Where we used to think that it was possible to protect corporate networks and systems and prevent them from being compromised, we are now seeing a level of persistence, organisation and skill that makes these break-ins inevitable. Organisations are better off assuming they are already breached, a mindset that allows us to get beyond yesterday's prevention paradigm and implement a much more effective approach to cyber-defense, one that is largely based on response.
But where do we start? How about with the question: what is worth stealing or disrupting? What are your crown jewels, your prized possessions and critical processes? This is often where the confusion starts. Although at first glance similar, there is a fundamental difference between “what are you looking to protect?” and “what are you looking to defend?”. The former looks at your valuable data, such as intellectual property and critical business processes, whereas the latter is really about your attack surface or infrastructure. I say let’s worry about what attackers may be after first and then think about how best to safeguard it.
Many organisations are still transforming from a perimeter-focused approach and are in the process of adding more security layers, embedded throughout vital parts of the business architecture. The problem with the disappearing perimeter, however, is that if you try to protect everything with the same level of security you will eventually fail, not least because it will break your budget. Equally, if your strategy is still based on a pure protection approach, this will also lead to failure. The more successful strategies I have seen are based on at least sixty percent response as opposed to protection. The first question asked on this subject is whether a predominantly response-based security approach will not simply allow attackers to always claim success. Not necessarily. Implement prevention technology and processes where they make sense, and response-oriented controls across the board, starting with continuous monitoring.
The key is to focus on your valuables, the stuff that really matters. This is where data classification usually comes in: managing the sensitivity of information and giving it labels such as classified or even top secret. The issue here is often over-classification. When in doubt, label it classified, just to be sure. That is what many people will do, not realising that this dilutes the process and makes the classification meaningless. Simple data classification is not good enough in today’s world, and more rigorous steps are required to ensure that the organisation understands what is truly critical to protect in order to run the business successfully.
Once you know the answer to that question, you will naturally need to provide an appropriate security architecture and organisation to address the risk of a breach of these valuables, and an appropriate level of security for the rest. Much of this will be based on a more modern response framework and not just on protection. This will include continuous monitoring, threat intelligence, incident analysis and response, and hopefully an incident response team organised in a Security Operations Center. We have seen new methods of incident response, such as hunt teams that take a proactive approach as opposed to only following up on security events and incidents. This goes a long way towards further complicating an attack, which is absolutely critical to stopping it. By complicating the attack, your incident response team gains the valuable time it needs to stop the attack in its tracks before it succeeds in exfiltrating your data or disrupting your business process.
Such a modern approach to cyber defense, in what can be classed as an asymmetric battle, needs to start with the assumption that your organisation is breached. It will make the subsequent security transformation a lot more successful.