The Evolving Role Of Cybersecurity Operations In A Rapidly Changing World

Today’s evolving cyber threat landscape poses a significant challenge to organizations around the world. With the emergence of nefarious AI-powered threats and state-sponsored entities, the security industry finds itself at a crossroads. From sophisticated cyberattacks to internal vulnerabilities, threat complexity is escalating and creating pervasive and multifaceted risks. This environment requires innovative solutions, prompting a shift in traditional security paradigms towards a more integrated, data-driven approach.

Security Silos No More

The days of siloed security operations are behind us. Cybersecurity is now a critical conversation occurring at the highest levels of business and being intricately woven into every facet of operations. Amidst this paradigm shift terminology has evolved, moving from ‘security’ to ‘risk and resilience.’ The emerging lexicon underscores the strategic role comprehensive security must play in safeguarding an organization’s bottom line.

As this transformation in business security gains momentum and efficacy, it indicates a positive evolution in security practices. It also emphasizes the necessity for security professionals to possess a keen understanding of business dynamics. Security strategies now demand a holistic view that spans the entire organization and IT infrastructure, to not only protect against threats but enhance business activities and demonstrate tangible value from investments in security technologies and solutions.

Navigating Internal and External Threats with Agility

The current security landscape is exceedingly complex. Organizations must contend with external hackers and internal employees who misuse resources (consciously or unconsciously) or engage in nefarious activities. The adoption of zero-trust models and emphasis on identity threat management in the face of these risks exemplifies a shift towards more sophisticated, data-driven security practices. These approaches not only defend against known threats, but also anticipate and mitigate potential vulnerabilities from within.

Security operations have pivoted as a result, and are embracing business intelligence tools and data to shape priorities, strategy, and decision-making. This shift away from traditional methods reflects the growing sophistication of enterprise security leaders, and their adeptness at translating data into actionable insights.

Beyond Traditional Defenses: Embracing Comprehensive Security

Modern security has evolved from a peripheral concern to a central element of strategic business planning. The harsh reality is that companies can now face closure due to a security breach, as demonstrated by numerous unfortunate instances. This shift signifies a transition from conventional security protocols to a comprehensive security model that integrates every facet of organizational operations. This model surpasses mere defense against attacks; it aims to establish an ecosystem where security is deeply ingrained in the fabric of business processes. Through such integration, organizations enhance their ability to effectively anticipate, respond to, and recover from cyber threats.

The Elusive Cybersecurity Nirvana

Technological advancements, such as artificial intelligence (AI) and machine learning (ML), have revolutionized security monitoring. These technologies enable organizations to detect and respond to threats more efficiently by analyzing vast amounts of data to identify patterns and predict potential security incidents. Comprehensive security encompasses a multifaceted approach that extends beyond these technological defenses to include policy, governance, and human factors. It blends business acumen with security expertise, integrating solutions into an interconnected system that supports business continuity and creates value.

Yet achieving this cybersecurity excellence, or “Nirvana,” can be challenging. Some organizations lack the staff or strategy needed for effective implementation. Partnering with external service providers can bridge these gaps, as partners can embed a cybersecurity culture across the entire IT stack, beyond just the outer defensive layers. While many vendors focus on point solutions, organizations should seek partners capable of managing the entire stack from data and infrastructure to embedding security and compliance throughout the organization.

Building a Resilient Future

In today’s cyber world, security operations are constantly in motion, and the need for a holistic, adaptive security strategy has never been more pressing. As organizations navigate the intricacies of the threat landscape, cybersecurity success will be defined by an emphasis on risk and resilience, alongside a proactive, data-driven approach. This integration of security monitoring services within a comprehensive security framework represents a pivotal shift in how organizations approach cyber defense. By seamlessly combining advanced monitoring capabilities, strategic planning, and a profound understanding of business operations, organizations can establish a resilient security posture. Such a posture not only safeguards against existing threats, but anticipates and mitigates future challenges.

To achieve success organizations must also embrace humility in acknowledging their limitations and seek assistance from comprehensive security providers. Avoiding the temptation of siloed point products, organizations should prioritize partnering with providers capable of managing the entire stack. This collaborative approach ensures a cohesive and robust defense against the dynamic landscape of cyber threats.

Looking for support in combating all the internal and external cyber threats your organization faces? Contact us to get started.

 

This article was originally published in Forbes.

Election 2024: Championing Proactive Cybersecurity To Fortify National Security

The 2024 election presents a pivotal moment for national security, particularly through the lens of cybersecurity. Amid widespread discussion on the perceived shortcomings of United States presidential candidates, a policy domain with the potential for broad consensus emerges: cybersecurity. This issue transcends political divisions, posing a universal challenge to advocates of peace and democracy across the political spectrum. It offers a unique opportunity not only to unite with allies, but to extend olive branches to global adversaries through cooperative efforts.

As we explore our national priorities and hopes for the future, the forthcoming election brings the significance of cybersecurity policies to the forefront. It demands that candidates clarify their positions on adopting proactive cybersecurity measures. Cybersecurity is not only central to national security dialogues, but increasingly impacting our day to day activities, requiring we delve into the specific policies, practices, and technological innovations that define an advanced cybersecurity strategy. This strategy is crucial not just for presidential hopefuls, but for gubernatorial, mayoral, and congressional candidates. Related discussions should underscore the critical need to employ technology and foster policy-led partnerships to develop a robust digital infrastructure, which is proactive, resilient, and ready to tackle the cybersecurity challenges of tomorrow.

