As we turn the page on another year, I’ve frequently found myself harking back to my first experience with what we now call “Ransomware”.
Let me take you back to 2010, yes, 12 years ago, when a small healthcare org I was contracting with got hit. While some of the details escape me, I believe the exe locking the files was found in a “Temp” folder in the user’s “AppData” directory; the thing was executed on startup and then replicated itself all over the place. Cleaning it out was a pain. I likely touched 30 computers that day: disconnecting, patching, manually cleaning, installing antivirus, recovering files, rescanning, and reconnecting. It was brutal, but at least it was contained to the endpoints. Of course, we got them a new firewall and configured some protections there as well as the new antivirus. That should take care of it. Take two aspirin and call me in the morning.
Nope. The very next week, maybe two weeks after, they got hit again. This time it was a rootkit, also my first one of those.
That said, looking back over the past 12 years it seems like we’ve been watching the same rerun over and over. We hear about these incidents through word of mouth, the news, and our own experiences: an organization gets hit, does the bare minimum to get through, gets hit again, does some more, but never gets past a reactive security posture to a proactive security strategy.
I have to say 2021 was brutal. Even the government is starting to notice and take action with President Joe Biden’s whole-of-government approach. The newly revised (Nov 2021) CMMC 2.0 looks like a super fun exercise for anyone doing any business with a federal/governmental agency. If you haven’t checked it out yet and it applies to you, I’d jump on that.
How do we change the story?
I have a question for you: Who oversees, tactically and day to day, mitigating your security risk?
- Who watches the alerts from your security tools?
- Who analyzes logs to be sure insider threats aren’t leaking your sensitive data?
- Who is writing and enforcing security policies?
If the person you thought of is someone whose primary job is to do something else, i.e., a CIO, Director of IT, Systems Engineer, Network Admin, etc., then, my friends, I worry that the real answer is “Nobody”.
The reason I say this, in broad terms, is that when a person has a primary function and a secondary function, when it comes down to it they will almost always put their effort toward the primary function. If there’s ever a decision point between the two, the primary function wins. The secondary function gets attention when they have “spare time”, and how many organizations staff IT folks to have spare time? The roles above are technology operations roles. Their jobs fundamentally are to keep the business technology working. Security, quite frankly, involves a lot of extra effort to operate securely, and that effort hinders the business from working by vastly extending the time it takes to make any progress.
Let me give you a hypothetical:
I read the Windows 10 CIS hardening guide last year (plug: they have one for virtually every OS, please check them out), and I realized that, had I followed this several-hundred-page guide when deploying a new OS over the years, 98/7/10 (no, I didn’t do 8), I’d have likely avoided the spread of any malware in my environment. It’s really that comprehensive.
The challenge here is having enough staff hours to properly do it. I almost always hear a variant on this narrative wherever I go: we have x staff to xxx number of employees, but our IT staff is a bunch of rockstars, and even though they wear multiple hats they get it done every time. This is not completely untrue, as they do “get it done” from a business ops perspective, but that is only half the job, and it’s likely resulting in some security technical debt.
Let’s continue our hypothetical story about a hardened OS rollout. The base configuration is relatively easy: we can go through the CIS guide and make the hardened starting point in under a week. That said, this starting point isn’t going to be functional in your environment. It is going to be so locked down that even the most elementary function, such as logging into the PC with Active Directory credentials, is not going to work. The process of getting from this point to a hardened operating system that works for your staff properly is time-consuming, not just in IT time but in your end-user staff’s time. Essentially you need a tester for every role and department in the company to engage with the technical staff to test each and every application and assure it functions. This will take several weeks, as even small organizations are using 2000+ applications these days thanks to SaaS and Shadow IT. Each of these applications would have to be validated and verified by the team members that use them. Where the apps don’t function, the cause would need to be investigated by the IT staff, a change made, and then the app retested. The time and effort it would take to appropriately implement a hardened Windows OS would be hundreds if not thousands of hours once you get all the UAT done, depending on company size. It’s simply easier to deploy it non-hardened and functional, slap some endpoint protection software on it, and “get it done”.
So, how do we change the story? This is a hard question to answer, as it’s such a multifaceted problem.
- In some places, it’s a staff and scale problem. There’s an inherent mismatch between the size of our typical organizations, the disciplines they need, and the point at which technology professionals scale. Or to put a finer point on it, outside very large organizations it’s hard to get all the disciplines you need in-house.
- In other places, technology is still seen as a cost center versus a business enabler and Cybersecurity is just a branch of the same cost center.
- Yet others see the value of technology, but they’ve relegated any hope of actual security to a pipe dream. They look at the litany of breaches and see it as a cost of doing business.
Then there’s the state of cybersecurity today. Some statistics indicate cybercrime increased six-fold in 2021. Ransomware spiked as a percentage of all IRs in 2021. Vulnerabilities as an entry point almost doubled in 2021. All of this is unsurprising given the fast pivot to remote work our “rockstars” accomplished. How many of those pivots were done with a security mindset? I won’t argue that these had to happen. Business operations must happen, and when all employees get sent home it’s a whole new disaster response scenario. But we collectively need to realize the cybersecurity technical debt we all took on to make that happen and write the check for that bill, or the 2022 stats are going to make 2021 look like child’s play.
