2020 Cyber Security – Strategy Considerations
With the new financial year, cybersecurity strategy and budget discussions are now being finalised at most enterprises. One of the key inputs to these discussions is data on the previous year's cyber activity.
2019 was a year of many cybersecurity incidents, tougher enforcement of regulatory penalties, state-sponsored campaigns, attacks on government and public-sector targets, and eroding confidence among constituents.
Some regions and industries appear to be paying out after ransomware, account takeover and similar campaigns; success of this kind is a financial motivation for adversaries to go further. Regional political situations have also triggered a large number of campaigns.
In this state, cyberspace will continue to be turbulent through 2020 and for the next few years.
A few key considerations while preparing to tame and navigate the tides ahead:
Darker internet traffic:
Almost 80% of enterprise network traffic is now encrypted, and this may rise to around 90% in the next few years. Adversaries use the same channel for their activities and for data exfiltration. One of the fundamentals of effective security is adequate visibility and control over traffic, and encrypted traffic is steadily adding blind spots.
To regain visibility, enterprises first deployed point-based decryption and then moved to centralised network-level decryption. The push for encryption, for both security and privacy, is now strong, and some vendors may soon adopt technology that cannot be decrypted by third parties, security vendors included. A few DLP vendors already face such constraints with browsers.
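As an added example (not code from the original article), the following Python shows what a network sensor can still read from the first packet of a TLS connection without decrypting anything: the server name (SNI), the offered cipher suites, the ALPN protocols and whether TLS 1.3 was offered. The ClientHello bytes are constructed inside the block by build_client_hello() rather than taken from a capture, and the function and field names are this example's own. The caveat the paragraph points at applies here too: once a client encrypts its ClientHello (Encrypted Client Hello), the SNI field below is no longer in the clear.

```python
import struct

# Extension type codes from the IANA TLS ExtensionType registry.
EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(sni, alpn, cipher_suites):
    """Assemble a minimal ClientHello record (constructed test input, not a capture)."""
    name = sni.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # one host_name entry
    sni_ext = struct.pack("!H", len(sni_list)) + sni_list
    alpn_list = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_ext = struct.pack("!H", len(alpn_list)) + alpn_list
    versions_ext = b"\x02\x03\x04"                                     # offers TLS 1.3 only
    extensions = b"".join(
        struct.pack("!HH", etype, len(edata)) + edata
        for etype, edata in ((EXT_SERVER_NAME, sni_ext),
                             (EXT_ALPN, alpn_ext),
                             (EXT_SUPPORTED_VERSIONS, versions_ext))
    )
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # legacy_version = TLS 1.2
        + bytes(32)                                   # random, zeroed for the sample
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Read the cleartext fields of a ClientHello; no keys, no decryption."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                            # past record (5) and handshake (4) headers
    info = {"legacy_version": record[pos:pos + 2].hex(), "sni": None,
            "alpn": [], "cipher_suites": [], "tls13_offered": False}
    pos += 2 + 32                                      # legacy_version + random
    pos += 1 + record[pos]                             # session_id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    info["cipher_suites"] = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + record[pos]                             # compression_methods
    if pos >= len(record):                             # ClientHello without extensions
        return info
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        edata = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            p = 2                                      # skip server_name_list length
            while p + 3 <= len(edata):
                ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                if ntype == 0:                         # 0 = host_name
                    info["sni"] = edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        elif etype == EXT_ALPN:
            p = 2                                      # skip protocol_name_list length
            while p < len(edata):
                plen = edata[p]
                info["alpn"].append(edata[p + 1:p + 1 + plen].decode("ascii", "replace"))
                p += 1 + plen
        elif etype == EXT_SUPPORTED_VERSIONS:
            offered = [edata[i:i + 2] for i in range(1, 1 + edata[0], 2)]
            info["tls13_offered"] = b"\x03\x04" in offered
    return info


# Constructed sample: what a sensor sees on the first packet of a connection.
SAMPLE_HELLO = build_client_hello("mail.example.com", ["h2", "http/1.1"], [0x1301, 0x1302, 0xC02B])

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
```

This metadata (destination name, offered suites, ALPN) is what passive monitoring and fingerprinting rely on when payload decryption is not possible; the parser deliberately stops at the fields a sensor can read without keys.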
Armour gallery:
Roughly 1,500 or more established security vendors, only a few of them profitable, are currently in the market selling point solutions to enterprises. An enterprise security team manages on average 18 to 30 different technologies across its IT estate, each isolated, independent and managed separately.
Given the need for indicator sharing between controls, rapid configuration enforcement, ease of management, product-specific skills, optimisation and centralised visibility, enterprises should consider consolidating point solutions into platform technologies, integrating multiple technologies from preferred vendors into a common solution for detection and defence.
Quality of resources
The mindset, attitude, observation, business acumen and technical skills of a cybersecurity resource differ considerably from those of other IT resources, since a cybersecurity professional is rarely performing routine activities under the same assumptions. Business requirements, vulnerabilities, the threat environment and adversaries keep changing, and decisions and responses are required within a limited time frame.
The lack of quality resources (developers, users, IT admins and so on) with a security mindset continues to be a constraint. The best possible automation and orchestration, avoidance of false positives through accurate and actionable threat intelligence, and reduction of the threat surface are essential to sustain.
Cloud-first, and then cloud-only
With the cloud-first strategy of the last few years, most new IT estate is now built in the cloud and legacy environments are shrinking, leading to a cloud-only approach. This has also led to fewer IT resources with environmental context, more stringent contractual clauses, additional regulatory mandates, a lack of visibility and control, and a false sense of security.
The rising number of incidents involving cloud environments, mostly due to misconfiguration, lack of accountability and transparency, bad architectures, poor assumptions and targeted campaigns, at both the provider and the customer, raises the risk of putting all eggs in one basket. In the coming years, cyber strategists will recommend hybrid environments for resilience, on the assumption that cloud-only is risky and not fully trustworthy.
Omissions, Oversights, and Errors
Higher privileges, non-standardised approaches, the need for speed and agility, fewer validation checks and a lack of sensitivity lead to omissions, oversights and errors by IT users, and these will continue to be disastrous. The root cause of most cyber incidents in the last few years reflects this. It is now one of the topmost risks in the cyber world.
Privilege limitation, avoidance of reusable components from public domains, adequate control across all channels, and validation toll gates should be enforced as part of agile models.
Regulations and Liabilities
With changing business models, their technology environments, threats and incidents, regulations and contractual liability clauses and their enforcement are getting stringent. GDPR and the penalties enforced recently are a direct reflection of this seriousness. Accountability and liability for security and privacy incidents are getting stricter, including jail terms for the accountable person.
Privacy accountability is still a grey area: is it the Privacy Officer (where such a position exists), the DPO, CRO, CISO, CIO or COO who is accountable in case of a privacy breach? CISOs should document and publish their roles and responsibilities on privacy to ensure effectiveness and authority, and to avoid being the scapegoat when things go wrong.
IPv6, 5G, IoT, OT
All of these technologies are now entering the enterprise IT landscape and will change existing norms. The security controls, processes and skills needed to integrate them into the mainstream are lacking within internal security teams.
IPv4 addresses are running out, and soon a full-fledged or hybrid IPv6 addressing scheme will exist rather than the current IPv6-to-IPv4 translation mode. Traditional log collection is based on the IPv4 addressing structure; many security handlers are not sure how IPv6-based logs will co-exist with IPv4 logs, mainly in event correlation.
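The correlation problem above is concrete: the same host can appear in logs as a dotted IPv4 address, as an IPv4-mapped IPv6 address, as uppercase uncompressed IPv6, or bracketed with a port, and naive string matching will treat each form as a different host. As an added example (not from the original article), the following Python normalises every address token to one canonical form with the standard library's ipaddress module before grouping events. The log lines are constructed for the example and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not real captures). Two hosts appear in several
# notations: dotted IPv4, IPv4-mapped IPv6, uncompressed uppercase IPv6,
# bracketed IPv6 with a port, and link-local IPv6 with a zone id.
SAMPLE_LOGS = [
    "fw src=192.0.2.10 dst=198.51.100.5 action=deny",
    "proxy client=::ffff:192.0.2.10 url=https://example.test/ status=403",
    "sshd Failed password for root from 2001:DB8:0000:0000:0000:0000:0000:0001 port 52211",
    "web remote=[2001:db8::1]:443 path=/admin status=401",
    "fw src=fe80::1%eth0 dst=ff02::1 action=allow",
]


def canonical(token):
    """Return the canonical text form of an address token, or None if it is not one."""
    t = token.strip(",;")
    if t.startswith("[") and "]" in t:          # [v6]:port
        t = t[1:t.index("]")]
    elif t.count(":") == 1 and "." in t:        # v4:port
        t = t.split(":", 1)[0]
    t = t.split("%", 1)[0]                      # drop link-local zone id (fe80::1%eth0)
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                  # ::ffff:192.0.2.10 -> 192.0.2.10
    return str(addr)                             # compressed, lowercase for IPv6


def extract_addresses(line):
    """Pull every address out of a log line, checking key=value values and bare tokens."""
    found = []
    for raw in line.split():
        value = raw.split("=", 1)[1] if "=" in raw else raw
        c = canonical(value)
        if c is not None:
            found.append(c)
    return found


def correlate(lines):
    """Map each canonical address to the indexes of the lines that mention it."""
    hits = defaultdict(list)
    for idx, line in enumerate(lines):
        for addr in extract_addresses(line):
            if idx not in hits[addr]:
                hits[addr].append(idx)
    return dict(hits)


if __name__ == "__main__":
    for addr, lines in sorted(correlate(SAMPLE_LOGS).items()):
        print(addr, "->", lines)
```

Normalising at ingestion, before the events reach the correlation engine, is the point: the firewall deny on line 0 and the proxy 403 on line 1 are the same client, and the sshd failure and the /admin 401 are the same IPv6 host, which a substring search over the raw lines would never connect.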
More devices will be directly connected to the internet with 5G and IPv6, and layered security protection will vanish in many such cases (for example, at home the modem/router will no longer be the aggregator and interface to the internet). The security of each device becomes critical, and the compromise of any one of them will have an impact.
IoT devices are getting connected and becoming part of mainstream connectivity; most of these devices are built with no security considerations, and no industry standard exists. The vulnerabilities and risks involved could impact the upstream and downstream IT ecosystems at the enterprise level.
While the CISO's organisation will be accountable, the team is not fully equipped to handle this. IoT compromises can endanger individuals. If such a situation arises, the CISO may be answerable for the deficiency in the defence. It is time to start preparing to defend effectively.
Re-architecture: digital transformation / cloud adoption
Digital transformation and cloud adoption started as specific use-case initiatives, and their scope grew with additional use cases until they became large key projects. In none of these phases was revalidation of the enterprise security network architecture a major consideration, since each change was incremental.
Traffic patterns, visibility, scope, coverage of channels, breadth of estate and controls at the enterprise level changed drastically with these transformations. It is time to revalidate the enterprise architecture for effectiveness and optimisation, mainly the relevance of the existing layered security architecture and the security event correlation infrastructure (considering all intrusion and extrusion points and the hybrid environment).
A zero-trust architecture approach should be a priority consideration for resilience.
Persona-based security, with the identity of the user, the system and the information at its core, should be the key consideration while validating and designing the approach.
Overall security budget and effectiveness can be improved if the approach is to reduce the threat surface and avoid potential attempts, rather than to add controls and people to defend an estate that remains vulnerable and misconfigured.
Budget
The security budget in most enterprises is staying almost the same as last year or is being reduced, but in reality it needs a considerable increase now to stay relevant.
A few factors driving this increase:
- Most vendors have moved to subscription-based and feature-based billing, which is costlier than traditional perpetual licence models
- New forms of attack demand new technology controls, coverage and scope
- Quality skill sets are becoming costlier
- Regulations and contractual compliance mandate new controls and certifications
- The cost and effort of defending hybrid cloud environments is not just incremental to existing activity but a whole new space
Intelligence
Having actionable, relevant intelligence is critical to being proactive and resilient rather than reactive and in firefighting mode. The scope of intelligence gathering and usage has increased considerably over the years.
Too many incidents in the recent past have left large numbers of credentials in the public domain for adversaries to access and weaponise. The enterprise security team should periodically validate its capability, and the time it takes, to detect such credentials in public and contain them before they are misused; the same applies to source code, configuration files, sensitive files, vulnerabilities, network diagrams, specific campaigns and so on.
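Validating that capability needs something to run against exposed material. As an added example (not from the original article), the following Python is a small secret scanner of the kind used to check public repositories and paste sites for an enterprise's own leaked credentials and configuration: fixed-shape patterns for known secret formats and private key blocks, plus a Shannon-entropy check for opaque tokens that no pattern names. The input is a constructed configuration file (the AWS values are Amazon's documented example values, not a real leak), and the pattern set, threshold and function names are this example's own choices.

```python
import math
import re

# Constructed sample of text as it might turn up in a public repository or paste
# site (not a real leak). The AWS values are Amazon's documented example values.
SAMPLE_TEXT = """\
# deploy.env (committed by mistake)
DB_HOST=db.internal.example
DB_PASSWORD=Sup3rS3cret!
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
LOG_LEVEL=debug
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK...
"""

# Structured patterns for secrets that have a recognisable shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)"),
}
# Catch-all for opaque tokens (API keys, secret keys) that no pattern names.
CANDIDATE = re.compile(r"[A-Za-z0-9+/]{20,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; random base64-like material sits above this


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mask(value):
    """Keep enough of a hit to triage it without re-leaking it in the finding."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text):
    """Return findings as dicts with kind, 1-based line number and a masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"kind": kind, "line": lineno, "value": mask(value)})
        for m in CANDIDATE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"kind": "high_entropy_string", "line": lineno, "value": mask(token)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f['line']:>3}  {f['kind']:<22} {f['value']}")
```

Two design points matter in practice: findings carry a masked value so the scanner's own output does not become a second copy of the secret, and the entropy check is a fallback rather than the primary test, since words such as the AWS example key ID are below the threshold and are caught only by their fixed shape. Measuring the time from a test credential appearing in a public location to its detection by this kind of scan is the capability check the paragraph asks for.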
With the right intelligence and sensible use cases to consume it, enterprise defence maturity improves considerably.
CISO
If the enterprise has a technology landscape (business IT) that is not managed by the CIO, and the CISO is responsible for its security, the CISO's reporting line should ideally move out of the CIO's organisation. Otherwise the CISO will see accountability and responsibility only through the CIO's lens and will miss its objectives. Organisational structure also depends on responsibility and accountability within the scope and industry sector in which they operate.
Decisions on security control solutions taken outside the CISO's organisation, under the influence of a few vendors at senior management level, create half-baked controls and ineffective deployments. This risk has to be documented and the accountability signed off. Carrying this baggage will be a burden in the long run.
It is time for differentiating CISOs to evolve. The differentiation should not be based on the specific vendor technology they bought, on being among the vendor-sponsored award winners, or on forwarding the maximum number of posts on social media, but on the vision, the best practices they developed, the effective resilience approach they chose and the strategic direction they provided.
In the physical world, war heroes emerged from their strategy and execution. It should be the same in the cyber world.
The attempt in this document is not to generalise the security posture across enterprises, but to reflect the concerns and considerations echoed by various security leaders globally, whom I met during my interactions as a security strategist.
CISSP, CISA, PRINCE2, MBCI · 4y
Absolutely agree that with the evolving threat landscape, a new breed of CISOs needs to evolve. It is the CISO who reduces the threat surface that needs to be felicitated, not the one that buys the largest number of licenses. It is painful to see CISOs spending large amounts of money without understanding the problem they are trying to solve or even properly sizing and configuring the solution they purchased. They then struggle with implementation vendors trying to force-fit the solution capability to their "ambiguous" problem space.
Program Manager · 4y
Agreed, Sunil. There is a need to provide fast & seamless enterprise services, but with effective security in place, which is the biggest challenge of today.