Don’t let the bad guys drive the strategy

If you are working on something related to cyber-security, you may feel you are wandering through a minefield. Are you doing enough? Are you doing the right things? Are you having the expected result for the money you invest? And even more relevant: Can you do more? What more?

These questions are fully justified. Just following the news in the media and within our own companies, it is easy to arrive at a slightly scary insight: as cybersecurity, information security and IT-security budgets and investments increase, we all get the impression that the number, complexity and impact of related incidents are increasing even faster.

A management team needs to focus on three words: number, complexity, and impact.

  • Cyberattacks have become more and more complex and sophisticated. Phishing is still the most “active” attack vector, with new and more sophisticated variants such as BEC (business email compromise).
  • The vast majority (more than 80%, in most cases around 90%) of successful cyberattacks have one thing in common: the human factor at the beginning of the attack.

The Assume Breach strategy: a backseat role for security.

Most companies and their cyber security providers have adopted a strategy known as the Assume Breach strategy, meaning that our starting point for cybersecurity is that we have already been breached.

A tremendous amount of good work has been done using this strategy. This work should go on and become even better, indeed. But it is not enough. Why?

–  Having a starting point that assumes the breach means that the “defence line” sits close to the assets to be protected (regardless of whether they are data, hardware, software etc.), which makes every fault in the security shield critical, as bad actors come very close to the main assets.

–  The approach of assuming we have been breached is very reactive, always in the backseat, letting the bad actors drive the cybersecurity development vehicle.

  • We base our technologies on this fact: intrusion detection systems (which detect an intrusion that has already happened), antivirus (whose signatures are updated after an attack is already well known), etc.
  • This leads to security solutions built in different layers. Each layer focuses on protecting against a failure in the previous layer, and the result is very technical, complex solutions that are hard to support and update.
  • Also, not being able to minimise risks before they reach the critical line of defence leaves a vulnerability that is easy to exploit in the window between the time it is discovered and the time its technical fix is available (the zero-day window).

– Most security solutions are based on two main lines of products:

o  Software and hardware products. The number of solutions is increasing tremendously in terms of new products and functionalities. Let’s be honest: it is almost impossible to have enough money for every one of the solutions a company supposedly needs. Most of them focus on niche functionality and overlap each other. Each of them requires a large amount of money per year, making the business case for customers impossible.

o  A CV-based product, where curricula vitae are sold based on the experience and knowledge of the individuals, and which does not leave any long-term knowledge transfer or strategy with the customer. Marketing and value proposition are mostly based on “extreme customer cases” facing very dangerous malicious actors.

  • If the work is more systematic, it is based on technical expertise implementing complex solutions to secure the line closest to the assets.
  • The other CV-based product line is based on the ability to implement and manage information security standards or related management systems.

o  There is one more fact to add: the demand for available resources with the right competence, experience and knowledge keeps growing as more organisations increase their cyber security efforts. As security relies on people and the shortage of people is a fact, the security approach becomes more and more standardised, focusing on general terms and solutions, almost like giving all patients the same pills, which makes the work of malicious actors easier.

The new scenario created by Digital Transformation

The assume-breach approach is based on technical competence and technology solutions combined with a management system for information security. However, digital transformation has moved the security perimeter outside the technical perimeter. This exposes new vulnerabilities in the digital space that become visible to malicious actors outside the company perimeter.

The new digital reality makes two aspects of security even more exposed and, therefore, more critical for the safety of the company: the supply chain and the human factor.

Neither area is managed in a suitable security manner by information security systems. IT-security professionals limit their “managing” to simple actions, without measurement and without the systematic, continuous way of working that security requires:

The supply chain is managed by questionnaires once per year, far from what a systematic security way of working is. It is a snapshot of one moment, not the continuous risk or security process it needs to be.

The human factor is managed by awareness training with no proper follow-up based on KPIs. In other words, we do not address human vulnerabilities. We try to say we do something. And we know the result of this work.

This means that important aspects of security, which malicious actors use today to perform sophisticated attacks, are managed in a very security-poor way, based on snapshots, questionnaires and actions without measurement. That is far from the heart of any security thinking: security is a systematic way of working that tries to minimise the organisation’s risk exposure and its consequences.

So, this digital transformation has affected the type and nature of vulnerabilities, as well as opening a new risk and threat landscape for companies and organisations: the one outside the actual perimeter, outside IT assets (databases, servers, applications, cloud services etc.), the one that has a life of its own in the digital space: blogs, social media, black markets, trading forums for hackers etc.

