Recent events are forcing smaller enterprises to reconsider their security posture.

Traditionally, security requirements were stratified by organization size. Those requirements imposed expenses, policies, and processes, and were usually a balance between efficacy and convenience. Governments, for example, have always been prime targets. The government adversary is typically another nation state with deep pockets and high motivation for espionage or worse. Governments must assume that teams of professionals are targeting them, so their security is correspondingly robust. Some large enterprises found themselves in similar situations. The reward for successfully compromising a financial institution is high. Financial institutions recognize that they are attractive targets, so they build comprehensive security programs as insulation against attack. Smaller enterprises, such as the middle market, tend to fly under the radar, believing themselves to be less attractive targets. These organizations often deploy just enough security to ensure they are not an easy target for the casual adversary. Until recently, this has been a successful strategy.

Nation state capabilities for casual adversaries

The threat landscape has changed gradually over the last ten years. In 2010, a significant new form of malware called "Stuxnet" was discovered in the wild. Researchers determined that this malware may have been operating undetected for about five years. Further, it used a number of previously unknown, or zero-day, exploits. Stuxnet was developed by nation states for use against another nation state, but there were unintended consequences: the malware infected individuals and enterprises across many countries. Fortunately, Stuxnet did not appear to cause damage outside its intended target. Unfortunately, future attacks would not be as discerning.

In 2017, two ransomware variants, WannaCry and Petya (the NotPetya variant), spread rapidly across Europe and beyond.
Both attacks used an exploit called EternalBlue, which had been stolen from the NSA and published by the Shadow Brokers only months earlier. Unlike Stuxnet, this malware damaged the devices it infected by encrypting and destroying data. EternalBlue had originally been carefully guarded; once it was public, anyone could weaponize it for larger-scale attacks. The implications are significant, because it means even casual attackers can potentially tap the capabilities of a nation state. This trend is on the rise, and there is no reason to believe it will reverse. Whether an attack escapes the control of a nation state or a carefully guarded zero-day exploit becomes public knowledge, sophisticated and devastating attacks will become more frequent and more destructive.

Organizations of all sizes can be caught in the crossfire. For the chief information security officer (CISO), the cost to the organization is the same whether it was the intended target or merely collateral damage. Organizations must accept the reality that this new caliber of attack is going to be more common. Organizations of all sizes must evaluate more advanced options for mitigating zero-day attacks, identifying network anomalies, and even threat hunting to find adversaries that may already have infiltrated the trusted zones of their networks.

Evolving cybersecurity strategies for smaller enterprises

Cybersecurity strategies such as threat hunting were once the exclusive domain of high-value targets like government institutions and financial services organizations. The modern threat landscape has evolved to the degree that even smaller enterprises may find themselves victim to a previously unthinkable attack.

1) Develop a baseline for normal activity
Knowing what normal network activity looks like today helps you identify the cause more quickly when things go wrong tomorrow.
For example, when a workstation in accounting starts pulling data from the database server for the first time, that should raise a red flag. A baseline is only useful if it is actually compared against: record which sources talk to which servers and how much data moves, and alert on pairs and volumes that have never been seen before.

2) Have some defense for unknown malware
Signature-based virus scanners are a necessary first step, but they are easily evaded by repacked or novel malware. Consider malware identification that evaluates file and process behavior in addition to signatures.

3) Avoid over-reliance on endpoint defenses
Endpoint defenses are a valuable part of cybersecurity, but they are generally the last line of defense. If the endpoint solution fails to identify the threat, the organization is compromised. A better approach is to lean forward: seek to identify and block the threat before it reaches the endpoint.

4) Trust but verify the internal network
Too many organizations build strong perimeter defenses, deem the internal network trusted, and therefore leave it unprotected. Monitor your internal network the way you monitor your internet connection.

5) The fundamentals remain important
A good backup strategy would have minimized the impact of these newsworthy ransomware attacks. I recommend the 3-2-1 approach: keep three copies of your data, on two different types of media, with one copy off-site. Make sure at least one copy is offline or otherwise unreachable from the production network; ransomware that can reach a backup will encrypt it too, and a restore should be tested before it is needed.

* * *

As most CISOs know, there is no guarantee against a highly motivated, targeted attack. However, the assumptions that have driven security stratification are changing to the degree that an enterprise no longer has to be the target to fall victim to a targeted attack enabled by nation-state capabilities.
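Items 1 and 4 above (baseline normal activity, then monitor the internal network against it) are the kind of thing a small team can start with a few lines of code before buying a product. The following is an added example, not code from the article or its author: it builds a baseline of (department, destination) pairs and typical byte counts from a constructed week of internal flow records, then scores a new day's records, flagging both first-seen pairs (the accounting-to-database case the article describes) and large volume deviations. The subnet-to-department map, the log format, and the 5x volume threshold are all assumptions for illustration.

```python
"""Baseline internal network flows and flag what was never seen before.

Added example; the subnet map, log format and thresholds are assumptions.
Flow records are constructed, one per line: "<timestamp> <src_ip> <dst_ip:port> <bytes_out>".
"""
import ipaddress
from collections import defaultdict
from statistics import mean

# Hypothetical mapping of internal /24 subnets to departments.
DEPT_BY_SUBNET = {
    ipaddress.ip_network("10.10.20.0/24"): "accounting",
    ipaddress.ip_network("10.10.30.0/24"): "engineering",
    ipaddress.ip_network("10.10.40.0/24"): "dba",
}

# Constructed baseline window: only the DBA team talks to the SQL server (10.10.50.7:1433).
BASELINE_LOG = """\
2018-09-03T09:01:10 10.10.40.5 10.10.50.7:1433 18230
2018-09-03T09:05:44 10.10.40.6 10.10.50.7:1433 20410
2018-09-03T10:12:02 10.10.20.15 10.10.60.9:445 5120
2018-09-04T09:02:51 10.10.40.5 10.10.50.7:1433 17990
2018-09-04T11:30:00 10.10.30.22 10.10.70.3:22 2048
2018-09-05T09:00:13 10.10.40.6 10.10.50.7:1433 19875
2018-09-05T14:45:09 10.10.20.16 10.10.60.9:445 4890
"""

# Constructed records to score: an accounting host hits the SQL server for the
# first time, and a DBA host pulls far more data than it ever has.
NEW_LOG = """\
2018-09-10T09:03:00 10.10.40.5 10.10.50.7:1433 18800
2018-09-10T13:22:41 10.10.20.15 10.10.50.7:1433 512000
2018-09-10T15:10:05 10.10.30.22 10.10.70.3:22 2100
2018-09-10T23:40:00 10.10.40.6 10.10.50.7:1433 2400000
"""


def dept_of(ip: str) -> str:
    """Map a source IP to a department via the assumed subnet table."""
    addr = ipaddress.ip_address(ip)
    for net, dept in DEPT_BY_SUBNET.items():
        if addr in net:
            return dept
    return "unknown"


def parse_flows(text: str) -> list:
    """Parse constructed flow lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append({"ts": ts, "dept": dept_of(src), "src": src,
                        "dst": dst, "bytes": int(nbytes)})
    return records


def build_baseline(records: list) -> dict:
    """Baseline = every (department, destination) pair seen, with its byte counts."""
    baseline = defaultdict(list)
    for r in records:
        baseline[(r["dept"], r["dst"])].append(r["bytes"])
    return dict(baseline)


def score(records: list, baseline: dict, volume_factor: float = 5.0) -> list:
    """Return (timestamp, dept, dst, reason) for records outside the baseline.

    A pair never seen in the baseline window is always flagged; a known pair is
    flagged when its byte count exceeds volume_factor times the baseline mean.
    """
    alerts = []
    for r in records:
        key = (r["dept"], r["dst"])
        if key not in baseline:
            alerts.append((r["ts"], r["dept"], r["dst"], "first-seen pair"))
            continue
        typical = mean(baseline[key])
        if r["bytes"] > volume_factor * typical:
            alerts.append((r["ts"], r["dept"], r["dst"],
                           f"volume {r['bytes'] / typical:.0f}x baseline"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    for alert in score(parse_flows(NEW_LOG), baseline):
        print(*alert)
```

The baseline window should be long enough to cover normal monthly and quarterly jobs, otherwise a legitimate end-of-quarter report run will look like an anomaly; and a first-seen alert from the baseline window itself means the adversary was already inside when you started measuring, which is exactly the case threat hunting is meant to find.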