Our seasoned analysts couple their industry-leading B2B research with in-depth buyer intent data for unparalleled insights about critical technology markets.
Clients trust us across their GTMs—from strategy and product development to competitive insights and content creation—because we deliver high-quality, actionable support.
Browse our extensive library of research reports, research-based content, and blogs for actionable data and expert analysis of the latest B2B technology trends, market dynamics, and business opportunities.
If you haven’t heard about it yet, there has been a groundswell of activity over the past 12-18 months with security vendors rallying around a new theme: XDR. There have been different interpretations of what the “X” in XDR stands for, but the general concept is built on the success of the endpoint detection and response (EDR) model, now extending that model to aggregate and correlate telemetry from additional security controls, adding network, cloud, email, and more. The promise is that with a broader view of activity across security controls, more automation can be applied to deliver better coverage, insights, and ultimately more automated response actions for today’s sophisticated attacks.
About a month ago, I wrote a blog about how COVID-19 was driving rapid and dynamic changes for CISOs. I followed this up with a second blog, detailing a number of subsequent cybersecurity phases CISOs are now pursuing to assess and mitigate COVID-19-based cyber risks.
Both blogs describe some fundamental problems. Corporate cybersecurity now extends to home networks filled with insecure IP devices with little or no security protection whatsoever. Meanwhile, hackers are exploiting societal malaise with online scams, rogue websites, and phishing campaigns preying upon COVID-19 paranoia. A recent article in the Washington Post described research from Palo Alto Networks identifying more than 2,000 malicious COVID-19 web domains and another 40,000 it classifies as “high risk.”
So, work from home (WFH) initiatives have greatly expanded the attack surface AND pivoted traffic away from corporate networks instrumented with tried-and-true security controls. CISOs are struggling to figure out what’s out there and whether they are vulnerable to a growing barrage of COVID-19 cyber-attacks.
What can be done? Just like COVID-19 itself, one way to address this situation is through testing, testing, testing. Rather than novel coronaviruses and antibodies, however, WFH security vulnerabilities can be assessed through new types of continuous automated penetration and attack testing (CAPAT) tools.
These tools are provided as a SaaS offering so there’s no onsite hardware/software to install and operate. While CAPAT tools weren’t designed for WFH explicitly, I believe that CISOs may find them to be helpful for addressing current COVID-19 challenges by:
Mapping the attack surface. Cybersecurity teams aren’t sure exactly what’s on the extended network right now. Old insecure PCs? Chatty gaming systems? Mirai botnet-infected video cameras? Discovering what’s out there is an important step, as experienced red teamers often find lots of assets that cybersecurity teams don’t know about but are still responsible for. Some CAPAT tools address this visibility gap by discovering and mapping the attack surface – a good starting point for risk assessment and mitigation.
Testing security controls. Organizations spend millions of dollars on endpoint security software, firewalls, and a potpourri of security controls sitting between the two. Do these things work? This basic question is worth pursuing – according to research from ESG and the Information Systems Security Association (ISSA), 38% of cybersecurity pros say that one of the main implications of the global cybersecurity skills shortage is that their organization cannot fully learn or utilize their security technologies to their full potential. Thus, an overworked cybersecurity staff can lead to human error and misconfigured security controls languishing on the network. CAPAT tools can help CISOs assess whether their defenses work and whether they would know about it if they failed.
Pinpointing cyber risks. Armed with an attack surface map and CAPAT reports, CISOs can identify and address specific weaknesses with the right training, processes, and countermeasures. Yes, they do this already with penetration testing and red teaming exercises, but these tend to be expensive third-party services conducted once or twice per year. CAPAT tools replace costly service engagement with automation, providing a continual closed-loop cycle for risk assessment and mitigation.
Supplementing existing security programs and technologies. CAPAT tools tend to emulate cyber-adversaries by breaking attacks into kill chains over time. Each of the automated tactics, techniques, and procedures (TTPs) a CAPAT tool executes can then be mapped into the MITRE ATT&CK framework – a popular taxonomy that aligns security programs and tools to an ‘outside-in’ hacker perspective and timeline. I’ve also witnessed CAPAT tools used in conjunction with security information and event management (SIEM) and security orchestration automation and response (SOAR) tools to fine-tune correlation rules and incident response runbooks. Finally, as CAPAT tools expose system configuration issues, these vulnerabilities can be programmed into deception technologies used to fool enemies and capture valuable threat intelligence.
