Assumption of Breach: A New Approach to Cyber Security

Transcription

1 Assumption of Breach: A New Approach to Cyber Security An Atrion White Paper 2016 Atrion, Inc. All Rights Reserved.

2 Assumption of Breach: A New Approach to Cyber Security A Look at the Threat Landscape Perhaps no area of technology has received more attention from the public, media and organizations in recent years than cyber security. With federal agencies like the Office of Personnel Management and major banks like J.P. Morgan having been victimized by damaging attacks, IT leaders and executives have been forced to take notice of a threat landscape that seems to grow more perilous each day. In the wake of these high-profile incidents, the media s messages have been clear: if organizations with nearly unlimited resources can be compromised, data breaches are inevitable for nearly every business. But that narrative does not tell the whole story. It is true that the threat landscape has made it essentially impossible for organizations to keep every threat out, contends Josh King, Technical Director of Security at Atrion. The days when simply buying the best firewall on the market served as a comprehensive security strategy are gone forever. But although the sheer volume of attacks means that some number of breaches are inevitable, with the right people, processes and technology in place, a resulting crisis is far from a foregone conclusion, he adds. So what does this mean for organizations? What changes do they need to make to adapt to modern security challenges? The first step is a change in mindset; businesses must now operate under the assumption that at some point, a breach will occur. Put a different way, before an organization begins to think about what tools to adopt or strategies to implement, it must first shift its mindset from assumption of protection to assumption of breach. As SC Magazine, a publication for IT security professionals, stated in a recent article, Companies are still prioritizing protection over detection despite the fact that preventative capabilities alone are fundamentally incapable of stopping today s cyber threats. In that same article, the magazine refers to a recent RSA survey of more than 400 security professionals that found that 75 percent of companies have significant cyber security risk exposure. In the following pages, this white paper will examine how that change in philosophy can help shape an effective organizational cyber security strategy. This document will also detail how adopting a layered approach to security that focuses on turning three key elements people, processes and technology from vulnerabilities to strengths can help an organization achieve positive outcomes such as: Vastly reducing the number of breaches, often by several orders of magnitude Protecting critical systems, applications and data Avoiding costly downtime Retaining customer confidence and protecting brand reputation Avoiding the consequences of failing to comply with industry regulations 1 ASSUMPTION OF BREACH: A NEW APPROACH TO CYBER SECURITY

3 COMPANIES ARE STILL PRIORITIZING PROTECTION OVER DETECTION ASSUMPTION OF BREACH: A NEW APPROACH TO CYBER SECURITY 2

4 The First Element: People The first of the three security elements crucial to any organization is its people. The individuals who can potentially impact security fall broadly into four groups: IT practitioners: An organization s internal IT team interfaces with various technologies every day. Depending on the size of the organization, it might have one or in rare cases a few IT staffer dedicated to security, but in most cases it will be one responsibility shared among many others. If we look at the current threat landscape as a battlefield, IT practitioners are your soldiers; they need high-quality training to be effective, specifically on how to operate security systems and solutions that the organization has purchased, says King. In most instances these individuals will also be charged with leveraging the organization s processes and technologies, so it is critical that they have the requisite training and knowledge to do that effectively. Employees: These are the workers who use business applications as part of their day-to-day responsibilities. They are not IT professionals and likely aren t thinking about cyber security other than when they hear about a high-profile breach on the news. For that reason, these people are an organization s most significant vulnerability and must be protected by security systems and educated about threats. Former FBI Computer Intrusion Unit Head Don Codling recently said at a seminar that Savvy, well-meaning employees can be fooled into doing something to allow attacks access to company networks. He cited an example in which an employee clicks an that appears to be a subpoena from his or her personal attorney. Without an understanding of what to look for, employees can become a seemingly insurmountable vulnerability. But those same well-meaning employees, if educated properly, can turn from a major weakness into a tremendous asset. Leadership: These are IT directors, members of senior leadership and even board members. These are the people who must not only help create the vision, but also generate buy-in from the rest of the organization. If leadership is disinterested in security or worse, fails to abide by the procedures they help create a program has little chance to succeed. A company s leaders must also avoid fostering a culture of blame around cyber security. Too often, especially in recent years, breaches have led to firings or resignations from C-level executives. While some incidents may warrant personnel changes, in many instances the best thing an organization s senior leaders can do is pull together and determine how to remediate the situation and ensure it doesn t happen again. Third-party consultants: Between managing technologies and infrastructure; identifying qualified candidates to hire; conducting daily operations; and dealing with governance and compliance challenges, security can be expensive and time-consuming. Consultants have become an increasingly important part of a security strategy, because for most organizations, investing in an entire security team is just not feasible. Security consultants can help augment internal teams and bring valuable experience to a security infrastructure project or incident. They can also free up internal IT staffers to focus less on run tasks and more on forward-facing security initiatives. 3 ASSUMPTION OF BREACH: A NEW APPROACH TO CYBER SECURITY

5 In the introduction to Hewlett Packard Enterprise s 2016 State of Security Operations, Chris Triolo, Vice President, Security Product Global Services writes: Staffing and training continue to be the foremost challenge of the modern security operations center (SOC). This is paving the way to hybrid staffing models and hybrid infrastructures that require less in-house expertise. As a result, highly skilled security team members can then be utilized for a more specialized hunt and analytics-focused work. The Second Element: Policy Policy is a critical element of security in large part because it functions as the bridge between people and technology. A robust security policy is comprised of several critical components, including testing and optimization, risk management planning and incident response. Incident response, in particular, is an example of how security policy should ideally function, because it is essentially the barrier between an organization and chaos in the wake of an incident. 81% 45% 34% Organizations that have an incidence response plan. Organizations that either never practice responding to a breach, or wait more than two years between run-throughs. Organizations confident that their response plan was effective. ASSUMPTION OF BREACH: A NEW APPROACH TO CYBER SECURITY 4

