How to Build an Adaptive Security Culture
By Bruce Cowper, SecTor
If you do not ADAPT, you do not Survive. It's A Principle That Runs throughout Nature and Business - and IT's Just as True in cybersecurity. Security teams Need to BE as adaptable in Their Technological environments as animals are in Their Natural Ones. Often, though, security practitioners are rigid, slow moving and unresponsive.
Things Have to change. It's Time for an Adaptive Approach to Security. This Is True especially now. Since The early 2000s, cybersecurity Threats Have been accelerating.
In 2000, US-CERT logged twenty-One Thousand Seven Hundred Fifty-Six cyberattacks. The Biggest Causes of such incidents AT The Time; Denial of Service attacks, BIND Domain name System software vulnerabilities and The LoveLetter worm. The First botnet HAD only surfaced A year Before, and Windows XP Would not Ship Until A year Later. Social Media did not EXIST.
Today's Threats Have Expanded in Number. In 2009, PwC Recognized 3.4 Million Cyber incidents. Last year, That Number hit 42.8 Million, Representing A 66 percent CAGR over five years.
They Also Have deepened in complexity and Type. Cybercrime Is A Commercial Operation. Zeus malware Is Being repurposed to Attack Specific Vertical Markets. Exploit Kits are available off The shelf, and Even mainstream websites Can BE Made Malicious .
Cyberattackers always Look for Advantage The next, Which typically involves exploiting new Technologies. BECAUSE Systematic Innovation Is in The Technology Sector, They Have Plenty of feedstock.
You do not Fight A multi-headed, Fast-Moving Enemy by freezing. You Adopt A Culture of adaptability, Able to bend and Flow, and counter new Kinds of Attack as They emerge. As Bruce Lee famously put SO: "Become like water."
This culture of adaptive security breaks down into three parts, which map broadly to the three phases of a cyber-incident: before, during and post-attack.
Not so Rigid Risk Management
The First and preventative Part of this Strategy focuses on risk Management. Many risk Management teams take A Rigid and overly structured Approach.
One common mistake Is to Focus on Security Features product. Relying on A Security Appliance to cover All of your Bases May SEEM like an Easy win, But May you find That The Security Capabilities of those Solutions do not Match The Needs of your Organization.
These Needs are Changing as The Technology Changes. Ten years ago, departmental managers Would not Have HAD recourse to Cloud-based Applications such as analytics and CRM. Now They May well Spend Their Own Budget on those Services.
These dissolve Technologies The Traditional perimeter-based Security Model, Creating new Threat vectors. Risk Management and Security Infrastructure Design must BE Fluid Enough to Absorb Them, Which MEANS That cybersecurity teams must BE Willing to Their Perceptions Mold Around Them.
Make No Assumptions
The Second Part of an Adaptive Security Strategy Looks AT How The Organization ACTS When an Attack Is Underway. The First rule Is to Admit your Own vulnerability? Assume you Will BE AT breached Some Point. Acknowledge That Even The Best risk Management Will not make you invincible.
Avoid Making assumptions That Will blind you to Potential Threats During, Agents this Phase. Your cybersecurity Team May Have A tailored Response to Specific Threats, assuming That They are The Most Likely. If you ignore those Threats That you Never Thought Would occur, you May BE Caught unawares and end up taking longer to resolve an attack.
Blindness Can MANIFEST Itself in Other Ways, TOO, particularly When looking AT How you Respond to an Attack Across Different Components of your Technology architecture. Many Systems Directly Affect MANY others. If your Active Directory System Is Compromised, for Example, That May Touch Other Systems such as Human Resource Applications, Access Control Layer Or Collaboration software. Your Response Team must BE Able to Explore These Systems as Quickly as an ATTACKER does.
That Can Challenging BE, BECAUSE companies Tend to Create Organizational Silos Around These Systems That Can STOP Response teams Thinking laterally about Them. Sometimes, Different teams Can Even BE Dedicated to Specific parts of The Technology Infrastructure, Which Can Restrict Cross-System visibility.
Update Your Response and Test
FINALLY, There's The Post-Attack Phase. This Is Where your Team Gets to plug The hole That an ATTACKER exploited. This Is Where an Adaptive Security Strategy Comes Into ITS Own. Running A Post-Incident Review Is One Part of this Process. Security teams can then secure the hole that was exploited and also look for similar vulnerabilities elsewhere in the infrastructure.
The other part of the process is updating the risk management process and the response "playbook" with information gleaned from the attack, so that your company's security is hardened and the response team better equipped to cope next time.
IT's Also Important for Organizations to Test themselves once Fixes Have been Applied, to prove That They Have Adapted. A "War Games" Approach Can BE Useful here, with hired attackers specifically Setting out to Gain Access Via The SAMe Attack vector.
Doing All of These Things Will help companies Close The Circle by Positive Feeding information back Into The Security Process. This Is Where an Adaptive Security architecture Comes Into ITS Own.
Building Security into Organizational Culture
These pointers Will help you Build more Operational and Tactical adaptability Into your cybersecurity Operation. These are Great for Short-to-Mid term Challenges, But There are Longer-term, more Strategic lessons Learned here to BE, TOO. Security Threats Will Just morph as dramatically as Technology does. How Can you ADAPT to These Changes;
Explore The EXTENT Security to Which Is Built Into your Organizational Culture, Rather Than Being merely bolted on. Includes appointing this Security Staff AT A Strategic, Managerial Level and secure driving processes (such as secure software Development and Procurement secure) throughout The Company. Engaging Employees Properly and systematically with user Security awareness Training That Actually Works Is Also A Crucial Part of The Equation. After All, companies are not Just Collections of processes? They're Also Built from People.
All The Technologies That underpin those processes, and Which are Used by those People, are Going to change Even more dramatically in The next FEW years Than They did The last FEW. Mobility, Cloud computing, The Internet of Things and The Digital Supply Chain are Going to Evolve and Work Together, in Unison. It's All Speeding up, Which MEANS That your cybersecurity Practice Will Need Bruce Lee-like skills. Are you Ready to Become like Water;
Bruce Cowper Is A Founding Member of The Security Education Conference Toronto (SECTOR), Which Runs Oct. twenty to twenty-one, 2015.
Source
Source
