threat in play. So security first responders have to anchor and drill down on the dot signals. There is asymmetric urban warfare in cyber space; the ‘needle in the haystack’ at the hard edge is now a ‘cat among the pigeons’ in the soft core. Isolated security controls increase the entropy of systems and the fear, uncertainty and doubt (FUD) that comes with it.
Integration across the globe
Global participation is required to understand the depth and scope of the emerging challenges posed by IT processes in small to large enterprises, supply chain blind spots, outsourcing and off-shoring. On current course, any company is just a hop away from a disgruntled employee with a grudge or a partner who is the weak-link, from compromise and/or data breach. The ecosystem is complex and geography is history – attacks can be orchestrated from the opposite side of the planet by a team of incentivized and motivated professionals – remote is virtually local.
The India market faces serious challenges in order to sustain operational integrity as an important global player in IT services and offshore software development. Attackers leverage indirect pathways to the intended target systems by exploiting weak security posture of the partners, business associates and supply chain. Cyber security also offers companies in India an emerging market for managed security services for remote SOC, forensic analysis and 24/7 incident response.