Advocating for Proactive Cybersecurity Measures

Advocating for proactive cybersecurity measures is pivotal, as is emphasizing prevention over reaction. This approach entails several critical policies and technologies, which candidates can champion in their platforms:

  • Comprehensive Risk Assessments: Regular, in-depth evaluations of government and critical infrastructure networks are essential to uncover vulnerabilities and anticipate threats.
  • Early Adoption of Emerging Technologies: Commitment to the latest advancements, such as Artificial Intelligence (AI) and Machine Learning (ML), is crucial for predictive threat analysis, anomaly detection, and orchestrating automated responses.
  • Strengthening Cyber Hygiene: Advocating for stringent cyber hygiene practices across both government entities and the private sector is vital. This means ensuring regular software updates, implementing strong password policies, and conducting thorough employee training programs.

The value of AI and ML in supporting the shift from reactive to proactive cybersecurity cannot be overstated. By integrating these technologies into national cybersecurity strategies, candidates can support key activities:

  • Automated Threat Intelligence: Leveraging AI to sift through global threat data enables the anticipation and neutralization of cyberattacks with real-time defense mechanisms.
  • Behavioral Analytics: Utilizing ML to scrutinize network behavior allows for the identification of anomalies that could signal potential threats, facilitating early intervention.
  • Enhanced Incident Response: AI enhances the development of rapid and more effective response strategies, significantly mitigating the repercussions of any breaches.

Safeguarding Porous Cyber Borders

Protecting against the permeability of cyber borders necessitates a multifaceted approach that combines technology with human insight. This approach is underpinned by a commitment to a robust security culture that acknowledges our collective responsibility in upholding high security standards through:

  • Education and Awareness Programs: Enhancing cybersecurity knowledge at all levels of education and providing continuous training for both government personnel and the general populace.
  • Encouraging Responsible Innovation: Promoting the integration of ethical considerations and security measures in the development of new technologies and digital services.

Despite the internet’s borderless nature, the definition and protection of cyber borders are imperative. Candidates should advocate for international collaboration and frameworks that extend cybersecurity efforts beyond national boundaries, including:

  • Global Cybersecurity Alliances: Strengthening alliances with global partners to facilitate the exchange of threat intelligence, share best practices, and orchestrate coordinated responses to cyber incidents. This initiative should also consider building cybersecurity partnerships with political adversaries, potentially as a cornerstone of future trade agreements.
  • Regulatory and Legal Frameworks: Developing comprehensive laws and international agreements aimed at bolstering cross-border cooperation in cybersecurity operations and the prosecution of cybercrime.
  • Public-Private Partnerships: Encouraging a synergistic relationship between government agencies and the technology sector, leveraging the latter’s innovative capabilities and responsiveness to effectively address cybersecurity challenges.

Prioritizing Cybersecurity to Secure our Digital Future: A Call to Action for Candidates

As we approach the 2024 election, the importance of cybersecurity cannot be overstated. The outlined strategies and policies represent a blueprint for national resilience in the face of digital threats to our banking sector, our health care sector, and even our emerging electrical vehicle sector.

This is a call to action for the top presidential candidates to prioritize and articulate robust cybersecurity platforms. By choosing a proactive cybersecurity approach, emphasizing comprehensive risk assessments, leveraging AI and ML technologies, promoting global cooperation, and fostering a culture of security, candidates can demonstrate their commitment to safeguarding our nation’s digital infrastructure.

This commitment will not only enhance national security, but provide voters with a clear basis to assess which candidate is best equipped to navigate the complexities of our modern cyber landscape. It’s imperative for leading figures to embrace these principles, showing preparedness to lead and protect, as so many of our future innovations are at stake. As voters, we must demand dedication to cybersecurity from our future leaders, recognizing that the safety of our digital future hangs in the balance.

Need to better prioritize cybersecurity within your organization? Contact us to get started.

 

This article was originally published on Forbes, please follow me on LinkedIn.

Balancing Transparency and Practicality Amidst CISA Call for Enhanced Cyber Incident Reporting

The Cybersecurity and Infrastructure Security Agency (CISA), led by Director Jen Easterly, made a compelling case for increased cyber incident reporting in late 2023. While the intent behind this initiative is commendable – and the need for improved cybersecurity measures evident – it’s crucial to critically assess the proposed approach and its potential implications, as it could become a double-edged sword for organizations.

The Urgency of Cyber Incident Reporting

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) due to the escalating scale, sophistication, and impact of cybersecurity threats. Organizations, critical infrastructure, and governments continue to face looming risks across the digital landscape, and timely detection and response are pivotal in mitigating the damage caused by cyber incidents.

Easterly’s push for mandatory incident reporting aims to address this challenge by fostering transparency and information sharing among organizations. The rationale is that by collecting and analyzing data on cyber incidents, CISA can offer better guidance and support to organizations, enabling them to bolster their defenses and respond more effectively to attacks.

This much-needed initiative has been anticipated for some time, signifying a union between the private sector and national organizations. However, the adoption of such a standard is a journey that must acknowledge certain realities.

