Cybersecurity 2.0 - 4D (Digital Defense, Detection & Deception)

Umesh Yerram, Vice President, Chief Data Protection Officer, AmerisourceBergen

Background

Cybersecurity is a board room topic for most companies because a single cyber event can cause significant negative business impact, in some cases bankrupting the company. Even after making significant investments, companies remain vulnerable to sophisticated cyber threats. The sophistication of threat actors, the persistence of nation-state actors, the disruption caused by digital transformation and the shortage of cybersecurity skills make it very challenging for organizations to defend their business against a continuous onslaught of cyber-attacks. Most cybersecurity teams have become good at detecting known threats, but, as every breach indicates, it is the unknown threats that cause significant damage.

Cybersecurity 2.0

The cybersecurity frameworks that served us well for detecting and responding to known threats need to be updated to address unknown threats by adding a key new capability: prediction.

A cybersecurity 2.0 framework should be based not only on protective, detective and response principles but should also include three new principles: promptitude, protraction and prediction. Promptitude means rapid detection and response, so that threats and vulnerabilities are detected and addressed in near real time. Protraction means making it difficult for threat actors to find and steal sensitive data even after they have penetrated the network. Prediction means anticipating new unknown threats and zero-day attacks by gathering and analyzing internal and external intelligence and by constantly testing the defenses.

Historically, cybersecurity teams collected only a selection of the log data generated within the enterprise, because of resource constraints or technology limitations. To build predictive capability, every bit of log intelligence generated within the digital enterprise should be collected and used not only to protect, detect, defend and respond to threats but also to predict cyber-attacks. Modern big data platforms can provide this capability cost-effectively.

Today cybersecurity teams, especially cyber command center (CCC) analysts, are more effective when they have access to all the log intelligence generated within the enterprise together with external threat intelligence. Emerging technologies such as user and entity behavior analytics (UEBA), applied to the vast volume of logs collected daily, let teams detect anomalous behavior, a leading indicator of threats that signatures miss, with far fewer false positives than static rules alone. A security orchestration, automation and response (SOAR) capability lets teams automate playbooks for known threats and so increase response promptitude.
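The following is an added example (not code from the article or from any product the author names) of the UEBA idea in its simplest form: build a per-user behavioural baseline from a training window of authentication logs, then score later events against it. The log format, user names, hosts and timestamps are all constructed for the example. The point it illustrates is that an alert fires only when several independent deviations coincide (new source host, unusual hour, a burst of failures), which is what keeps false positives low; a single deviation such as a new workstation is recorded but does not page anyone.

```python
"""UEBA-style baseline and anomaly scoring over constructed authentication logs.

Added example, not from the article. Log format (constructed): ISO timestamp,
user, source host, outcome. Real UEBA products use statistical models over many
more features; this shows only the baseline-and-coincidence principle.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "normal" activity used to learn each user's baseline (not real data).
TRAINING_LOG = [
    "2024-03-04T08:55:12 alice ws-alice-01 success",
    "2024-03-04T17:40:03 alice ws-alice-01 success",
    "2024-03-05T09:02:44 alice ws-alice-01 success",
    "2024-03-05T12:15:09 alice ws-alice-01 failure",
    "2024-03-06T08:47:31 alice ws-alice-01 success",
    "2024-03-06T13:20:00 alice jump-01 success",
    "2024-03-07T09:10:55 alice ws-alice-01 success",
    "2024-03-04T07:30:00 bob ws-bob-07 success",
    "2024-03-05T07:35:10 bob ws-bob-07 success",
    "2024-03-06T07:29:48 bob ws-bob-07 success",
    "2024-03-07T07:33:02 bob ws-bob-07 success",
]

# Constructed events to score: a benign new workstation for alice, and for bob
# an off-hours login from an unknown host preceded by a burst of failures.
EVAL_LOG = [
    "2024-03-11T09:05:00 alice ws-alice-02 success",
    "2024-03-12T02:14:10 bob vpn-gw-03 failure",
    "2024-03-12T02:14:25 bob vpn-gw-03 failure",
    "2024-03-12T02:14:41 bob vpn-gw-03 failure",
    "2024-03-12T02:15:02 bob vpn-gw-03 success",
]


def parse(line):
    """Split one constructed log line into (timestamp, user, host, outcome)."""
    ts, user, host, outcome = line.split()
    return datetime.fromisoformat(ts), user, host, outcome


def build_baseline(lines):
    """Per-user profile: the source hosts and the hours of day seen in training."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, _ in map(parse, lines):
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(ts.hour)
    return baseline


def score_events(lines, baseline, fail_window=timedelta(minutes=5),
                 fail_threshold=3, alert_at=2):
    """Return alerts for events that deviate from the baseline in >= alert_at ways."""
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    alerts = []
    for ts, user, host, outcome in map(parse, lines):
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if host not in profile["hosts"]:
                reasons.append(f"new source host {host}")
            # Tolerate one hour either side of any hour seen in training.
            if not any(abs(ts.hour - h) <= 1 for h in profile["hours"]):
                reasons.append(f"unusual hour {ts.hour:02d}:00")
        if outcome == "failure":
            recent_failures[user].append(ts)
        # Drop failures that have aged out of the sliding window.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= fail_window]
        if len(recent_failures[user]) >= fail_threshold:
            reasons.append(f"{len(recent_failures[user])} failures within {fail_window}")
        if len(reasons) >= alert_at:
            alerts.append({"time": ts.isoformat(), "user": user,
                           "score": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in score_events(EVAL_LOG, build_baseline(TRAINING_LOG)):
        print(alert)
```

Run as is, the alice event is scored but not alerted (one deviation), while each of bob's events is alerted, with the score rising to 3 once the third failure lands inside the five-minute window. Tuning `alert_at` and `fail_threshold` is the trade-off between promptitude and noise that a CCC team makes per data source.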

Threat hunting should be a key capability within the cybersecurity portfolio, proactively detecting and defending the enterprise. UEBA and policy-driven detection do a very good job of detecting known and unknown threats, but a continuous threat hunting process will identify threats that were missed. Structuring hunts around the MITRE ATT&CK framework creates a repeatable process with defined goals: each hunt targets a specific tactic or technique and states what evidence would confirm or rule it out. Threat hunters can also perform live forensics for ongoing cyber investigations and play a key role in the incident response process.

Gathering high-fidelity threat intelligence, curating it for your enterprise and using it to identify threats should be automated to strengthen detection and defensive controls. Sweeping the environment once for the indicators in a new threat report is not enough. Cybersecurity teams should also work out how the new threat could make its way into their environment even if it is not present at first glance.

Breach and attack simulation (BAS) can play a key role in helping cybersecurity teams understand how the latest threats can enter their environment and move laterally. Running automated breach simulations based on the latest threat intelligence drives continuous improvement not only of preventive and detective controls but also of predictive capability. Combining BAS results with attack surface data helps predict which threats the enterprise is susceptible to and how those threats could exploit known vulnerabilities. Red team and purple team exercises still add tremendous value, but BAS provides an agile way to test the defenses continuously and economically.

Understanding the attack surface and reducing it significantly lets cybersecurity teams focus on the right areas and be more productive. There is no better way to reduce the attack surface than diligently patching all systems on a regular cycle. Many enterprises struggle to keep to a regular patching cycle because of limited resources or the need to minimize business disruption. Using threat intelligence to prioritize patches by risk, so that vulnerabilities known to be exploited in the wild are fixed first, is therefore critical to maintaining a robust security posture.

As application development teams embrace agile methodology and release digital products and enhancements frequently, cybersecurity teams should partner with them to test those products and enhancements thoroughly for security without impeding the release schedule. CCC analysts should combine infrastructure and application vulnerability data, application security testing results and external threat intelligence to implement defensive measures that address gaps in the security posture.

It is a matter of "when", not "if", an enterprise will experience a sophisticated cyber-attack. Threat actors other than nation-state actors have limited time and resources to spend on an attack to exfiltrate sensitive data or disrupt business operations. The more difficult you make it for them to find sensitive data or systems once they have penetrated the network, the better you can deter and disrupt their efforts. Protraction is therefore a key defensive capability, and deception is a natural way to achieve it. Deception also strengthens detection: because no legitimate user or process has any reason to touch a decoy, any access to one is a high-fidelity alert on which cybersecurity teams can launch full-fledged incident response.
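As an added example (not code from the article or from any deception product), here is the detection half of a deception deployment: a registry of planted decoys and a matcher that raises an alert whenever any log field references one, then pulls every event from the same source address as the initial scope for incident response. The decoys, the key=value log format, the hostnames, the account name, the document path and the cloud access key id are all constructed for the example; the access key is a made-up string in the AWS key-id style and was never issued. The example goes slightly beyond the paragraph by covering several decoy types at once (host, account, document, cloud credential), since the same matching logic serves all of them.

```python
"""Decoy (honeytoken) matching over constructed key=value access logs.

Added example, not from the article. Because decoys are never used by any
legitimate job, a match is an incident signal rather than a statistical
anomaly, which is why deception alerts are high-fidelity. The one operational
caveat: vulnerability scanners, backup jobs and inventory agents must be
excluded from touching decoys, or they become the false positives.
"""

# Constructed decoy registry: planted value -> what kind of decoy it is.
DECOYS = {
    "fin-backup-07.corp.example": "decoy host (exists only in DNS and the CMDB)",
    "svc-sqlbackup-legacy": "decoy account (credentials planted in a scripts share)",
    r"\\fileshare\finance\Q4-payroll.xlsx": "decoy document (never referenced by any job)",
    "AKIADECOY0000EXAMPLE": "decoy cloud access key id (constructed, never issued)",
}

# Constructed log lines (not real data): an intruder on 10.8.4.21 exploring, and
# one benign line from a different user for contrast.
SAMPLE_LOG = [
    "2024-03-12T02:20:11 src=10.8.4.21 user=bob action=dns query=fileshare.corp.example",
    r"2024-03-12T02:21:03 src=10.8.4.21 user=bob action=smb path=\\fileshare\finance\Q4-payroll.xlsx",
    "2024-03-12T02:21:40 src=10.8.4.21 user=bob action=dns query=fin-backup-07.corp.example",
    "2024-03-12T02:22:05 src=10.8.4.21 user=svc-sqlbackup-legacy action=logon host=fin-backup-07.corp.example",
    "2024-03-12T02:25:30 src=10.8.4.21 user=bob action=cloud-api key=AKIADECOY0000EXAMPLE call=ListBuckets",
    r"2024-03-12T09:00:12 src=10.8.5.77 user=carol action=smb path=\\fileshare\hr\handbook.pdf",
]


def parse_event(line):
    """Turn 'timestamp k=v k=v ...' into a dict; the timestamp is stored under 'time'."""
    ts, *fields = line.split()
    event = {"time": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def match_decoys(lines):
    """One alert per log field whose value is a planted decoy."""
    alerts = []
    for ev in map(parse_event, lines):
        for field, value in ev.items():
            if field != "time" and value in DECOYS:
                alerts.append({
                    "time": ev["time"], "src": ev.get("src"), "user": ev.get("user"),
                    "field": field, "decoy": value, "kind": DECOYS[value],
                })
    return alerts


def scope_incident(lines, alerts):
    """Everything seen from any source that touched a decoy: the starting scope for IR."""
    hot_sources = {a["src"] for a in alerts}
    return [ev for ev in map(parse_event, lines) if ev.get("src") in hot_sources]


if __name__ == "__main__":
    hits = match_decoys(SAMPLE_LOG)
    for hit in hits:
        print("ALERT", hit["time"], hit["src"], hit["field"], "->", hit["kind"])
    print(len(scope_incident(SAMPLE_LOG, hits)), "events in initial incident scope")
```

Note that the decoy touches arrive through different telemetry (DNS, SMB, logon, cloud API), which is why the registry is matched against every field rather than a single "hostname" column; the scope function then gives the responder the full trail from that source without waiting for a UEBA model to catch up.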

Conclusion

With digital business disruption, the proliferation of data outside traditional IT infrastructure and the sophistication of threat actors, cybersecurity teams should update their frameworks and embrace emerging technologies to address new, sophisticated threats. Protective, detective and robust response capabilities remain key to protecting the enterprise, but developing predictive capability will be critical to how enterprises combat emerging cyber threats in the digital age.
