How to Bake Anticipation into Enterprise Cybersecurity
We’ve all heard the castle-and-moat analogy when it comes to cybersecurity. But those days are long gone. It may have worked when script kiddies roamed the land, but today that approach is as effective as a Band-Aid on a bullet wound. Needless to say, the threat landscape has evolved to a point where not only must security technology be up to snuff, but a security leader’s mindset must adapt to the enterprise’s risk tolerance. Tools from firewalls and IDS/IPS to email gateways and antivirus remain an important part of an overall security arsenal, but as cyber threats grow more sophisticated and attack surfaces expand, the wait-and-see approach to cybersecurity of yesteryear won’t cut it.
No matter how often your systems are patched, a reactive stance ultimately leaves your security and risk department in a constant firefight, one where the embers never cool. Businesses across the globe have experienced an increase in breaches over the last year, and the only way to turn the tide is to bake anticipation into your cybersecurity strategy. That requires a proactive stance.
Organizations with a low appetite for risk have recognized that more needs to be done to protect critical assets. Many have added SIEM, active alerting and security intelligence with the understanding that perimeter defense layers may be breached. But to prevent attacks from occurring and drastically decrease response time, adopting an adaptive security model is optimal. This approach promotes early detection of compromises and automatic response when a security incident occurs. It continuously assesses risk and monitors networks in real time to hunt for malicious traffic, vulnerabilities, and other indicators of compromise.
Adaptive security relies on artificial intelligence analysis of cybercriminals’ behavior to anticipate new attack methods. As threats and attack tactics evolve, an adaptive approach allows your enterprise to evolve with them. To embrace this approach to cybersecurity, it’s important to focus on the following three steps:
Step 1: Gauge Your Enterprise Risk Tolerance
How do you know if you’re ready for adaptive security? It all comes down to your ability to stomach risk. A company’s appetite for risk informs its entire approach to security, including the budget it allocates toward it and the services it engages. The lower the risk tolerance, the more resources will be required to effectively and measurably reduce it. To gauge your enterprise’s risk appetite, you’ll want to have a good understanding of what and where your critical assets are located. More often than not, this is what digital marauders will go after. Understanding the core business not only allows you to prioritize the protection of company assets, but also helps in understanding the phases of the cyber kill chain that could impact the enterprise.
If successful attacks have already taken place within your environment, you already have a great place to start. Take advantage of those scenarios when it comes to building your adaptive strategy, says Jeremy Batterman, global director of threat intel and detection at Trustwave SpiderLabs.
“You look at your attack profile and your taxonomy of threats and based on the behavior of those threats you build your profile,” Batterman says. It’s all about visibility, he adds. In order to take an adaptive approach to securing the enterprise and anticipating attacks, visibility is crucial. Even if an attacker is successful, gathering as much information as possible about the incident can only make your approach to security stronger, and also allow you to be proactive, Batterman says.
“For example, ask yourself if you have the visibility to see malicious activity that comes in via weblinks and through email,” he says. “Can you look at weaponized attachments and determine that they’re indeed weaponized? Do you have the capability to detect or deny something malicious trying to be executed by the behaviors that the malware would normally do?” Working through exercises like this allows security leaders to start building good visibility, which leads to great defense. “Even if you stop an attack, you need to investigate all of its attributes,” Batterman says.
Step 2: Get Enterprise Leadership on Board
The communication challenges that security leaders face with upstream management are nothing new. For years they’ve been told to “speak the language of the business,” and while they’ve made strides in that area, there’s still a way to go. Adaptive security requires the right mix of talent, tools, and techniques, and outlining that effectively to the C-suite is important. Security leaders who don’t have other leadership support within the enterprise are facing an uphill battle. “It’s absolutely critical,” Batterman says. “I’ve worked as a consultant for companies that don’t have it, and they lost the battle before they even got started.” While it can be complex to communicate, staying out of the technical weeds and relaying a high-level view of this approach to the executive team will ultimately help get them bought into the program.
Step 3: Assess Your Team to Assess Your Technology
Before you even think about purchasing more bells and whistles to add to your security arsenal, ask yourself, “Do I have the team to maximize its use?” As a managed security services provider (MSSP), this is an area where we find many gaps. You can have the latest and greatest state-of-the-art technology to combat cybercrime, but without the right staff or assistance, it’s likely useless in the grand scheme.
“The talent is more important than the tools,” Batterman says. “If you have talent and you have tools, that’s great. But good talent, at times, can make their own tools, even if you’re limited on resources. A talented staff always figures out a way to make things happen.” In many cases, good talent could lead to good technology, even if they aren’t building it themselves. You should lean into the talent to help assess the most appropriate tools to leverage. Batterman suggests asking yourself the following questions when it comes to making purchasing decisions:
- Is this something that will be helpful in investigations?
- Will it be a hindrance to my team and our adaptive approach to cybersecurity?
- Is this solution too complex?
- Does this tool give us the visibility we need?
Too many businesses have made the mistake of tapping into security technology when they don’t have the right staff to manage it. While no business is immune to the cybersecurity talent shortage, many are tapping into external sources to handle various aspects of security, especially when it’s difficult to compete against the larger tech companies that attract and retain top talent.
An adaptive approach to security best fits an organization with a low risk appetite, including financial institutions and manufacturing and utility companies. Meanwhile, smaller businesses such as local retail stores have a much higher risk appetite, so covering the basics and taking a traditional perimeter defense approach could suffice. As the threat landscape continues to evolve, the security mindset that enterprises take is changing as well. Taking a reactive stance on cybersecurity could be more costly for an enterprise than approaching it in a continuous, proactive way.