Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/7/2021
01:00 PM
Hitesh Sheth
Hitesh Sheth
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Rethinking Cyberattack Response: Prevention & Preparedness

The SolarWinds incident is the starkest reminder yet that complacency can exact a terrible price.

There is something inherently wrong with the current culture surrounding cybersecurity incident response.

Business leaders almost invariably approach incident response in two steps: prevention, then pain. Buy a Band-Aid and hope your cut does not get infected. Paint over the water spots on your ceiling and pray the house inspector won't find mold when you sell.

Related Content:

Security Operations in the World We Live in Now

Special Report: How Data Breaches Affect the Enterprise

New From The Edge:What You Need to Know -- or Remember -- About Web Shells

It's almost human nature to fall into the magnetism of procrastination. And when the inevitable happens, and organizations get breached, they go directly to crisis management mode — how do I minimize the impact of an attacker already within my network? How can I effectively and quickly address any events that could damage our reputation?

The critical and often overlooked step in the equation is preparedness.

As a business leader, you have to be prepared for anything (including, apparently, a global pandemic). Your ability to adapt is as important as your ability to lead. Prepared leaders plan for just about every scenario, from business disruptions and outages to employee misbehavior and natural disasters. But while most executives are tied up preparing for the "worst case" on the broader business landscape, a lot of the onus for safeguarding customer and partner data falls to the chief information security officer (CISO).

A Dangerous Disconnect
Vectra recently surveyed 1,112 security professionals working in mid- to large-sized organizations that use Microsoft Office 365. A key finding:

[A] high level of confidence was revealed amongst security teams in the effectiveness of their own company's security measures: nearly 4 in 5 claim to have good or very good visibility into attacks that bypass perimeter defenses like firewalls.

However, management-level respondents and practitioners such as security operations center (SOC) analysts had strikingly more pessimistic impressions of their organizations' overall ability to defend against an attack. This disconnect is dangerous. If there is a false impression about your team's ability to combat hackers, they are likely not armed with the necessary tools to succeed. Going one step further, if your SOC team is not prepared to act at the first sign of a breach, they may be far more likely to grow complacent about the evolving threat landscape.

Another component to bolstering your SOC team's preparedness level is empowering them to be constantly vigilant of new types of attacks. With knowledge comes power, and with the abrupt shift of many organizations to the cloud and the adoption of mass remote work, the threat of cyberattacks has heightened; new methods are uncovered every day. The recent Microsoft Exchange breach is another potent reminder that no application, network, or data center is invulnerable. This incident will trigger migration discussions in more IT departments, but they should be measured and strategic. If organizations recoil from on-premises solutions and jump blindly into Microsoft 365 or something like it, they might simply trade one set of threat factors for another.

The Growing Risk of Not Preparing
Attackers increasingly work laterally through a succession of infected devices en route to their goal or establish footholds throughout the network to exploit whenever they choose. Enter SolarWinds.

The SolarWinds incident is the starkest reminder yet that complacency can exact a terrible price. Too many organizations remain overinvested in old-school perimeter defense solutions despite mounting evidence of their deficiencies. And, as companies become more reliant on data storage and software-as-a-service (SaaS) solutions outsourced to the cloud, vulnerabilities may grow.

We still don't know the full scope of damage done by the SolarWinds incident and may never know. It's safe to say some remnants of the malware remain at work today, still undetected. To most users, the SolarWinds incident is of greater concern than your average credit card or health record heist. A critical infrastructure attack of this nature has far broader implications for everyday life. It could conceivably paralyze your train system or airport, compromise your energy grid, or affect your bank's transaction networks. President Biden has called for new spending on cybersecurity, which is a good start, but we truly need a national action plan to prioritize better detection of SolarWinds-class attacks.

I urge business leaders worldwide to use this moment in history to rewrite the conventional wisdom and hasten large-scale change to a more effective cybersecurity strategy. We've known for years about the virtues of robust network monitoring and rapid detection of inevitable breaches. SolarWinds should be remembered as a trigger for a better security posture, not the first in a series of cyber calamities that could have been prevented if we had only been prepared.

Hitesh Sheth is the president and CEO of Vectra. Previously, he held the position of chief operating officer at Aruba Networks. Hitesh joined Aruba from Juniper Networks, where he was EVP/GM for its switching business and before that, SVP for the Service Layer Technologies ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Kinsey_twelve
50%
50%
Kinsey_twelve,
User Rank: Author
4/9/2021 | 6:39:02 PM
Enjoyed the content
Really enjoyed this.  An ounce of prevention is worth a pound of cure as the saying goes.  As the landscape continues to change, prevention is evermore critical. 
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...
CVE-2021-2299
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful atta...