Organizations today are subjected to meticulously scoped, expertly developed and targeted attacks by nation-states and criminal groups. Given how public large-scale data breaches have become, cybersecurity has become a household term. But this new normal means no one rests easy.
Out of the news coverage of devastating breaches in retail, government, healthcare and finance comes a clear lesson for government agencies: they need to think about their own role, and about how to better withstand a breach that compromises proprietary information and could threaten critical infrastructure.
Organizations—particularly their enterprise security teams—are working tirelessly to keep attackers out, to mitigate the damage perpetrators cause and to innovate for the future. Cybersecurity has become a new battlefield with an endless number of attacks ahead.
Like a real battlefield, where adversaries bring every type of weapon to bear, attackers innovate too, developing new attack methods and building new variants of tried and true techniques such as SQL injection. The threat landscape organizations face is all-encompassing and constantly evolving: malware-based attacks (rootkits, ransomware), zero-days and APTs, code injection attacks, and nation-state operations that now target multinational companies as well as governments, which means the motive is no longer only espionage.
In the past, cybersecurity was about building a bigger wall to keep criminals out. We are no longer living in that world: with mobile users, remote access and cloud services, the network perimeter has dissolved. A new security mindset is required. We have to shift from asking "if" a breach happens to planning for "when" it happens.
A recent Gartner report, Six Principles of Resilience to Address Digital Business Risk and Security, underscores the situation at hand and identifies a new macro trend as of 2015: the growing capacity and sophistication of digital adversaries to breach our defenses and cause major disruptions to business operations. There should be no doubt that we need to act now.
Applying a targeted military-style strategy
Government agencies (and all organizations) need a strategy that maps to the tried and tested military concept of resilience, so that they can confront the cyberworld's adversaries on multiple levels. The primary objective is protecting the agency while preserving continuity of operations and intellectual property. You can no longer expect to win every cyber battle. The goal instead is to prove over the long term that your organization does not have to succumb to methodical, targeted attacks, and that requires resiliency at the core of the security strategy.
National Security Agency Director and Commander of US Cyber Command Admiral Mike Rogers drew this parallel last year, arguing for more attention to cyber resilience in the face of emerging threats. As a Navy veteran of more than 30 years, he pointed out that the military does not abort a mission in the face of resistance; it accepts that it will sustain a certain amount of damage and keeps fighting rather than laying down its arms.
The contrast is with how many security and IT teams, in the past and still today, simply "nuke and pave" machines that become infected: they take the host offline and/or wipe it entirely. Wiping destroys the evidence needed to understand how the attacker got in and what they touched, and it does nothing about the footholds the attacker holds elsewhere. A sophisticated, persistent adversary can see that a machine was reimaged, learns that they were detected there, and simply comes back through another door.
Repeating this outdated process across thousands of infected endpoints drives costs and resource demands through the roof. In fact, the average security organization faces more than 17,000 security notifications today but typically has the capacity to investigate only about 700, and by that point it has already burned 395 incident response man-hours. Security incident handling has become an expensive proving ground in which incidents either go uninvestigated, are investigated for too long, or are left to grow into advanced threats.
What it comes down to is that attackers got in, and stayed in, because the tools in place were not detecting their presence. Simple.
Achieving victory in a battle or a war requires showing resiliency under fire and prevailing despite enduring some level of loss along the way. The cyber equivalent is accepting that an attacker might penetrate your network, but being able to rapidly detect their presence, counter their techniques, and quarantine the threat to limit its effectiveness, ultimately closing the doors to further infiltration.
The resiliency model: absorption, containment and real-time offensive
Establishing a model built on resilience must focus on three key elements: absorption, containment and a real-time offensive. Cyber resiliency is a mindset and a foundation for building a security strategy and a model that stands up to the most aggressive, well-planned and persistent attacks.
Absorbing the initial onslaught is the first step toward recovery. When an attacker establishes a beachhead on a targeted system, for example, they are staging the attack before it is actually carried out, and that staging phase is the defender's window. The next step is containing any further infiltration or damage once the attacker kicks off malicious activity. Being able to discover the attack quickly and efficiently is critical to both.