The Potential Challenges

There are several potential challenges associated with mandatory cyber incident reporting that merit consideration:

  1. Compliance Burden: Requiring all organizations, regardless of size or industry, to report every cyber incident can create a significant compliance burden. Smaller organizations with limited resources may struggle to meet reporting requirements, diverting their attention and resources from other cybersecurity efforts.
  2. Data Security Concerns: Sharing sensitive information about cyber incidents raises concerns about data security and privacy. Organizations may be hesitant to disclose details of a breach that could expose them to legal or reputational risks. Striking a balance between transparency and data protection is a delicate task.
  3. Potential for Misuse: The information collected through mandatory incident reporting could be misused if not handled carefully. It might inadvertently provide cybercriminals with insights into vulnerabilities, tactics, and targets. There is also a risk of sensitive information being leaked or exploited by malicious actors.
  4. Reporting Fatigue: An influx of incident reports could overwhelm CISA and other relevant agencies, potentially leading to delayed response times or a backlog of cases. It might also result in “reporting fatigue,” where organizations hesitate to report incidents due to perceived complexity and time requirements.
  5. Resource Allocation: Organizations must allocate resources judiciously, focusing on threat prevention, detection, and response. The additional administrative and reporting burden could divert resources from proactive cybersecurity measures, and potentially leave organizations more vulnerable to attacks.

At this stage, the proposed initiative appears to have shortcomings in addressing these risks. It’s crucial to carefully consider the potential drawbacks and unintended consequences of such a mandate.

The Way Forward: Collaborative Solutions

Effective collaboration is essential for fostering a productive partnership between Government and Industry, with several key steps:

  1. Education and Training: Both government and industry can invest in training programs to build a highly skilled cybersecurity workforce and facilitate a better understanding of each other’s needs and constraints.
  2. Shared Frameworks: Developing standardized frameworks for incident reporting, threat intelligence sharing, and vulnerability disclosure can simplify processes for both sides and reduce legal concerns.
  3. Seamless Communication: Enhanced communication channels between government agencies and tech companies can streamline the flow of information. Regular dialogues and joint exercises can enhance mutual understanding.
  4. Incentives and Support: Governments can offer incentives, such as tax breaks or grants, to encourage the tech industry to invest in cybersecurity. Public-private partnerships can also be formed to bolster collective defense.
  5. Transparency: Promoting transparency in decision-making processes and prioritizing it in incident reporting when it doesn’t jeopardize national security can support these efforts.

Genuine Concern: Bureaucracy Vs. Security

The call for increased cyber incident reporting by CISA is driven by a genuine concern for national cybersecurity and the safety of critical infrastructure. Striking the right balance between transparency and practicality is, however, key. While incident reporting can enhance our collective understanding of cyber threats and responses, it must be implemented in a way that doesn’t unduly burden organizations or compromise data security. Moreover, it should be accompanied by robust support mechanisms, including guidance on what and how to report, as well as resources to help organizations bolster their cybersecurity defenses.

In the ever-evolving landscape of cybersecurity, collaboration between government agencies and private organizations is crucial. However, achieving the right balance between security, privacy, and compliance is a complex challenge that requires careful consideration and ongoing dialogue among all stakeholders involved.

This article was originally published in Forbes, please follow me on LinkedIn.

Anatomy of a Comprehensive Security Response

The frontlines of current cyber threat conditions are an interesting combination of rogue threat actors, state-sponsored groups, and Advanced Persistent Threats (APTs). Their intrusions are characterized by stealth, patience, and slow burn endeavors that are well-funded towards their missions. Namely, these threats are focused on evading detection, reconnaissance, and weaponization in a specialized sequence of escalated changes. Even with multiple layers of technical protection, activities still occur on the most privileged networks. This is an account of how a recent incident in a protected environment was uncovered through diligence and forensic review.  

If you could visualize a successful cyberattack in review, you would see that the journey is a lot like skipping across stones in a river. Here, we are going to dissect such an attack.  The object of cybersecurity protections is to review every stone and successfully stop attacks at every possible point. Uncovering threats can rely on automated detection, artificial intelligence, and alerting to varying degrees. However, information uncovered from these scenarios requires analysis and a threat disposition by actual trained and qualified human beings. 

Anatomy of the Incident 

Let us dissect an actual security incident, so we can gain an appreciation of what it takes to mitigate these millions of incidents that happen every day.  

  • In the pre-dawn hours of a recent morning, the Ntirety Security Operations Center (SOC) received the first of series of behavioral threat alerts for an endpoint system within a client’s environment.  
  • The alert triggered a disposition of a potential network ransom event. 
  • An immediate investigation into this system was launched where it was discovered that a portion of the files on the system were encrypted. 
  • The investigation further showed that the operating system was functional, with no observable impact. 
  • Tier 2 SOC personnel initiated an immediate network containment action to isolate the threat and prevent any possible further lateral movement. 
  • Tier 2 SOC personnel continued to scan logs and immediate network connections for signs of further propagation. As the investigation continued, these findings were negative.  
  • The SOC initiated a Root Cause Analysis and determined that the initial Point of Entry for this ransomware attack initiated from an unpatched, externally facing server that DID NOT have standard security products installed 
  • This server was scheduled for decommissioning. Further, an administrator account for this system had been exploited and had been using a weak, 8-character password that had no history of updates. 
  • The affected server was completely compromised, with evidence of complete system encryption.  
  • A ransomware note and additional tracking evidence showed the attack was most likely Crylock ransomware, a new variant of Cryakl ransomware.  
  • Further investigation uncovered that the attacker(s) were able to log in and install software to maintain remote persistence on the server.  
  • System and Security event logs were unable to be recovered, indicating the logs were scrubbed. 

With the successful compromise in place, the attack attempted to escalate, moving laterally to the endpoint system where our detection tools were able to catch it before any further damage could be done.  

As an epilogue, the customer received guidance and recommendations towards decommissioning the server as soon as possible, wiping and imaging the affected workstation, network isolation, strong password enforcement practices, and installation of our advanced security tools throughout all systems in their environment.  

The Comprehensive Response 

Client environments have all kinds of interesting facets to them that can affect overall security. Sometimes there is a bit of baggage, such as a legacy operating system or application that has no available updates or is tied down to legacy by means of licensing, contract, or a functional gap. That legacy OS was the first problem. Missing security tools were the next issue.  