To be clear, CAPAT tools aren’t a panacea but they can help expose WFH blind spots by increasing attack surface visibility – as the old management principle states, “you can’t manage (or in this case, secure) what you can’t measure.” Additionally, CAPAT tools can help security professionals “think like the enemy,” another fundamental tenet of cybersecurity. Finally, CAPAT tools have the potential to democratize penetration testing and red teaming. While most organizations can’t hire and retain experienced FTEs in these areas, CISOs should be able to find affordable SaaS options.
There are a host of innovative CAPAT vendors out there including AttackIQ, CyCognito, Cymulate, Randori, SafeBreach, Verodin (FireEye), and XM Cyber, amongst others. Some focus on attack surface discovery, some test controls, and some automate red teaming. I believe CAPAT tools will ultimately become a key technology in the SOC arsenal.
Digital transformation initiatives have been well documented over the last few years and result in significant changes to an organization’s people (skills), process, and technology. The top goals of these initiatives, as reported in ESG’s 2020 Technology Spending Intentions survey, are to drive greater operational efficiencies and deliver differentiated customer experiences. To accomplish these goals, organizations are actively modernizing their application environments.
Last week, I wrote a blog describing 3 ways that COVID-19 is changing CISO priorities for 2020. COVID-19 drove large-scale work from home (WFH) initiatives where the priority was getting users up and running as quickly as possible. Security leaders were then forced into an unanticipated follow-on sprint to deliver elementary security safeguards for remote employees (i.e., VPNs, endpoint security controls, network security controls, etc.).
This is the new reality and it’s an ongoing scramble, but what comes next?
Let’s call the current situation phase 1, which is about employee access, network communications confidentiality/integrity, and basic endpoint security.
Since posting my last blog, I’ve heard of additional IT efforts to address network performance and user productivity (phase 1A). Some organizations are implementing split tunneling so key employees can access VPNs and the internet simultaneously. Some are paying to upgrade employee bandwidth, especially for executives spending their days on Zoom/WebEx meetings while their children use the same networks for home schooling. My colleague Bob Laliberte also tells me about companies instrumenting key employee systems with WAN optimization software. Back at corporate, there’s also lots of load balancing and SD-WAN activity.
From a security perspective, forward-thinking CISOs are now on to phase 2 focused on situational awareness and risk assessment. This is directly related to the fact that a lot of LAN traffic has been rerouted to WANs and internet connections. The goal? Scope out the new realities of usage patterns and the attack surface.
To gain this level of visibility, organizations are deploying endpoint security agents to assess device posture and system-level activities. Think Tanium agents and EDR software from vendors like Carbon Black, CrowdStrike, and Cybereason. Security pros also recognize that employee home networks may be populated with insecure IoT devices, out-of-date family PCs, etc., so I’ve heard of instances where security teams are doing home network scans here as well. Finally, there is an increased focus on monitoring the network traffic travelling back and forth on VPNs or directly out to SaaS providers and the public cloud.
Leading organizations are also ramping up monitoring of cyber-adversaries and threat intelligence, looking for targeted attacks, COVID-19 tactics, techniques, and procedures (TTPs), IoCs, etc. I’ve also heard that threat analysts are more actively sharing intelligence and participating in ISACs. In other words, I’m seeing an increase in collaboration within the cybersecurity community.
In about 4 weeks, organizations will have visibility and enough historical data to proceed to phase 3, a full risk assessment and a board-level report. These reports will examine the WFH infrastructure, new traffic patterns, perceived vulnerabilities, rising threats, etc. They will also dig into a more thorough look at emerging WFH issues like insider threats, expansive privileges, data security exposures, insecure cloud application configurations, and others. The goal? Quantify risk and then work with executives to prioritize actions.
This leads to phase 4, which is all about risk mitigation. Based upon my conversations, the goal is to address this by mid-May at the latest. During the risk mitigation phase, organizations will likely employ controls for data privacy/security, assign least privilege to networks and applications, and segment home network traffic to protect WFH assets from gaming systems, smart refrigerators, security cameras, and the like. We’ll see more deployment of technologies like multi-factor authentication (MFA), zero trust networking tools, privileged account management, and DLP/eRM at that point. Process automation will also be added during this period.
