In today's increasingly crowded threat landscape, it can be difficult to determine which threats companies should prioritize. For those who are stuck, it's helpful to consider what major organizations are worried about and the steps they're taking to combat those types of attacks.
This was the premise behind "Preparing and Responding to a Breach," a panel that took place at last week's RSA Conference in San Francisco. Security leaders from Starbucks, Microsoft, WhiteHat Security, and SecurityScorecard discussed the lessons they learned from the many breaches that took place in 2019 and how they plan to learn from these incidents to defend against threats of the future.
Last year brought 5,283 security breaches, said moderator John Yeoh, head of research for the Cloud Security Alliance, kicking off the panel. Organizations collectively lost 7.9 billion records, he said, and incidents indicate "the same things that are happening over and over again." What types of attacks were most frequent, he asked, and what did organizations learn from them?
"As far as types of attacks we see, [they] generally tend to either be application security attacks, phishing attacks, misconfiguration of cloud environments, these kinds of things," said WhiteHat CTO Anthony Bettini. And while these threats are old news to security pros, his fellow panelists agreed they are also the ones organizations should keep top of mind when setting defensive strategies.
"The reason you keep hearing about phishing from speakers like us … it's not because we want to bore you with repetition," said Microsoft's cybersecurity field CTO Diana Kelley. "It's because phishing still works." Application vulnerabilities, misconfiguration, and phishing are the three areas where attackers are having the greatest success, which is why they should be prioritized.
Some leaders, like SecurityScorecard CISO Paul Gagliardi, are most worried about how attackers use the data they steal. "One thing I often see is the somewhat sophisticated criminal groups are starting to use the aftermath of breaches to do even more targeted social engineering or phishing attacks at scale," he explained. "It's not just the fact a breach occurred; it's that all of our company's data is somehow in there."
Credential reuse is a primary concern for Starbucks global CISO Andy Kirkland, who spoke to a concern prevalent in the retail and hospitality industries. "Whenever these credentials become available, we become a place where people want to see if they work," he said. The sharing of usernames and passwords across multiple platforms is "a big thing to watch" for companies. Cloud misconfigurations, which Kirkland calls "the rebranding of shadow IT," are another worry.
"Just about anyone can get an S3 bucket and do whatever they want with it; potentially put whatever they want in there," Kirkland noted. The onus is on security professionals to identify these instances within an organization when they happen.
Practice, Practice, Practice
Panelists spoke to employee and customer training strategies, tabletop exercises, and other steps they take to better prepare for security incidents. One key takeaway was the importance of working employee training into the corporate culture for everyone. As organizations change over time, and new people are onboarded, there will be gaps in cybersecurity knowledge.
"I have to take cybersecurity training at Microsoft just like everybody else," said Kelley. "We don't just assume because somebody has a title, they get to be exempt from that training." She advised annual or biannual security training for all employees. "Psychologically, humans are much better at learning when we've got a little bit of an adrenaline pump." If an employee is caught getting phished, they may remember to be more cautious next time.
"The best training is in-the-moment training," Kirkland emphasized. While some training is done only for compliance, unexpected phishing emails deliver real learning moments.
He also advocates tabletop exercises with all executives in order to plan for cyberattacks. Senior execs schedule a four-hour block during which they create an entire breach narrative. Sometimes, he said, it's the first time in a while that leadership has come together to decide how they would respond to a security incident – and the results have had an effect beyond cybersecurity.
"The decisions, and the things that they've learned in those tabletop exercises, have informed the way that we respond as an organization to all manner of incidents; not necessarily those that were cyber-related," Kirkland said. Learning how business leaders collaborate "is not only educational for them; it's educational for you as a security professional," he added.
Tabletop exercises should inform a standard operating procedure for cyberattacks, said Kelley. Whether it's online or printed, every business should have guidance on how employees can escalate potential incidents and how they should respond to them. These procedures don't need to be 100% accurate – after all, every breach is different – but they should provide basic information on which internal and external organizations (cloud providers, law enforcement) need to be notified.
"You'd be surprised, with these kinds of activities, how easy it is to forget what needs to be done," she explained. If an employee doesn't know the right information or can't access it, they may have no idea how to move forward in the right direction.
Practitioners also draw lessons from previous security incidents. To inform annual training in incident response and business continuity, Gagliardi goes back through historical breach data to assess what an organization's security posture looked like before an incident. Breach disclosure is mandated under HIPAA and GDPR, he pointed out, and there are thousands of breaches that aren't publicly reported but are just as significant. Businesses "can get a lot of value" in lessons from these events.