I wanna get better

“A lot of security departments are swimming in the wrong direction,” says Raef Meeuwisse, Director of Cybersecurity at Cyber Simplicity Ltd. By this, Meeuwisse means that companies haven’t yet redirected the scope of their security programs—the tools, technologies, and processes—to reflect current threats. 

Those threats are arriving faster and hitting harder, with no sign of slowing down. “Mega breaches” are still occurring, even at companies big enough, and with budgets large enough, to implement security properly. As these large, well-funded companies get hit, security teams across the globe are taking note and beginning to understand that a change of course is necessary. Unfortunately, that change is not arriving as fast as the attacks, but Meeuwisse believes that over the last year companies have begun to acknowledge the need. A shift in thinking about protection strategies, at least, is taking place: security teams now accept that blocking every attack and attacker is unrealistic.

Thanks to mass-media headlines, security teams are, in general, now getting larger budgets to invest in cybersecurity. Yet companies “still have substantial gaps,” observes Meeuwisse. To be fair, as attacks multiply, vendors are stepping up to the plate and offering new defensive technologies: advanced secure desktop virtualization, “super intelligent” zero-day detection software, next-generation access control. These are helpful tools, and many security teams are spending their new budgets on the latest and greatest, but such tools are built to counter the new, shiny, blinky threats, not the obvious gaps that remain in most companies’ networks, applications, and devices.

And I’ve trained myself to give up on the past ‘cause

It’s easy to follow the latest trends, but the truth is that security continues to flounder on the basics. Many attacks succeed through spam or phishing, unpatched systems, weaknesses in code, excessively privileged admin accounts, and weak or shared passwords. Data is stolen because companies fail to encrypt it. Ransomware is incredibly popular and effective because organizations don’t maintain adequate backups. And with every new technology and every new type of defense introduced, attackers remain better at finding the vulnerabilities than white hats are at eliminating them.

It’s a sad reality that attackers need only find one vulnerability in the whole technology stack to cause harm. Defenders, on the other hand, must cover all the bases and anticipate how and when the attacks might strike. It’s like a contractor building an entire house and the homeowner noticing only the one small seam in the granite of the guest bathroom that doesn’t quite line up. It’s much easier to find the flaw than to build every minute detail perfectly.

In addition, Meeuwisse shares, most companies are still putting their money into network defenses even though the real focus should be on data. “Progressive companies,” he says, “are starting to think more about and put more protection around the different layers—the applications, the devices, the data itself.” The network layer is traditionally considered the “primary layer” of defense, but it is only one layer in today’s architecture. Investment has to be spread across the other layers too, all of them. A nouveau defense in depth, if you will.

In a blaze of fear I put a helmet on a helmet

Even though companies aren’t quite there yet, Meeuwisse points out that security organizations are moving towards containment and control: improving the ability to find and shut down attacks quickly when they occur, rather than trying to stop every one before it happens. Most security departments have taken the step of saying “perfect security is impossible,” but familiarity with “how things are always done,” the speed of trends and attacks, and budgets and resources remain common constraints. New thinking about current threats is a step in the right direction, but it’s not enough.

Furthermore, “contain and control” is a very good tool to have in the toolbox, and it has its place, but when it comes to systems that protect human health and safety, industrial control systems, and other physical assets, “find the exploit as quickly as possible” isn’t a reasonable strategy: by the time an intrusion is detected, the damage may already be physical and irreversible. The number of companies that currently need to consider human safety is limited, but as IoT becomes more the norm than the exception, this won’t be the case. Organizations need to truly evaluate, says Meeuwisse, the level of intrusion that’s acceptable. He adds that businesses built on highly sensitive data, or running systems that could cause human casualties or ruin customer confidence (e.g., legal firms and hospitals), should consider “contain and control” a last resort. These businesses have to be significantly proactive about security, and must continually learn about the ever-changing threat landscape and adapt. “We can’t continue to think outdated concepts will work. Network defenses aren’t adequate,” warns Meeuwisse. “It’s the wrong perfect storm. Our gaps are getting bigger and we don’t have enough improvement to defensive techniques.”

I didn’t know I was broken ‘til I wanted change

Security teams need a learning curve as rapid as the attackers’. The last 12 months have shown growing awareness, but security’s actions still lag behind. Threat levels have changed massively; cybercrime is multiplying and the types of malware are shifting (ransomware, for instance) at breakneck speed, and organizations need to start acting on the idea that information is the new perimeter. “It’s the old perimeter,” jokes Meeuwisse, “We just forgot that it was.”