6 Because the various elements of cyber security are interdependent, preparation that fails to address all three of the elements will result in vulnerability. Even organizations that have dedicated security resources (and well-trained users) that can identify malicious threats and the latest and greatest technology breach will still occur at some point. Without an incident response plan, when that happens, the organization has no choice but to respond on the fly, which is problematic for several reasons. When that breach occurs it is human nature for panic to set in and panic leads to rushed decisionmaking and errors, King explains. Just the knowledge that there is a response plan in place helps keep your organization from descending into chaos. A documented plan also ensures that that organizations don t miss critical steps in the remediation process, because policy preparation forces the business to ask the most important questions that typically arise minutes after a breach is confirmed, such as: Who do I need to notify in my organization? What data was exposed? What technology or process should I use to determine if the breach is real? Will I need to alert customers? Do regulatory agencies or law enforcement need to be involved? It is also essential that any incident response plan be regularly reviewed, evaluated, practiced and updated. New threats emerge constantly, meaning a static, outdated policy will have little value once that inevitable breach takes place. Despite its importance, this area is still a blind spot for many organizations. Although a recent Experian survey found that 81 percent of organizations do have a response plan in place up from 73 percent in 2014 the same survey also found that 45 percent of respondents say their organization either never practices responding to a breach, or waits more than two years in between run-throughs. Additionally, only 34 percent of respondents were confident that their plan was effective. Drafting a response policy is a natural, solid starting point, but it should not be conflated with the finish line just like new technologies replacing legacy solutions, security processes must be continuously improved as well. The Third Element: Technology Security technology can be broken down a number of different ways; Atrion s philosophy on security breaks these solution areas into three distinct categories, or pillars : 1. Threat Security: This element focuses primarily on the threat and keeping the bad stuff out, says King. This is where organizations typically spend the majority of their security budgets, and for good reason; millions of new malware variants are released each year. Some examples of threat security technology include: Next-generation firewall Next-generation intrusion protection Breach detection and sandboxing security 5 ASSUMPTION OF BREACH: A NEW APPROACH TO CYBER SECURITY

7 WE HAVE TO HAVE A BETTER UNDERSTANDING OF WHERE OUR MOST VALUABLE INFORMATION LIVES 2. Asset Security: The focus here is on the actual assets IT organizations are trying to manage and leverage on a daily basis. This includes infrastructure, endpoints and user identity. The objective is to maintain the compliance of these elements with proper security policies and controls to give them the best opportunity for defense against malicious threats and misuse. Technologies that fall into this category include: Network access control Application and patch management Active directory compliance Continuous vulnerability management 3. Information Security: This pillar helps answer the Who, What, Where, When, How, and Why of critical information and data. Here the focus is on protecting what is important and determining what to keep within the organization rather than focusing on what to keep out. Such technologies include: Permission management Data identification and classification Data loss prevention Encryption Most organizations are at least familiar with threat security, as firewalls have long been top-of-mind during IT budget planning. Asset security technologies like Network Access Control (NAC) have also seen fairly widespread adoption especially since the boom of Bring Your Own Device (BYOD). Information security, however, is the area where many organizations simply aren t devoting enough of their budget or energy. If we are going to approach security with the understanding that some breaches will inevitably occur, we have to have a better understanding of where our most valuable information lives and how it is used so that we can better understand how we can protect it, King says. Data identification and classification technologies, for example, can locate sensitive information like credit card numbers and personal identifiable information (PII), and ensure not only that authorized users have access to it, but provide insight into how they are interacting with it as well. Additionally, with so many organizations now leveraging cloud services, information security is growing increasingly more challenging for organizations to get their arms around. When all important data and intellectual property lived inside an organization s four walls, information was easier to monitor. Today IT has to understand what data should and shouldn t live off-premises to effectively manage risk. But if we don t know what that information and data is to begin with it, we can t even begin to tackle that challenge. ASSUMPTION OF BREACH: A NEW APPROACH TO CYBER SECURITY 6

8 Moving Forward Former Cisco CEO John Chambers was famously quoted as saying that There are two types of companies: those that have been hacked, and those who don t know they have been hacked. Implicit in that statement is the notion that every organization, whether it knows it or not, has suffered a breach at some point; the difference between the two groups is that the organizations that know they have been breached are in a position to do something about it. Martin Roesch, Vice President and Chief Architect, Cisco Security Business Group, has asked his audience during several public presentations, If you knew you were going to be compromised would you do security differently? But for organizations that hope to protect themselves from serious damage, this question must become more than a thought exercise it must become the fundamental question that underlies a holistic approach to security. Only when IT leaders and organizational decision makers understand that can they begin to answer the fundamental question. 7 ASSUMPTION OF BREACH: A NEW APPROACH TO CYBER SECURITY

9 Assumption of Breach: A New Approach to Cyber Security An Atrion White Paper Modified CC images copyright Petras Gagilas, Greg Goebel, Tom Page, Michael Goodine on Flickr.com 2016 Atrion. All Rights Reserved. atrion.com ASSUMPTION OF BREACH: A NEW APPROACH TO CYBER SECURITY 8