Take a step back to reflect on where we are now and where we should be heading in the next (and many more) tranches of implementing the RIGHT security. We need to build a security PIVOT to stay in the cyber chase with the adversaries.
If you have been reading security news regularly, you will know that the security chase will continue to be a constant struggle. We need to maintain pace and put in more effort to make sure attackers do not intrude easily because of our silly mistakes and poor hygiene (e.g. using weak passwords, running unpatched systems, etc.).
(e.g. the Marriott breach affecting an estimated 500 million guests, Supermicro suspected of having a spy chip implanted in its motherboards, Facebook exposing 6.8 million users' private photos, etc.)
IDENTIFY THE CHANGE DRIVERS
Before we can move ahead, we need to know the major change drivers that are going to slow us down in achieving the RIGHT security for our organisation. To keep up with the cybersecurity chase, we need to stay agile and be prepared for these changes.
Digitalisation waves - Brick-and-mortar services are transforming the way business is run by going digital. This means services are available on the internet at our fingertips. It also inadvertently increases the attack surface. Data breaches and non-compliance with data protection regulation have to be on an organisation's priority to-do list.
Smart & Operational Technology - The emergence of the Internet of Things (IoT) opens up a larger portfolio for Smart Cities to deliver one-stop integrated services to customers in the areas of Automotive, Health and Learning. Operational Technology (OT) is another area, closely associated with industrial control systems, which are no longer perceived to be isolated and safe from sabotage attacks (e.g. threat actors such as GreyEnergy have emerged). Supply chain security is a growing concern (look at Supermicro).
Cybercrime threat - Traditional antivirus applications against virus and trojan infections are no longer sufficient. New sophisticated threats have emerged, such as cryptocurrency-mining ransomware. Another new threat is cryptojacking, which works stealthily in the background, using your machine to churn through cryptocurrency-mining computations; the only sign you may notice is slower performance or lag. These highly lucrative endeavours by cybercriminals will continue, and they will also target the bitcoin and other cryptocurrencies stored in your eWallet.
Compliance with regulation - Cyber regulation development focuses not just on protecting personal data and safeguarding privacy; protecting critical infrastructure (CI) is next on the top priority list. Ensuring the availability of CI is of utmost importance, and lapses in adopting good security practices are going to expose the organisation in charge of the CI to serious legal liability for failing to put the correct protection measures in place.
BUILD YOUR SECURITY PIVOT
These change drivers are going to be a major headache for the security community if we continue to rely solely on our traditional way of running security. We need to push ahead and transform our security effort to take an active stance. To do that, I suggest we consider building (and using) a Security PIVOT at multiple levels (system, data, process, operations and people) to maintain high readiness against cyber threats.
Project TO Platform as a Service - Increasing on-premise resources (scaling up) will no longer remain a cost-effective option for running new projects. Management will be asking for a more sustainable and smaller footprint instead of buying more servers and computing power. Operational costs need to come down while reach to users (and smart devices) has to expand. Scaling up resources will not reduce the total cost of ownership significantly.
- Approach - Push beyond on-premise hosting of services and scale out by tapping on externally managed services such as cloud infrastructure. Think of a highly scalable, highly available, ready-built platform with API-supported services that provides agility while at the same time securing the microservices (the successor to modular application services).
- Things to Watch out for - Remember to engage the development team and end users, and make sure the experience measures up to their expectations and is no worse off when leveraging cloud services.
- AWS, Google and Azure are major players that have already built in several security components to provide a secure experience;
- Developers can reuse exposed API methods to maintain multi-factor authentication and perform key management tasks, without slowing their development efforts;
- End users are assured of strong data sovereignty compliance. Only authorised personnel are granted access, and the provider can produce on-demand audit reports to demonstrate continuous compliance with the various security regimes, e.g. CSA, SOC 1/2/3, ISO 27017 and more.
Information TO Intelligence services - Valued services need to provide timely information to keep pace with the real-time demands of end users, who are always online to stay updated and expect ready answers to their questions. To differentiate from security competitors, more actionable information should be provided to keep the user ahead in the cyber chase. Threat intelligence is an integral enabler of a truly proactive security strategy.
- Approach - Security providers gain an edge over others if they can provide in-house "intelligence" services that forewarn the customer of an imminent targeted attack on their business. Threat reports and assessments are produced regularly so that services can be secured more robustly and stay prepared for the next emerging cyber threat.
- Tool / Resource - Vulnerability disclosure programs (check out HackerOne's bug bounty) and threat intelligence services (check out the Recorded Future service, which complies with Continuous Diagnostics and Mitigation standards)
- Things to Watch out for - Running your own bounty program by inviting ethical hackers yourself is never advisable. Engage and talk to professionals such as HackerOne to gain better knowledge and insight into what this exercise is all about.
It is not just about paying bounties: you will be receiving reports and must act promptly to close all vulnerabilities discovered by third parties. Managing these third parties' expectations can be a challenge and, in the worst case, counterproductive if you mishandle the engagement. Leave it to the experts to manage that for you and focus on the core work of maintaining a high level of cyber hygiene.