At the end of phase 4, WFH should be set up for threat prevention, detection, and response at scale.
A few final things I’ve heard:
While the four phases are a general project plan, CISOs are also busy patching tactical holes like blocking Zoom bombing by using meeting IDs and issuing passwords. Issues like this come up daily.
Another issue I’m hearing about is securing “shotgun” applications, developed and deployed quickly to support remote workers, business partners, and customers.
Security will continue to play catch-up, with IT leading on network performance and service availability. User support and productivity is paramount while security remains behind the scenes.
The need for speed is causing CISOs to have a “SaaS first” mentality.
CISOs are taking a long-term approach since no one can tell how long the lockdown will last. Many also feel like this is a game changer for the future of IT and security.
I’ll continue to report on what’s happening in the CISO trenches as desperate times call for desperate measures. Your feedback, inputs, and suggestions are most welcome.
The notion of a matrix of “anyness” describes how the combination of knowledge worker mobility and the broad use of cloud services has significantly impacted the cybersecurity remit. The recent surge in remote workers has brought this concept to the fore and shown how conducting business on any device from any location at any time accessing any app and any data is the norm. This reality certainly challenges the castle and moat security model, highlighting the need to evolve how we think about the perimeter, to one that contemplates the many aspects of identity.
For the last couple of years, SD-WAN technology has been on a roll. Businesses going through digital transformation initiatives are increasingly leveraging cloud platforms to host applications (both IaaS and SaaS) that are critical to the business. However, the legacy hub and spoke networks leveraging private telco links were not designed for direct connection to cloud-based apps from remote locations. Instead, all the traffic was funneled through the data center, creating a lot of round trips, latency, and poor user experiences.
SD-WAN changed all that and enabled organizations to effectively take advantage of multiple broadband connections to create highly performant and secure connections from branch offices directly to cloud platforms, corporate data centers, and other remote offices. Leveraging broadband connections (or a combination of broadband, MPLS and even 4G) provided greater flexibility, access, and even lower costs. Additionally, these SD-WAN technologies provided a number of other benefits to the business including:
Zero touch deployments to enable sites to be turned up rapidly.
Prioritized application traffic to ensure critical voice and video applications always perform well.
Effective and efficient use of all existing bandwidth.
Securely segmenting application traffic ensures business apps aren’t mixed with gaming traffic.
Centralized policy management and distributed enforcement ensures changes are implemented at every site.
Over the last week or two, I have spoken to a number of SD-WAN providers (VMware VeloCloud, QoS Networks, Silver Peak, and Cato Networks) who are reporting that, in light of the COVID-19 pandemic, businesses are now adapting SD-WAN to enable work-from-home (WFH) initiatives. It stands to reason that if it can provide benefit to the branch office, it can do the same for the employee now working from home. Here are a few examples:
There is a large insurance company that ordered 5,000 new SD-WAN instances to be rolled out over 10 days to ensure their employees have optimized access to internal and cloud applications and that corporate policies can be enforced at these new edge locations – employee homes. In this case, a partner was handling the staging, distribution, and turn-up of services within an extremely expedited timeframe. Fortunately, zero touch provisioning and centralized policies ensure minimal involvement is required by the employees.
In another instance, the technology is being used to enable doctors and healthcare professionals to more effectively and securely deliver TeleHealth/Telemedicine from not just their offices, but also their home locations as well. Given the risk so many of those on the front lines are facing, the ability to screen potential patients from remote locations or enable doctors from different parts of the country to help those in the hardest hit areas, this is a great application of SD-WAN technology.
A call center business handling medical-related issues rapidly transitioned from an on-premises business to a work-from-home model, bringing up 300 agents in less than one week from placing the order, 400 agents within two weeks, and now has 800 employees set up to work from home. Again, because of the innovative zero touch provisioning and centralized control, these technologies can be deployed in a very short time frame. For a call center business, SD-WAN technology will provide significant benefit by optimizing real-time audio and video services to ensure the best possible customer experiences, regardless of where the call center operators are located.
