[BreachExchange] Do You Even Know What Cyber Defense Is?

Destry Winant destry at riskbasedsecurity.com
Thu Jun 22 00:27:04 EDT 2017


http://ww2.cfo.com/accounting-tax/2017/06/even-know-cyber-defense/

The days are long gone when you could simply install some software to
block attacks. If something did get through, you just cleaned it and
moved on or you implemented something to make sure employees didn’t
access the wrong systems. That was information security.

Today’s companies are tasked with something that was formerly the
responsibility of the military and government: defending themselves
from attackers. Today’s adversaries are cunning, determined, and
happier to take down a small target than a large one. Small targets
are less protected and have smaller budgets, and adversaries can use
them as stepping stones to larger targets, moving laterally into those
once the smaller target is compromised. Protecting against these
attacks is the goal of cyber defense.

Although the enemies have changed, many companies are only now
realizing that their defense posture is aimed at preventing malware
and insider attacks, not cyber attacks. The technology they’ve
deployed is a patchwork of solutions from multiple vendors that don’t
work together.

Typically, the corporate defenses against cyberattacks aren’t managed
or monitored by experts. Ultimately, they’re not delivering on the
promise of protection that the vendors of those disparate systems
made. This is in no way how a country, by comparison, would defend
its borders from invading hordes. Further, in an age where we’ve moved
from historical accounting and future valuations to profit and
revenues as the key market determinants, there’s a strong desire to
control spending and reduce overhead.

In the current environment, we’re seeing more complex attacks that
employ sophisticated tactics even against smaller targets. Here’s a
great example: I received a call from our intelligence team informing
me that they had intel that a mid-sized company had been compromised.
The attacker had control of all the company’s systems and was trying
to sell the company’s confidential data on the Silk Road, an online
black market that transacts business on the dark web.

If the company didn’t pay the ransom within 24 hours, the attackers
threatened, they would encrypt the company’s data and demand payment
to decrypt it. Not wanting to give in, the company didn’t pay. No one
in the black market paid for the data in the 24 hours, and the
attacker simply walked away, launching the ransomware campaign. The
ransomware encrypted the customer’s data in its entirety.

The problem was that although the company was equipped with good
security products, it had no cyber defense program. No one had even
considered it. Ultimately, the company suffered greatly and spent
months trying to recover.

WannaCry is another example. In that case, the attackers exploited a
vulnerability in Windows SMBv1 for which Microsoft had already shipped
a patch (MS17-010) two months earlier, yet for a lot of companies it
was still exposed. That is exactly the kind of problem a standard
information security program might let slip by for a time or leave
completely unaddressed. For companies with strong cyber defense
programs, including defenses against attacks like WannaCry, the attack
had no effect.
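The practical check behind that paragraph is whether a Windows host still speaks SMBv1 and listens on TCP/445. The following PowerShell audit is an added example, not code from the article or its author; it assumes Windows 8.1 / Server 2012 R2 or later, an elevated session, and that the relevant exposure is the SMBv1 protocol WannaCry abused (MS17-010). It reports the state rather than a patch list because the MS17-010 KB numbers differ per OS version.

```powershell
# Added example (not part of the original article): audit one host for
# the SMBv1 exposure WannaCry abused. Assumes Windows 8.1 / Server 2012 R2
# or later, run as Administrator. Test-Smb1Exposure only reports;
# Disable-Smb1 applies the fix and supports -WhatIf.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param()

    # Server-side SMBv1 switch (what a remote attacker talks to).
    $serverCfg = Get-SmbServerConfiguration

    # Is the SMB server actually listening on 445? (Null if nothing bound.)
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen `
                    -ErrorAction SilentlyContinue

    # Optional-feature state; the cmdlet name differs between client and
    # server SKUs, so try the client one first and fall back quietly.
    $feature = $null
    try {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                        -ErrorAction Stop).State
    } catch {
        $feature = 'unknown (client cmdlet unavailable; on Server use Get-WindowsFeature FS-SMB1)'
    }

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        Smb1ServerEnabled   = [bool]$serverCfg.EnableSMB1Protocol
        Smb1FeatureState    = $feature
        ListeningOn445      = [bool]$listener
        # The condition the paragraph is about: SMBv1 on, and reachable.
        ExposedLikeWannaCry = ([bool]$serverCfg.EnableSMB1Protocol -and [bool]$listener)
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        # Turns off the SMBv1 dialect on the server side; SMB2/3 keep working.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Usage:
$result = Test-Smb1Exposure
$result | Format-List
if ($result.ExposedLikeWannaCry) {
    Write-Warning "SMBv1 is enabled and port 445 is listening; run Disable-Smb1 (try -WhatIf first)."
}
```

Run the audit first and treat `ExposedLikeWannaCry = True` as the finding; turning SMBv1 off stops the protocol but does not replace applying MS17-010, and a perimeter check (whether 445 is reachable from outside) is a separate test that this host-local script cannot perform.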

Why is it that so many companies were caught off guard? We spoke to a
great many companies that week and almost all of them were baffled and
confused as to exactly what the attackers were doing and how they
might have protected themselves.

Although I know of many organizations that are striving to keep up
with such threats, there are too many who don’t understand that cyber
defense is not the same as a security program. The problem extends not
only to C-level executives who aren’t responsible for security but
even to those who are.

What was formerly a good security program isn’t designed to provide
the type of protection required to foil sophisticated attackers.
Companies need a more global view of attackers’ tools, tactics, and
procedures regardless of their size. There is no way to hire the
skill sets and team sizes needed to keep up with all the different
attack groups and government-sponsored adversaries.

Cyber defense really requires a change in mindset. Leaders need to
truly accept that they are under attack. This means understanding that
there is a plethora of reasons they might be a target.

But acting as if no one cares about their company or their executives
is naïve. Accepting this will change the measurement used to calculate
financial risk models.

A lot of the problem is that most non-IT C-level executives don’t have
the time to properly educate themselves on cyber defense. Financial
trade organizations should focus more on informing CFOs and their peers
about cybersecurity. For their part, CFOs should make time for
top-tier vendors to present to them just as they present to their
CTOs.

If we don’t do more to educate non-security C-level executives, the
chances of making real headway in corporate cyber defense are limited.
We need to get the message through to the executive suite and the
boardroom that company-wide cyber defense is more important than mere
information security.


More information about the BreachExchange mailing list