From there, we have an unpatched public-facing system, weak and unmanaged privileged passwords, and an open network hop that allowed the attempt to laterally propagate. You can call that an unfortunate mix of vulnerabilities that could have led to a major problem.  

However, comprehensive practices came through in the detection of anomalous events at the first point possible. Our SOC sprang into action, according to plans, and we were able to fully ascertain this situation and prevent any further incidents. You can see how one unprotected system the potential for significant impact has, but by layering detection and response throughout the environment, we can mitigate the unknown.  

The goals of the Ntirety SOC and application of comprehensive security principles have common targets. We are focused on minimizing the impact of incidents and breaches on our client organizations. To minimize impact, we are focused on responding to incidents quickly and reducing the time it takes to detect and enact our responses. By effectively remediating security conditions and maintaining security baselines throughout our client environments, we work towards preventing major incidents from occurring.  

Detection, analysis, investigation, and remediation are some of the milestone capabilities of our comprehensive defensive systems. In the current and future climate of threat conditions, this is the best available path to uncovering the unknown, to reveal hidden threats and adversarial activities, and to identify attacks before they scale.  

Why Security Maturity is Necessary for Your Business

A security maturity model is a set of characteristics that represent an organization’s security progression and capabilities. According to CISOSHARE, Key Processing Areas (KPAs) in a security maturity model are practices that help improve a security infrastructure 

These KPAs include:  

  • Commitment to perform  
  • Ability to perform  
  • Activities performed  
  • Measurement and analysis of the results
  • Verifying the implementation of processes  

Levels of security maturity range from 1 to 5, with the lowest level of security maturity being one and the highest level of security maturity being five. Various industries lie within these levels, depending on their security needs. The retail industry typically falls under Levels 2 or 3, manufacturing falls between 3 to 5, while Fintech and Healthcare are between levels 4 and 5 due to the high levels of compliance needed in these industries.  

Ntirety details these levels of security maturity by detection, response, and recovery times:  

  • Level 1 (Vulnerable)  
  • Time to Detect: Weeks/months  
  • Time to Respond: Weeks  
  • Time to Recovery: unknowable
  • Recovery Point: unknowable
  • Compliance: None  
  • Level 2 (Aware & Reactive)  
  • Time to Detect: Days
  • Time to Respond: Hours
  • Time to Recovery: 1-2 Days
  • Recovery Point: <2 days data loss
  • Compliance: Internal Objectives

  

  • Level 3 (Effective)  
  • Time to Detect: Hours  
  • Time to Respond: Minutes  
  • Time to Recovery: Hours  
  • Recovery Point: <24 hours data loss
  • Compliance: Internal & 3rd party  

 

  • Level 4 (Compliant)  
  • Time to Detect: Minutes  
  • Time to Respond: Minutes
  • Time to Recovery: Hours
  • Recovery Point: <6 hours data loss
  • Compliance: Internal & 3rd party  

 

  • Level 5 (Optimizing)
  • Time to Detect: Immediate
  • Time to Respond: Immediate
  • Time to Recovery: Immediate
  • Recovery Point: <15 min data loss
  • Compliance: Internal & 3rd party  

How Ntirety Helps With Security Maturity: 

With over 20 years of industry experience, Ntirety understands how to support a business’s cybersecurity maturity needs and follow the necessary processes to ensure a smooth transition into IT transformation.  

For a company to appraise their security maturation with Ntirety, the first step is to have a conversational assessment with our team to determine the security gaps in your business’s cyber infrastructure. Our team can see where your business lies in the security maturity framework and compare it to your goals by answering some questions. Whether it is a particular industry vertical that your company falls under, you are adopting best practices within your IT infrastructure operations, or it is a board mandate, we can help formulate a plan based on your business’s needs.  

Following an assessment, the Ntirety team can detail how to improve Protection, Recovery, and Assurance. Ntirety’s Guidance Level Agreements (GLAs) can help improve these areas by optimizing availability, security, performance, and costs. Ntirety is committed to securing the “entirety” of your environment through solutions that identify, inventory, and protect the entire target environment. Ntirety’s Compliant Security Framework covers the security process from establishing your security design & objectives through protection, recovery, and assurance of compliance to your security requirements.  

One mistake we often see with companies is the idea of doing it themselves being a safer option. While resourcing a cybersecurity solution internally may seem more manageable, it can be far more costly and take away from other essential business functions. Here are the top 7 reasons to outsource security:  

  1. Finding and maintaining a talented SIEM/SOC team is expensive
  2. The benefit of trends and detection of other customers
  3. Accessing more threat intelligence and state of the art technology
  4. Long-term Return on Investment
  5. Outsourcing lowers the Risk of conflict of interest between departments
  6. Enhancing efficiency to concentrate on your primary business
  7. Scalability and flexibility 

For more details on securing your cyber infrastructure, watch our most recent webinar and schedule an assessment with us today. 

Building An Industry Response To Ransomware

While your business may have a disaster recovery plan in place, it is equally if not more important to proactively put security measures in place to defend your cyber infrastructure from ransomware and similar threats. The following piece is by Ntirety CEO Emil Sayegh originally published in Forbes. 

 

Building An Industry Response To Ransomware 

The term ransomware will often trigger a detectable response in even the most hardened security professional, especially as the industry sees an 800% increase in cyberattacks in the early days of the Russia-Ukraine war. This well-known digital blight carries so much impact that the appropriate response to the word itself is justified. Year after year, we can see that the rate and scale of ransomware attacks are skyrocketing, and recent attacks on Samsung and Nvidia illustrate an even more rapid acceleration —thankfully, the response to ransomware is also on the way up. One of the actionable ways that the threat is being addressed is through proposed legislative acts. 

