Cyber security is no longer buried in the tech section of newspapers and websites – it’s front-page news. It’s a topic in the US primaries. It’s connected with national power outages. Cyber security now cuts across all major industries, countries, and social spaces.
This expansive reach makes cyber security an overwhelming concept for many companies. It concerns both the inner workings of IT departments and companies’ customers. When corporations promising customers confidentiality and privacy are hacked, it becomes painfully clear that cyber security is not just about computers. Ashley Madison (and their customers) learned this lesson the hard way.
And politicians are learning too.
Because of the increasing number of data breaches, and the increasing amount of attention being paid to them, governments around the globe are tightening compliance requirements (even if some of their ideas, such as the demand for encryption backdoors, are not being completely thought through). Companies are going to assume more responsibility for these cyber security concerns than ever before. They’re also going to be held accountable when they fail to live up to these responsibilities.
You’re right if you’re thinking that cyber security sounds like a loaded term. And asking what’s giving it such weight is a good question. If cyber security describes an operational field for businesses, how should it be approached? And how does cyber security differ from traditional IT security?
Should you Start from Scratch?
Some people see cyber security as a fundamental shift in how companies protect themselves, and jump to the conclusion that traditional IT security concepts need to be thrown away. Just recently, the security industry saw headlines announcing the “death of anti-virus.”
But this isn’t the first time anti-virus (AV) has been prematurely put in the obituaries. And just like vinyl persists as a medium for great music, AV remains an important part of any comprehensive security strategy.
Threats and Security Evolve, so AV is no Longer just Signatures
Security measures developed 20 years ago probably won’t be enough to protect organizations in today’s threat landscape. But threats don’t change overnight. They evolve over years. And so do security solutions. New protection capabilities added to traditional signature-based AV scanning have created integrated protection stacks with multiple components.
Within that stack, AV scanning is still effective. And compared to sophisticated heuristic analysis, it’s a more resource friendly method of detecting malware. Why waste CPU bandwidth on samples that can be detected with easier methods? That’s why real security experts see the claim that AV is dead as “misguided hyperbole”.
In 2008, F-Secure first complemented their traditional anti-virus technology with DeepGuard, an advanced heuristic engine that was able to detect zero-day attacks. F-Secure’s Object Reputation Service Platform (ORSP) – today an essential component of F-Secure Security Cloud – was first included with F-Secure products in 2009, and reduced the time to protection against newly discovered threats from hours to minutes. Meanwhile, traditional signature-based AV scanning allows us to optimize the CPU consumption. Classifying a sample by signature costs about 10 milliseconds of CPU time. Using heavy analysis can take up to 5 minutes.
Jarno Niemelä – Senior Researcher – F-Secure Labs
But a Paradigm Shift is Happening
Even though technology has progressed, the way companies need to handle security today is fundamentally different from the approach they took 5 years ago. And there are many reasons for this. But two trends in particular are driving the new conception of cyber security for businesses.
First, the increasing digitalization of processes and businesses is happening at an unprecedented pace. So a cyber security incident isn’t just something that causes extra hours in a company’s IT department. Today, IT often powers business engines along the whole value chain, and a single incident can bring operations to a grinding halt, and even threaten the existence of a company.
Secondly, the threats are growing, both in number and sophistication. 2014 was the 8th year in a row that the amount of detected malware doubled, resulting in an average of 81 attacks per minute. The amount of malware is expected to have doubled again in 2015. At the same time, recent years have seen malware reach a new level of sophistication. One reason for this is the emergence of nation states as cyber attackers. They put tremendous resources into finding and exploiting weaknesses in the cyber defenses of both individuals and corporations. The development of the Duqu 2.0 malware that was used to compromise a security vendor (in addition to other targets) is estimated to have cost up to 10 million dollars. And because criminals often repurpose exploits from nation-state attacks, businesses need to consider how this trend increases the overall sophistication of online threats. (On a related note, governments’ attempts to weaken security mechanisms such as encryption in favor of their surveillance efforts make things even worse.)
Considering that cyber incidents are costly, and that the threats are more numerous and sophisticated than ever before, it’s clear that cyber security needs more attention than annually renewing an endpoint security solution. Cyber security needs to be on the board’s agenda.
Cyber Security and the 360° approach to security
At F-Secure, we’ve adopted a view of cyber security that builds on concepts used in Gartner’s Adaptive Security Architecture. In a nutshell, our conception centers around the notion that if your business depends on information technology and could be crippled by a security incident, you should consider cyber security as a question of risk management, and worth the attention of your management team. This makes cyber security as much a process as a technical issue. Leaning on Gartner’s framework, we see this as a 360° approach to security with a process of 4 steps, each of which can and should be supported by technology.