Third, agencies need the capability to mount an offensive thrust. This can mean capturing and studying an adversary's evasion and defense-disabling techniques so they can be countered, or, at the far end, launching a targeted malware campaign right back at them, often called "hacking back." With hacking back the legal risks can far outweigh the rewards, since gaining unauthorized access to someone else's systems is itself a crime in most jurisdictions regardless of who attacked first. That makes it far more practical to direct the offensive effort at protecting your data, increasing the visibility you have into your own network, and safeguarding proprietary information.
Here’s a closer look at these three pillars:
Absorption – When an attacker enters the network and takes control of an operating system, the organization must be able to "absorb" the blow: quarantine the attack and observe it in real time. A simple attack that might otherwise go undetected does not have to deliver a knock-out blow just because the attacker penetrated the perimeter, compromised the network layer, or even briefly gained a foothold in the operating system.
Containment – Whatever form the attack takes (the launch of malware on a target system, or an attacker detected on the network or inside the operating system), the goal of containment is to stop it where it is. Call it isolating the host or quarantining systems: the compromised machine is cut off so that whatever the attacker is attempting cannot execute, spread, or infiltrate other systems. Unlike "nuke and pave," isolation keeps the host and its state intact, so the evidence of what the attacker did is preserved for investigation.
Offensive – An agency that is proactive can minimize collateral damage and, over time, become more predictive. Gartner analysts noted that, "IT risk and security leaders must move from a singular focus on trying to ‘prevent’ compromise to acknowledge that perfect prevention is not achievable, and the organization needs to be able to detect a compromised IT environment and to react faster." For example, combining real-time behavioral threat detection at the operating-system level with in-memory threat analysis gives better visibility into how an adversary is targeting you, and that knowledge is what prepares you for the next attempt.
Earlier this year, Rogers participated in the New America Foundation’s forum, “Cybersecurity for a New America: Big Ideas and New Voices,” where he pointed out that every crisis or confrontation of the last several years has had a “cyber dimension” to it (for example, what we saw in Georgia, Iraq and Ukraine). The lesson is not that each crisis happened to include an isolated cyber component; it is that cyber is going to be a fundamental part of how wars are fought and won.
How can we prepare for this new reality?
Cybersecurity, more than any other industry, has to keep innovating, because adversaries are arguably better trained, more sophisticated, and driven by financial reward.
The good news is that where there is innovation, there is investment. The industry recognizes the need for talented cybersecurity professionals to continue to foster growth and advanced technology.
As a result, cybersecurity is dominating technology investment. According to AGC Partners’ Security Market Update of August 2015, information security financing activity exploded in 2014, outpacing the prior two years combined. With 200 total financings in 2014, there was 58 percent year-over-year growth over 2013, an indicator that more investment is going to fund the defenders so they can catch up with, and begin to outmaneuver, the attackers.
The future is bright for new technologies and innovation in cybersecurity to defeat agile adversaries. But that holds only if organizations are willing to embrace the fundamental shift toward becoming more resilient at the core, backed by technology whose capabilities have advanced enough to be far more effective in the cyberwar.
Neal Creighton has more than a decade of experience in the cybersecurity industry. As president and CEO of CounterTack, Creighton leads fundraising efforts, having raised $45 million for CounterTack to support next-generation endpoint security innovation.
As co-founder, president and CEO of GeoTrust, Creighton led a $24 million financing round and sold GeoTrust to VeriSign for $125 million. Other ventures Creighton has spearheaded include GeoTrust spin-off ChosenSecurity, acquired by PGP Corp. (now Symantec), and AffirmTrust LLC, acquired by Trend Micro.
Creighton serves on advisory boards for OneID and the Army Cyber Institute, is Chairman of Robly, and speaks regularly at industry conferences including RSA, Gartner Security & Risk Summit and America’s Growth Capital.
Creighton is a graduate of the USMA at West Point, and holds a JD and an MBA from Northwestern University.