We need to face some hard facts in order to move forward.
Fact #1: cybercrime is here to stay
It has been around for many decades, but in the early days of the internet it was less about making money than about understanding how things work and run; it was a quest for knowledge. There was a distinction between a hacker and a cracker, the latter being the one with malicious intent.
Nowadays that distinction has all but disappeared. Cybercrime is on the rise and is a very profitable business, for private bad actors and nation-state actors alike. Nation-states are the ones with the abundant resources to mount the largest attacks and wreak havoc on weaker states in pursuit of their own agenda.
Fact #2: security will never be absolute
Nonetheless, we need to work towards that goal continuously and relentlessly. Security will never be absolute because systems have weaknesses, they will always be a target, and if vendors do not fix reported weaknesses quickly, those systems will remain susceptible to attack. Even a fully patched system can still be misconfigured or misused, so patching is necessary but not sufficient.
Fact #3: people will always get scammed
A “good” hacker should first be a good social engineer. A great hacker should also be a great software engineer.
Nowadays we say that hackers “log in”, they do not “break in”. To counter this, we need to raise the security awareness of our people and keep it high, and then add the proper security controls on top. Awareness alone is not a control: a phished password still works unless something like MFA stands behind it.
Fact #4: security engineers and security operations analysts are scarce
Even the best security technology out there needs a human to run it.
If you add alert fatigue to that scarcity, you have an explosive mixture. Numbers show that more than 44% of alerts are never checked by SOC teams, because too many different security systems produce too many alerts, many of them the same alert reported by several tools and never truly correlated. It is in this unchecked alert stream that a real attack can slip through the cracks and leave your network exposed.
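The duplicate and uncorrelated alerts described above are a data-processing problem before they are a staffing one. The following is an added example, not code from the original post or from any SIEM product: it normalizes alerts from two hypothetical tools (an EDR and a firewall, with made-up field names) into one schema, suppresses repeats of the same alert inside a time window, and raises one escalated incident when independent sources fire on the same host within that window. The sample alerts, the 30-minute window and the firewall severity scale are all constructed assumptions.

```python
"""Alert deduplication and cross-source correlation (added example, constructed data).

Assumptions: two tools with different schemas ("edr" and "firewall"), a 30-minute
correlation window, and a made-up firewall level-to-severity mapping.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
FIREWALL_LEVEL = {1: "high", 2: "high", 3: "medium", 4: "low"}  # assumed vendor scale

# Constructed raw alerts. Note the EDR repeats itself and the firewall spells the host differently.
RAW_ALERTS = [
    {"source": "edr", "ts": "2021-10-12T09:01:10", "device": "WS-042", "rule": "Suspicious PowerShell", "severity": "medium"},
    {"source": "edr", "ts": "2021-10-12T09:01:10", "device": "WS-042", "rule": "Suspicious PowerShell", "severity": "medium"},
    {"source": "edr", "ts": "2021-10-12T09:01:12", "device": "WS-042", "rule": "Suspicious PowerShell", "severity": "medium"},
    {"source": "firewall", "time": "2021-10-12 09:05:44", "src_host": "ws-042", "signature": "Outbound to known C2", "level": 2},
    {"source": "edr", "ts": "2021-10-12T11:40:00", "device": "WS-017", "rule": "Suspicious PowerShell", "severity": "medium"},
    {"source": "firewall", "time": "2021-10-12 14:00:00", "src_host": "srv-db1", "signature": "Port scan", "level": 4},
]


def normalize(raw):
    """Map a tool-specific alert onto one schema: source, ts, host, title, severity."""
    if raw["source"] == "edr":
        return {"source": "edr", "ts": datetime.fromisoformat(raw["ts"]), "host": raw["device"].lower(),
                "title": raw["rule"], "severity": raw["severity"]}
    if raw["source"] == "firewall":
        return {"source": "firewall", "ts": datetime.strptime(raw["time"], "%Y-%m-%d %H:%M:%S"),
                "host": raw["src_host"].lower(), "title": raw["signature"],
                "severity": FIREWALL_LEVEL.get(raw["level"], "low")}
    raise ValueError(f"unknown source {raw['source']!r}")


def deduplicate(alerts, window=WINDOW):
    """Keep the first alert per (source, host, title) and drop repeats that arrive within
    `window` of the last kept copy. Returns (kept_alerts, number_suppressed)."""
    last_kept = {}
    kept, suppressed = [], 0
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["source"], a["host"], a["title"])
        prev = last_kept.get(key)
        if prev is not None and a["ts"] - prev <= window:
            suppressed += 1          # same alert, same window: noise for the analyst
            continue
        last_kept[key] = a["ts"]     # a repeat after the window is a new signal and is kept
        kept.append(a)
    return kept, suppressed


def _to_incident(host, cluster):
    sources = sorted({a["source"] for a in cluster})
    severity = max((a["severity"] for a in cluster), key=SEVERITY_RANK.__getitem__)
    escalated = len(sources) > 1     # independent tools agreeing on one host
    return {"host": host, "start": cluster[0]["ts"], "sources": sources,
            "titles": [a["title"] for a in cluster],
            "severity": "high" if escalated else severity, "escalated": escalated}


def correlate(alerts, window=WINDOW):
    """Cluster alerts per host inside `window`. A cluster fed by more than one source is
    escalated, which is exactly the pattern a single tool's alert volume would hide."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        cluster = [items[0]]
        for a in items[1:]:
            if a["ts"] - cluster[0]["ts"] <= window:
                cluster.append(a)
            else:
                incidents.append(_to_incident(host, cluster))
                cluster = [a]
        incidents.append(_to_incident(host, cluster))
    return incidents


def triage(raw_alerts):
    """Full pipeline on a batch of raw alerts; returns the analyst-facing summary."""
    kept, suppressed = deduplicate([normalize(r) for r in raw_alerts])
    incidents = correlate(kept)
    return {"raw": len(raw_alerts), "suppressed_duplicates": suppressed,
            "incidents": incidents, "escalated": [i for i in incidents if i["escalated"]]}


if __name__ == "__main__":
    summary = triage(RAW_ALERTS)
    print(f"{summary['raw']} raw alerts -> {len(summary['incidents'])} incidents "
          f"({summary['suppressed_duplicates']} duplicates suppressed)")
    for inc in summary["incidents"]:
        flag = "ESCALATE" if inc["escalated"] else "queue"
        print(f"  [{flag}] {inc['host']} {inc['severity']}: {', '.join(inc['sources'])} -> {inc['titles']}")
```

On the constructed batch, six raw alerts become three incidents: the two EDR repeats on WS-042 are suppressed, and the surviving EDR alert is joined with the firewall's C2 hit on the same host into a single high-severity incident, which is the one that should reach an analyst first. Host names are lower-cased before comparison because tools rarely agree on case, and that alone breaks naive correlation.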
Fact #5: business does not always align with IT
Business does not always align with IT because IT can make things slower, not on purpose but because of the controls it puts in place to counter business-associated risk.
This is where business gets ahead of IT (using IT as a generic term here, including ITOps and SecOps) and may deploy a “pilot” solution that introduces a threat: holes that attackers can exploit and then use to move laterally into the organization (the classic shadow-IT problem). Large organizations are aware of this and have C-level executives to recommend the proper approach. Smaller organizations need to adapt too, as they are becoming the #1 target for hackers.
And now what?
So, where do we stand in this? How should we run our organizations to avoid getting hit? “Getting hit” is unavoidable; it is a matter of time. Even the most airtight systems can be hacked, given enough time or a single human error.
Know what to protect
First, we need to know what we have to protect. Once we know, we carry out risk assessments (high, medium, low), evaluate the consequences of a breach for each asset, and prioritize accordingly.
Always prioritize ruthlessly. Cybersecurity should start once and never stop, iterating in cycles to make things better each time. Failure is also inevitable, but fail fast and recover faster with the right countermeasures in place: backups (tested, with a copy that ransomware cannot reach), offline archives, encryption, data loss prevention (DLP) mechanisms, data labeling, and governance.
Too many mice
Cybersecurity is like a cat-and-mouse game. The problem is that there are too many mice.
Vulnerabilities are effectively endless, and weaknesses in systems and procedures add to them. Since weak procedures are a factor we control, we need to be able to see where we fail and refactor those procedures fast to counter attacks.
Zero trust and governance
Aim for a single identity repository, governed and protected by the proper features, that grants only the right access to the right people just in time when they need it, rather than permanently.
Trust no one, always verify. Apply MFA to all your users, but in a way that is not counterproductive; otherwise people will find a workaround, and there lies the beginning of problems. Go passwordless wherever possible with FIDO2 keys or features like Windows Hello for Business, using biometric facial or fingerprint recognition. These methods are phishing-resistant because the credential is bound to the device and the site it was registered with, so there is nothing for a fake login page to capture.
Use the Zero Trust principles and apply them at every level of your security architecture. Remember, always build systems with defense-in-depth logic, applying security controls at each layer: identity, network, infrastructure, compute workloads, applications, and finally your data.
It’s not about defeating the adversary; it’s about making it bad “business” for them to engage in the first place. If they see that it will be difficult to penetrate and exfiltrate, they will probably move on to a target with a better ROI.
“Trust no one” also applies to insider threats.
Risk has no boundaries; do not assume that you are safe. Always assume breach. Behaviors change, and we should be able to pick that up.
We need the right tools
In this quest we need the right tools and the right platform: one that is vendor-agnostic and can cover our whole digital estate no matter where the resources live.
Tools that take inventory and prioritize the vulnerabilities and weaknesses they find, to help the busy SOC analyst and security engineer.
A unified platform for your endpoint detection and response (EDR) needs and your extended detection and response (XDR) needs, plus a security information and event management (SIEM) platform with security orchestration, automation and response (SOAR), to cover compliance as well as security and vulnerability management. Platforms that apply ML and AI and bring features like User and Entity Behavior Analytics (UEBA) into play.
Aim for a platform that has all of these capabilities in one integrated environment, to remove noise and dial down alert fatigue for your already exhausted SOC team.
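To make “behaviors change, and we should be able to pick that up” concrete, here is an added example of the kind of check a UEBA feature performs. It is not code from the original post or from any vendor product: it learns each user's normal sign-in countries, devices and hours from a constructed history, then scores new sign-ins against that baseline, including the impossible-travel case (two countries inside a short window) and the user with no history at all. The users, countries, scoring weights, the 2-hour travel window and the alert threshold are all assumptions.

```python
"""UEBA-style sign-in anomaly scoring (added example, constructed data).

Assumptions: a sign-in is (user, timestamp, country, device); weights and thresholds
below are illustrative, not taken from any product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRAVEL_WINDOW = timedelta(hours=2)   # assumed: two countries inside this window is "impossible travel"
ALERT_THRESHOLD = 3                  # assumed: scores at or above this are surfaced to the SOC

# Constructed history used to learn each user's normal pattern.
HISTORY = [
    ("alice", "2021-10-04T08:02:00", "GR", "alice-laptop"),
    ("alice", "2021-10-05T09:10:00", "GR", "alice-laptop"),
    ("alice", "2021-10-06T10:30:00", "GR", "alice-laptop"),
    ("alice", "2021-10-07T14:05:00", "GR", "alice-phone"),
    ("alice", "2021-10-08T16:20:00", "GR", "alice-laptop"),
    ("bob", "2021-10-04T07:45:00", "GR", "bob-laptop"),
    ("bob", "2021-10-06T10:00:00", "DE", "bob-laptop"),
    ("bob", "2021-10-08T18:30:00", "GR", "bob-laptop"),
    ("bob", "2021-10-11T17:00:00", "DE", "bob-laptop"),
]

# Constructed sign-ins to score (deliberately out of time order).
NEW_EVENTS = [
    ("alice", "2021-10-12T09:15:00", "GR", "alice-laptop"),    # normal
    ("alice", "2021-10-12T03:10:00", "RU", "unknown-win10"),   # new country, new device, 03:00
    ("bob", "2021-10-12T10:00:00", "DE", "bob-laptop"),        # normal, bob works from DE too
    ("bob", "2021-10-12T10:40:00", "GR", "bob-laptop"),        # DE -> GR in 40 minutes
    ("carol", "2021-10-12T11:00:00", "GR", "carol-laptop"),    # no history at all
]


def parse(rows):
    return [{"user": u, "ts": datetime.fromisoformat(t), "country": c, "device": d} for u, t, c, d in rows]


def build_baseline(history):
    """Per user: countries, devices and sign-in hours seen, plus the last (time, country)."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set(), "last": None})
    for e in sorted(history, key=lambda e: e["ts"]):
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(e["ts"].hour)
        b["last"] = (e["ts"], e["country"])
    return base


def score_event(e, baseline):
    """Return (score, reasons) for one sign-in. Only the 'last sign-in' marker is updated,
    so a flagged event never teaches the baseline that its country or device is normal."""
    b = baseline[e["user"]]
    score, reasons = 0, []
    if not b["countries"]:
        score += 3
        reasons.append("no baseline for user")
    else:
        if e["country"] not in b["countries"]:
            score += 3
            reasons.append(f"new country {e['country']}")
        if e["device"] not in b["devices"]:
            score += 2
            reasons.append(f"new device {e['device']}")
        if e["ts"].hour not in b["hours"]:
            score += 1
            reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
        last = b["last"]
        if last and last[1] != e["country"] and e["ts"] - last[0] <= TRAVEL_WINDOW:
            score += 4
            reasons.append(f"impossible travel {last[1]}->{e['country']} in {e['ts'] - last[0]}")
    b["last"] = (e["ts"], e["country"])
    return score, reasons


def detect(history_rows, new_rows, threshold=ALERT_THRESHOLD):
    """Score new sign-ins in time order and return those that cross the threshold."""
    baseline = build_baseline(parse(history_rows))
    findings = []
    for e in sorted(parse(new_rows), key=lambda e: e["ts"]):
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            findings.append({"user": e["user"], "ts": e["ts"].isoformat(), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(HISTORY, NEW_EVENTS):
        print(f"{f['ts']} {f['user']:6} score={f['score']}  {'; '.join(f['reasons'])}")
```

Three of the five new sign-ins are surfaced: alice's 03:10 sign-in from a new country on a new device, bob's 40-minute hop between two countries he otherwise uses legitimately, and carol, who has no baseline and therefore cannot be vouched for. Sorting by timestamp before scoring matters: events that arrive out of order would otherwise defeat the impossible-travel check.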
Start today; start small, but start today. Plan and apply.
No matter the size of your organization, you need to put in place all the basic countermeasures:
- multifactor authentication,
- up-to-date endpoint operating systems,
- endpoint antimalware,
- data governance,
- and device management.
Do you have legacy systems? Isolate them as much as possible: put them on their own network segment, keep them off the internet, and allow only the traffic they actually need.
Think with the three principles of Zero Trust in mind:
- Verify explicitly
- Use least privilege access
- Assume breach
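The three principles, together with the just-in-time access described in the “Zero trust and governance” section above, can be written down as a single access decision. The following is an added example, not code from the original post or from any Microsoft product: a deny-by-default check that verifies MFA and device compliance on every request (verify explicitly), allows an action only through a narrow, resource-scoped grant that expires (least privilege, just in time), and records every decision because the audit trail is what you investigate after a breach (assume breach). Role names, claim names, the sample grants and requests are all constructed.

```python
"""Zero Trust access decision with just-in-time grants (added example, constructed data).

Assumptions: request claims are booleans `mfa` and `device_compliant`; roles map to small
action sets; every grant carries an expiry. Nothing here is a real product API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    role: str               # least privilege: a narrow role, never a standing "admin"
    resource: str           # scoped to one resource
    expires_at: datetime    # just in time: every grant ends


@dataclass
class Request:
    user: str
    action: str
    resource: str
    mfa: bool               # assumed claim: strong authentication was performed
    device_compliant: bool  # assumed claim: device meets policy
    at: datetime


ROLE_ACTIONS = {"db-reader": {"read"}, "db-operator": {"read", "restart"}}


def decide(req, grants, audit):
    """Deny by default; return (allowed, reason). Every decision is appended to `audit`."""
    if not req.mfa:                                   # verify explicitly, on every request
        reason = "mfa required"
    elif not req.device_compliant:
        reason = "device not compliant"
    else:
        reason = "no active grant covering action"    # expired grants and wrong roles end up here
        for g in grants:
            if (g.user == req.user and g.resource == req.resource
                    and req.at < g.expires_at
                    and req.action in ROLE_ACTIONS.get(g.role, set())):
                reason = f"grant {g.role} valid until {g.expires_at.isoformat()}"
                break
    allowed = reason.startswith("grant ")
    audit.append({"at": req.at.isoformat(), "user": req.user, "action": req.action,
                  "resource": req.resource, "allowed": allowed, "reason": reason})
    return allowed, reason


NOW = datetime(2021, 10, 12, 9, 0)

GRANTS = [
    Grant("alice", "db-reader", "sql-prod", NOW + timedelta(hours=2)),    # 2-hour JIT window
    Grant("bob", "db-operator", "sql-prod", NOW + timedelta(hours=1)),
]

REQUESTS = [
    Request("alice", "read", "sql-prod", True, True, NOW + timedelta(minutes=10)),
    Request("alice", "restart", "sql-prod", True, True, NOW + timedelta(minutes=11)),  # outside her role
    Request("alice", "read", "sql-prod", True, True, NOW + timedelta(hours=3)),        # grant has expired
    Request("bob", "restart", "sql-prod", False, True, NOW + timedelta(minutes=5)),    # no MFA
    Request("bob", "restart", "sql-prod", True, False, NOW + timedelta(minutes=6)),    # unmanaged device
    Request("bob", "restart", "sql-prod", True, True, NOW + timedelta(minutes=7)),
]


def run_demo():
    """Evaluate the constructed requests; returns (decisions, audit_log)."""
    audit = []
    decisions = [decide(r, GRANTS, audit) for r in REQUESTS]
    return decisions, audit


if __name__ == "__main__":
    for entry in run_demo()[1]:
        verdict = "ALLOW" if entry["allowed"] else "DENY "
        print(f"{verdict} {entry['user']:6} {entry['action']:8} {entry['resource']}: {entry['reason']}")
```

Only two of the six requests are allowed. Note that alice's third request fails with the same "no active grant" reason as her out-of-role request: the expiry is enforced by the same comparison that enforces scope, so there is no separate "remember to revoke" step, which is the point of time-bound access. A password-only request (bob's first) never even reaches the grant check.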
October is Cybersecurity Awareness Month, but we need to make sure that we stay alert all year round.
- Zero Trust Model – Modern Security Architecture | Microsoft Security
- Microsoft Digital Defense Report OCTOBER 2021
Vassilis Ioannidis is a Microsoft Technical Trainer at Microsoft.
He has a passion for data and the cybersecurity space, and his playground is Microsoft Azure. He has a degree in Computer Programming, has held numerous Microsoft certifications since 2000, and has been a Microsoft Certified Trainer since 2005. Vassilis is a community enthusiast and a speaker at many events. He is results-driven and a lifelong learner.