This is the world where malicious actors are looking for you. Let’s put this in some questions.

o  Can we call ransomware a commodity when you can buy it as a service on the Dark Web? You can effectively buy the technical expertise to perform attacks at a low level of risk.

o  Why are hackers so interested in credentials still? Why do they trade with them, and why do they buy them?

o  There is a market for info-stealers. Why? Why do they trade with this info? Why is this used to bypass 2FA and MFA solutions? Are you, as a reader, aware of the situation for info-stealers in your organisation or which ones are being sold in the black markets?

o  The fact that you can buy access to devices, systems, networks etc. is a considerable vulnerability today, and one that must always be managed proactively. Can it be?

Moving forward to a Prevent Breach Strategy

I do not want to dig deeper into the vulnerabilities of the “Assume Breach” approach, but we can no longer be naïve and think that technical solutions are enough.

The reality is that if we want to move forward, really increase our defences or try to win the battle, we need another strategy: to secure good intelligence in order to proactively anticipate the enemy’s movements, reduce their capacity to act and be able to win. In cyber security this is called the Prevent Breach Strategy.

This strategy works as a complement to the Assume Breach one. It aims to reduce the risks and vulnerabilities identified in the previous points. In order to minimise the risk of digital vulnerabilities, social engineering and supply chain attacks, these should be the primary goals:

  1. To move defence lines as far away from critical assets as possible by the early discovery of vulnerabilities outside the perimeter: such as info-stealers, credentials, digital exposure, etc.
  2. To introduce proactivity to the security program by scanning the whole spectrum of the internet, looking for those vulnerabilities exposed to malicious actors before they can be used.
  3. To manage digital vulnerabilities before they reach the perimeter, so IT-security teams can focus on the important tasks rather than be disturbed by too many of them. In this way, we get a very good picture of our attack surface, solve many possible problems and become less dependent on resources that are difficult to find today.
  4. To set up a systematic way of working for the poorly managed areas of information security, such as the supply chain and the human factor.
  5. To focus on minimising “hot vulnerabilities”, meaning the vulnerabilities used by malicious actors today to perform attacks: info-stealers, misconfigured devices, credentials, digital footprints etc.

Sally’s way: applying Digital Intelligence to the same IT Security Process

The best way to implement a “Prevent Breach” strategy that reaches those goals is a data-driven approach using Artificial Intelligence, Machine Learning and Big-Data capabilities. This way, we apply the Intelligence methodology to the organisation’s security process. The Intelligence methodology should cover different aspects such as Human Intelligence, Open-Source Intelligence, Breach Intelligence, Dark Source Intelligence etc. All this requires a good understanding of the Intelligence methodology, threat modelling, data gathering, structuring, categorising and analysing and, of course, a good set of sources in which to find the relevant data.

In other words, the key is to apply the intelligence methodology to the traditional security process in order to discover, categorise and manage the exposed vulnerabilities outside the security perimeter (such as those in the supply chain or the human factor).

Keep in mind that intelligence is not about data but about relevant data. For that, it is crucial to be familiar with suitable sources across the internet and with the right way to model assets and categorise data.

The vulnerabilities that we at I am Sally can discover are:

  1. Technical vulnerabilities: Using intelligence, we can map an organisation’s security perimeter from the outside and find the technical vulnerabilities associated with it, the same ones malicious actors will see.
  2. Human vulnerabilities: We can automate Human Intelligence to discover vulnerabilities at the department level and even at the personal level, and automatically work with the people concerned (at a department or individual level) to mitigate possible risks.
  3. Digital vulnerabilities: Advanced vulnerabilities such as info-stealers on company devices, credentials, data leaks, black markets, insiders etc.

Using intelligence allows us to have the same view as any malicious actor. With the data and tools that Sally has, we can perform a comprehensive scan for all those vulnerabilities, which helps companies increase their level of security in a much more effective way. We help companies mitigate the vulnerabilities that malicious actors are using today and be proactive in their security work, reducing the vulnerabilities inherent to the digital way of life.

Only with data-driven intelligence can security teams manage the blind spots of the “Assume Breach” strategy and reduce their exposure to the real attacks of today: social engineering, supply chain attacks, and advanced and sophisticated attacks.

If you think we could help you introduce a data-driven security approach covering the vulnerabilities mentioned above, reducing your company’s digital risk exposure in an easy and automated way, don’t hesitate to contact us. We can tell you more.