It’s the end of Gartner’s Security Summit here in Sydney, and it has been great to meet fellow analysts, Gartner clients, and event sponsors. One of the conference themes was the evolution of the CISO role from cyber security Defender to Facilitator, and how strategy must encompass not only controls to protect the enterprise and detect when an attack is in progress, but also response and recovery – how to deal with an attack which gets past defences, and then get the enterprise back to business-as-usual operation.
It’s no surprise that right now there are a lot of cyberattacks, and a lot of data breaches subsequent to that as attackers seek to exploit, exfiltrate, and monetise information gained during an attack. Right now, there are more identities for sale, more vulnerabilities being found, and more board-level executives concerned about cybersecurity.
Attacks get smarter, defenders must become more agile
Attacks are becoming increasingly complex, using techniques such as ROP chains, sophisticated data-driven exploits, and of course social engineering. The challenge of determining how the breach occurred increasingly looks like an exercise in divination, trying to unearth arcane entry methods. It is becoming increasingly challenging to prevent these attacks on a complex and distributed IT architecture, and the CISO’s mandate is not to “defend against all comers”, but more importantly to keep the business moving despite cyberattacks, insider fraud, and even hostile acts by competitors.
In the press, we see quotes from breached companies such as “We found no evidence that sensitive customer data had been copied”, and this ambiguous statement can mean not only that the damage from a cyberattack is limited, but also that the forensic investigation failed to reveal a complete attack timeline.
CISOs are becoming the digital paramedic, not (only) the digital firefighter
Nevertheless, CISOs are charged with the responsibility of ensuring that attack risk falls within the enterprise risk tolerance, and that the impact can be absorbed without disruption to critical business services. Lessons are being learned from business continuity, and even from fraud management, and the question is increasingly no longer “Can we keep the infrastructure secure?”, but “How can we ensure that we stay in operation in the face of determined and resourced attackers?”.
Data masking techniques reduce the risk of key data being stolen by attackers, and the increasing use of specialist security service providers allows the CISO to make use of best-practice capabilities which may be difficult to retain internally. Evolving technologies such as User/Entity Behavioural Analytics provide insight and early warning of nefarious activity. Analysis of insider attacks reveals common motivators and stressors, including low corporate morale, poor management styles, and personal stressors.
We can expect Arcane to become the New Normal for attacks – so we need to ensure that we have robust defences, vigilant detection, and agile response capabilities.