In part two of this blog series on aligning security with business objectives and risk, we explored the importance of thinking and acting holistically, using the example of human-operated ransomware, which threatens every organization in every industry. As we exited 2020, the Solorigate attack highlighted how attackers are continuously evolving. These nation-state threat actors turn an organization's software supply chain against it: the attackers compromise legitimate software and applications with malware that is then installed into target organizations.
In part three of this series, we will further explore what it takes for security leaders to pivot their program from a mission defined strictly as defending against technological attacks to one that focuses on protecting valuable business assets, data, and applications. This pivot will enable business and cybersecurity leaders to remain better aligned and more resilient to a broader spectrum of attack vectors and attacker motivations.
What problem do we face?
First, let’s set a quick baseline on the characteristics of human-operated cyberattacks.
This diagram illustrates commonalities and differences between for-profit ransomware and espionage campaigns:
Figure 1: Comparison of human-operated attack campaigns.
Typically, the attackers are:
Flexible: Utilize more than one attack vector to gain entry to the network.
Objective driven: Achieve a defined purpose from accessing your environment. This could be specific to your people, data, or applications, but you may also simply fit a class of targets like "a profitable company that is likely to pay to restore access to their data and systems."
Stealthy: Take precautions to remove evidence or obfuscate their methods (though at different levels of investment and priority; see Figure 1).
Patient: Take time to perform reconnaissance to understand critical infrastructure and the business environment.
Well-resourced: Skilled in the information and communication technologies they are targeting (though the depth of skill can differ).
Experienced: Use established techniques and tools to gain elevated privileges to access or control parts of the estate (which grants them the privileges they need to fulfill their objective).
There are variations in attack style depending on the motivation and objective, but the core methodologies are similar. In some ways, this is analogous to the difference between a modern electric car and a "Mad Max" style vehicle assembled from whatever spare parts were readily and inexpensively available.
What to do about it?
Because human attackers are adaptable, a static technology-focused strategy won't provide the flexibility and agility you need to keep up with (and get ahead of) these attacks. Historically, cybersecurity has tended to focus on the infrastructure, networks, and devices, without necessarily understanding how these technological elements relate to business objectives and risk.
By understanding the value of information as a business asset, we can take concerted action to prevent compromise and limit risk exposure. Take email, for example: every employee in the company typically uses it, and the majority of communications have limited value to attackers. Nonetheless, it also contains potentially highly sensitive and legally privileged information (which is why email is often the ultimate target of many sophisticated attacks). Categorizing email through only a technical lens would incorrectly classify it as either a high-value asset (correct for those few very important items, but impossible to scale) or a low-value asset (correct for most items, but misses the "crown jewels" in email).
Security leaders must step back from the technological lens, learn what assets and data are important to business leaders, and prioritize how teams spend their time, attention, and budget through the lens of business importance. The technical lens will be re-applied as security and IT teams work through solutions, but looking at this only as a technology problem runs a high risk of solving the wrong problems.
It is a journey to fully understand how business value translates to technological assets, but it's critical to get started and make this a top priority to end the everlasting game of "whack-a-mole" that security plays today.
Security leaders should focus on enabling this transformation by:
Aligning the business in a two-way relationship:
Communicate in their language: explain security threats in business-friendly language and terminology that helps to quantify the risk and impact to the overall business strategy and mission.
Engage in active listening and learning: talk to people across the business to understand the important business services and information, and the impact if they were compromised or breached. This will provide clear insight into prioritizing investment in policies, standards, training, and security controls.
Translating learnings about business priorities and risks into concrete and sustainable actions:
Short term: focus on dealing with burning priorities:
Protecting critical assets and high-value information with appropriate security controls (ones that increase security while enabling business productivity).
Focusing on immediate and emerging threats that are most likely to cause business impact.
Monitoring changes in business strategies and initiatives to stay in alignment.
Long term: set direction and priorities to make steady progress over time and improve overall security posture:
Zero Trust: Create a clear vision, strategy, plan, and architecture for reducing risk in your organization, aligned to the Zero Trust principles of assuming breach, least privilege, and explicit verification. Adopting these principles shifts from static controls to more dynamic risk-based decisions that are based on real-time detections of anomalous behavior, irrespective of where the threat originated.
Burn down technical debt as a consistent strategy by operating security best practices across the organization, such as replacing password-based authentication with passwordless and multi-factor authentication (MFA), applying security patches, and retiring (or isolating) legacy systems. Just like paying a mortgage, you need to make steady payments to realize the full benefit and value of your investments.
Utilize data classifications, sensitivity labels, and role-based access controls to protect data from loss or compromise throughout its lifecycle. While these can't wholly capture the dynamic nature and richness of business context and insight, they are key enablers that guide information protection and governance, limiting the potential impact of an attack.
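To make the shift from static controls to dynamic, risk-based decisions concrete, here is an added illustration (not code from the original post, and not Microsoft's own Conditional Access engine) of an access-decision evaluator that combines the three Zero Trust principles with the sensitivity labels and role-based access controls discussed above. The resources, roles, risk thresholds and the `risk_score` signal are constructed for this example; in a real deployment the score would come from your detection platform's real-time anomaly signals, and the thresholds would be tuned to your business's tolerance for each label.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List


class Sensitivity(IntEnum):
    """Sensitivity labels, ordered so that a higher value means more sensitive."""
    PUBLIC = 0
    GENERAL = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3


# Assume breach: the more sensitive the data, the less anomaly we tolerate before
# denying access. Values are constructed for this example, not recommended settings.
RISK_THRESHOLD = {
    Sensitivity.PUBLIC: 0.9,
    Sensitivity.GENERAL: 0.7,
    Sensitivity.CONFIDENTIAL: 0.4,
    Sensitivity.HIGHLY_CONFIDENTIAL: 0.2,
}


@dataclass(frozen=True)
class Resource:
    name: str
    label: Sensitivity
    allowed_roles: FrozenSet[str]  # least privilege: roles explicitly granted access


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    mfa_passed: bool          # explicit verification: strong authentication completed
    device_compliant: bool    # explicit verification: managed, healthy device
    risk_score: float         # 0.0 (normal) .. 1.0 (highly anomalous), from live detections


@dataclass
class Decision:
    allow: bool
    reasons: List[str]        # empty when allowed; otherwise every failed check


def evaluate(req: AccessRequest, res: Resource) -> Decision:
    """Evaluate one request against one resource and return the decision with reasons."""
    reasons: List[str] = []

    # Least privilege: the user must hold at least one role granted on this resource.
    if not (req.roles & res.allowed_roles):
        reasons.append("no authorized role for resource")

    # Explicit verification: the verification bar rises with the sensitivity label.
    if res.label >= Sensitivity.CONFIDENTIAL and not req.mfa_passed:
        reasons.append("MFA required for confidential data")
    if res.label >= Sensitivity.HIGHLY_CONFIDENTIAL and not req.device_compliant:
        reasons.append("compliant device required for highly confidential data")

    # Assume breach: a live anomaly signal can override an otherwise valid request.
    threshold = RISK_THRESHOLD[res.label]
    if req.risk_score > threshold:
        reasons.append(
            f"risk score {req.risk_score:.2f} exceeds {threshold:.2f} for {res.label.name}"
        )

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample data: a highly confidential payroll mailbox and a public newsletter.
PAYROLL = Resource("payroll-mailbox", Sensitivity.HIGHLY_CONFIDENTIAL, frozenset({"finance"}))
NEWSLETTER = Resource("company-newsletter", Sensitivity.PUBLIC, frozenset({"employee"}))


def sample_decisions() -> List[Decision]:
    """Run four constructed requests through the evaluator and return the decisions."""
    finance_ok = AccessRequest("alice", frozenset({"finance", "employee"}), True, True, 0.10)
    finance_anomalous = AccessRequest("alice", frozenset({"finance", "employee"}), True, True, 0.50)
    wrong_role = AccessRequest("bob", frozenset({"employee"}), True, True, 0.10)
    weak_but_public = AccessRequest("bob", frozenset({"employee"}), False, False, 0.30)
    return [
        evaluate(finance_ok, PAYROLL),          # allowed
        evaluate(finance_anomalous, PAYROLL),   # denied: anomaly on sensitive data
        evaluate(wrong_role, PAYROLL),          # denied: least privilege
        evaluate(weak_but_public, NEWSLETTER),  # allowed: public data, low bar
    ]


if __name__ == "__main__":
    for d in sample_decisions():
        print("ALLOW" if d.allow else "DENY ", d.reasons)
```

The point of the example is that the same user with the same role and the same credentials can be allowed one minute and denied the next purely because the live risk signal changed, and that the bar for "explicitly verified" is set by the business sensitivity label rather than by a single network-wide policy. Every denial carries its reasons so that security operations can see which principle fired.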
Establishing a healthy security culture by explicitly practicing, communicating, and publicly modeling the right behavior. The culture should focus on open collaboration between business, IT, and security colleagues, and on a "growth mindset" of continuous learning. Culture changes should be focused on removing silos between security, IT, and the broader business organization to achieve greater knowledge sharing and higher levels of resilience.
You can read more on Microsoft’s recommendations for security strategy and culture here.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.