Clearly the COVID-19 pandemic has forced all organizations to rethink their business continuity plan. As employees shift to work from home to remain safe, we are starting to see innovative technologies like SD-WAN be deployed to ensure call center agents can still deliver services, health care professionals can interact with patients, and other medical centers and employees can access mission-critical business and collaboration apps with prioritized access – especially with so many students also at home, vying for bandwidth for online gaming and streaming video!
Most organizations will increase cybersecurity spending in 2020, driven by the desire to protect business processes and counteract dangerous threats. In fact, organizations targeted by cyber-attacks like ransomware are far more likely to increase spending than those that have not. While most are likely to invest in AI/ML-based analytics, data security, network security, and application security, CISOs will spread budget dollars around in many areas. The data indicates that many organizations are in the process of reengineering their entire cybersecurity infrastructure in an attempt to improve efficacy, streamline security operations, and support new technology-driven business processes.
Fundamental changes to application architectures and the infrastructure platforms that host them are antiquating existing cybersecurity technologies and challenging traditional approaches to protecting business-critical workloads. Additionally, the continuous integration and continuous delivery (CI/CD) process of DevOps is as impactful a change to cybersecurity programs as the changes to the applications and infrastructure that these methodologies manage.
In order to get more insight into these trends, ESG surveyed 371 IT and cybersecurity professionals at organizations in North America (US and Canada) responsible for evaluating, purchasing, and managing cloud security technology products and services. These organizations are mature cloud users in terms of public cloud services and/or containers.
According to ESG research, 62% of organizations were poised to increase spending on cybersecurity in 2020. Thirty-two percent of survey respondents said they would invest in cybersecurity technologies using AI/ML for threat detection, followed by data security (31%), network security (30%), and cloud application security (27%).
Of course, that was back in the innocent and carefree days before COVID-19. Have things changed? Yes, and seemingly overnight. Like society at large, the cybersecurity world’s priorities, strategies, and tasks have been turned upside down.
I reached out to some CISOs and industry beacons this week to get their account of what’s happening. My first observation is it’s difficult to get CISOs on the phone right now as they are heads down trying to secure the new reality. But I did manage to get a few on the line; here’s a synopsis of what they said:
Big projects have been postponed indefinitely. Large organizations tend to have a few cybersecurity projects that require engineering, piloting, and cooperation with IT operations. Think of things like reengineering the security data pipeline, data discovery/classification/security across the enterprise, or IAM initiatives like identity federation. With everyone working remotely, these projects have been tabled for now—even if they were already progressing.
It’s all about securing remote users. This one is obvious, but it’s also the reason why CISOs are so busy. The mandate from executives was to get employees up and running first and then address security afterward. CISOs have been fighting “bolt on” security cycles like this for years, but the virus has forced security teams to work uphill to catch up. This means on-the-fly risk assessments, controls adjustments, and lots of work in tandem with IT and network operations teams.
An immediate search for “quick wins.” CISOs are finding and patching holes as quickly as they can. In some cases, this means they are starting from scratch as they quickly ramp up product research, purchasing cycles, testing, piloting, and deployment. Despite this workflow, CISOs are looking for tools that can be easily installed and configured to mitigate new risks.
Budgets haven’t been cut yet and CISOs really don’t have time right now to deal with paper pushing. Rather, security teams are grabbing money as they can to address the new reality. Some of the emergency purchasing needs include:
Endpoint security controls. There are two priorities here: providing network access and blocking malware. This equates to VPN clients and antivirus software—especially for employees sharing their systems with family members. Some are also looking at asset and operations management tools (a la Tanium) to turn unmanaged home PCs into managed short-term corporate assets.
Mobile device security. This was on the to-do list at the beginning of the year. Now that executives, high-value employees, and privileged account managers are working from home, mobile device security efforts have become a high priority.
Network security. CISOs are defaulting to VPNs to deal with a work from home population that grew from 20% to greater than 80% of employees in a matter of weeks. In some cases, basic VPN access has superseded more thorough zero-trust access projects that require time and planning for things like policy management. VPN growth is accompanied by the need for more firewall and other gateway appliances. Finally, I’m seeing increasing interest in secure DNS services, which is also perceived as a quick win.
Simple multi-factor authentication (MFA). Organizations that have success with MFA in small pockets are expanding these efforts as high-value employees migrate from office cubicles to their home offices. Again, the goal is to bolster security first and then fine-tune policies over time.
