Why security leaders need to embrace rapid detection

Patrick Dennis shares insights on the changing nature of endpoint protection and the resulting need for rapid detection matched to confident action


As the universe of technologies and solutions to access information continues to explode, how quickly can you detect when something goes wrong?

Perhaps more importantly, are you able to detect a problem with enough detail to guide the right response?

As we learn to anticipate breaches, the ability to detect rapidly and respond quickly with the appropriate action is likely the difference between success and failure. Over time, the notion of a breach returns to being a legal concept and a symptom of a larger challenge.

In the meantime, it seems our endpoints are growing in importance.

That was the thrust of the discussion I shared with Patrick Dennis (LinkedIn, @_Patrick_Dennis), President and CEO of Guidance Software. Prior to joining Guidance, he served as senior vice president and COO of EMC’s Cloud Management Division, where he focused on helping enterprise IT groups make hybrid cloud computing a meaningful part of IT strategy, and was responsible for long-range planning, mergers and acquisitions, and divisional strategy.

Over the last year we’ve shared a few discussions about the changing nature of our industry. With the rise of ransomware and the proliferation of endpoints, where are we supposed to focus? Where can we focus?

With that, Patrick shared some insights to help security leaders embrace the role the endpoint plays in speeding up detection and guiding response.

What do security leaders need to consider when it comes to protecting endpoints?

The idea of a breach is outdated, considering the average breach lasts more than 100 days before detection. So, if only four of the hundreds or thousands of attacks that hit most organizations every day succeed, an organization could very well be "breached" for the entire year. Every security leader should assume they have been infiltrated at all times. Breaches are no longer a one-time event; they are the baseline state of most organizations.

As businesses continue to digitize, the number of endpoints grows exponentially, and all of these endpoints are potentially vulnerable to hackers. We need to make a concerted effort to protect all endpoints, but businesses still struggle to justify resources, find the right solutions, etc. Hackers know this and it is relatively simple for them to just keep looking until they find the unprotected endpoint.

Complete prevention is impossible. Breaches happen, and a new one is going to make the headlines every day. Cybersecurity and business leaders must shift their thinking away from a myopic focus on protection/prevention, to an understanding of the need to work under the assumption of compromise and focus more on the ability to detect, respond to, and remediate attacks.

How does ransomware change how we think about protecting our organizations?

Like everyone else, hackers love a quick win. A traditional malware attack involves gaining entrance, moving laterally, exploring, escalating privileges, and then – after weeks or even months – exfiltrating data.

Ransomware is different. More like a missile strike than a slow burn, ransomware encrypts files immediately.

Attackers can immediately pressure organizations to pay. But even if the victim pays up, this doesn’t guarantee that the criminals behind the attack will play fairly. Attackers may refuse to decrypt data after payment, attack the same target again, or otherwise act like criminals. Organizations will always need strong security practices and training for employees on how to avoid threats.

The immediacy of ransomware emphasizes the need for systems and processes, like a well-practiced incident response strategy and proper data back-ups, for quick response and recovery even if an attack is successful. Finally, attribution is important in ransomware cases. Don't overlook the importance of determining who the attacker was.

How is the nature of detection and response changing?

Security teams facing a diverse set of threats need a variety of capabilities, including the ability to monitor the rapidly expanding universe of endpoints, identify threats, and then take action. The growth in ransomware in just the last year reinforces the need for rapid detection and appropriate, immediate response. Finally, security teams need forensic capabilities to investigate what happened in the aftermath of an attack, collect the breadcrumbs as part of recovery, and help stop attacks in the future. All of this will hopefully also enable better information sharing and even the prosecution of more cybercriminals.

What do most people overlook with their backups?

Do not neglect the security of your backups! It's not unusual for backups to traverse a separate internal network that is reserved for systems traffic. These networks are often less well monitored and make a great avenue for a savvy attacker to travel.

Start with the basics: make sure you can restore from the backup. From there, evaluate the security of your backups: are they susceptible to ransomware? Make sure there are processes in place to review and check the integrity of backups on a regular basis. There are no silver bullets in this business, but having the right systems in place and processes to continually evaluate security needs vis-à-vis new threats is critical.
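The two checks Patrick describes, proving you can restore and verifying backup integrity on a schedule, can be automated. The script below is an added example, not code from the interview or from Guidance Software: it builds a keyed (HMAC) manifest of every file in a backup directory at snapshot time, then re-verifies that directory later and reports files that are missing, modified in place (what an encrypted-by-ransomware file looks like to a hash check), or unexpected. The key name, directory layout and file contents are constructed for the demo; the HMAC key is assumed to live somewhere the backup network cannot reach, so that whoever rewrites the files cannot also rewrite the manifest.

```python
"""Backup integrity check: build a keyed manifest, verify it later (added example)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large backups do not load into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Hash every file under backup_dir and MAC the listing with a key kept off the backup network."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> dict:
    """Compare the directory against the manifest; return a report suitable for a scheduled job."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["mac"])  # manifest itself untampered?
    missing, modified = [], []
    for rel, meta in manifest["entries"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            modified.append(rel)  # size or content changed since the snapshot
    unexpected = [
        p.relative_to(backup_dir).as_posix()
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.relative_to(backup_dir).as_posix() not in manifest["entries"]
    ]
    return {
        "manifest_ok": manifest_ok,
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "healthy": manifest_ok and not missing and not modified,
    }


def demo() -> tuple:
    """Constructed scenario: snapshot a clean backup, then check it again after simulated damage."""
    key = b"constructed-demo-key"  # placeholder; a real key is stored outside the backup network
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (root / "notes.txt").write_bytes(b"quarterly notes\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        # Simulate what a hash check sees after an in-place encryption plus a rename.
        (root / "db" / "customers.sql").write_bytes(os.urandom(64))
        (root / "notes.txt").unlink()
        (root / "notes.txt.locked").write_bytes(b"constructed ransom note")
        damaged = verify_backup(root, manifest, key)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean snapshot healthy:", before["healthy"])
    print("after damage:", after)
```

Run this on a schedule against each backup set and alert on any report where `healthy` is false; a "restore drill" that unpacks the backup to scratch space and runs `verify_backup` there proves both that the restore works and that what was restored is what was written.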

What are the first steps for a security leader to step back and think about endpoints differently?

The first step is to think beyond traditional endpoints (computers, laptops, even mobile devices), and understand all of the endpoints you have. The definition of an endpoint varies greatly by industry. In retail, every POS is an endpoint. In healthcare, any terminal with patient care information is one.

There is also an emerging category of endpoint, edge compute, that will drive even more scale and complexity. These devices will have more embedded logic, make decisions without human or cloud computing intervention, and often be driven by sensors (e.g. autonomous automobiles). These types of endpoints will work at worldwide scale, and security will play a role in the owner’s safety.

Take your time to know and understand the needs and vulnerabilities for each of those endpoints. From there, explore solutions available for better detection and response. Determine what best fits your needs. Work with others on your team and in the security industry. Leaders must know how to determine the interfaces, connections, and the processes by which their team operates.