A First Try: Ransomware Disclosure Act 

Among the most significant legislative measures proposed in the last few months is the Ransom Disclosure Act. On the surface, this governmental initiative, like many other initiatives, seems like a great idea, until you dig into it. The provisions in the act create a 48-hour window in which a company that has paid a cyber ransom must report various details about that payment. The disclosure mandate includes information on the amount paid, the date of the occurrence(s), the type of currency used, and any available data about the parties that made the ransom demand. This information is then sanitized by the U.S. Department of Homeland Security (DHS) and published on a public website. Still unquantified are the prospective penalties of non-compliance with the Act. 

From an enforcement perspective, it cannot be denied that there is a deficiency of active data that could assist in criminal implications and recovery. Rapid, detailed information can make a big difference in the ability for governmental agencies to step in, tracking funds and potentially being able to seize ill-gotten proceeds. 

For example, there was a partial but significant ransom recovery that occurred after the ransom payment in the case of the Colonial Oil Pipeline event. The Colonial incident was a major attack that had considerable national impact and publicity. Due to the publicity, federal agencies were involved in the response, and the partial financial recovery speaks for itself. Should similar actions be the response framework for all attack incidents? There are many practical points to debate in the matter, starting with whether the governmental authorities have the mandate, resources and capability to pursue these cases adequately and in a fulsome way. 

Disclosure Flaws 

While we all want actionable intelligence to maintain a level of awareness, the public aspects of this Act are cause for some legitimate concerns. Over the course of events, as they are publicly disclosed, it is possible that the proposed DHS site could amount to a ransomware leaderboard. This could add the unintended effects of increased ransoms, increased ransomware cybercriminal participants, increased volume of attacks and increased severity of successful attacks across the board. Here are some key flaws in this proposed reporting requirements by DHS: 

  • Public disclosure could result in the creation of successful ransom intelligence that cybercriminals can use by correlating data. It is possible to unintentionally disclose industry information, date, and time information, ransom amounts, and preferred payment methods. Even with the company names redacted from this base of information, cybercriminals can glean the identity of the biggest “scores” from public news, service information, and countless methods of dark web underground chatter.
  • The collection of information proposed in the act only focuses on the impact of the attack upon targeted companies. Once published, an incident could serve as a reference point for unknown public and financial repercussions.
  • Compliance and the roll out of a reporting program could lengthen the duration of disruption, extending the time needed to return to operations.
  • There doesn’t appear to be a history of successful piloting of such a system, including the impact on an industry.
  • Rival global cyber-gangs could derive intelligence from successful attacks, and fine tune their strategies.

What About False Security? 

Starting with Cyber-liability insurance, beware of a false sense of security. Ransom payments should be exceedingly rare and even nonexistent. This should never be part of a response plan even if you have cyber liability insurance, but these principles somehow persist. Publication of these flawed decisions serve to highlight the prevalence of unfortunate planning and a perceived lack of available ransomware responses. 

Numerous industry reports show that there is a false sense of security in ransom payment. Close to half of the companies that pay ransoms discover that their recovered data is corrupted. As we saw in the case of Ukraine, suspected Russian hackers used wiper code to completely destroy key data in banks and key governmental organizations. If, during the course of the attack, data made its way outside the company, that data is now “out in the wild” and there are no ransom-backed guarantees about what happens to that data. Further insult to injury, reports show that most organizations that are hit once with ransomware and pay a ransom will experience a second, likely-related ransomware attack. 

Bad Ideas and Good Ideas 

On the frontlines, organizations must continue to break free of the mentality and false sense of security that relies on outdated security such as cybersecurity insurance, vulnerability scanning, signature detection, and VPN systems. Instead, companies that are prepared to prevent ransomware threats must implement security measures that are comprehensive and full spectrum across the data center, cloud, endpoint, and applications. 

Actions against ransomware gangs such as the arrest of the REvil gang by Russia, and the extradition of the alleged REvil Ukrainian Hacker from Poland are a good thing, but insufficient if done as one-time events, as more sophisticated gangs will quickly pop up. Reporting programs such as what is proposed in the Ransom Disclosure Act have the potential to provide great advantages for a new breed of cybercriminals. This information should be privileged as the public focus carries too many unknown implications. Public information should instead be focused on identifying information about the attackers when available and figuring out their apprehension and prosecution. More detailed information should be passed on only to a group of private companies that are entrusted to fight cyber-criminals, while protecting the privacy of the victims. 

This First Step is Critical 

Time will tell what becomes of this proposed measure and how much traction it will gain. It is an indication of an important first step into these matters. With some tweaking and industry partnership, it could possibly be the right step in the right direction. 

In any case, the industry will continue to drive towards improvements in the defense and prevention of ransomware incidents but needs proper Governmental leadership. This type of partnership between industry and government is the best path for prevention of incidents in the first place. 

As we build up these improvements, organizations will be looking at both next level and first level steps to address these novel and continued threats including threat model strategy, multiple-layer security, advanced anti-ransomware technology suites, and behavior-based incident detection. While many of these disciplines are needed now, the cybersecurity talent drought persists driving a need for outsourcing and security partnerships. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.

