Author: Stefan Lager, SVP Global Service Lines, Orange Cyberdefense
Investments are essential for getting ahead in life, whether it is work or business-related or for personal gain. But they do often pose a dilemma, because where do you spend your time and resources? How do you know in which areas to invest?
Take New Year's resolutions, for example. The most popular resolutions are focused on self-improvement, with living healthier as number one. There are many methods for implementing a healthy lifestyle, but generally they can be summarized in three key areas to invest in: get sufficient exercise, maintain a healthy diet and get enough sleep. Investing in only one of these areas will already show results, but the real benefits are achieved when all three elements are tackled.
When it comes to cybersecurity there are hundreds of different solutions to invest in, so finding the right one can be challenging. Just like for a healthier lifestyle, we believe there are three key areas to focus your investments on to create a better cybersecurity strategy.
In this area we see two elements coming together, traditional IT issues and vulnerabilities.
One common traditional IT issue is the lack of visibility. We often see organizations that do not have a good grasp of what their environment looks like, that don’t have a good CMDB or don’t know what legacy applications and systems are in place. Often a move to the cloud has increased the attack surface, adding to the problem of poor visibility.
A lack of time and resources is another traditional IT issue that we commonly see with customers. As a result, patching often goes to the bottom of the list when work is prioritized. A fear of downtime on critical servers also makes people hesitant to patch, as the risk of downtime is weighted above the risk of a virus or malware infection.
The second element is vulnerabilities. Not only individuals but also businesses as a whole rely more and more on technology every day. These technologies are powered by applications, applications are written in code, and code is written by humans. And humans, as we all know, make mistakes.
The lack of visibility and patching, combined with a growing set of vulnerabilities in the assets, makes these assets ideal targets for attackers to obtain access, elevate privileges or use as backdoors into a company.
So before anything else, the relevant question is: how can you ever make optimal investments in security if you do not know where the key assets and data are, and what the attack surface to those assets is?
Traditionally, IT security has been set up in a castle-and-moat approach, where too much trust was often placed in the perimeter protection, leaving access to assets quite relaxed behind these firewalls and VPN services. This approach has become obsolete because many applications have moved to the cloud and, with Covid-19, most personnel have moved from the office to remote locations.
According to Forbes, 80% of enterprise IT will move to the cloud by 2025. On top of this, the threat landscape is more advanced than ever. So we need to consider every device as breached and set up access so that a compromised device can cause as little impact as possible. We need a better security posture for today's applications, which are more mobile and cloud-focused and have a lot of remote users. This approach is called Zero Trust: never trust, always verify and monitor.
Here is an example to illustrate the difference in security approach, comparing a nightclub with a hotel. Say an underage teenager manages to get into a nightclub using a fake ID. If they pass the check at the entrance, there are no further restrictions down the line. Access has been granted, no further permissions are needed and all facilities can be used. This is how the old security perimeter has been set up.
A zero trust model could be compared to the checks at a hotel. Upon arrival, you need to show your identification and provide a payment method to make sure you can pay for the room. Once you are identified, you get a room key that only works for your room. If you were to lose this key, whoever finds it would be able to enter your room. However, the key only gives access to your specific room, and only on the condition that they know which room you are in. Some modern hotels go even further by restricting access to the hotel elevator with the room key, sometimes going as far as only allowing access to the floor you are staying on.
This is an example of how the impact zone is limited by restricting and controlling the amount of access.
When it comes to cybersecurity, there is a widely accepted view that the question is no longer if you will be hacked, but when. And the impact of a breach or intrusion is directly linked to the ability to, first of all, detect it and, secondly, the speed with which you are able to respond.
There are three main types of detection and response technologies: log-, network- and endpoint-based. Each of them has weaknesses of its own, however. With log-based detection, you are reliant on the quality of the data and its availability. With network-based detection, you are limited in the details you can extract from encrypted traffic, and with endpoint-based detection you are limited to agents, which can only be installed on managed devices.
This is why Gartner suggested the SOC Visibility Triad, which essentially means using all three in conjunction with each other and thereby closing the gaps that threat actors could exploit. Most importantly, you need to understand your own environment, the threats against it and the actual capabilities of the different types of technology. On top of this, you also need the resources and expertise to tune this around the clock.
So how do these three elements come together?
Traditionally, companies invest a lot in medium-complexity solutions such as firewalls and anti-virus, and not as much in vulnerability management and detection and response. Our suggestion is to shift towards more low- and high-complexity investments, such as vulnerability management and detection and response.
It is our prediction that security investments will shift from being focused on building standalone capabilities to being focused on reducing risk for the company. By doing so, companies will reduce their risk and also optimize their security investments.