Time to Move from Cybersecurity Defense to Detection
Imagine coming home one night and seeing your front door cracked open and the lock damaged. Inside, your belongings are all over the floor, furniture is moved, your TV and computer are gone, your jewelry box is on the floor, empty. You are overwhelmed with emotions — fear, panic and anger. But through that, one thing is clear: Your home has been broken into, and your valuables are missing.
Now imagine you go to work. The doors are fine. Your computer looks fine, your files are all there and your software is working. All of a sudden your CEO comes out and says, “I received an email saying our data has been stolen, and unless we pay the attacker a large sum of money, they will release it to the public.”
How could this happen? The data is right there. The IT team is always patching stuff; they even made you install some new annoying software. How can the data be stolen? But it is true. The data was copied, and now your business is faced with a choice that security people have nightmares about. Do you pay to prevent the data leak, or do you refuse and hope whatever they stole just isn’t that bad? But what will your customers think when they find out?
Cybersecurity has continued to evolve over the decade, and, while defending against attackers is still the main priority, there is an undeniable need for a new mindset that calls for “zero trust” and to “assume compromise.”
Despite billions of dollars spent on defense, attackers simply have more time than defenders, and incredibly large incentives to defeat whatever defenses are in their way. If they run into a target that makes it too difficult, they just move a few IP addresses down the range and try to compromise another business.
We have to come to terms with the idea that a breach will happen — it is nearly inevitable.
Everyone gets breached. The only variables now are how long until you notice it. According to IBM, on average it takes more than 200 days for most companies to realize a breach occurred and what exactly the bad guys got.
This mindset shift requires businesses to view their cybersecurity programs through a newer lens. Antivirus software has evolved into EDR (endpoint detection and response) tools, helping close the gap between simply stopping an attack, but also notifying defenders if things just seem a little off. SIEM (security information and event monitoring) solutions exist to centralize and collect logs from the ever-growing list of defensive tools.
Firewalls can now block connections based on where in the world they are coming from or going to. Specially trained analysts exist to review these systems for the digital version of a broken lock or glass on the floor or the digital footprints that indicate where on the network an attacker might have been and, more important, whether they left with copies of anything.
The shift from not only preventing breaches, but also doing everything they can to detect, understand and recover from breaches continues to challenge organizations. Many of them are just getting their arms around the prevention steps — and some aren’t even there yet. But this shift is necessary for the survival of businesses, big and small.
Simon Sinek talks about the idea of an “infinite game,” and that is precisely what “blue teamers” (cyber defenders) are in. Attackers get to play a finite game. Even mediocre attackers can hear about a new bug in a piece of software, scan the internet to find which company isn’t on the ball or hasn’t had a chance to patch it yet, and make their move. If it doesn’t work, they can try again that night or the next day. Your defenders don’t have that luxury. They don’t know when that attack will come or how it will come. And if they miss anything, you can be sure the attacker will find it, because the attacker just has to look for a weakness; they don’t have to worry about all the stuff the defender did right.
Your company exists to achieve your mission — maybe you build buildings, heal sick people, help business file their taxes or keep people’s money safe. But to do those things safely in 2023, you now need to ask yourself, If a bad guy breaks in, how will I know?
———
Jordan Silva serves as senior manager of security and cloud services at Hawaiian Telcom. Reach him at Jordan.Silva@hawaiiantel.com.
© Honolulu Star-Advertiser
Visit this article in the Star-Advertiser.
