Next generation of risk management meets the next generation of IT solutions
August 2017 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
August 2017 Issue
Introductions can be awkward and by anyone’s measure the latest meeting between security technology and global cyber attacks – Wannacry and NotPetya – left some businesses’ infrastructure in tatters. Powered by publicly disclosed nation-state developed malware, some businesses came out on the losing end of the ‘introduction’. Clearly, those businesses are not only doing a reassessment of their existing risk mitigations against cyber threats, they are probably asking some tough questions from their vendors and security teams, about why so many fail.
If businesses expect to meet the current and future cyber threat landscape, it is time to take a hard look at the business risk along the lines of confidentiality, integrity and availability (CIA) and start mapping some technology products, internal process and internal procedures against those risks. At the macro level of the business, the question to ask is: what is the most important aspect of security that needs immediate attention? Depending on your industry vertical or the functions that put the money in the bank, you may find your business risk moves across the spectrum. It would be a rare business which places 33 percent into each category; surely one, or two of the business risks weigh more on the minds of the owner, executive board or shareholders.
Understanding the risk to the business aligned to these three pillars of security should begin to inform where the majority of risk mitigation spend should lie. Interestingly, most processes, procedures and technology the business invests in are aligned to preventative controls around CIA and that fact has made the business worse off when those preventive controls are anything less than 100 percent. The business’ belief that it is secure is usually shattered when a modern piece of malware makes it inside the organisation. The excuses then flow: “The Anti-Virus product did nothing. Our user training programme did not prevent it. Our mail scanning product failed to remove the attachment, etc.” But, it does not have to be like that.
Pretend data or system breach is way better than real data or system breach. Depending upon how your business aligns to the worst-case breach along CIA lines can move the conversation to a solution focused on the detection of an incident potentially impacting the business’ CIA. This is the next generation of risk management solutions that detect an event which, if not acted upon, can lead to a catastrophic impact on the business.
If your business has invested in several layers of preventative technology and you escaped the latest round of cyber attacks, plaudits should go to the security operations centre (SOC) team and management. But, be mindful. American Educator Randy Pausch remarked: “You can’t get there alone. People have to help you, and I do believe in karma. I believe in paybacks. You get people to help you by telling the truth, by being earnest.” Keep this in mind. The near miss of the latest global ransomware attack may have had nothing to do with your technology choices or internal process and internal procedures. Patient zero of the potential outbreak in your office may have been away on vacation when the deadly attachment or malicious web link arrived in his or her inbox.
So, what is next generation risk? Next generation risk is multi-faceted and almost completely manifests as a result of being online in some capacity. Email, hosted services, your connections to partners, employees working at home or on the road and your business-to-business relationships all contribute to next generation risk. It is no longer reasonable to discuss risk in terms of your business – it extends to the internet and all your customers and partners. It does little good to focus on building fortifications on top of a volcano which could go active at any time.
It is time to think worst-case scenario. What happens if your firm has an unauthorised disclosure? What happens if a critical life safety system is tampered with? What happens if the e-commerce website goes down for hours or days? This is next generation risk thinking – what series of events could occur which lead to catastrophic impact? These are hard questions to answer when your business may be built upon a third-party hosting or several service providers. Next generation risk is mitigated by resiliency and the key to mitigation lies in understanding ‘what just happened and how could we have prevented it?’
That is where the new generation of risk mitigation solutions arrive to present detective capabilities when it comes to business CIA risk. Any practitioner knows that understanding a risk requires context and analysis. If the biggest risk is the confidentiality of your customer relationship database (CRM), because you are an online marketing firm, then it is time to protect it, detect any risk to it and, if broken, recover it – that is where your risk mitigation spend needs to be focused.
In the examples below, a number of typical security solutions found in many organisations are described.
Vulnerability scanning. Always found in the top mitigations against cyber criminal drive by downloads and malicious adds and web links is patch management. Finding and patching out-of-date software is a perfect opportunity for an automated tool. Exploit kits, cyber criminal software, relies on out-of-date software to infect endpoints. Given recent SMB V1 attacks utilised by WannaCry and NotPetya, vulnerability management has become an organisation priority.
Distributed denial of service (DDoS) protection. Many businesses are now investing in technology to protect from a DDoS attack which renders external access to the internet or access to hosted or cloud services impossible. If the business cannot survive a prolonged outage from the internet, DDoS protection is highly advised. Cyber criminals are using vast armies of compromised Internet of Things (IoT) devices and hijacked systems to flood business with unwanted traffic. Frequently, attempts to extort a ransom are attempted in advance of a DDoS attack.