Verification TO Validation checks - Current vulnerability scanning of hosts, applications and networks reveals known gaps, but attackers are going beyond these low-hanging fruits. They are not only actively discovering open holes but also moving inwards, moving laterally across the network, seeking out victims to gain administrator rights and eventually using those rights to penetrate the backend critical infrastructure hosting the "gold mine": the database of sensitive information.
- Approach - Consider tapping on ethical hacking (or, as some may term it, Red Teaming). The best defence is a good offence. Red Teaming (RT) is a full-scope, multi-layered attack simulation designed to measure how well a company's people, networks, applications and physical security controls can withstand an attack from a real-life adversary.
- Tool / Resource - Red team assessment checkup (take a look at Mandiant's Red Team)
- Things to Watch out for - RT differs from common vulnerability scanning in that it should not only use automated tools (~20%) but also rely on manual testing (~80%) by human testers who deep-dive and conduct advanced penetration.
- Always make sure the rules of engagement are confirmed before moving ahead with the exercise.
- Unannounced checks should be approved by management, and the blue team should not be given any tip-off. The exercise is not to finger-point the blue team's weaknesses but to exercise and enhance their existing processes.
- Critical services should stay intact, and penetration tests must not bring them down. The scope of the RT must be made clear too, as it can include social engineering (onsite, telephone, email/text, chat) and physical intrusion (lock picking, camera evasion, alarm bypass), especially for larger organisations.
Operate TO Orchestrate actions - Day-to-day operations and manual maintenance changes are not going to be sustainable with the transformation into digital services. Systems need to maintain a high level of resiliency, and this is inadvertently also going to strain your existing lean manpower, leading to more human mistakes due to fatigue. A company falls further behind the technology curve if it just continues to procure and implement disparate security solutions that are siloed and not integrated to provide a single security situation picture.
- Approach - Technology automation has to include orchestrated response to detections, mitigating with minimal human intervention, so that the first defence layer buys time for the necessary gap and impact assessment to be conducted comprehensively. Security teams can remain informed of all current vulnerabilities and efficiently evaluate the possible risk of each in order to take proper risk mitigation actions and respond promptly. DevOps security orchestration is another area to explore further as infrastructure implementation moves towards an 'infrastructure as code' approach.
- Tool / Resource - Security Orchestration, Automation and Response (SOAR) as an integrated solution (expand the existing SIEM implementation to build in workflows); tap on "template-driven" infrastructure deployment (reusing ready-made image templates)
- Things to Watch out for - DevOps can be summed up as continuous development and integration, which goes beyond simply merging the siloed development and operations teams.
- Operational processes need to be built into the application development environment to provide tighter integration. Code changes can then be seamlessly tested and released into operation in modular form.
- A waterfall model is no longer sufficient; agility is achieved through build-release sprint activities in the new application lifecycle.
- Injecting security checks into the DevOps lifecycle is also sometimes referred to as DevSecOps. This makes sure speedy releases still address all surfaced vulnerabilities before the code is released into production.
Threat TO Trustworthiness driven - So far, we have been looking at external threats and attackers from an outside-in defence perspective. But we are missing one important piece for complete threat coverage of the organisation: the internal threat factors. Outsourced third parties and privileged users are personnel who may abuse their administrative powers, leading to disastrous data breaches.
- Approach - An inside-out defence is needed. Beyond the "trust but verify" paradigm, stakeholders need to act and make decisions knowing the trust level of the reported activity, and triage anomalies (deviations from the norm) for immediate attention.
- Things to Watch out for - For an effective insider threat program, a dedicated team has to be built, made up of the right mix of experienced senior personnel from security, IT operations and even HR within the organisation.
- Ultimately, management will expect more than the "What?", "Where?" and "Who?" from the Insider Threat program: at a minimum, deterrence measures put in place to prevent, and detect early, any potential data leakage attempts.
THE ONLY CONSTANT IS CHANGE
There is no perfect security, and it is practically impossible to sustain a 100% fortified high wall that prevents all sorts of cyber attacks. Be pragmatic and adopt the RIGHT security by building the PIVOT in your environment to keep ahead in the cyber chase. Below are supplementary considerations to beef up your security plans.
- Build your security plan to have clear and concise security objectives.
- For example, identify a cybersecurity framework to safeguard the confidentiality, integrity and availability of the information and services.
- Establish the baseline security measures and define quick wins for stakeholders.
- For example, completely eliminate obsolete operating systems and applications, and adopt a vulnerability management program to keep patch compliance under constant watch.
- Develop wins that will collectively also improve the skill set of staff and increase the organisation's security awareness.
- For example, run a phishing awareness campaign to keep users prepared and ready to spot red flags in phishing emails, reducing the number of victims falling for spear phishing and social engineering.
- Build ring fences to protect against internal threats.
- For example, reduce unnecessary network connectivity by segregating connections to administrative and critical business systems. Ensure audit trails and logs of all security and system errors are monitored and reviewed constantly by the system owner, supported by a centralised security operations centre.
I hope this article has been a useful read for security awareness (and your next security planning).