During a master’s game of chess, players must react to the unanticipated — for instance, an opponent dramatically sacrificing a queen to advance a brilliant strategy. To the novice player, it may seem as though chess is a game of reactivity; but for top-notch competitors, there is always an evolving core strategy at play, even when subtle moves may not immediately reveal it. Similarly, in cybersecurity, while organizations must be nimble enough to react to the unanticipated and unexpected — such as a ransomware attack, evolving threat tactics, or even a global pandemic shifting business operations — they must also have a robust and comprehensive proactive security strategy moving their metaphorical chess pieces across the board. Threat actors are strategic in their approaches; as such, organizations must have an expert-level, proactive security strategy in play to ensure they come out on top.
When organizations choose to address cybersecurity deficiencies and incidents as they occur, the results can be detrimental. Those companies that favor reactive cybersecurity are constantly scrambling to triage the most pressing risk of the moment, and often, sophisticated threat actors have strategically masked their attack strategy, making it extremely difficult to detect early threat indicators. This can lead to organizations battling an end game: responding to a more significant incident, such as a ransomware attack, rather than having thwarted an initial phishing attempt or discovering alerts indicating that threat actors are moving into their IT environment.
As the many publicized security issues during the COVID-19 pandemic have demonstrated, it is important that organizations be prepared to meet the security challenges of unanticipated changes in their IT environment, threat landscape, and even the world. The most successful organizations take a proactive stance in laying the groundwork to identify, detect, defend against, and respond to subtle moves made by threat actors in the early stages of the threat attack chain. By pre-emptively identifying potential cyber risks and deploying strategic protective measures, organizations will be better positioned to defend their “king” (i.e., their critical assets) across people, process, and technology.
Proactive cybersecurity programs include comprehensive activities that involve not only the IT and security teams, but also the CEO and boards of directors. Examples of key proactive activities include identifying risk tolerance, defining governance structures, and developing comprehensive security strategies. Throughout this article, we will review key domains where organizations can proactively fortify their cybersecurity measures. COVID-19 has increased threat activity and created unique changes — and increased risk — in IT environments. Now is the time to review some “quick hit” areas where you can bolster your cybersecurity and execute your winning strategy.
Remote access
Remote access vulnerabilities are a top concern in 2020 because of the mass migration of office workers to home office settings in response to the ongoing pandemic. Threat actors have capitalized on the associated vulnerabilities, waging ransomware attacks, hijacking video conference calls, and other nefarious tactics. Some things you can do to reduce risk include:
Ensure that sensitive documents or applications cannot be accessed without requiring the use of a VPN client.
Deploy multi-factor authentication (MFA) as standard everywhere it can be leveraged. MFA is the easiest and most effective way organizations can protect themselves from unauthorized access. There are plenty of MFA solutions available to fulfill each organization’s unique needs, from tokens to mobile device codes.
Consider disabling remote desktop protocol if it is not needed in the environment.
If new collaboration platforms were quickly stood up, consider reviewing them for security to see if patching is required or if better, more secure options are available for your longer-term needs.
Vendor due diligence
Even if your organization is doing everything right from a security standpoint, the third parties you engage for services could present an Achilles’ heel. Some of the most significant breaches in recent years were caused by gaps in vendor security, so it is important to conduct vendor due diligence assessments. These assessments review the cybersecurity posture of vendor organizations (much as you would your own organization, but less in-depth), and they can be conducted either before contracting a third-party vendor or after the vendor is already serving your needs.
It’s also important to understand who is responsible for which aspects of cybersecurity oversight in the vendor relationship. If this is unclear, evaluate security roles and responsibilities with all vendors that touch your critical data assets or security infrastructure. A thorough understanding of roles and responsibilities is essential, not only when securing data against threat actor strategies, but also for contractual reasons and for business continuity and incident response scenarios.
Asset and configuration management
You cannot protect what you don't know you have. Some organizations take a reactive approach to asset management—they procure assets when they need them, such as a new firewall, computer, and/or software, without following through with appropriate disposal of the retired assets, updating the asset inventory, and ensuring configuration settings are appropriately tracked. Automated asset management tools that rely on network scanning to identify assets can be a great place to start, but they don’t necessarily capture all assets, such as those that are not connected to the network (we see this often with connected medical equipment), nor do they gather configuration information.
Having complete information on assets and configurations will position organizations to protect and patch all software and hardware and track equipment that has gone missing.
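To make the gap between a scanner's view and a maintained inventory concrete, here is an added example (not code from the original article) that reconciles an authoritative inventory against discovery-scan results and reports three things the article calls out: inventoried assets the scan never saw, devices on the network that nobody inventoried, and settings that have drifted from the recorded baseline. The inventory rows, scan results and baseline settings are constructed sample data.

```python
"""Reconcile an authoritative asset inventory against a network scan.

Added example, not from the original article. The inventory rows,
scan results and baseline settings below are constructed sample data.
"""
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str
    hostname: str
    mac: str
    expected_config: dict = field(default_factory=dict)

# Constructed: what procurement / the CMDB says the organization owns.
INVENTORY = [
    Asset("A-100", "fw-edge-01", "00:11:22:33:44:01", {"ssh_version": "2"}),
    Asset("A-101", "infusion-pump-7", "00:11:22:33:44:02", {}),  # rarely on the network
    Asset("A-102", "ws-finance-04", "00:11:22:33:44:03", {"smbv1": "disabled"}),
]

# Constructed: what the discovery scanner observed, keyed by MAC address.
SCAN = {
    "00:11:22:33:44:01": {"hostname": "fw-edge-01", "config": {"ssh_version": "2"}},
    "00:11:22:33:44:03": {"hostname": "ws-finance-04", "config": {"smbv1": "enabled"}},
    "00:11:22:33:44:99": {"hostname": "unknown-laptop", "config": {}},
}

def reconcile(inventory, scan):
    """Return three findings lists: inventoried assets the scan missed,
    scanned devices the inventory does not know, and config drift."""
    known = {a.mac: a for a in inventory}
    not_seen = [a.asset_id for a in inventory if a.mac not in scan]
    unknown = [mac for mac in scan if mac not in known]
    drift = []
    for mac, seen in scan.items():
        asset = known.get(mac)
        if asset is None:
            continue  # already reported as unknown
        for key, expected in asset.expected_config.items():
            observed = seen["config"].get(key)
            if observed != expected:
                drift.append((asset.asset_id, key, expected, observed))
    return not_seen, unknown, drift

if __name__ == "__main__":
    missing, rogue, drifted = reconcile(INVENTORY, SCAN)
    print("not seen by scanner (verify physically):", missing)
    print("seen but not inventoried (investigate):", rogue)
    print("configuration drift (remediate):", drifted)
```

The "not seen" list is where offline equipment such as the medical device lands: the scanner alone would silently omit it, and only the inventory reveals that it still needs patching and tracking.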
Incident response and remediation planning
Having a robust, tested Incident Response and Remediation Plan (IRRP) is not something you want to think about after an incident occurs, when you are in the midst of triaging an actual security breach. The time to create a plan and test it is now. A static or outdated IRRP is not beneficial. These plans should be revisited periodically to ensure they are updated and aligned with the current business objectives and the threat landscape. Listed below are a few common gaps to consider:
Are the call trees in the plan current and up to date?
If you have cyber insurance, are the processes and contacts in the policy integrated in your IRRP? Cyber insurance is designed to facilitate response, but we’ve seen reaction delays as companies work to locate the policy and discover who to contact/what to do because the policy wasn’t integrated in the IRRP.
Are all parties that will play a role in the response part of the plan (e.g., in-house legal resources, communications teams, HR)?
Is your plan aligned to incident response recommendations within an industry-recognized framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework?
Do you have a Digital Forensics and Incident Response (DFIR) firm on retainer to assist your team in the event of a significant matter or data breach?
It is also essential that organizations actually test their response plans and playbooks by facilitating "tabletop" exercises against real-world threat types to get familiar with the processes outlined in the plan, ensure response procedures will meet needs under actual threat circumstances, and determine any gaps or weaknesses in the response approach.
Identity and access management (IAM)
IAM extends beyond just provisioning and deprovisioning the access rights of new and departing employees. Organizations should also ensure there are stringent policies and procedures in place regarding the management and routine auditing of segregation of duties (we suggest even a high-level audit quarterly or monthly). Because insider threats continue to be a significant source of threat against organizations according to our research, it’s important to fully and promptly terminate access rights when an employee leaves the organization.
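The two audits this paragraph recommends can be automated from data most organizations already have: an HR roster and an entitlement export from the IAM system. The following is an added example (not code from the original article) that flags terminated or unknown users who still hold access, and users holding both halves of a toxic combination of duties; the roster, entitlements and SoD rules are constructed sample data.

```python
"""Periodic IAM audit: orphaned access after termination and
segregation-of-duties (SoD) conflicts. Added example, not from the
article; the HR roster, entitlement export and SoD rules are constructed."""
from datetime import date

# Constructed HR feed: user -> (status, termination date or None).
HR = {
    "alice": ("active", None),
    "bob": ("terminated", date(2020, 6, 30)),
    "carol": ("active", None),
}

# Constructed entitlement export from the IAM system.
ENTITLEMENTS = {
    "alice": {"ap_create_vendor", "ap_approve_payment"},
    "bob": {"vpn", "erp_readonly"},
    "carol": {"ap_create_vendor"},
}

# Constructed toxic combinations: one person must not hold both.
SOD_RULES = [
    ("ap_create_vendor", "ap_approve_payment"),
    ("deploy_prod", "approve_change"),
]

AUDIT_DATE = date(2020, 7, 15)  # constructed date the audit is run

def orphaned_access(hr, entitlements, as_of):
    """Users not active in HR (terminated or absent from the roster) who
    still hold entitlements. Returns (user, days since termination, grants)."""
    findings = []
    for user, grants in entitlements.items():
        status, term = hr.get(user, ("unknown", None))
        if status == "active" or not grants:
            continue
        days = (as_of - term).days if term else None
        findings.append((user, days, sorted(grants)))
    return findings

def sod_violations(entitlements, rules):
    """Users holding both entitlements of any SoD rule."""
    return [(user, a, b) for user, grants in entitlements.items()
            for a, b in rules if a in grants and b in grants]

if __name__ == "__main__":
    print("orphaned access:", orphaned_access(HR, ENTITLEMENTS, AUDIT_DATE))
    print("SoD violations:", sod_violations(ENTITLEMENTS, SOD_RULES))
```

The "days since termination" figure is the metric worth trending between audits: a deprovisioning process that works will keep it near zero.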
Cyber risk identification and strategic remediation
Cyber risk management can be a daunting task, and some organizations, understandably, aren’t quite sure where to begin. Obtaining a cyber risk assessment conducted by a third-party firm against an industry-leading framework or set of best practices can help organizations identify vulnerabilities. Organizations can then create a carefully tailored strategy to prioritize and remediate these risks, based on the organization’s unique goals, risk tolerance, security objectives, budget, and technology landscape.
In our experience, the most successful organizations in cyber defense build an internal cyber risk management function to ensure risk management is not a one-time activity, but, rather, a dynamic commitment that captures the changing cybersecurity landscape at any given moment. Other high-performing organizations successfully apply risk scoring tactics that associate degrees of risk with repeatable values (high/medium/low, or more complex quantitative scores) to assist in prioritizing efforts and investments and track progress over time. Data-driven decisions help derive the most beneficial and objective outcomes from the cyber risk management function.
Cybersecurity staff, tools, and processes can be costly to the enterprise, and often, the return on investment is not immediately obvious. But an outlay of both effort and capital early on is a gambit that contributes heavily to a winning strategy. With a much more robust proactive stance, attack attempts such as ransomware are more likely to be unsuccessful instead of resulting in “checkmate” for critical operations.