enterprisesecuritymag

Cybersecurity 2.0 - 4D (Digital Defense, Detection & Deception)

By Umesh Yerram, Vice President, Chief Data Protection Officer, AmerisourceBergen

Background

Cybersecurity is a boardroom topic for most companies, as a single cyber event can cause significant negative business impact, in some cases bankrupting the company. Even after making significant investments, companies remain vulnerable to sophisticated cyber threats. The sophistication of threat actors, the persistence of nation-state actors, disruption due to digital transformation and a shortage of cybersecurity skills make it very challenging for organizations to defend their business against the continuous onslaught of cyber-attacks. Most cybersecurity teams have become good at detecting known threats but unfortunately, as every breach indicates, it's the unknown threats that cause significant damage.

Cybersecurity 2.0

The cybersecurity frameworks that served us well to detect and respond to known threats need to be updated to address the unknown threats by including a key new capability: prediction.

This cybersecurity 2.0 framework should be based not only on protective, detective and response principles but also on three new key principles: promptitude, protraction and prediction. Promptitude means rapid detection and response, so that threats and vulnerabilities are detected and responded to in near real time. Protraction means making it difficult for threat actors to find and steal sensitive data even if they penetrate the network. Prediction means anticipating new unknown threats and zero-day attacks by gathering and analyzing internal and external intelligence along with constantly testing the defenses.

Historically, cybersecurity teams gathered selective log intelligence generated within the enterprise due to resource constraints or due to technology limitations. For cybersecurity teams to build predictive capability, every bit of log intelligence generated within the digital enterprise should be collected and used to not only protect, detect, defend and respond to threats but also to predict cyber-attacks. The new big data technology platforms can provide this capability in a cost-effective manner.

Today cybersecurity teams, especially the cyber command center (CCC) analysts, can be more effective when they have access to all the log intelligence generated within the enterprise and to external threat intelligence. Using proven emerging technologies like user entity behavior analytics (UEBA) to analyze the vast amounts of log intelligence collected daily will enable cybersecurity teams to accurately detect threats, with minimal false positives, and predict anomalous behavior. Security orchestration & automation response (SOAR) capability will enable cybersecurity teams to automate playbooks for known threats and increase response promptitude.

Threat hunting should be a key capability within the cybersecurity portfolio to proactively detect and defend the enterprise. UEBA and policy-driven detection do a very good job of detecting known and unknown threats, but continuous threat hunting processes will help identify any threats that were missed. Threat hunting using the MITRE framework can create a repeatable process to conduct hunting activities with defined goals. Threat hunters can also perform live forensics for ongoing cyber investigations and play a key role during the incident response process.

Gathering threat intelligence with high fidelity, curating that intelligence specific to your enterprise and using that intelligence to identify threats should be automated to enhance your detection and defensive controls. Using the threat intelligence to sweep the environment for potential threats as a one-time activity is not enough. In fact, cybersecurity teams should try to understand how new threats can make their way into their environment even if they are not present at first glance.

Breach and attack simulations (BAS) can play a key role in helping cybersecurity teams understand how the latest threats can enter their environment and move laterally. Performing automated breach simulations using the latest threat intelligence can help drive continuous improvement of not only preventive and detective controls but also predictive capability. Using BAS data along with attack surface reduction data will help predict what kinds of threats the enterprise is susceptible to and how those threats can exploit known vulnerabilities. Red team testing and purple team testing still add tremendous value, but BAS capability will provide an agile way to test the defenses in a continuous and economical way.

Understanding the attack surface and reducing it significantly will enable the cybersecurity teams to focus on the right areas and be more productive. There is no better way to reduce attack surface than diligently patching all systems regularly on an ongoing basis. Many enterprises have challenges adhering to a regular patching cycle due to lack of resources or the need to minimize business disruption. However, leveraging threat intelligence and using a risk-based approach to patch all systems is critical to maintaining a robust security posture.

As application development teams embrace agile methodology and release digital products and enhancements to those products on a frequent basis, cybersecurity teams should partner with those teams to perform thorough security testing of those products and enhancements without impeding their release schedule. CCC analysts should leverage enterprise infrastructure and application vulnerability data, application security testing data and external threat intelligence to appropriately implement defensive measures to address the gaps in the security posture.

It is a matter of “when” and NOT “if” an enterprise will experience a sophisticated cyber-attack. Threat actors, other than nation-state actors, have limited time and resources to launch sophisticated attacks to exfiltrate sensitive data or disrupt business operations. The more difficult you make it for threat actors to find sensitive data or systems once they penetrate the network, the better you can deter and disrupt their efforts. Therefore, protraction is a key defensive capability, and deception is a perfect capability to achieve it. In addition, deception capabilities will increase your defensive and detection capabilities by providing high-fidelity alerts for cybersecurity teams to launch full-fledged incident response activities.

Conclusion

With digital business disruption, proliferation of data outside of traditional IT infrastructure and sophistication of threat actors, cybersecurity teams should update their framework and embrace emerging technologies to address new emerging sophisticated threats. Protective, detective and robust response capabilities remain key to protecting the enterprise but developing predictive capability will be critical to how enterprises combat emerging cyber threats in the digital age.  
