Should security shift from defence to containing attacks?

The risks of cyber attack are more than doubling every year. So should CIOs and CISOs rethink how they organise IT security, Nic Fearn asks

When it comes to fighting cyber crime, the emphasis is overwhelmingly on prevention.

But with the volume of attacks against businesses growing by 122 per cent over the past year alone, it's clear that organisations are struggling. Once an attack happens, the focus soon shifts to containing it and ensuring the damage is as minimal as possible. How do businesses do this effectively, though?

Developing a holistic approach

The threat of cyber crime is growing in both complexity and scale. And there's not one particular approach that can eradicate all risks.

"The ongoing evolution of the cyber landscape and our growing dependence on technology means data protection is front-of-mind for businesses of all sizes, sectors and geographies," says Lorenzo Grillo, managing director of Cyber Risk Services at professional services firm Alvarez & Marsal.


"A business's ability to immediately detect an attack and then efficiently and effectively respond to it is crucial in order to mitigate possible financial, reputational or compliance devastation.

"Nevertheless, companies shouldn't make the mistake of completely shifting from defending to managing an attack, just because the market is going in that direction."

Grillo is a panellist at Computing's Cyber Security Live event on Thursday 21st November, on a panel discussing this very topic. He believes that organisations should take a holistic approach to cyber threats whereby they "implement all the counter-measures needed to alleviate the business risks related to cybercrime".

He continues: "Those security counter-measures must be prioritised in terms of risk, taking into consideration the company's risk appetite.

"Some of them could mitigate the likelihood of cyber threats (for example, ‘defending controls’, such as cryptography and strong authentication) or lessen the business impact of an attack (for example, ‘containing controls’, such as implementing a Security Operations Centre or securing cyber insurance)."


Another way to bolster security strategies, according to Grillo, is to implement a risk-based cyber operating model. To do this, organisations must define clear governance, which starts with the board of directors and senior management.


He adds: "Doing this creates a well-defined separation of roles and responsibilities within the various entities involved in managing the cyber risk (finance, risk, operations, HR, IT, CISO/CSO, compliance) and identifies the right security investment in accordance with the company's risk appetite.

"Focusing only on containment, or only on defence, isn't the right answer for appropriately aligned, successful cyber-risk management."

Containing attacks

Cyber resilience depends on both prevention and mitigation of attacks, argues Kevin Murray, senior threat research analyst at Webroot. He tells Computing: "Blocking ransomware, for instance, is important, but a business should always keep a backup just in case. Good security is built in layers and security needs to be considered in all aspects of an organisation."

The steps needed to contain an attack vary with the type of breach and the size of the organisation. Murray says: "The steps involved in containing an attack vary depending on the nature of the attack. Steps taken to contain a data breach might involve limiting access, implementing password policies or informing victims. As well as trying to stop intrusions, businesses should imagine worst-case scenarios and plan for them."

As part of this, cyber security must be layered, advises Murray. "Perimeter defence and staff training are both preventative security measures. Restricting user access, tracking network and user behaviour are all parts of mitigation while backups and cyber insurance are part of disaster recovery," he says.

With cyber criminals constantly developing ways to bypass security systems, new defence approaches and solutions are always emerging. ‘Zero trust’ is a security model that aims to strengthen the identity-verification process. But can such solutions provide the required security?


"Zero trust is preferable in some environments. The more chaotic environments, where controlling access and perimeter is tricky, are more suited to a ‘zero trust’ model. However, there will be a trade-off of convenience and speed for the end user in these environments," says Murray.

Containing attacks successfully also comes down to ensuring they are detected earlier and defended against with greater efficiency. Murray says: "There have always been attacks, so to assume we will have a future without them is naive.

"The general state of business cybersecurity is so poor that businesses should first focus on lifting themselves out of that state, as criminals will always go after the easy targets first.

"Simple steps, like securing RDP [remote desktop protocol], will instantly make your business much less likely to suffer attacks, while user education or user account policy reviews might be longer-term projects."

He says that detecting attacks more quickly involves improving threat research, particularly shortening the time taken for file and URL analysis.

Murray adds: "URLs and files will only stay active for a short window of time, so security companies need to be fast and focused. For admins, they need to put systems in place that are not just secure but that also offer proper reporting. Swimming in too much detail is a big obstacle when it comes to detecting attacks, so solutions that smartly prioritise the data they report are essential."

Minimising the risks

Nathan Howe, director of strategic transformation (EMEA) at Zscaler, agrees that adopting a zero-trust network access (ZTNA) approach can help to minimise the risks associated with legacy systems, in particular, and contain attacks with greater success.

"ZTNA radically changes the access model through its software-defined perimeter approach. The classic approach of TCP/IP connectivity, which connects the user to the network, is abandoned," he says.


"Instead of placing the user in the entire enterprise network, the ZTNA model establishes an outgoing connection from the application to the user. As this approach is policy-based, only the authorised user gains access to his application. Because this connection model no longer relies on the internet, no attack vector is offered."

What's more, the model is relatively straightforward to implement, Howe claims: "ZTNA is easy to administer, and provides peace-of-mind for companies that VPN systems will no longer be a risk. Also, once the policies that determine the authorisation of access rights are created for a user, organisations no longer have to worry about the risk factors of unpatched hardware systems."

Looking ahead to new dangers, he urges businesses to rethink and review their approach for enabling remote access to the corporate network or the cloud. "The reverse tunnel model of the software-defined perimeter is no longer safe," he tells Computing.

"Opening up to the cloud and benefiting from its flexibility, but not devoting yourself to modern security technologies at the same time, creates a false sense of security. This new infrastructure, where applications are found both within the enterprise network and multi-cloud environments, requires new security models."

Sadly, cyber crime is not only very real, but it is booming - driven in part by nation states like North Korea. Furthermore, attackers can be driven by a variety of motives and even organisations that think themselves insignificant and of no interest to anyone else can be targeted.

Although it's important to implement appropriate safeguards to stop cyber attacks from happening, criminals of all shades are always finding new ways to bypass them. So it's critical that organisations are also equipped to contain attacks when they do happen.

Don't miss the in-depth discussion in this - and several other - practical sessions at Computing's forthcoming Cyber Security Live 2019 event on Thursday 21st November in London. Attendance is FREE to qualifying IT leaders and IT pros, so reserve your place now, before they all go.