Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Hitesh Sheth
Hitesh Sheth
Connect Directly
E-Mail vvv

Rethinking Cyberattack Response: Prevention & Preparedness

The SolarWinds incident is the starkest reminder yet that complacency can exact a terrible price.

There is something inherently wrong with the current culture surrounding cybersecurity incident response.

Business leaders almost invariably approach incident response in two steps: prevention, then pain. Buy a Band-Aid and hope your cut does not get infected. Paint over the water spots on your ceiling and pray the house inspector won't find mold when you sell.

Related Content:

Security Operations in the World We Live in Now

Special Report: How Data Breaches Affect the Enterprise

New From The Edge:What You Need to Know -- or Remember -- About Web Shells

It's almost human nature to fall into the magnetism of procrastination. And when the inevitable happens, and organizations get breached, they go directly to crisis management mode — how do I minimize the impact of an attacker already within my network? How can I effectively and quickly address any events that could damage our reputation?

The critical and often overlooked step in the equation is preparedness.

As a business leader, you have to be prepared for anything (including, apparently, a global pandemic). Your ability to adapt is as important as your ability to lead. Prepared leaders plan for just about every scenario, from business disruptions and outages to employee misbehavior and natural disasters. But while most executives are tied up preparing for the "worst case" on the broader business landscape, a lot of the onus for safeguarding customer and partner data falls to the chief information security officer (CISO).

A Dangerous Disconnect
Vectra recently surveyed 1,112 security professionals working in mid- to large-sized organizations that use Microsoft Office 365. A key finding:

[A] high level of confidence was revealed amongst security teams in the effectiveness of their own company's security measures: nearly 4 in 5 claim to have good or very good visibility into attacks that bypass perimeter defenses like firewalls.

However, management-level respondents and practitioners such as security operations center (SOC) analysts had strikingly more pessimistic impressions of their organizations' overall ability to defend against an attack. This disconnect is dangerous. If there is a false impression about your team's ability to combat hackers, they are likely not armed with the necessary tools to succeed. Going one step further, if your SOC team is not prepared to act at the first sign of a breach, they may be far more likely to grow complacent about the evolving threat landscape.

Another component to bolstering your SOC team's preparedness level is empowering them to be constantly vigilant of new types of attacks. With knowledge comes power, and with the abrupt shift of many organizations to the cloud and the adoption of mass remote work, the threat of cyberattacks has heightened; new methods are uncovered every day. The recent Microsoft Exchange breach is another potent reminder that no application, network, or data center is invulnerable. This incident will trigger migration discussions in more IT departments, but they should be measured and strategic. If organizations recoil from on-premises solutions and jump blindly into Microsoft 365 or something like it, they might simply trade one set of threat factors for another.

The Growing Risk of Not Preparing
Attackers increasingly work laterally through a succession of infected devices en route to their goal or establish footholds throughout the network to exploit whenever they choose. Enter SolarWinds.

The SolarWinds incident is the starkest reminder yet that complacency can exact a terrible price. Too many organizations remain overinvested in old-school perimeter defense solutions despite mounting evidence of their deficiencies. And, as companies become more reliant on data storage and software-as-a-service (SaaS) solutions outsourced to the cloud, vulnerabilities may grow.

We still don't know the full scope of damage done by the SolarWinds incident and may never know. It's safe to say some remnants of the malware remain at work today, still undetected. To most users, the SolarWinds incident is of greater concern than your average credit card or health record heist. A critical infrastructure attack of this nature has far broader implications for everyday life. It could conceivably paralyze your train system or airport, compromise your energy grid, or affect your bank's transaction networks. President Biden has called for new spending on cybersecurity, which is a good start, but we truly need a national action plan to prioritize better detection of SolarWinds-class attacks.

I urge business leaders worldwide to use this moment in history to rewrite the conventional wisdom and hasten large-scale change to a more effective cybersecurity strategy. We've known for years about the virtues of robust network monitoring and rapid detection of inevitable breaches. SolarWinds should be remembered as a trigger for a better security posture, not the first in a series of cyber calamities that could have been prevented if we had only been prepared.

Hitesh Sheth is the president and CEO of Vectra. Previously, he held the position of chief operating officer at Aruba Networks. Hitesh joined Aruba from Juniper Networks, where he was EVP/GM for its switching business and before that, SVP for the Service Layer Technologies ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
4/9/2021 | 6:39:02 PM
Enjoyed the content
Really enjoyed this.  An ounce of prevention is worth a pound of cure as the saying goes.  As the landscape continues to change, prevention is evermore critical. 
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file