How fear, uncertainty and doubt feed the false belief that security breaches can’t be avoided
On the heels of the Facebook breach news, it might sound downright crazy to suggest that breaches can be avoided. But no organization is destined to be a victim of ransomware or a denial-of-service attack. For too long, the industry has adopted the misguided mantra, “It’s not if but when you’ll be breached.” John Pescatore, director of emerging security trends at SANS Institute, suggested it’s time to put that mantra to rest.
According to a recently released white paper published by the SANS Institute and sponsored by Balbix, there is a silver lining to the number of breaches reported in the daily headlines. It’s simple math: If the numbers coming out of the Identity Theft Resource Center (ITRC) are correct, three companies a day are victims of a breach.
Yet, Pescatore said, “There are more than 18,000 companies with more than 500 employees in the U.S., meaning about 17,000 of them will have avoided a breach requiring disclosure in 2018. Some companies will simply be lucky enough not to be attacked or may suffer only minor incidents. Many more will avoid or limit business damage by implementing security processes and controls to proactively identify and remove or mitigate vulnerabilities.”
In short, there is indeed an if factor in breaches, and companies that have avoided being the victim of a wide-scale attack have, in large part, relied on four proven techniques to fend off attackers.
Strategies Proven to Work
For the math lovers, Pescatore said that there is one risk equation that has consistently proven true year over year:
Risk = Threats x Vulnerabilities +/- Action
Part of the Action term is that security teams must choose a prioritized cybersecurity framework. “Security teams don’t control the threats. Attacks will always occur—on the attacker’s schedule and using increasingly sophisticated delivery mechanisms and evasion techniques,” Pescatore wrote.
That’s why security teams need to choose what to focus on first. It’s worth recognizing now that nobody is ever going to get all the resources they need, so rather than sprinkle a little something into lots of different buckets, choose the three to four buckets that are key to the business. “Choose the critical business assets that you can continuously monitor. Successful programs in preventing breaches are able to do as much as possible to minimize damage,” Pescatore said.
Who’s Watching What?
The expression, “You can’t protect what you can’t see,” is true, which is why one proven strategy that works to prevent breaches is instituting continuous monitoring of assets.
“Periodic vulnerability scanning may be compliant, but it’s almost never sufficient. The use of a mix of network-, host- and credential-based assessment tools on a continual and automatic basis is generally required to assure completeness, accuracy and ‘freshness’ of inventory and vulnerability data,” Pescatore wrote.
When security teams know the business operations and can map them to IT assets, they are better positioned to protect the most business-critical systems.
Putting Threats into the Context of Business
It’s important for CISOs to remember that the board is there to judge the direction and strategy of the business and make sure that risk is being reduced. That’s why it’s critical that CISOs can justify their actions with a defensible framework that demonstrates a strategy. The real-world threats must be mapped to the business.
“When vulnerabilities are mapped first against active threats that exploit those vulnerabilities and then by criticality to business operations, security teams have been able to justify the need to take immediate patching, reconfiguration or shielding actions. To deal with limited personnel skills and availability, tools that support or automate analysis can be leveraged to prioritize actions by risk,” Pescatore said.
Successful security teams understand that threats evolve, so their focus is on making the connections to the business so they are able to show reduced risk.
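As an added illustration (not from the SANS paper or this article), here is one way to encode the prioritization described above together with the freshness requirement from the monitoring section: risk is computed as threats times vulnerabilities, weighted by business criticality, and findings whose assessment data has gone stale are routed back for re-assessment instead of being acted on. The threat weights, staleness window, asset names and vulnerability ids are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Finding:
    asset: str
    vuln_id: str              # constructed placeholder id, not a real CVE
    severity: float           # 0-10 vulnerability score from the assessment tool
    actively_exploited: bool  # an active threat is known to exploit this vulnerability
    criticality: int          # business criticality of the asset, 1 (low) .. 5 (critical)
    last_assessed: datetime   # when an assessment tool last confirmed this state

# Assumed policy knobs: how much a vulnerability without an active threat still counts,
# and how old assessment data may be before it is treated as unreliable.
INACTIVE_THREAT_WEIGHT = 0.2
STALE_AFTER = timedelta(days=7)
NOW = datetime(2018, 10, 8, tzinfo=timezone.utc)  # fixed clock so the ranking is reproducible

def risk_score(f: Finding) -> float:
    """Risk = Threats x Vulnerabilities, weighted by business criticality."""
    threat = 1.0 if f.actively_exploited else INACTIVE_THREAT_WEIGHT
    return round(threat * f.severity * f.criticality, 2)

def is_stale(f: Finding, now: datetime = NOW) -> bool:
    """Inventory/vulnerability data older than STALE_AFTER is not trusted for prioritisation."""
    return now - f.last_assessed > STALE_AFTER

def prioritize(findings, now: datetime = NOW):
    """Split findings into an action queue (fresh data, highest risk first) and a
    re-assessment queue (stale data must be refreshed before anyone acts on it)."""
    fresh = [f for f in findings if not is_stale(f, now)]
    stale = [f for f in findings if is_stale(f, now)]
    act = sorted(fresh, key=risk_score, reverse=True)
    return ([(f.vuln_id, f.asset, risk_score(f)) for f in act],
            [(f.vuln_id, f.asset) for f in stale])

# Constructed sample findings (assets and ids are invented for illustration).
SAMPLE = [
    Finding("payroll-db", "VULN-0001", 9.8, True, 5, NOW - timedelta(days=1)),
    Finding("marketing-www", "VULN-0002", 9.8, True, 2, NOW - timedelta(days=2)),
    Finding("payroll-db", "VULN-0003", 7.5, False, 5, NOW - timedelta(days=1)),
    Finding("dev-jumphost", "VULN-0004", 10.0, True, 3, NOW - timedelta(days=12)),
]

if __name__ == "__main__":
    act, reassess = prioritize(SAMPLE)
    for vuln_id, asset, score in act:
        print(f"act      {score:5.1f}  {asset:15} {vuln_id}")
    for vuln_id, asset in reassess:
        print(f"reassess        {asset:15} {vuln_id}")
```

Note that the highest raw severity (VULN-0004) is not the first action item: its data is twelve days old, so it goes to re-assessment, and the actively exploited flaw on the critical payroll database leads the queue.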
Developing and Updating Playbooks
There is a growing need for security operations teams to think not just about stopping or remediating an attack but also about how to avoid breaches in the first place. They need to look at all of the infrastructure and prioritize protections to prevent an attack, yet, as Pescatore said, “The term playbook has generally been associated with incident response processes where techniques and procedures are documented to ensure that actions taken after the detection of an incident are repeatable and complete.”
That’s why playbooks need to be dynamic and maintain an accurate risk assessment. Analysts compile all of their expertise in the playbooks so they have documented steps with details of what should be done in the event of an incident. “That same concept has proven effective for exposure reduction, breach avoidance and damage minimization,” Pescatore said.
Organizations that are quietly succeeding against security threats, Pescatore believes, are those that have the processes and tools that allow them to know about external threats and understand their vulnerability so they can do something before the threats reach them.