16 November 2016
Blogs by author: Ramy Houssaini , Vice President of Security Europe, BT.
You can’t win the war on cyber crime by waiting to defend yourself against an attack. Here’s why you need a more active approach to security.
No one is safe from a breach.
There’s a question about security that people ask me all the time — how many Fortune 500 companies have been hacked? The answer: 500.
Whether it’s a small or large breach (and whether the organisations themselves know it or not), every single one of them has been hacked.
Everyone faces the threat of cyber crime. You can spend a huge amount of money on your security, but hackers will still target and breach your network.
Four reasons your security fails.
Cyber defence is hard; complex threats execute over time, point solutions overwhelm the human ability to process; and responders are both outmatched and unable to scale.
Put simply, the fact that cyber criminals can breach the defences of any business in the world proves that your security is failing you.
This is a serious issue, which is why I covered it in my presentation at NIAS16 — outlining four key reasons for this universal failure:
1. A failure of imagination. Treating your cyber security as a Maginot Line is a self-fulfilling prophecy of disaster. By focusing on fortifying their perimeters, organisations often fail to imagine other ways to tackle hackers. This has led to cyber criminals out-innovating network defenders.
2. You create complex networks that are difficult to defend. Complexity is the enemy of security, and every new technology organisations bolt onto their infrastructure creates new vulnerabilities and makes it harder to keep out the hackers.
3. You’re too passive in your approach to security. The response to most breaches and disruption is passive defence. But battles can’t be won this way. It usually takes 200 days for an organisation to detect a breach. By that time, it’s far too late to take any positive steps to mitigate the impact.
4. You’re collaborating — just not enough. Information sharing does happen (especially in sectors like finance, where they know the outcome if they don’t), but most organisations are yet to engage in actionable collaboration.
You need to know your enemy.
So what’s the solution?
I believe the answer lies in extending the quest for information superiority to the cyber domain and enabling new forms of proactive patrolling and hunting.
To get ahead of the hackers, you need to be proactive rather than reactive. And that means investing more time and money into understanding your adversaries — collecting intelligence on their movements to figure out what they want and how they act.
Here are some advanced cyber hunting tactics which you could try:
- Anomaly detection — evolve anomaly analysis by increasing the velocity with which you absorb new intelligence.
- Spoil cyber staging areas — find the attacker’s beachhead. Attackers use these to launch sorties and attack other hosts.
- Cyber ‘clear and hold’ — the cyber equivalent of this counter-insurgency strategy is to maintain a high level of scrutiny on hosts that have been previously inspected for anomalous activity.
- Cyber ‘recon by fire’ — this tactic allows defenders to hunt for malicious activity by making (not so) subtle changes to the network, to draw out an intruder.
The thing is that all of this relies on information and collaboration. You need to move from simply sharing information to an approach that creates actionable intelligence you can use against cyber criminals.
An active defence offers better security.
Instead of sitting back and waiting for an attack, you need to go after attackers and disrupt their activities.
For me, this is not about ‘hacking back’. It’s, quite simply, about understanding your attackers and being able to disrupt them before it’s too late.
Your organisation needs to be a moving target, rather than a static one. That way, you can stop attacks before they even happen. And then, maybe, I’ll have to come up with a more positive response when asked about the Fortune500…