Some final observations:
The degree of cooperation between security and IT/network operations is unprecedented, with lots of things happening simultaneously.
CISOs aren’t doing a lot of shopping. Rather they are working with trusted partners to get things done quickly. This will impact startups.
CISOs have asked their staff to do what they can to increase end-user monitoring. They are also working with HR on “crash course” security awareness training. Those that have synthetic phishing tools have increased activity here as well.
Data security remains a big issue as there aren’t really any quick fixes. This is one of the reasons for increased end-user monitoring.
Before COVID-19, many organizations did not configure endpoint security tools in the maximum protection setting for fear of disrupting users with false positives or reduced performance. Some of the CISOs I talked with have mandated a change in this policy, reconfiguring endpoint security tools for maximum protection everywhere.
CISOs are asking trusted vendors for help. In some cases, they are discovering security product capabilities and free features and services they were unaware of. Who knew?
With ransomware a top security concern for most cybersecurity teams, the cost of cybersecurity insurance is making its way into the annual budgeting process for CFOs around the globe. While ransomware is not a new cyber-threat, largely entering the cybersecurity scene in 2016 and 2017 with high-profile attacks, research conducted by ESG reveals that a majority of organizations continued to experience ransomware attacks in 2019, representing a concern for both business and IT leadership.[1]
The research further revealed the prominence of cybersecurity insurance policies, and the relationship between ransomware payouts and those companies that hold these policies. A subset of organizations with cybersecurity insurance report that their providers are advising, and possibly even pressuring, them to pay cyber ransoms, further fueling the success rates and the economy built around ransomware. This disturbing trend sets the stage for the continuance of ransomware, and an opportunity for criminals to exploit those organizations that have engaged with cybersecurity insurance companies.
The ransomware economy stretches well beyond the cryptocurrency that attackers are extorting from both companies and the public sector. Cybersecurity insurance is growing at an equally disturbing pace, along with the many ransomware-targeted security controls that endpoint and data protection vendors are bringing to market to help organizations protect themselves from attacks. Further contributing to this economy are the outside incident response vendors and legal practices that are helping companies understand and recover from successful ransomware attacks.
I’m a big analogies guy, so I’ll liken this to the use of radar in the automotive industry: As vendors equipped law enforcement with speed-measuring radar guns, it spawned an opportunity for the sales of radar detectors to alert drivers to “speed-traps.” As radar was further used in additional applications including automatic door openers, collision detection systems, and more, new advances were required to filter out the noise, further fueling the economy built around the radar industry.
Ransomware is following a similar pattern: Software developers are building and selling ransomware to criminals. Criminals are using the ransomware to extort funds from organizations of all types. Cybersecurity insurance companies are selling insurance policies to protect against attacks. Cybersecurity software companies are building and licensing software to protect against attacks. Data loss protection (DLP) vendors are building and selling specialized solutions to enable data to be safeguarded and restored in the event of ransomware attacks. Incident response companies are helping victims understand and recover from attacks.
With all the positive focus on helping organizations protect against and recover from attacks, ransomware and the economy surrounding it appear to be here to stay. ESG research tells us that this story is only getting worse, with 48% of companies investing in cybersecurity insurance policies, and nearly two-thirds (60%) of organizations experiencing a ransomware attack in 2019. While successful phishing attacks far outweigh successful ransomware attacks, most organizations say that ransomware presents a higher risk.
[1] Source: Enterprise Strategy Group Research Report, 2020 Technology Spending Intentions Survey, February 2020. All Enterprise Strategy Group research references in this blog post have been taken from this research report.
It’s 2020, yet many organizations still depend upon a myriad of disparate point tools for security operations, leading to many challenges. According to ESG research:
35% of cybersecurity professionals say that the biggest challenge associated with managing an assortment of point tools is that it makes security operations complex and time consuming.
ESG conducted a comprehensive online survey of IT professionals at private- and public-sector organizations in North America (US and Canada) between December 9, 2019 and December 17, 2019. To qualify for this survey, respondents were required to be IT/information security professionals responsible for or familiar with their organization’s cybersecurity environment and strategy.
The data in this master survey results set covers:
The cybersecurity technology landscape.
Perceptions of and requirements for enterprise-class cybersecurity vendors.