What does all this mean?
Hopefully, it means we’re going to start seeing security budgets increase.
What I’d like to see is Gross Annual Revenue divided by fifty-two. That’s one week of revenue for annual security spending. Statistically, at your current security spend you are seeing a three-to-four-week incident on average, every two years. So, theoretically, this would be a reinvestment of half that loss into avoiding the security incidents. Obviously, you should do your own math and balance your future losses against your current spend, but my thinking is that with essentially 2% of revenue an organization should be able to make a positive impact on its overall cybersecurity posture.
Where do we spend it?
- Let’s go back to the question: who is in charge of, tactically and day to day, mitigating your security risk? Make this answer somebody. A CISO is expensive, but there are options for vCISO roles from IVOXY, or if you have the talent, repurpose someone with an interest in cybersecurity internally. Remember that this must be their primary job, and realize you’re not always going to like what they have to say.
- Invest in educating your team.
  - It’s 2022, and every cent you make likely passes through an information system before you can count it as revenue. As such, every employee has a baseline responsibility to be aware of basic cybersecurity. Turn your staff at large into your primary firewall. Teach them to look out for scams, spear phishing, proper data handling, the different types of attacks, etc. There are solutions out there, such as KnowBe4, as well as managed Cyber Security Awareness programs for those without the bandwidth to take on even one more operational task.
  - Invest in your technology professionals. Since you hired your technology staff, things have changed. I don’t care if they were onboarded last month. This industry moves so fast, and the adoption of cloud is accelerating that even further, so establish a program to keep them getting education, certifications, or whatever is applicable to your business needs.
- The endpoint hardening project I mentioned takes many hours of prep and User Acceptance Testing. Windows 11 is out now, and you’re going to be upgrading to it one of these days, so budget and plan to do that rollout properly. The benefit of this investment is two-fold:
  - First, to lower the total investment, you’re also going to crack down heavily on your Shadow IT, which is a win in my book.
  - Second, once you do this properly and document all the apps, ports, and exceptions, you have a great starting point for your organization’s hardened image when the next iterations come. It’s also going to force you to keep that documentation updated as new applications come up over the next few years.
- A Security Operations Center. Gathering logs and watching your environment 24×7 is crucial to catching bad actors. Additionally, gaps in logging prevent forensic analysis from determining a bad actor’s entry point, and thus eliminate any ability to be sure you’ve removed them in an Incident Response situation. Of course, a basic in-house SOC will run you $1-2m annually for staff and a SIEM, so if that’s not going to fit in your annual spend, there are great solutions on the market that are essentially SOCaaS. IVOXY has partnered with Arctic Wolf, and we really like what they are doing for our customers: a concierge-based, customer-centric solution that doesn’t force a rip and replace of their existing security investments.
- Take a look at your Continuous Vulnerability Management program. There are over 1,000 new vulnerabilities a month and their profile is on the rise; about 10% of security incidents in 2021 started with vulnerabilities. Having a managed solution or internal tool to continually scan your environment, risk-rate the gaps (vulnerabilities, patching, 3rd party software updates), and then effect those remediations continuously is a great place to start.
- VPNs are the new norm, again. While I advocate moving toward Zero Trust, many organizations in response to the pandemic have reverted to ye olde standby, the trusty VPN. There is nothing inherently wrong with the VPN unless your identity game isn’t super strong and you fail to monitor the situation. For a bad actor, a VPN is a glorious method to obtain access to an internal network, and if your organization has had to open up controls for this, i.e., allowing it from pretty much anywhere, this has opened a new vector. Obviously, VPNs need to be secured with MFA or, even better, a trusted-device conditional access policy, so taking a look at this could benefit a lot of organizations today.
- Another thing to look at seriously is your 3rd party risk. I firmly believe this is going to be a continued vector now that the first few warning shots have come over the bow with the SolarWinds problems of Dec 2020 and Kaseya in July 2021. The cool part about this is you can ask your legal and compliance officer to do part of this for you. Have your legal team review all 3rd party contracts that may touch your data or systems, checking for appropriate security controls in the agreements. Then you can do an internal review and adapt your process for updating critical infrastructure and software. Obviously, there’s a speed element to patching and updating, but assuring these sources are trusted is critical as well, so this is a risk that must be balanced.
- Finally, if you truly don’t know where to start, have a trusted 3rd party do an assessment of your environment. Many organizations don’t have a CISO-type role due to their size and the aforementioned staff scaling problem. To be clear, I’m not talking about a product-based assessment. There is a proliferation of these product-based security assessments being hawked for “free” or “semi-funded”, and they are virtually all geared to poke holes in tools and sell you a magic product that will solve all your ills. What I am suggesting is a paid, holistic evaluation of where you are and what you should do next. At IVOXY we have a Security Roadmap Assessment which scores your environment against the CIS and NIST frameworks based on real-world threat analytics and produces a roadmap for your next 3-5 security-oriented projects based on the data. This gives you at least a year of projects, or multiple years depending on risk appetite, with statistically relevant risk reduction figures for you to make business decisions from.