October 24, 2020

Rick McElroy: Infosec Teams Must Act and Think Differently to Combat Adversaries

Written by Rick McElroy, Cyber Security Strategist, VMware Carbon Black 

The growth in widespread, sophisticated attacks

I have been following, with interest, the attacks on the Australian Government which have led to quite a bit of publicity and debate around who the culprits are behind the cyberattacks. Australian Prime Minister, Scott Morrison, confirmed the attacks were widespread across “all levels of government” including in essential services and businesses. In July, he announced that $1.35 billion in existing defence funding would be spent over the next decade to boost the cybersecurity capabilities of the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). Additionally, the Federal Government wants to create more than 500 new jobs in its highly secretive cyber intelligence agency as part of what its calling Australia’s largest-ever investment in cybersecurity. Organisations and governments are under incredible pressure during the outbreak of COVID-19, and many nation-state actors have seen this as a perfect crisis to exploit.

 

Why Intrinsic Security is so important

But even before COVID-19 hit us, there was no doubt that attacks are becoming increasingly sophisticated. Our own research, through our Global Threat Report series, informed us that the number of cyberattacks, breaches and the sophistication of attacks are higher than ever. Today, increasingly elegant attack platforms and techniques are being shared amongst the criminal community and the infosec industry is not responding fast enough. Part of the problem is that too many products and agents deployed across an organisation make security management complex. Security does not need another new product, it needs an innovative approach, one that combines visibility into apps, networks, users and devices with advanced threat detection and response to deliver a unique intrinsic security approach.

What we are also seeing as a result of COVID-19, is that users are having to defend themselves at home and actions taken to ensure business continuity and resiliency only increase the attack surface. So how do we retrofit security onto that? The simple answer is that we cannot – it needs to be built-in… and back to my earlier point – it needs to be intrinsic.

Earlier in the year we attended the RSA Conference and unveiled our vision for intrinsic security, a safer, more effective security built into the fabric of the various infrastructure control points that are vulnerable to attack (endpoint, identity, network, cloud, workload and so on.)  Here at VMware Carbon Black, we believe that by building security intrinsically into the fabric of the enterprise – across applications, clouds, and devices – teams can significantly reduce the attack surface, gain greater visibility into threats, and understand where security vulnerabilities exist.

But in parallel to this, security teams must also work in tandem with the business to shift the balance of power from attackers to defenders. They must collaborate with IT teams and work to remove the complexity that is weighing down the current model and way that they do things.

 

The importance of testing 

So why has the industry not addressed this problem until now?

Again, we can make further parallels with COVID-19. We did not know how big the problem was because we were not testing enough, but now we can see all the breaches in our systems that already exist. We did not have the right data to measure, meaning much was being missed. We had some anecdotal evidence but with better visibility, better testing, and an intrinsic approach this has revealed that our historic take on infosec was incorrect. And this lack of data has also given us a false sense of security. As an industry we rush to build technology platforms, and then we rush to launch them, and we do not rigorously test them, only to find these technologies are fundamentally insecure and flawed and this needs to change.

Likewise, in tandem to this change in approach to how we build technology, infosec teams need to think and act differently. They need to be more proactively hunting down threats, pre-empting the adversary’s next move. For example, let us look at what we can learn from how a Secret Service agent investigates financial crime and/or protects dignitaries and how we can apply this to cyber. As I mentioned, infosec teams must anticipate threats and they must follow the data, just like they follow the individual. Secret Service agents are trained to think differently and to think like the enemy. They must at once react to a threat because they assume there is more to a threat than that one individual.

So how do we apply that theory to incident response and infosec teams and the modernisation of incident response? Over the last few years, it has become clear that our enemies are emboldened and becoming more aggressive. We must shift thinking and tactics to begin to turn the tide. And I believe it is fundamental that cybersecurity professionals take a page from the annals of a secret service or military agent to better understand how to combat threats. Defenders need to modernise their cybersecurity strategies and their approach to security technology to stay one step ahead of adversaries.