Application white listing. This technology has been included in the Windows Operating System since Windows 7 and Server 2008. Microsoft calls this technology AppLocker and there are also other similar technologies available in the marketplace. The concept is to expressly authorise applications to run on endpoints and prevent anything else from running. This is also one of those technologies which has been highly effective against cyber criminal Trojans and credential stealing malware which are frequently installed on endpoints as a result of compromise.
Business continuity and disaster recovery. Backup is the must-have business security solution and forms the majority of the availability solution for most business. With the rise of crypto-locker payloads, robust backup has become the primary and last-ditch way of avoiding paying a Bitcoin ransom. Backup provides a business with a wide-range of recovery options from user mistakes and contractor or staff error. More sophisticated products also include virtual recovery options to bring the business systems online if physical hardware is damaged.
Endpoint anti-malware technology. This has been the de-facto go-to standard for business information security. Sadly, even with advanced sandbox, heuristic and behaviour based capabilities, it would appear from industry analysis of cyber crime these products as a risk mitigation strategy leave a business wanting and minimally protected. Clearly, some vendors are better than others, but the consensus opinion is more layers are required than even the most advanced anti-malware products
Data loss protection. Data loss prevention (DLP) technology sets up many rules about how users can interact with files and data in the organisation. Although the technology has advanced over the years, with the advent of cloud services and cloud storage DLP has struggled to manage these remote locations. Perhaps the most difficult part of a DLP solution is the initial configuration and identification of where the data is located in the organisation. Adjustments of the rules of a DLP system can be an arduous task.
Multi-factor authentication. Robust user identity services such as multi-factor authentication go a long way toward ensuring the integrity of systems and providing a robust audit trail of authenticated access. These are must-have features in the case of regulated finance or healthcare industries. When combined with a password manager, these technologies make it difficult for cyber criminals to leverage stolen user-ID and passwords.
Email protection. Email filtering is one of the fastest growing security technologies and aptly so. It is estimated that 60 to 70 percent of data breaches and ransomware outbreaks can be directly attributed to a malicious phishing email. Although the technology is not flawless, it extends the perimeter of defence often to the cloud or a dedicated appliance and provides a good chance of intercepting malicious email before it arrives at an endpoint and tempts a user.
Firewall and network architecture. Network segmentation to prevent lateral movement by cyber criminals who have gained unauthorised access to a workstation or to contain the spread of ransomware has become a necessary mitigation step found in many businesses. The traditional role of firewalls was to prevent bad things from making their way into the network. Now the emphasis is on controlling what can make it out to the internet from inside the network. This is due to how cyber criminal remote access trojans (RAT) work. Once established they RAT tunnels out to the command and control infrastructure. Taking an aggressive approach to controlling outbound data on ports and services in addition to restrictions on inbound data flows establishes the firewall as another security layer.
Digital forensics and incident response (DFIR) capability. Malicious activity or risky behaviour can manifest in many ways. DFIR capabilities provide the business with the assurance that policy and procedures are being followed and the deployed security technology is working. For example, if the business has decided that USB drives are not authorised for use, a DFIR platform should detect when files are written to such a device. The value of a DFIR capability in an organisation is simply that it will give you the ‘who, what, why, when and how’ of a security incident. This capability quickly allows the business to respond appropriately by knowing the facts of a security incident. By knowing the facts, the business can make the right decision and also be alerted if the incident jeopardises compliance requirements.
Security incident event monitor (SIEM). SIEM solutions do have a powerful role in an organisation for compliance purposes and in identifying sudden changes in network behaviours. If the organisation has a multitude of business critical IoT devices, then a SIEM collecting firewall and switch information may be the only way to ensure the integrity of those IoT devices.
Identity and access management technologies. These provide an excellent integrity layer as this is focused primarily on ‘who’ is accessing ‘what’ and applies rules to this access. This becomes important under compliance regimes applicable to healthcare such as the Health Insurance Portability and Accountability Act (HIPPA) legislation in the US. Certainly, this is a data focused approach which is driven by a user’s ‘need to know’ requirement for data access. These systems do a great job of access control, but provide little assurance that the data is not being misused in other ways.
Delivering security mitigations is not only about choosing security technologies. Robust security is provided by the alignment of process, procedures and technology to keep the revenue flowing. Choose the technology wisely, but make sure it is aligned to your largest CIA risk, and balance it with the process and procedures the staff must follow.
Ian Thornton-Trump is head of security at ZoneFox. He can be contacted on +44 (0) 845 388 4999 or by email: firstname.lastname@example.org.
© Financier Worldwide