Government agencies, large corporations, banks and even small businesses are falling for old tricks as well as new ones. Healthcare in particular is a vertical that has had to watch over its shoulder for some time, but the recent rash of malware outbreaks and ransoms paid is putting pressure on everyone. I also know a couple of local schools and several small businesses recently hit by ransomware. These are likely the work of small hacking groups getting in on the frenzy.
Cyber criminals are more broadly called “threat actors,” and the FBI defines three groups: organized crime, state sponsors and terrorists. There is a fairly clear delineation in whom each typically targets, whether the financial services industry, government agencies or media and entertainment, but that can also change. Organized crime probably spans the widest range in both the type and the size of its targets. The bottom line is that when great skill is combined with narrow focus, you had better be stronger than your adversary, or have a good incident response plan in place.
In the 90s, IT security was focused on the perimeter. After Y2K we realized that wasn’t enough, as hacking went from garden-variety mischief to organized, funded operations directed at stealing inside information. The consensus became: keep the bad stuff out, but also keep the good stuff in, and the focus shifted toward privacy and data protection. Defense-in-depth really hit its stride.
Then malware grew up, became very complex, and its purpose rose higher and higher: helping pull off major heists. Looking back on most of the big breaches today, it is clear that even large companies with big IT budgets haven’t finished yesterday’s best practices in enterprise security architecture: endpoint features not deployed, DLP program goals not met, SIEM collectors still to be developed. People are not paying enough attention.
Most organizations have been forced to become “IT companies,” and the variety of security solutions owned in the enterprise is staggering. With three or more tools per layer, there is overlap in workloads as well as critical features left inactive everywhere. Overall, the lack of tool maturity is an enormous challenge, and few organizations have plans to address it fast enough: operational maturity is not realized, and native integration between tools is lacking. As an example, most endpoint security suites can reduce or limit the impact of ransomware, but only a little more than half of the customers licensed for those features are actually using them.
Assuming that you have fully utilized the right tool in the right place, automation could be the next area of focus. Companies need to take better action on critical security events, starting with improving incident management and its workflows. There are also security processes ripe for automation, where key actions or responses can be taken, or extra protection can be applied and then removed automatically during a maintenance window or a window of vulnerability. Externally facing vulnerabilities should also be a priority, because if you look weak from the outside, you WILL draw attention and get picked on.
If you have invested significantly in tools as well as process, and your operational challenges persist, you may have a people problem. Looking back on the trends and tactics now needed to protect information and defend against today’s threats, the IT security challenge has become large and broad for many roles. For example, a next-generation threat management team requires participation, and ideally collaboration, between the desktop, network and security teams. A fully operational DLP program requires a large cross-functional team of product SMEs, involvement from Compliance and the various lines of business, and occasionally HR and Legal.
As the perimeter dissolves with mobility and data splits off to the cloud, organizations have the opportunity to re-evaluate what IT does and doesn’t do well. I’m finding more and more that would like to focus on the aspects of IT that truly help the company make money and leave aspects of security to experts who focus on those specific services. Others prefer to shift their focus away from managing infrastructure so they CAN focus on security.
IT not only wants to be liked again by users; it generally wants to take what it does best and combine that with what drives the business. This will drive outsourcing and staffing decisions.
Many of you already have the technology you need to reduce threats in the organization and to give you the visibility that would ensure higher levels of privacy… what are you waiting for?
Another rub with a slew of best-in-class tools is that they are very limited without intelligence behind them. If you’re not accurately correlating events between firewalls, IPS and endpoints, you’re seriously limited in your ability to detect an attack, let alone respond to it. Getting rich intelligence around key tool investments, with security monitoring and advanced endpoint suites, can give IT security the much-needed edge to detect and remediate fast, and to reduce ongoing exposure to known bad sites and files. If your SIEM solution isn’t giving you anything valuable today, trust me, it’s not configured correctly.
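To make the correlation point concrete, here is an added example (not code from the original post or from any particular SIEM product) of the smallest useful cross-source rule: events from the same internal host are clustered by time, and a cluster only becomes an alert when at least two of the three sources (firewall, IPS, endpoint) contributed. The log records, field names and the 300-second window are all constructed for the example. Taken alone, a firewall “allow” to an outside address, one IPS signature hit, or one odd process start is background noise; the same three lines within a few minutes of each other on one host are an incident.

```python
"""Cross-source correlation: firewall, IPS and endpoint events joined by host and time.

Added example with constructed data. Field names (ts, src, dst, signature, image, ...)
are assumptions standing in for whatever normalisation a real SIEM does per vendor.
"""
from dataclasses import dataclass, field
import datetime as dt

WINDOW_SECONDS = 300  # gap between two events of one host that starts a new cluster

# Constructed sample events, not real logs.
FIREWALL_EVENTS = [
    {"ts": "2016-05-01T10:00:05Z", "src": "10.0.1.23", "dst": "203.0.113.7", "dport": 443, "action": "allow"},
    {"ts": "2016-05-01T10:01:10Z", "src": "10.0.1.23", "dst": "203.0.113.7", "dport": 443, "action": "allow"},
    {"ts": "2016-05-01T11:30:00Z", "src": "10.0.2.5", "dst": "198.51.100.20", "dport": 80, "action": "allow"},
]
IPS_EVENTS = [
    {"ts": "2016-05-01T10:00:30Z", "src": "10.0.1.23", "dst": "203.0.113.7",
     "signature": "ET TROJAN Possible CnC Beacon", "severity": "high"},
    {"ts": "2016-05-01T09:10:00Z", "src": "10.0.3.9", "dst": "203.0.113.9",
     "signature": "ET SCAN Nmap", "severity": "low"},
]
ENDPOINT_EVENTS = [
    {"ts": "2016-05-01T10:02:00Z", "host": "ws-023", "src": "10.0.1.23", "event": "process_start",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe"},
    {"ts": "2016-05-01T10:03:40Z", "host": "ws-023", "src": "10.0.1.23", "event": "file_rename_burst",
     "count": 412},
    {"ts": "2016-05-01T13:00:00Z", "host": "ws-005", "src": "10.0.2.5", "event": "process_start",
     "image": "C:\\Windows\\explorer.exe"},
]


@dataclass(frozen=True)
class Event:
    ts: float      # epoch seconds, UTC
    host: str      # internal address the activity is attributed to
    source: str    # "firewall", "ips" or "endpoint"
    summary: str   # one-line description carried into the alert


@dataclass
class Alert:
    host: str
    sources: tuple   # distinct sources that contributed, sorted
    start: float
    end: float
    events: list = field(default_factory=list)


def parse_ts(s: str) -> float:
    """ISO-8601 UTC timestamp ('...Z') to epoch seconds."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc).timestamp()


def normalize(firewall, ips, endpoint):
    """Flatten the three vendor-shaped streams into one list keyed by host and time."""
    events = []
    for e in firewall:
        events.append(Event(parse_ts(e["ts"]), e["src"], "firewall",
                            f'{e["action"]} {e["src"]} -> {e["dst"]}:{e["dport"]}'))
    for e in ips:
        events.append(Event(parse_ts(e["ts"]), e["src"], "ips",
                            f'{e["severity"]} {e["signature"]} -> {e["dst"]}'))
    for e in endpoint:
        detail = e.get("image", e.get("count", ""))
        events.append(Event(parse_ts(e["ts"]), e["src"], "endpoint",
                            f'{e["host"]} {e["event"]} {detail}'))
    return sorted(events, key=lambda ev: (ev.host, ev.ts))


def correlate(events, window=WINDOW_SECONDS, min_sources=2):
    """Cluster each host's events by time gap; alert when a cluster spans >= min_sources sources."""
    alerts, cluster = [], []

    def flush():
        if cluster:
            sources = tuple(sorted({ev.source for ev in cluster}))
            if len(sources) >= min_sources:
                alerts.append(Alert(cluster[0].host, sources, cluster[0].ts, cluster[-1].ts, list(cluster)))
            cluster.clear()

    for ev in sorted(events, key=lambda e: (e.host, e.ts)):
        # A different host, or a silence longer than the window, closes the current cluster.
        if cluster and (ev.host != cluster[-1].host or ev.ts - cluster[-1].ts > window):
            flush()
        cluster.append(ev)
    flush()
    return alerts


if __name__ == "__main__":
    for a in correlate(normalize(FIREWALL_EVENTS, IPS_EVENTS, ENDPOINT_EVENTS)):
        print(f"ALERT host={a.host} sources={','.join(a.sources)} span={int(a.end - a.start)}s")
        for ev in a.events:
            print(f"  [{ev.source:8}] {ev.summary}")
```

Run as written, the only alert is for 10.0.1.23, with all three sources in a span of under four minutes. The host 10.0.2.5 has a firewall event and an endpoint event ninety minutes apart, so they land in separate single-source clusters and never surface, and the lone IPS scan hit on 10.0.3.9 stays a single event for an analyst to triage at leisure. The window and the two-source threshold are the knobs a real deployment tunes; the structural lesson is that the join across tools is what turns three separate low-value feeds into a detection.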
If you know what to do and just haven’t done it, get on that already, or get some help to kick-start it. It’s getting crazy out there. If you don’t know what to do or where to start, get some assistance from a recommended integrator.