Freight Trains, Russia-Ukraine, Log4J And Supply Chain Attack Madness

The current conflict between Russia and Ukraine has undeniably captured the attention of countries all around the world. Our thoughts and prayers go out to the people of Ukraine, and we hope that there will soon be peace. It is crucial that we promote cybersecurity best practices always, but especially now as cyberattacks have increased drastically due to this conflict. This piece by Ntirety CEO Emil Sayegh was originally published in Forbes on February 1, 2022.  

 Freight Trains, Russia-Ukraine, Log4J, And Supply Chain Attack Madness 

We have all seen the images of the train tracks in California littered with boxes due to the systemic attacks by organized gangs of criminals. These attacks on our supply chain left train tracks resembling third-world garbage dumps as cargo containers were being raided with impunity, leaving a heap of strewn boxes in their wake. The train attacks delayed much-needed shipments to stores with empty shelves, as well as essential packages needed by businesses and consumers from all walks of life, at the exact moment when all of us were trying to deal with the resurgent Omicron virus. 

In the same way that physical attacks on trains have been on law enforcement minds, cyber-attacks against the software supply chain are on many cyber security professionals’ minds. These threats are perhaps not as visible, but nonetheless are a sleeping national disaster if left unchecked. A variety of factors have created a growing and consistent attack vector for the enterprise to deal with, especially considering the Russia and Ukraine geopolitical tension. Rumor is that if the US imposes sanctions on Russia, Russia will retaliate by mounting a concerted cyber-attack on US supply chain infrastructures. Regardless of the geopolitical situation, we are on the horizon of a hyper-escalated future of supply chain attacks, and it is critical that security strategies focus on comprehensive security and not point solutions.  

A Very Big Attack Hammer 

The enterprise is still stinging from recent high-profile supply chain attacks such as the SolarWinds breach. It did not take long for this threat condition to evolve. Successful attacks against SolarWinds caught significant attention in a supply chain attack that allowed the hackers to further select and target some of SolarWinds’s specific client targets such as Microsoft, FireEye, and US government agencies. Later, a ransomware attack against Kaseya, an IT management software tool, disrupted operations for many managed service providers and their clients. Even more recently, even more commotion emerged when a vulnerability was found in Log4j, a ubiquitous but obscure piece of monitoring software. The trend of one attack to many victims is a theme that continues in the headlines.  

What has happened in these and many other cases, is significant. By compromising the virtual supply chain, criminal threat actors have managed to breach centralized services, software, and platforms to get a foothold into target organizations causing considerably more damage than the California physical train attacks, and without even getting out of their chair. Once there, the cyber threat actor goes on to widespread infiltration of customers and clients of the original victim. For the attacker, one successful breach means that the economy of impact can be scaled out to hundreds, even thousands of victims, saving time and effort making it more lucrative, and less risky than physically raiding freight trains. 

Simple Attacks, Big Results 

Even scarier, most of these incidents happen through very basic attacks. While many of the high-profile attacks were sophisticated in their planning and execution, the technical measures used to achieve the attacks were not sophisticated at all. These attacks exploit common weaknesses including: 

  • Certificate comprise
  • Open-source vulnerabilities
  • Exploiting unpatched libraries and executables
  • Compromised accounts
  • Exploited firmware
  • Malware and Ransomware
  • Phishing

Further, with an arsenal of well-established and easily consumable nefarious methodologies, most cyber supply chain attacks are easily replicated. Simple and cheap, the characteristics of novel supply chain attacks are a significant problem that is bound to grow because as you will see, cyber chaos success begets imitation, and it will not be long before significant numbers of cybercriminal groups get on board the supply chain attack train.  

Standing Up to the Threats 

The ultimate takeaway from this growing threat breaks down to a highlight of focus. First, recognize that every organization and industry are stacked up against very different challenges. Then, recognize that slowly, the supply chain industry is working to update systems and platforms to help address this threat – using the latest dynamic principles of comprehensive security in a cloudified age. These organizations must escalate their efforts to defend their products in a coming storm of activity. There is a staggering amount of interdependence between all the components of a cyber supply chain. These companies must also position themselves to provide rapid response when needed, on behalf of their clients.  

Protect Your House 

As individual as organizations can be, every organization has a unique digital supply chain. We are all in this boat together, and so we must also focus on analyzing and protecting against these threats. We have built upon services, platforms, software, and other digital components that came from somewhere.  

The prescription for these threat conditions is a comprehensive security strategy and implementing the protections of continual analysis, introspective monitoring, and integrity enforcement of our own digital systems as well as the realm of digital outside our clouds that have been allowed into the organization. Focus on threat modeling, adaptive strategy, and risk-focused assessment. Increase security presence, monitoring, and controls at every phase of the software life cycles as well as throughout the library of digital platforms and tools. 

The Must-Do Mission of our Times 

There is no excuse for enterprise systems to linger unpatched, unreviewed, and unmonitored or for security systems to depend on outdated missions and technology. Considering the technology and services available today, actionable security data must be “in-the-moment” because stale information can only provide weak, ineffective and potentially misguided benefits. Preparation for the unknowable means investment in technology, investment in people and investment in robust services that can blunt these nefarious threats. 

The historical precedent is out there. The significant breach events have occurred. It cannot be ignored that the market for simple attack tools and methods are cheap and easy to implement, and are actually much easier than a freight train heist. Everybody likes a winning program (including hackers), and a boon of cyber disruption success means that shifting attack efforts onto the supply chain will continue to be a top mission. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.

The Imminent Death And Rebirth Of Cyber Insurance

For insurance companies, it is important to predict all possible outcomes within their realm of protective services. This is not the path cyber insurance has followed, making it somewhat unreliable.  The following piece, The Imminent Death and Rebirth Of Cyber Insurance, from Ntirety CEO Emil Sayegh was originally published in Forbes. 

