In last week’s discussion around readiness and resilience, I introduced the concept of what it means to have “threat-informed” cybersecurity.
This week, I want to show you what that looks like in the real world – how it should drive you to challenge more assumptions, reduce your attack surface, and game out real-world scenarios.
Threat-informed Risk Assessments
When I get to the patching-strategy part of a risk assessment, organizations often answer in the affirmative, “Oh yes! Absolutely! We apply patching the week after Patch Tuesday.”
But when I do my technical analysis, I tell them, “Guys, you are literally missing thousands of patches across your environment. You installed it, but you didn’t make the required configuration changes to enable any of it.”
That’s a readiness fail.
When I get to the architecture part of a gap assessment with a client who’s intent on introducing an intrusion detection or prevention system, I often see it implemented in a way that makes the client blind to attacks. It’s often placed in the middle of an end-to-end encrypted connection, where it sees only ciphertext, so it can’t inspect the traffic and delivers none of the protection it was bought for — an obvious problem that the customer simply overlooked.
That’s a resiliency fail.
When I get to a tabletop exercise, we often don’t even get to step one before resiliency strategies fail. We talk. I say, “OK, scenario 1 is that an attacker bypassed your endpoint protection — what now?” And the client responds in disbelief, “If the attacker comes in, the antivirus is going to catch them.”
This, despite the fact that — time and again — experience shows that’s NOT the case. That’s having way too much faith in antivirus. In fact, even excellent endpoint protection technologies can be bypassed trivially. That’s why more robust solutions incorporate behavioral alerting and human incident response around the clock – to account for situations where attackers are able to circumvent the endpoint control. But if you’re talking about something you installed on your machines to just work automatically, without contingencies, you’re in trouble.
That’s both a readiness AND a resiliency fail.
If you’re not ready to believe that there is a very real possibility that a cyberattacker will bypass your controls, you won’t be resilient enough to imagine what’s next, visualize your company’s overall attack surface, and figure out what can be done to limit that surface. Common terminology for this practice is attack surface reduction.
Top cybersecurity leaders and providers will instill in you an “assumed breach” philosophy by asking a wide range of questions that add the layers of readiness and resiliency that will buttress against failure and attack scenarios. Things like this:
- How can we harden the attack surface to ensure this whole class of issues isn’t possible? (Ready.)
- What do we know we HAVE to leave exposed for business and/or functionality reasons? (Resilient.)
- What are our detection-response capabilities? (Ready.)
- What can we glean from system logs that indicates an attack is happening, and what other defense capabilities can we add to it? (Ready and resilient.)
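As an added illustration of the last question (example code written for this page, not part of the original post or of any CISO Global tooling), here is a small detection that runs over constructed authentication log lines and flags a source that produces a burst of failed logons followed by a successful one. The log format, the event names, the threshold and the window are all assumptions chosen for the example; a real SOC would map them to the organization’s actual log sources.

```python
# Added example (not from the CISO Global post): an "assumed breach" detection
# over constructed authentication log lines. It flags a source that produces
# repeated failed logons followed by a success within a short window, which is
# one thing system logs can reveal while an attacker is active.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 LOGON_FAILURE user=alice src=10.0.0.5
2024-05-01T09:00:04 LOGON_FAILURE user=alice src=10.0.0.5
2024-05-01T09:00:07 LOGON_FAILURE user=bob src=10.0.0.5
2024-05-01T09:00:09 LOGON_FAILURE user=carol src=10.0.0.5
2024-05-01T09:00:12 LOGON_FAILURE user=dave src=10.0.0.5
2024-05-01T09:00:15 LOGON_SUCCESS user=dave src=10.0.0.5
2024-05-01T09:05:00 LOGON_FAILURE user=erin src=10.0.0.9
2024-05-01T09:30:00 LOGON_SUCCESS user=erin src=10.0.0.9
"""

FAILURE_THRESHOLD = 5          # failures from one source within WINDOW (assumed)
WINDOW = timedelta(minutes=2)  # sliding window length (assumed)


def parse_line(line):
    """Parse one constructed log line into (timestamp, event, user, src)."""
    ts, event, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_failures_then_success(log_text):
    """Return alerts for sources with >= FAILURE_THRESHOLD failed logons inside
    WINDOW followed by a successful logon from the same source. Failures are
    counted per source regardless of user, so a burst spread across many
    accounts is caught as well as a burst against one account."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, user, src = parse_line(raw)
        if event == "LOGON_FAILURE":
            failures[src].append(ts)
            # keep only failures that are still inside the sliding window
            failures[src] = [t for t in failures[src] if ts - t <= WINDOW]
        elif event == "LOGON_SUCCESS":
            recent = [t for t in failures[src] if ts - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append({"src": src, "user": user,
                               "failures": len(recent), "at": ts.isoformat()})
                failures[src].clear()   # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for a in detect_failures_then_success(SAMPLE_LOG):
        print(f"ALERT src={a['src']} succeeded as {a['user']} after "
              f"{a['failures']} failures at {a['at']}")
```

Run as-is, the script raises one alert for 10.0.0.5 (five failures in under 15 seconds, then a success as dave) and none for 10.0.0.9, whose single failure is 25 minutes before its success. The point of the design is the “what now?” question from the tabletop: the rule assumes the endpoint control has already been passed and looks for the footprint that the attacker’s next step leaves in logs the organization already collects.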
A full in-house team or superior provider that’s highly diversified gives its clients an edge here, with different areas of expertise informing one another.
SOC as a Service
So, for example, a CISO Global SOC services client could elect to have their network’s defensive resiliency tested by our penetration testing department during a collaborative “purple team” exercise in which the offensive team (i.e., the “red” team) works hand in hand with the defenders (i.e., the “blue” team).
The SOC department then not only learns quickly where it needs to shore up the client’s defenses, in ways the client didn’t know to ask for, but can in turn tell the penetration testers how it defended the client against the staged attack — a feedback loop that wouldn’t be so seamless if the two departments weren’t part of the same brand.
And it’s THAT kind of synergy that brings a whole new meaning to readiness and resiliency, where the client not only achieves both qualities through the expertise of a diversified cybersecurity provider, but the provider itself curates a suite of talents (readiness), reacts to the unique needs of its clients as those needs emerge (resiliency), and — with every exercise — incrementally improves its teams so that all future clients benefit, too.
Want to learn more about the steps you need to take to make your company ready and resilient? Let’s talk. Contact CISO Global, Inc. today.