By: Chris Clements, VP of Solutions Architecture, Cerberus Security
Breaches and ransomware happen, but until an attack detonates, all predictions about breach damage and fallout are educated conjecture. One can’t be completely certain of the consequences of an event until it plays out. During in-depth risk modeling, however, security teams identify their systems’ dependencies and interdependencies with other systems, providers, clients, and so on. What this means is that at any given time, organizations carry the risk of potential events that could affect their operations, or even an entire supply chain, depending on the nature of each threat. This scenario is termed a cascading or correlated failure, as a breach or other kind of threat spreads from ground zero to clients, partners, and suppliers.
The Whole Supply Chain is Affected
Your organization doesn’t even have to be the source of the problem in this scenario. You may just be part of someone else’s cascading failure. Supply chain risk moves in every direction that data moves in a business process flow and may even have tertiary risks or outcomes. Often, organizations view their risks as unique to their own environments, failing to think through bigger scenarios or potential future outcomes. For example, it’s hard to imagine that Starwood Hotels had any concept of the downstream impact their compromised systems would have on the future acquirer who integrated with those systems. On the other side of that breach, however, Marriott Corporation (the eventual acquirer) would undoubtedly encourage organizations of all sizes to think through their supply chain risks very carefully at every stage. No one wants their brand debilitated by years of regulatory violations, lawsuits, fines, and loss of consumer trust.
Whether your organization is the source or just part of the chain, the implications are the same. A breach event will manifest risks that cascade throughout the supply chain until the breach is identified and stopped by an affected organization that has an effective cybersecurity strategy for detecting and stopping attacks. Often, no one in the ecosystem catches the attack until it’s too late, at which point regulators, investors, clients, and suppliers must all be notified and must tend to whatever resulting issues they have. Depending on the scope of the attack, liability and business fallout will remain at issue well after the breach has been remediated at ground zero (think SolarWinds).
Where is the Failure in Most Strategies?
Modern attacks are stealthy, often surgical, and specifically designed to escape detection by most security tools and processes, including antivirus, SIEM, and tool-specific configurations and alerts. Such tools are implemented as part of best practice, or even to meet compliance requirements, but each has its limiting factors. Antivirus tends to be signature-based and will not detect actions such as the installation or use of known-good tools. Even when behavior-based endpoint protection is in place, it is most often not managed or overseen by around-the-clock cybersecurity experts, nor is it tied into an effective SIEM deployment. Most SIEM implementations lack 24x7x365 analyst oversight and are instead staffed by 8-5, M-F employees. Further, they most often depend on the availability of other internal teams to log in, assess how viable the alerts are, identify malicious activity, and provide enough information that the 8-5 security team can then correlate what it has learned with other alerts that may be sitting in its inbox.
Such operational and data silos, combined with slow processes, are the primary reasons attackers use stealthy tactics that are not easily identified, layering various actions across different systems in your environment so that their presence goes undetected until it is too late. By the time your teams are finally able to put together a solid understanding of the scope of an attack, the threat actors will likely already have exfiltrated the data they want, planted malware in your most vulnerable spots, and/or corrupted or deleted backups. It’s no wonder that so many companies choose to simply pay ransoms, and that other organizations risk total loss when they have been attacked.
Most People Are Still Paying the Ransom…
According to a recent article in Forbes, ransomware attacks hit 80% of organizations worldwide in 2021. Of those, 60% paid the ransom. One can conclude that the mechanisms in place were insufficient to protect these organizations from attacks so severe that they were left with no other viable choice. One may also guess that there were a lot of uncomfortable conversations in boardrooms last year, as internal teams worked to explain why, even though the company had invested in potentially expensive cybersecurity tools, it still experienced such catastrophic failure in the face of attack.
…Better to Avoid it Altogether
The long and short of this widespread problem is that if you can reduce the impact, or better yet avoid the breach in the first place, your organization, and its board and investor relationships, will be in a much better position to simply continue business operations and growth.
What internal teams need is a way to pull their tools and siloed data together, rapidly correlating data across systems that are often left out of the mix. The pieces of the big picture exist within data silos and tools across your environment. Extended Detection and Response (XDR) integrates with your tools and systems across SaaS and PaaS platforms, operating systems, endpoint protection tools, DNS, firewalls, and more, pulling all the data together rapidly. XDR then uses static AI, machine learning, and automated playbooks to give 24x7x365 certified cybersecurity experts a clear picture of what’s happening in your environment in just a few minutes. The result is that attacks are detected and stopped in an average of 5 minutes, allowing your internal IT and security teams to keep focusing on the important projects they already have on their plates.
XDR reduces the time it takes to identify and remediate an attack in your environment from an average of 287 days (Ponemon, IBM 2022) to under 6 minutes. In cases where automation can stop the entire attack, the average is less than 3 minutes, around the clock, including evenings, weekends, and holidays.
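The cross-silo correlation the two sections above describe (signals that look routine inside one tool but add up to an incident when endpoint, DNS and firewall data are viewed together) can be shown in a few dozen lines. The example below is added here and is not code from the original post or from any vendor's product; the log line format, the hostnames, the event kinds, the signal weights, the 15-minute window and the alert threshold are all constructed for the demonstration. It contrasts what each silo sees on its own (nothing clears the threshold) with what a per-host, time-windowed view across silos sees (one host clears it within two minutes).

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """One normalized record from a single silo (EDR, DNS, firewall)."""
    ts: datetime
    source: str
    host: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse the constructed '<iso-ts> <source> key=value ...' format used below."""
    ts, source, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts), source, kv.pop("host"), kv.pop("kind"), kv)


# Constructed sample lines from three silos. Each line on its own is routine:
# an admin tool ran, a new domain was resolved, a sizeable upload happened.
SAMPLE_LOGS = [
    "2022-03-01T02:14:05 edr host=ws-17 kind=admin_tool_exec tool=archiver.exe user=jdoe",
    "2022-03-01T02:14:30 dns host=ws-17 kind=new_domain domain=updates-cdn.example",
    "2022-03-01T02:16:10 firewall host=ws-17 kind=outbound_volume bytes=734003200",
    "2022-03-01T09:05:00 edr host=ws-22 kind=admin_tool_exec tool=archiver.exe user=backup-svc",
    "2022-03-01T11:40:00 dns host=ws-22 kind=new_domain domain=vendor-portal.example",
]

# Weak signals with constructed weights; none reaches ALERT_THRESHOLD alone,
# which is exactly why a per-tool rule stays silent on every line above.
SIGNAL_WEIGHT = {
    ("edr", "admin_tool_exec"): 1,
    ("dns", "new_domain"): 1,
    ("firewall", "outbound_volume"): 2,
}
ALERT_THRESHOLD = 3
WINDOW = timedelta(minutes=15)


def single_silo_alerts(lines):
    """What each tool sees in isolation: alert only if one event's weight
    clears the threshold by itself. Returns {host: [(source, kind), ...]}."""
    alerts = defaultdict(list)
    for e in map(parse_line, lines):
        if SIGNAL_WEIGHT.get((e.source, e.kind), 0) >= ALERT_THRESHOLD:
            alerts[e.host].append((e.source, e.kind))
    return dict(alerts)


def correlate(lines, threshold=ALERT_THRESHOLD, window=WINDOW):
    """Cross-silo view: per host, slide a time window over the sorted events
    and sum the best weight from each distinct silo. Counting each silo
    once keeps a single chatty tool from tripping the alert on its own.
    Returns {host: {"start": ts, "score": int, "sources": [...]}} for the
    first window on each host that clears the threshold."""
    by_host = defaultdict(list)
    for e in map(parse_line, lines):
        if (e.source, e.kind) in SIGNAL_WEIGHT:
            by_host[e.host].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            best = {}
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                w = SIGNAL_WEIGHT[(e.source, e.kind)]
                best[e.source] = max(best.get(e.source, 0), w)
            score = sum(best.values())
            if score >= threshold:
                alerts[host] = {"start": start.ts, "score": score, "sources": sorted(best)}
                break
    return alerts


if __name__ == "__main__":
    print("per-silo alerts:", single_silo_alerts(SAMPLE_LOGS))  # {}
    for host, a in correlate(SAMPLE_LOGS).items():
        print(f"correlated alert on {host}: score={a['score']} "
              f"sources={a['sources']} from {a['start']}")
```

Run as-is, the per-silo pass returns nothing for either host, while the correlated pass flags ws-17 with a score of 4 from all three silos inside a two-minute span; ws-22, whose two weak signals are hours apart, stays quiet. The design point is the `best[e.source]` bookkeeping: taking the strongest weight per silo rather than summing every event means volume from one noisy sensor cannot substitute for agreement across sensors, which is the property the sections above are asking for.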