The most recent ransomware attacks should make every executive in every company take notice, and be worried.
Last week, I spoke at a cyber event and came with a message: the continued focus on legacy endpoint and network security is almost worthless. As cyber attacks become more sophisticated, our reliance on the legacy ‘castle and moat’ theory to protect the enterprise keeps proving that we are spending money and time on the wrong problems. Every company should raise its defenses, but it should design for containment. Most need to accept that they will have to decide what level of infection is acceptable and how to handle continual cleanup. Organizations should of course optimize patching and vulnerability management, but even the few that do that well will eventually get infected. For most, the keys to success will be data protection, data veracity, resiliency, and secure mobility of compute.
Castle and Moat theory
In the past, best practice for every enterprise was a successful implementation of a ‘defense in depth’ strategy. This is the ‘castle and moat’ theory of security. Every enterprise (the castle) would build a set of concentric rings to protect its core business functions. The theory was that a breach of any one, two or three of the rings would be detected and stopped quickly, and that this layering would create a safe compute environment. By continually building better moats (endpoint security, intrusion detection, virus scanning, deep packet inspection) and manning the castle with guards (the security operations center), the enterprise would be safe.
But like Romans looking out over Hadrian’s Wall, what we see is the same thing: the barbarians come back every day, in larger numbers, and probe for weaknesses. Eventually they will find them, break through the walls, and overrun even the most expensive, well-installed and well-executed defenses.
For the modern executive, coming to terms with the knowledge that the enterprise is already breached, or will be, is the turning point in defending its most valuable assets: intellectual property and data.
How cyber attacks evolved to Data Denial
The business of cyber war is changing and evolving rapidly. Through our direct engagements helping enterprises improve their defenses and incident response, we have seen direct evidence of how adversaries are evolving their attacks. We can now view adversary actions in cyberspace as a new, but evil, business market. The adversaries, their capabilities and their actions have the same characteristics as actors in a legitimate market, and every executive should pay attention to how this market is growing and changing. The evolution to a mature industry has started and will continue at an ever increasing pace as adversaries become more sophisticated. In the past, cyber attacks were aimed at single individuals: stealing your personal information for short-term gain. The second evolution was the mass collection of personal data: the theft of massive numbers of credit cards, the OPM breach that exposed millions of records, and the multitude of additional breaches at that scale.
But what criminal groups are finding is that there is very little money to be made by stealing this type of data. Fraud detection is sophisticated, and monitoring of credit history is now the norm. The public is not outraged by these incidents as it was several years ago. This type of attack is passé.
We have entered the next phase of the evolution: the denial of data. This is ransomware. The attackers have found that denying you access to your data, systems and information about your business, customers and patients is far more valuable than collecting or stealing it for later sale. When an enterprise is facing supply-chain disruption, the inability to provide health care, or the loss of basic compute, most will pay whatever it costs to have the barrier removed.
Every executive must understand that they will be hit with ransomware. All should know that their operations are now at risk, and that older ways of thinking about continuity of operations and disaster recovery are now obsolete. Ransomware is the next step in the maturation of the cyber crime industry. The adversaries have determined that your data is the key to their success.
Data denial will continue to evolve, with ransomware becoming more agile in how it inserts itself into the enterprise and more covert in how it communicates out to its controllers. We also expect ransomware to evolve toward creating doubt and fear about your data once it is returned. Changing your data, altering key information, creating sham accounts or payments, or modifying key records may well be the next phase of the cyber war.
Once you have been denied your data, can you be sure that when you regain access its integrity is intact? What would you pay for that assurance? How can you trust data that has been in an attacker’s hands?
What you can do
Every executive must now think about data integrity and a data recovery and assurance program. Knowing that you will be breached, you must spend more time and energy on a holistic approach to managing data and information in the enterprise. You must create strategies for ensuring data integrity and for quickly reconstituting information and intellectual property, together with the ability to move compute rapidly to new providers and keep up-to-date information available to the variety of constituents your enterprise serves.
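One concrete form such a data assurance program can take is a tamper-evident manifest: at backup time, record a keyed hash of every file under a key that is kept off the network, and after a restore check the recovered tree against that manifest so that altered, deleted and newly inserted records are all flagged. The following is an added example written for this page, not code from the original author; the file names, record contents and the `OFFLINE_KEY` value are constructed for illustration, and the assumption that the key is unreachable from the compromised environment is what gives the check its value.

```python
import hashlib
import hmac
import json

# Constructed sample data: a small "ledger" as it existed before the incident.
# Hypothetical paths and contents, not taken from any real system.
ORIGINAL = {
    "accounts/1001.json": b'{"id": 1001, "owner": "A. Example", "balance": 2500}',
    "accounts/1002.json": b'{"id": 1002, "owner": "B. Example", "balance": 40}',
    "payments/2024-03-01.csv": b"id,from,to,amount\n1,1001,1002,100\n",
}

# The same tree after "recovery": one payment silently redirected, one sham account added.
RESTORED = {
    "accounts/1001.json": b'{"id": 1001, "owner": "A. Example", "balance": 2500}',
    "accounts/1002.json": b'{"id": 1002, "owner": "B. Example", "balance": 40}',
    "accounts/9999.json": b'{"id": 9999, "owner": "Sham Holdings", "balance": 0}',
    "payments/2024-03-01.csv": b"id,from,to,amount\n1,1001,9999,100\n",
}

# Assumed: this key lives somewhere the attacker cannot reach (offline HSM, separate
# tenant, paper in a safe). A key stored next to the data proves nothing, because the
# attacker could recompute every tag after altering the records.
OFFLINE_KEY = b"example-key-kept-off-the-network"


def _tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 of data under key, as hex."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(tree: dict, key: bytes) -> dict:
    """Record a keyed hash per file plus a keyed hash over the whole listing,
    so that deleted or added entries are detected as well as altered ones."""
    entries = {path: _tag(key, content) for path, content in sorted(tree.items())}
    listing = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "listing_tag": _tag(key, listing)}


def verify_restore(tree: dict, manifest: dict, key: bytes) -> dict:
    """Compare a restored tree against the manifest. Reports which files are
    intact, altered, missing or unexpected, and whether the manifest itself
    was produced under the offline key."""
    listing = json.dumps(manifest["entries"], sort_keys=True).encode()
    manifest_ok = hmac.compare_digest(manifest["listing_tag"], _tag(key, listing))
    report = {"manifest_ok": manifest_ok, "intact": [], "altered": [], "missing": [], "unexpected": []}
    for path, expected in manifest["entries"].items():
        if path not in tree:
            report["missing"].append(path)
        elif hmac.compare_digest(expected, _tag(key, tree[path])):
            report["intact"].append(path)
        else:
            report["altered"].append(path)
    report["unexpected"] = sorted(set(tree) - set(manifest["entries"]))
    return report


def restore_is_trustworthy(report: dict) -> bool:
    """A restore is only trusted if the manifest is authentic and nothing deviates."""
    return report["manifest_ok"] and not (report["altered"] or report["missing"] or report["unexpected"])


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL, OFFLINE_KEY)
    report = verify_restore(RESTORED, manifest, OFFLINE_KEY)
    print(json.dumps(report, indent=2))
    print("trustworthy:", restore_is_trustworthy(report))
```

Run against the constructed `RESTORED` tree, the report marks the payments file as altered and the sham account as unexpected, so the restore is rejected even though the ransomware "returned" the data. The listing tag matters as much as the per-file tags: without it an attacker who deletes a record and its manifest entry would leave a manifest that still verifies file by file.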
Focus on cloud computing, software-defined networks, software-defined perimeters, and smaller, more agile data lakes that can be moved rapidly away from breaches, infections and ransomware. Enterprises must become more virtual, with less reliance on thick-client and static compute.
An action we recommend for all executives is to sign up for our Daily Threat Brief. This succinct articulation makes sure you are always informed on the nature of the threat.
Looking for ways to move out quicker on improving your enterprise? Find more actionable insights at: Protecting Your Business From Cyber Crime.
And get in touch asap if you could use an independent assessment of your current security posture.