1. PREDICT: Know your risks, understand your attack surface, uncover weak spots
In order to take the right security measures, you need to understand where to direct your attention. A good start is to assess who the potential adversaries are (cyber criminals, competitors, hacktivists, terrorists etc.), and what damages a security compromise can cause – a risk analysis if you will.
Getting a full view of the attack surface is an integral part of this, but it’s not easy. Many companies don’t even know their digital footprint, leaving them unaware of potential entry points for attackers and threats. Plus, the IT systems in many companies have grown organically, resulting in intertwined systems, outsourced infrastructure, and 3rd parties that are digitally connected and integrated with business processes.
Keeping all of this under rigid control is virtually impossible. And while there are technical solutions that provide the visibility you need, just mapping your digital footprint isn’t enough. You need to scan it for vulnerabilities to find its weak spots. This will yield actionable insights that fuel the next step in your cyber security process.
2. PREVENT: Minimize attack surface, prevent incidents
Learning about the risks and weak spots will help you take all available measures to reduce the attack surface. There are many things you can do, but you need to consider the constraints you’ll be working within – budget and resources being the most common. System hardening, firewall configuration, and the targeted elimination of vulnerabilities (in both third-party software and your own) are common ways to reduce your weak spots. This phase of the process is where the established endpoint security solutions come into play. These solutions prevent would-be victims from ever getting in contact with malware. Even if an exploit does reach the target’s environment, they filter out most of the millions of malicious pieces of software. These layers of protection are provided through modern approaches, such as reputation analysis, and control mechanisms such as application or web access controls. Traditional AV scanning also plays an important role here.
Automatic patch management further reduces your exposure, and ensures that newly discovered vulnerabilities are patched in a timely manner, drastically reducing the time window for successful attacks. Another (often neglected) prevention measure is the improvement of the security culture in your company. After all, the human being is typically the weakest link in a security strategy, and recent studies confirm that this weak link is the most commonly cited culprit of cyber incidents.
3. DETECT: Recognize incidents and threats, isolate and contain them
The previously mentioned Duqu 2.0 malware utilized 3 previously unknown weaknesses – so-called zero-day vulnerabilities. It also featured sophisticated evasion techniques that made it virtually impossible for established security solutions to catch. With such super malware in circulation and thousands of new attack methods emerging every day, you have to work under the assumption that sooner or later, something or someone will get through your defenses. The worst-case scenario is that you are under attack and you don’t know it. The longer you’re compromised, the bigger the damage the incident can cause, as attackers will have more time to move laterally in your environment and steal data. Today’s reality is that it takes companies months (not days) to detect a breach once it has occurred.
To reduce this so-called dwell time, you need to put solutions and processes in place that allow you to spot new threats in progress. This requires a variety of things, including making sure your endpoint protection doesn’t just work in the traditional “antidote” manner (matching against signatures), but also features heuristic detections that block and isolate suspicious behavior in your endpoints. You’ll also want a monitoring solution that alerts you when something potentially harmful is happening in your environment. And in addition to introducing such technological components, you need to develop a routine in your teams of constant monitoring and security state assessments. Only then do you have the best chance to react swiftly to incidents, which leads us to the last step in the process.
4. RESPOND: React to breaches, mitigate the damage, analyze and learn
As prominent cases such as the Sony hack have shown, companies are often unprepared to deal with cyber security incidents. If you look at cyber security as a risk management issue, you should make sure there is a business continuity plan in place in case of such an incident. Many incidents are something that companies cannot handle with their in-house resources. So make sure that you have expert partners lined up that can help when disaster strikes. Time is of the essence, and after the detection of a breach, there often remains bitter doubt as to how deep the intrusion reached and whether all traces of the breach have been removed. You will need to use IT forensic expertise and tools to get on top of this to restore confidence in your systems. And even after a full recovery, it will be important for you to understand every detail of what happened. This completes the circle, as it helps you uncover new weak spots, which in turn helps you fortify your defenses and improve your security posture.
Protection is never 100%. But preparedness is everything. So step up your security to reduce your risk, and always work under the premise that you will eventually get owned. Following this approach will help ensure that when disaster strikes, you can manage it professionally.
There are 2 types of companies: those that have been breached and those who do not know it yet.
Jens Thonke, Executive VP Cyber Security Services, F-Secure