 We wake up every day to a pattern of record ransoms being paid as well as record increases in cyber-insurance cost. The Bloomington School District in Illinois published its cyber-insurance renewal costs and reported a whopping 334% increase in premiums. Faced with challenges, it is common knowledge that businesses must continually evolve due to circumstances such as opportunity, missions, and risks. The cyber insurance industry is no different. In this climate of record ransoms and cyber incidents, these challenges are creating a shift in insurance market conditions signaling that cyber insurance will fade towards demise as we know it. While this seems like a bad thing, there is a silver lining in all this. 

 Mounting Ransom Costs 

We are living in the greatest period of data vulnerability in history. There are risks everywhere, all of which carry significant financial burdens including ransomware, downtime, compliance fines, and data loss. The global pandemic opened opportunities for threat actors to escalate their attacks and seize, causing dramatic increases in ransomware attacks alone. Amid the shifting security haze of 2020, the consumer GPS company Garmin paid a significant $10 million in ransom and the tales of ever-increasing ransoms go on. While the average cost of a data breach now hovers around $4.24 million, organizations routinely find their insurance only covers about 40 percent of the costs incurred due to a cyber incident.  

 The Trend was Not a Friend  

Cyber insurance is built on the careful analysis and management of risks in a present-day environment. It is unimaginable to think of a scenario where the cyber insurance industry is not challenged by the rising challenges and costs of cyber-crime now. Reported cyber losses continually reach into figures in the billions of dollars. Each month is a record now. Meanwhile, the historical loss data continues to shift according to changes and escalation of risks. There is a palpable element of unpredictability that does not work well for the cyber insurance market and those looking for coverage.  

One can reasonably wonder how the cyber insurance industry got this wrong. How did they miss this trend? After all, insurance relies on heavy predictive analytics based on historical data. Sadly, in this case, the historical trend was far from predictive. The calculus was based on historical patterns of small-time hackers or lone wolves looking to get a quick hack of a hit. However, in the last two years, all of this has changed at such a pace, that the cyber insurance industry was caught ill-prepared. What is now driving the acceleration of costs, attack volume, and social engineering are nation-state threat groups. These new hacker groups are incredibly well organized. Organizations of cybercriminals from around the world who are demonstrably sponsored or ignored by their respective governments. What this means is that in addition to financial gain to sustain their operations, the disruption of the target’s operations is also their constant and perhaps primary goal. Attacks on infrastructure, military, and business entities have been continually associated with outside countries, such as the SolarWinds attack discovered in 2020.  

One way of looking at this tells the tale of a dying industry, slammed by rising challenges and costs and a lack of interest to back cyber liabilities. For example, it is easy to draw a line between ransomware-related claims and capacity throughout the industry. As it stands, just a small sample of losses within the industry could quickly wipe out the premiums collected well ahead of time. This is classified as unbearable risk within the pool and in insurance terms, losses are not acceptable.  

 Indemnification and Comprehensive Security to the Rescue 

In addition to the array of risks, one must now consider whether the state of cyber insurance constitutes an additional risk to the organization. The stakes are high and legal conditions abound. New coverage and rising renewal rates are a major concern. Premiums are rising by 10 to 20 fold, and that is if a renewal is even available. Enterprises are left exposed, or have to pay exorbitant premiums. The answer lies in going back to the fundamentals of minimizing heavy reliance on cyber insurance through a comprehensive security framework. Comprehensive security frameworks provide better security outcomes and a better posture for the insured. Furthermore, enterprises can leverage the indemnification provided by their cybersecurity provider in lieu of getting their own cyber insurance coverage. However, in order to do that, organizations need to embrace a comprehensive security approach. There is no wiggle room on that. 

Comprehensive security approaches can manifest through full spectrum security programs that provide protection, recovery, and assurance services that minimize risks. 

  • Protecting data means protecting data everywhere, all the time— including the perimeter, malware detection, finding threats, ensuring encryption and access. 
  • The benefits of recovery include virtualized and ready-access redundancy/restoration of systems that are available in any type of disaster including a breach. 
  • Building out an assurance program means life cycle assessments of security, compliance, logging, and the integrity of compliance within a given environment. 

In a challenging threat and cyber-insurance environment, comprehensive security augments risk aversion and minimizes reliance on more stringent insurance scenarios. 

 A New Dawn for Cyber Insurance 

Cyber insurance has and will adapt to these conditions, and we will see this evolution include demands for improved cyber-hygiene and exclusions that will shield insurance companies from providing coverage when the insured fails to maintain high security standards. We see that in the home insurance industry when security alarms actually reduce the premiums. Similarly, the cyber insurance industry, while nascent, will mature. It has just emerged from two years of nightmare losses and a risk climate that was hard for them to anticipate. You can expect specific adaptations ahead and an emphasis towards better education and improved cybersecurity practices. The rebirth of cyber insurance is in the cards, but it will be in combination with proper, responsible security planning and comprehensive security strategy. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn

Security in a Non-Secure Environment

As a newly minted CISO, I have been injecting myself into the Ntirety environment, talking security at every corner of the company.  I come from a deep IT/security background where I have seen many companies fall prey to the ever-increasing cyber threat landscape.   

 Sad Tales Abound 

In my previous roles with Hewlett Packard Enterprise and the FBI, I would often speak with companies before and after they had been breached.  One of my saddest experiences was with a prospective SMB customer who was concerned about security in his environment but wasn’t sure where to start.  We discussed various options including the deployment of a Firewall or maybe a security assessment to help him determine where the “right place to start” was.   

