Advances in technology have resulted in interconnectedness: digital transformation is driving enterprises and small businesses alike, cities and homes are becoming smart, cars are becoming driverless and currency is becoming virtual. Almost everything we need in life is available at our fingertips.
What we used to see in sci-fi films like The Matrix in the 1990s and 2000s is becoming reality, and if we do not change the way we look at security, we will very soon find ourselves in the situation Lukas describes in the German thriller You Are Wanted: “One day they will hack the whole city.”
The question is: what needs to change, and where do we start?
In this article, we will try to answer these two important questions…
First and foremost, we must stop looking at security in silos: network security, application security, cloud security, IoT security, identity and access management, security testing, secure code reviews and so on.
Holistic Security Architecture
The security architecture should be designed and managed around the organization’s crown jewels, that is, its data. Security should follow the data through its entire life cycle, from the moment it is generated until it is properly destroyed. The new posture is comprehensive, strategic and persistent.
Take a business-centric, top-down approach to security rather than a technology-centric one. Cyber risks are no longer technology risks; they are business risks. The best example is Equifax, whose shares plunged 18.4% within hours of its data breach announcement, and in the following weeks the price went down from $143 to $100. Cyber risk now needs to be addressed as a business risk. Involving the CxO level in risk assessment helps to secure support not only at the budget level but also at the acceptance, implementation and management levels.
“Know your enemy and know yourself and you can fight a hundred battles without disaster.” – Sun Tzu
Security is no longer just operations and monitoring; it should be treated as management. Operations is a reactive approach: you receive an alert and then work on it. This approach is no longer going to work, because attacks are becoming subtle. DDoS attacks, for example, were once assumed to consume large amounts of bandwidth and last a long time. This is no longer the case: the latest targeted DDoS attacks can easily slip past detection tools because they consume less bandwidth, yet they ensure that the application of interest is down just long enough to plant malware. These kinds of attacks can be detected by managing security proactively. Security Operations Centres (SOC) should be transformed into Security Intelligence Centres (SIC), and analytics tools should become part of the Security Intelligence Centre. These analytics tools capture data from the network, applications, entities and users to build behaviour patterns, and they can perform real-time analytics on the collected data to identify anomalies at the early stages of the cyber kill chain.
The question is not whether we will be breached; we need to manage security so that a breach is detected early, and design incident management processes to recover faster.
Defensive to Offensive Approach
So far, the cybersecurity approach has always been defensive, while attackers are using the latest technologies such as AI and ML to identify weaknesses and design targeted attacks. The probability that attacks pass through the enterprise defence system, and the effectiveness of the malicious payload once they do, have increased drastically. To counter this, cybersecurity analysts should use tools to simulate attacks and identify vulnerabilities, testing the organization’s defensive systems for effectiveness and observing how the IT infrastructure reacts to malicious payloads. The analyst should test the IT infrastructure as a whole and not in silos, to identify which attacks pass through the defences before attackers discover it.
Threat hunting is proactively searching for attacks and stopping them before they materialize. According to Gartner, threat hunting typically falls into three major investigation-initiator categories: first, hypothesis-driven investigations, such as those prompted by threat intelligence about a new threat actor’s campaign; second, investigations based on known IOC (Indicator of Compromise) triggers, which spur threat hunters to look deeper into a specific system’s activities; and third, analytics-driven investigations, where threat hunters use the data provided by security analytics tools.
Attackers need to find only one exploit, but the security team needs to identify and close all possible loopholes.
Many times, security is still considered a set of walls to be put up, or tools that will scan the code at the end and make it safe. Security is the responsibility of everyone on the software engineering team, which includes the business, development, QA and operations staff.
We have been hearing the phrase “security by design” for a long time. Now that we are on the cusp of “microservices” and “function as a service”, it is important to start looking at security in a holistic way.
We need to adopt DevSecOps. Making security part of application development is not a new concept, but DevOps, where development and operations teams work closely together, and the increased damage to the business caused by software breaches have pushed DevSecOps into the mainstream. DevSecOps promotes a culture that takes security seriously. Enterprises want to launch products faster, and testing software for vulnerabilities only just before release, or waiting for a breach in production, can cost organizations heavily. Including security throughout the entire software development life cycle is the only option a software development team has.
“Security should not just be a focus at every stage of the application lifecycle; it must be automated” – Amit Khanna, senior vice president of technology at Virtusa
Industry and Cross-Industry Sharing
Within the security industry specifically, openness and the concept of sharing insight on threats with anyone outside the organization is an awkward proposition. This mindset needs to change: organizations need to work closely with trusted partners and digital security experts to develop ways of sharing insight and data on new cybersecurity threats without giving away valuable industry knowledge to their competitors.
Standards such as STIX and TAXII are vital to the future of cybersecurity. Developed by The MITRE Corporation and the US Department of Homeland Security, STIX and TAXII are free, open-source standards that enable cyber threat data to be shared rapidly and easily in real time.
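The IOC-triggered hunting described under threat hunting above and the STIX/TAXII sharing described here meet in practice when a team pulls indicators from a TAXII collection and matches them against its own telemetry. The following Python is an added example, not code from the article, MITRE or OASIS: it builds a minimal STIX 2.1 indicator bundle with constructed IOC values and hunts with a deliberately small subset of the STIX pattern grammar (single-object equality comparisons joined by OR); the helper names and sample data are my own.

```python
import re
import uuid
from datetime import datetime, timezone

def make_indicator(pattern, name):
    """Minimal STIX 2.1 Indicator object carrying a shareable IOC pattern."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
            "name": name, "pattern": pattern, "pattern_type": "stix", "valid_from": now}

def make_bundle(objects):
    """STIX Bundle: the unit a TAXII collection would return to a consumer."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

# Supports only the simple pattern subset most shared IOCs use: one observation expression
# of equality comparisons joined by OR. AND, FOLLOWEDBY, qualifiers and MATCHES are out of scope.
_COMPARISON = re.compile(r"([\w-]+):([\w.-]+)\s*=\s*'([^']*)'")

def parse_pattern(pattern):
    """Return [(object_type, property, value), ...] for a simple STIX pattern."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("unsupported pattern: " + pattern)
    triples = _COMPARISON.findall(pattern[1:-1])
    if not triples:
        raise ValueError("no equality comparisons found in: " + pattern)
    return triples

def hunt(bundle, observations):
    """IOC-triggered hunt: (indicator name, observation) for every observation that matches."""
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # relationships, sightings, etc. carry no pattern to match
        triples = parse_pattern(obj["pattern"])
        for obs in observations:
            if any(obs.get("type") == t and obs.get(p) == v for t, p, v in triples):
                hits.append((obj["name"], obs))
    return hits

# Constructed sample data: two shared indicators and three observations from a DNS/proxy log.
SHARED = make_bundle([
    make_indicator("[domain-name:value = 'cdn-update.example']", "C2 domain"),
    make_indicator("[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.9']", "C2 IPs"),
])
OBSERVED = [
    {"type": "domain-name", "value": "cdn-update.example", "host": "ws-017"},
    {"type": "ipv4-addr", "value": "203.0.113.9", "host": "ws-042"},
    {"type": "ipv4-addr", "value": "192.0.2.5", "host": "ws-042"},  # benign, no hit
]
```

Calling `hunt(SHARED, OBSERVED)` returns two hits, one per indicator, and leaves the benign address alone; a real deployment would fetch the bundle from a TAXII server and feed observations from the SIEM instead of the inline lists.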
Last but not least, the security of IoT devices: the use of IoT in verticals such as healthcare, manufacturing and national critical infrastructure needs to be taken seriously. Ethical guidelines and security standards need to be developed and made regulatory requirements, to avoid a war-like situation should these devices be compromised.
To summarise, security risk should be considered a business risk, and we need to look at security in a holistic way. Security should be included as part of application development. Security testers should start testing enterprise defences using offensive testing tools. Attackers collaborate on the dark web; defenders should take a similarly collaborative approach to sharing industry-specific threat data to avoid a war-like situation.