Dear Ramey: What Can We Do to Minimize the Target on Our Back?

7/13/2021

Answering burning questions from victims of cyber events.

DEAR RAMEY:

We haven’t experienced a breach or unauthorized access — at least not that we know of — but recent news headlines have my company concerned and wondering how we can minimize our chances of becoming a cyberattack victim?

— SECURITY WORRYWART

DEAR SECURITY WORRYWART:

Let me commend you on how you structured your question. To begin, many organizations aren’t usually aware of cyberattacks occurring, generally because of minimal cybersecurity practices or the stealth of threat actors. What’s more, you used the word “minimize” instead of prevent.

Cyberattack prevention isn’t possible unless you disconnect your computers from the internet and return to the old-fashioned paper and pencil. Today, with more and more businesses increasing their internet connectivity, especially with more remote employees and migrations to the cloud, the chances of a workable paper and pencil solution, from my perspective, are zero.

And yet, while you can’t necessarily prevent a cyberattack, you can take several immediate — and incremental— actions to improve security.

What’s key to remember is that any and every security program must continually evolve and mature over time. Threat actors will always find a way around security defenses, creating a vicious cycle: You improve security, threat actors improve attacks; you improve security defenses again, threat actors improve attacks again; and so on.

Immediate actions you can take to improve security

• • Purchase a cyber insurance policy. Insurance companies provide policy holders with lists of pre-approved professional service providers, including data privacy attorneys and cybersecurity companies. They encourage their insureds to connect and establish relationships with these companies before an event occurs to enable the quickest response when one does occur.
    Prior to an investigation, both the attorneys and cybersecurity companies will prepare a contract, outlining services, terms, and fees. By onboarding a data privacy law firm and cybersecurity provider prior to an event, you will also minimize the overhead of contractual negotiations and allow the cybersecurity company to familiarize itself with your network and security controls and understand the types of data your organization may store or process. Essentially, proactively building a relationship and establishing contracts will reduce the time to investigation by at least 24 hours, if not more.
    Additionally, the cybersecurity companies and law firms may be able to provide recommendations to further secure your information and minimize the impact of a cyberattack.

• • Deploy an Endpoint Detection and Response (EDR) solution. Not all EDR products are created equal and thus, it’s important to find one that leverages artificial intelligence, connects to a centralized cloud console, and generates alerts. Gartner has evaluated, ranked, and published findings on EDR technologies, with Crowdstrike, SentinelOne, and Carbon Black consistently ranking in the top five for their ability to detect and mitigate numerous advanced threats.
  • Engage a managed service — or three. Security as a service is a popular choice to outsource certain or all security functions. You’ll find many Managed Security Service Providers (MSSPs) that offer 24×7 Security Operations Centers (SOCs), Virtual Chief Information Security Officers (vCISOs), and Managed Detection and Response (MDR) teams.
    • • Enhance visibility with a SOC-as-a-Service. SOCs are vital to every cybersecurity program. They provide visibility into network activity. They are the first line of defense to detect and respond to abnormal activities and escalate as necessary to incident response teams. Without visibility, cybersecurity programs cannot detect and respond quickly to stop threat actor activity within networks.
      • Consider a vCISO. Many regulations and laws require organizations to establish a cybersecurity program and identify an individual as their chief information security officer (CISO), arguably the most critical position within the cybersecurity program because this person sets the vision, strategy, and risk tolerance for the organization. Many large organizations assign a single individual as the CISO. While smaller organizations may not need a full-time CISO, they are often required to have one due to certain regulations or laws.
        For both large and small organizations, a vCISO from a service provider organization can act as a security advisor. Small organizations get the benefit of a CISO at a fraction of the price while remaining compliant with regulations. For larger organizations, a vCISO can provide expert guidance on industry trends and cybersecurity programs.
      • Monitor and mitigate with MDR. MDR can function much like a SOC while also providing incident response services. Many MDR services focus on a single product — for example, Crowdstrike and SentinelOne allow clients to add an MDR service to their EDR solution subscriptions. Crowdstrike’s Overwatch and SentinelOne’s Vigilance are MDR services that will monitor their respective EDR deployments to detect and quickly mitigate threats. In some instances, they may even remediate the threats to computers.
  • Implement a 3-2-1 backup strategy and test frequently.
    • • Have three (3) copies of your data. One (1) production copy and two (2) backup copies.
      • Create the two (2) backups on separate media. Copy one (1): Tape or online storage. Copy two (2): cloud storage. Also strive to ensure that onsite backups are not accessible on the production network or administered with production credentials. Leverage segmentation and a separate untrusted domain for backups.
      • Have one (1) copy offsite. Send one copy of the backups offsite, for example, to a secure storage facility or a cloud provider.
      • Test restoration frequently. Once a month or quarter, verify that your backups are valid and establish metrics on how fast you can restore critical applications. In the event of a ransomware attack or physical destruction to a data center, assume the need for simultaneous recovery of multiple servers and terabytes of data as part of the testing exercise. The goal of the test is not only to determine if the backups are viable, but also to determine real life metrics in the event of a catastrophic disaster so the business can plan accordingly.

Longer-term planning to improve security 

• • Perform a security assessment to establish the current baseline of your cybersecurity program. Once you establish the baseline, prioritize the gaps to enhance the program. The enhancements should be time-lined and built into your organization’s roadmap. Also consider realistic enhancements. Small changes over time can be more valuable than a single major change that could disrupt business operations.
    • • While the security assessment should be rated against an industry framework like the NIST Cyber Security Framework (CSF), COBIT, or ISO 270001; security consultants performing the assessment should also leverage knowledge of threat actor techniques, tactics, and procedures (TTPs) or the MITRE ATT&CK framework. Leveraging just the industry framework may leave your organization vulnerable because some of the requirements are “check the box” exercises. Leveraging attacker TTPs or the ATT&CK frameworks will assist with identifying a granular view of security controls and how threat actors can bypass them.
  • Establish a cybersecurity program roadmap. Review the roadmap yearly based on findings from security or risk assessments, industry trends, and lessons learned from cybersecurity event investigations.
  • Implement a culture of security throughout your organization. Emphasis of the security culture should start with the C-suite and extend to the board (if applicable) and employees. Employees should see the executives speaking and actively participating on security topics. Encourage employees to engage in security topics with leading by example. Bring the “see something, say something” to life.

Security isn’t a one-time investment 

These recommendations are just the start for any cybersecurity program. Your organization must make the conscious decision to continually invest in security and provide the resources your program needs every year.

Stop thinking of security programs as expenses. Rather, I encourage you to think of them as self-funded insurance programs. They are meant to detect and mitigate threats quickly — and before they can disrupt your business operations and negatively impact your brand and reputation.

 

 Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at [email protected]. Arete wants to help by sharing our insight and experience.