Apr 13, 2022
Develop a Cybersecurity Action Plan: Focusing on Visibility and Breaking Down Silos
During these challenging times organizations need to create and deploy a plan of action that strengthens their defensesBy Melissa Bischoping, Endpoint Security Research Specialist, Tanium
Could there be a more “exciting” time to be a cybersecurity executive? Some might choose other adjectives: stressful, uncertain, confusing, mindboggling — to name a few. The past two years or so have seen an unprecedented string of events that have elevated threat levels and increased awareness of cyber risks at the highest levels of organizations.
Among the trends that have helped put cybersecurity in the spotlight are the dramatic rise in remote and hybrid work as a result of the pandemic; an ongoing and rapid shift to the cloud; a greater reliance on mobile devices in the workplace; a dramatic growth of e-commerce platforms and transactions; more sophisticated threats including ransomware; a rise in the number of data privacy regulations; a worsening security skills gap; and an ever-growing threat surface.
The number and types of threats continue to increase, whether it’s malware, phishing, zero-day attacks, distributed denial-of-service, data breaches and others. Software vulnerabilities have become a major concern, so starkly illustrated by the recent flaw discovered in Log4j, the Java-based logging utility. Experts called the vulnerability, which involved arbitrary code execution in the framework, one of the biggest and most critical of recent years.
In this blog series, I recap the most significant cybersecurity incidents and present a strategy that will help organizations build a strong cybersecurity program designed to defend against the latest threats.
Cyberattacks in the headlines
Here’s a brief look at some of the key attacks of recent months:
- In May 2021, U.S. oil pipeline system Colonial Pipeline, which originates in Texas and carries gasoline and jet fuel mostly to the Southeastern U.S., suffered a ransomware attack that impacted systems used to manage the pipeline. Colonial Pipeline shut down all of the pipeline’s operations to contain the attack and due to concerns about the attackers carrying out additional attacks on the pipeline. Within hours of the attack, Colonial paid the ransom demanded by the attackers. The incident was said to be the largest cyberattack on an oil infrastructure in U.S. history.
- In June 2021, a print spooler vulnerability was patched as part of Microsoft’s regular Patch Tuesday workflow. A few weeks later, around the July 4th weekend, a proof-of-concept exploit was released. Interestingly, this was an inadvertent zero-day release, as the bug it exploited was different from the original Common Vulnerabilities and Exposures (CVE). Not only that, but this vulnerability also impacted every version of Windows, server or workstation. Organizations scrambled over the holiday to quickly apply mitigations that were quickly discovered to be insufficient. This highlighted the fact that organizations need scalable, fast solutions for identifying the presence of a vulnerability.
- What happened to Kaseya, a company that provides software for managing networks and systems, in the summer of 2021 is the type of thing that keeps every vendor awake at night. In the case of Kaseya, a supply chain attack compromised the trust of its endpoint management tool to deploy ransomware. While about 50 different managed service providers were compromised, the overall impact hit more than 1,500 individual companies that had outsourced services to these providers. The attack, which was carried out by REvil, caused widespread systems downtime. It also led to the arrest of two individuals charged with deploying REvil ransomware to attack U.S. businesses and government entities.
- Security researchers in December 2021 identified a zero-day security vulnerability involving arbitrary code execution in Log4j, a Java-based logging framework that is part of Apache Logging Services. Security experts said the vulnerability was among the biggest and most critical to be discovered in recent years. This bug affected a library used in thousands of applications — enterprise and free/open-source.
These are just some of the cybersecurity highlights — or, more appropriately, low points. Attackers have realized the massive opportunities for gain when going after large organizations, or supply chains. As with any business, economy of scale is always the most profitable solution. This is true in cybercrime too. While Big Game Hunting is on the rise, smaller businesses are often affected by spillover attacks or supply chain compromises.
When we think about the most concerning threats on the landscape, we often go to the newest vulnerability. But repeatedly, the attackers hide in plain sight, sitting in an organization’s environment using an old contractor’s credentials, the service account passwords that have not been rotated in years, or by social engineering legitimate users into facilitating access.
Organizations need a plan of action to counter all of the threats. This plan should cover at least five key areas: inventory and asset management, breaking down silos, risk assessment, gap analysis and patch management.
Inventory and asset management
To find and stop security threats such as malware on endpoints, security teams need to be able to see these threats. But many organizations report that a lack of visibility is a challenge for their security operations.
Activities such as shadow IT, where employees procure devices, software or services without the knowledge or approval of central IT, only exacerbate the problem. And this will happen. People will use unknown devices and bring them onto the company network. While the intent is not malicious, the impact can be catastrophic.
Also, adding to the challenge of asset management are the remote and hybrid work models. Many employees are using their own devices to access data they need in order to do their jobs.
Security teams can’t identify, patch, or securely configure questionable endpoint devices when they don’t even know they exist within the environment. All the threat hunting in the world does not make up for the assets they are completely missing.
To effectively manage IT assets, organizations can’t rely on legacy tools that can take weeks to return results. They need results in real time and at scale across the entire network. Solutions such as converged endpoint and security management platforms provide security teams with real-time, actionable data across endpoints.
Endpoints are the most common point of entry into IT environments, which means effectively managing endpoint security is vital. It requires focus and vigilance.
Breaking down IT silos
Another important practice is to break down any silos that might exist among the security and business teams. Unfortunately, the relationship between security teams and business users can be a bit antagonistic. Security professionals are looking to ensure the protection of systems and data, while users want to avoid any tools and processes — including those for security — that might hinder their work.
It’s important for cybersecurity leaders to remember that while they are experts on security and technology, the business users are experts on how they use that technology to meet business goals. Working with rather than against them is critical, and security should be seen as a foundational service provided to all areas of the business. Security teams should exist to support and enable better experiences through secure design.
The exercise of mapping assets, software inventory and data at rest and in transit cannot be done from within IT operations alone. This is a unique opportunity to build alliances within the business, uncover gaps, improve work efficiency, and even save money.
It’s important for security to build relationships with representatives across the organization, to gain their buy-in, and to establish a rapport and feedback opportunity as the security team implements and modernizes the architecture.
CISOs should consider creating a CISO Advisory Board to gather insights and feedback from business users.
They should form relationships with the people who can shine a light on shadow IT and keep security leadership aware as solutions are being evaluated. These valuable relationships enhance the adoption of new security initiatives, proactively alert security to problems, and enhance trust.
Working with business users also gives IT and security an opportunity to discover situations such as when three different business groups are each using separate cloud-based software tools to effectively accomplish the same goal. It unlocks a powerful opportunity to identify duplicate efforts, stale solutions or opportunities to consolidate tools and workflows across other teams — saving a significant amount of money.
In my next article, I’ll cover the remaining three areas of the cybersecurity action plan.
You can also learn more by watching my latest webinar, Lessons Learned from Cybersecurity Headlines in 2021.
See how Tanium can help strengthen your organization’s security defenses by requesting a demo.