Turning Back the Clock: Cybersecurity Lessons from Ben Franklin
The secret to effective cybersecurity has been known for almost 300 years and came to us from Ben Franklin.
That is, “An ounce of prevention is worth a pound of cure.” Very powerful words when you look at the challenges facing most organizations today.
We live in turbulent times, especially in the Cyber Realm. As society becomes more and more dependent on technology and interconnectedness, we are faced with an unavoidable number of vulnerable products (software and hardware) with a wide range of exposure and transfer of cyber risks across service providers, vendors and customers. Combine that with growth in the number and sophistication of cyber threat actors, and you have a recipe for potential disaster if more urgency and rigor aren’t applied to organizations’ cybersecurity programs. This alarming trend is also compounded by several other factors: an increase in work from home employees (i.e. increased attack surface and increased triage time), unacceptable adversarial dwell times and an enormous talent shortage.
Several recent reports are very alarming. For example, the average dwell time (the time from when an adversary compromises their victim’s network to when they are detected) is 207 days, and it can take over 70 days to contain the impact. Another alarming trend, noted in a survey of SMB CEOs, is that only 7% were concerned that a cyber breach was very likely, when 67% of SMB organizations were actually targeted in the last year. One may think that this is due to a lack of urgency or care about cyber breaches, but looking at the data further, many of these organizations do not have a dedicated cybersecurity professional to raise awareness and educate the company. The cybersecurity workforce gaps will continue to grow as demand for talent, driven by new and more advanced threat actors, continues to outpace supply.
Organizational IT transformation and consolidation, done with or without CISO involvement, will also exacerbate the problem. Consolidation and transformation of IT resources will save money in the near term, but putting all of your eggs in one basket, so to speak, not only puts your organization on the adversarial radar but also increases the potential scale and scope of a breach. One may ask: if cyber threat actors are able to live in victim networks for months, and these victims are of all sizes, industries, and levels of cybersecurity maturity, what can be done?
I can tell you what not to do: “More of the Same,” because it clearly isn’t working.
The term “rise of the threat actor” has been used for quite a while, and unfortunately threat actors’ impact hasn’t plateaued. What has plateaued are the cyber defense programs of many organizations. Sadly, the goals of most organizations don’t go beyond being compliant with stagnant and outdated concepts, while threat actors have no rules and are constantly evolving. Also, many CISOs (some are lucky) spend a lot more of their time focused on trying to get senior buy-in to protect their cybersecurity program budget, or addressing challenges in recruiting, retooling and retaining their workforce.
Cybersecurity solutions have evolved from endpoint anti-virus (AV), then firewalls, then Network Intrusion Detection Systems (NIDS), then Host Intrusion Detection Systems (HIDS), Intrusion Prevention Systems (IPS), then network-based sandboxes, then EDR solutions, then Next Generation Firewalls, then Advanced EPP and so on. Adding more stovepiped solutions that don’t expose data or provide rich context only adds to the noise. Despite the buzzwords, these solutions rely heavily on a team writing signature/threat intel rules and trying to deploy them to customers faster than threat actors can act.
Despite organizations implementing these solutions over the years, adversaries have still been incredibly successful. The two biggest problems are poor First Move detection and the inability to efficiently find and triage the events that matter, amid all of the noise, in time to thwart attacks. More focus has been placed on curing the impact of a breach than on more effective prevention.
Many CISOs continue to focus on achieving compliance and deflecting liability rather than solving the problem by being more secure and enhancing an organization’s cybersecurity maturity. Now is the time to Turn the Tide, and not continue to revert to the old way. The old way takes a reactive posture, focusing too heavily on post-breach detection (Second or Third Move detection). Adversaries are more capable than ever, have more reasons to be destructive (deploying wiper software, ransomware or worse), and have more opportunities brought on by an expanded attack surface. We need a sense of urgency to proactively deal with this growing challenge. Trying to cure the impact of cyber-attacks after the damage has been done only makes them more impactful, expensive and potentially catastrophic and unrecoverable. Collecting on an insurance policy or passing on the liability of a breach to another third party doesn’t cure the problem or make the impact go away. CISOs and their security teams can turn back the clock on attackers by adopting a proactive approach to cybersecurity: leveraging tools that give them First Move alerts and visibility into novel threats before those threats can enter a network and spend weeks to months causing significant to catastrophic damage. An ounce of prevention in cybersecurity is truly worth a pound of cure.
In our next blog in the series, we will discuss several ways CxOs and board members can help ensure their organization is being proactive in dealing with cybersecurity and not solely focused on checking the box for compliance.