Organizations that don't fully understand the current cybersecurity threat landscape can find it difficult to figure out the right course of action, let alone build robust security programs.
The challenges are amplified when people put money against cybersecurity initiatives without understanding the threats they are dealing with or what problem they are trying to solve, said Michael Speca, president at security services company Ardalyst, during the Mandiant Cyber Defense Summit earlier this fall. Security leaders should rethink common cybersecurity myths and re-evaluate how cybersecurity fits into their current risk mitigation approaches, he suggested.
“There are too many choices, all overwhelming, and making either grandiose promises or narrowly focused, inapplicable options - that’s a recipe for really not knowing what to do,” Speca said.
Secure vs. Not Secure
One common misperception is to think of the organization as being either secure or not secure, Speca said. Security is not a once-and-done thing, and there is no one-size-fits-all approach to what organizations need to do.
"You would never argue that your house or your office is either secure or not secure. You would understand that there are different levels of security to your physical property," Speca said.
Consider a warehouse filled with inventory.
"First thing you are going to think about is, well, how valuable is that inventory? How much is it worth protecting?" Speca said. "Second thing you are going to think about is what are the types of people who are going to be interested in trying to steal that inventory or damage that inventory? And then you would ask yourself questions about what kind of measures do you need in order to prevent or limit the ability of someone who wants to damage or steal that property from getting to that property?”
Cybersecurity also involves thinking about which threats are likely and which ones are important.
"You need to understand whether or not your organization is up against a nation-state actor that's trying to steal state secrets, or is the main risk cybercriminals that are going to try to target you for a ransomware attack? Or is the main concern simple vandalism defacement of your website?" Speca advised.
Cybersecurity is a continuum, Speca said. After identifying the different kinds of threats that could disrupt the environment, it is important to set up countermeasures to handle such situations.
Disrupt the Kill Chain
Attacks may seem sudden and unexpected, but most of the time they tend to be the culmination of a long chain of events, Speca said. An adversary needs to take a number of steps to compromise the network and steal the valuable information.
“Hackers need to understand their targets, they need to figure out entry points into their targets, and also how to move around the space of their targets to identify assets that are worth compromising,” Speca explained.
Defenders don't need to out-hack the attackers. The kill chain has several different points where defenders can stop the attackers. This is where knowing the environment and understanding what countermeasures are available is important.
"If nobody's guarding the door, no matter how many locks you put on the door, someone's eventually going to be able to break it down," Speca said. "So you need people who are paying attention to what's going on with your cybersecurity program."