Security chats with Oliver Tavakoli, CTO at Vectra, a California-based artificial intelligence (AI) cybersecurity company, about the future of remote work and the cybersecurity risk management frameworks security leaders should rely on to ensure proper security during the next year.
Security: To support and enhance robust remote-work environments, what should enterprise cybersecurity leaders (or CISOs), in tandem with other C-suite leaders and IT security teams, prioritize?
Tavakoli: In terms of preventative frameworks, implement Zero Trust and apply the principle of least privilege necessary to perform a role. Once basic prevention capabilities are in place, build a practice around robust detection and response capabilities across endpoint, network, software as a service (SaaS) applications and public cloud — because the bad guys will invariably find a way through the sprawling attack surface that most modern enterprises present and you are only as strong as your weakest link.
Security: It is often said the burden for maintaining cybersecurity cannot rest exclusively on the IT or security departments — employee training is essential to spread and encourage a security-aware culture. What should an updated security awareness training program look like?
Tavakoli: Security awareness comes down to raising the bar on the sophistication of the attack required to con an employee into taking the action hoped for by an adversary. Much of this comes down to employees having a clear sense of what is “normal” and adopting a posture of heightened awareness when something out-of-the-ordinary takes place. The pandemic forced the rapid adoption of many new tools and processes, expanding the average employee’s credulity related to unannounced changes. Part of every employee’s training should be to infuse a culture where it is OK to ask questions when you’re not sure about something and where an extensive knowledgebase of up-to-date information about how things work is always available.
Security: As evidenced by unprecedented cybercrime in the past year, traditional preventative security defenses have lost their effectiveness, requiring organizations to use multiple sources of data for threat detection and response and to use an integrated approach to find and stop cyberattacks. How can enterprise security leaders elevate their security operations center (SOC) visibility to detect threats and protect their organization’s sensitive data and vital operations?
Tavakoli: Start with a list of threat models relevant to your organization. Next, make a clear inventory of your assets (including data stored in SaaS applications and public clouds). Now analyze your threat models in the context of your assets and come up with specific attack scenarios which you can conceptually evaluate or make the subject of a red team exercise. An effective threat detection and response strategy must acknowledge the limits of preventive technology and controls and ask the question “if the attacker got past my first line of defense, how soon would I detect this and how quickly would my team be able to respond?” And modern approaches to this problem must be capable of detecting threats across endpoints, networks, SaaS applications and public clouds — with the ability to correlate and contextualize signals in each of these areas as well as to follow an attacker across them.
Security: Third-party risk is becoming a first-priority challenge, in light of recent cyberattacks. How can CISOs and their security teams map and manage third-party cyber risks, particularly as the third-party vendors they use are also welcoming employees back into their offices?
Tavakoli: The risks that organizations take on whenever they acquire a product — whether it is installed in their environment or consumed in SaaS form — are significant. Third-party applications running on dedicated servers should be constrained in a number of ways: consider whitelisting what software can run on the server and restricting with firewall policies what communication to and from the server is permitted. Vendors who supply software agents which run on many endpoints often require you to whitelist the agent’s files with regard to your AV/EDR software — doing so means that you are implicitly trusting the vendor never to get thoroughly compromised, and should that happen, the impact would be catastrophic. Insist on robust security practices which have been independently audited from all vendors who seek to place software in critical parts of your environment, and particularly from SaaS vendors who are the stewards of your sensitive or mission-critical data.
Security: The most likely scenario to play out for the foreseeable future is a hybrid work environment where employees split time between home and corporate offices. What are best practices cybersecurity and compliance professionals should consider to facilitate this hybrid work environment?
Tavakoli: As far as possible, there should be no distinctions made between how employees access applications when at the office versus when working from home. This is principally the idea behind Zero Trust — the mere fact of being on a network (in this case the office network) does not grant you streamlined access to applications and data. Following this principle also means that end users form a single set of expectations of how systems ought to behave as they are doing their jobs — such an approach tends to minimize mistakes that arise when employees have to switch how they work (and how they expect systems to behave) depending on where they are.
Security: What are cybersecurity risk management frameworks IT leaders should rely on to ensure proper security during the next year, for either a hybrid or remote workplace?
Tavakoli: The National Institute of Standards and Technology (NIST) has since 2014 supplied a Cybersecurity Framework (CSF). NIST CSF has been adopted across organizations in many different industries. NIST also regularly publishes guidelines for new and emerging threats — a draft related to Ransomware Risk Management is one such example.
FAIR is a risk management framework which helps companies quantify security risk in financial terms. FAIR decomposes risk into quantifiable components such as loss frequency and loss magnitude. In the NIST Informative Reference Catalog, you will find a mapping of the FAIR risk management model to NIST CSF, thus combining a mature cybersecurity framework with a more evolved risk management framework.
While neither of these frameworks specifically calls out the hybrid workplace, there is a wealth of material in NIST CSF about supporting a remote and mobile workforce and (unsurprisingly) Zero Trust is called out as a key element for securing such environments.