 He was non-committal, and we departed the meeting agreeing to meet again in a few months to see where he was in his decision.  I was concerned because I felt his corporate network was exposed and the threats against his company were rising as his company became more successful and lucrative.  

 You can imagine my horror when his company was hit with a ransomware attack six weeks after our conversation.  I sent my corporate contact an email expressing my desire to help in any way. Could I have done more?  Could I have been more convincing?  I don’t know, but my desire is to assist every customer in any way possible. I want every customer’s environment to be more secure than when I first met them.   

 Basic Security First 

What is the proper order to assist a customer in an insecure environment?  It feels like a “Chicken-or-the-Egg” conversation – do we secure the environment and then do a security assessment, or do we start with a security assessment and then see what we need to secure.  I feel like I have come down in the camp of basic security first, then let’s assess.   

 One of the first conversations I have with any customer is a request for the customer to assess their  security on a scale from 1-5 with a 1 being almost completely insecure.  If a company rates themselves as a 1 or 2, that means they know they are not secure or very easy to compromise.  I feel like we should immediately discuss how to get them some form of security before talking about a security assessment:  At a minimum some firewall protection and maybe multi-factor authentication but in this case, my experience has shown that the low-hanging fruit security gaps become easy targets.   

 This may go against conventional wisdom, and I have often been the champion of the security assessment first, but I worry that by delaying any action on securing an environment, we may leave the door open too long for an enterprising criminal to exploit another company.  The thought of another company being victimized while I am trying to help them is too much.  Let’s move the minimum security bar higher in all of our environments and make the criminals’ job that much harder.

Cyberthreats Are Turning Assets Into Liabilities

For a business, assets are anything that can be marketed and sold, while liabilities are debts that must be paid. The sooner organizations understand the potential of company assets turning into liabilities, proactive action can be taken to protect the business. Board members, owners, CEOs, investors, and CFOs need to heed this call to action. Ntirety CEO Emil Sayegh discusses the importance of recognizing these dangers in this piece, originally published in Forbes, Cyberthreats Are Turning Assets Into Liabilities. 

Cyberthreats Are Turning Assets Into Liabilities

 In the world of business technologies, the prevailing pace of evolution is directly aligned with increased technology investments, yet security incident headlines reinforce how for a good chunk of that history, security was nearly an afterthought. Protecting the organization’s information assets was seen as something for IT to do while it focused on ensuring applications and storage were up and available. Well, cybercriminals apparently didn’t get the memo about whose job it was to protect data; they kept busy looking for ways into the network, stealing data, and holding hostage everything from (very) private pictures to financial records. Earlier this year, conference software provider Zoom found themselves in a position of misplaced trust and paid a hefty price to the tune of $85 million, following their repeated crashes in 2020. 

IT Assets and Liabilities 

Every organization has information technology assets on one side of the ledger and liabilities on the other side. In the simplest context, IT assets are properties of an organization that includes software and hardware. Users outside and inside the organization get value out of these assets and rely on their integrity and availability. The right technology, when used properly, is an enabler of business growth and profitability. Gaps in diligence and cybersecurity planning, however, can make these assets leap from one side of the ledger to the other into liabilities. The offenses can include gaps in training, ongoing support, upgrade planning, cybersecurity programs, user training, and more.  Liabilities are the weak points throughout the chain that affect the value of the asset to the business. 

Zoom Out 

Over the course of the global pandemic, Zoom became a household name – exploding in use by schools, students, businesses, and more. Due to lockdown restrictions, this tool filled a significant need, making things such as classrooms, weddings, memorial services, court proceedings, and fitness classes a new virtual possibility.  

The enormous spike in users increased attention on the program’s security and privacy flaws. Eventually, a class action lawsuit came along, alleging that Zoom violated users’ privacy rights. Zoom agreed to pay $85 million to settle the case. The allegations included sharing personal data with Facebook, Google, and LinkedIn, while allowing “Zoom-bombing,” the practice of hackers disrupting meetings with inappropriate language, pornography, and other disturbing content. 

Crossing the Line into Liability 

Executives are now on notice that they need to treat cybersecurity as a business risk. They need to know more than just how susceptible their organization is to attack. They also need to understand what is at risk, including its assets, and they must recognize when they become liabilities. That’s not always straightforward since companies often use the same technology for both corporate and personal tasks. A recent survey by research firm Gartner found that 29% of employees in organizations with end-user devices allowed workers to connect their own personally owned devices (including laptops, tablets and smartphones) to the network – with less than half of them restricting access solely to business or work purposes.  

A comprehensive approach to cybersecurity should include monitoring software updates across the entire business, not just for IT systems but every aspect of the commercial software supply chain, from development through deployment onto production networks.  

Protecting software assets and products of an organization requires a comprehensive security approach. This includes building a plan upon the components of a proactive security foundation and practices which start with four steps that can create a more secure cyber infrastructure:  

  • Identify threats through an audit
  • Secure your application environments through a ground up security solution including Secure DevOps and Zero Trust
  • Set up a recovery mechanism in case of a hack
  • Build an assurance program that enables future compliance and resilience

Zoom In 

Clients of Zoom and other similar software services must recognize the inherent risk contained in the practices of the service they choose to implement. Organizations can satisfy regulatory requirements for preventing or minimizing data breaches while also mitigating their vulnerability footprint through proper implementation of security measures for software.   

In addition, security teams have to start working with business units across the enterprise on how they manage vendor relationships. In order for InfoSec experts to do their job properly, they need to scrutinize all third-party components that are introduced into systems – whether that’s commercial off-the-shelf software or any type of service that gets connected. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.