[BreachExchange] Shifting (cyber)world order

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 1 18:57:20 EDT 2017


Today's wars aren't fought with just tanks and planes, but with ones and
zeros. We've heard this reference used to describe cyberwarfare in the
military but it's more relevant than ever in the commercial space where
threat actors (of many forms) use increasingly sophisticated techniques to
cause irreparable harm to corporate entities. Our hyper-connected world is
an unforgiving place for organizations that cannot quickly identify and
mitigate compromises across their extended corporate networks, which often
include public cloud infrastructure, BYOD devices and other less controlled

The way we think about cyberwarfare materialized around 2011. That year,
the White House published The International Strategy for Cyberspace, which
reserved the right to use any means necessary, including military strikes,
to defend against threats originating from cyberspace. It not only
addressed seemingly routine nation-state attacks, but also spoke to
emerging threats that could, one day, attempt to destabilize the functions
of our critical infrastructure. That day has since arrived: cybercriminals
now impact our society in ways we could never have imagined.

Attacks on organizations in energy, health care, manufacturing, financial
services and transportation are becoming ever more prevalent. Hospitals are
the victims of 88 percent of all ransomware attacks due to their wealth of
patient data and records. Criminals access the networks of global banks
through smaller, less-defended banks. And the Department of Homeland
Security found close to 900 security flaws within U.S. energy companies. So
it isn't hard to imagine an attack similar to the one in Ukraine in 2015,
which cut power to 230,000 people in the middle of winter. The right type
of attack can unravel infrastructure systems at an alarming velocity,
before government and industry leaders have a chance to react.

Borrowing from Sun Tzu's Art of War, “If you know the enemy and know
yourself, you need not fear the result of a hundred battles.” Declarations
of a state of war are atypical in cyberwarfare, and targets, attackers and
intentions are not well delineated, just as in current-day warfare.
Visibility is paramount in ensuring the military's ability to protect
critical data: its approach to cybersecurity is one that strives to know
itself (and the enemy) through clarity into what people are doing, and
where and why they are doing it.

The military is so adamant about understanding behavior and intent that
they've prioritized an active defense with monitoring capabilities, threat
intelligence and incident management that can identify when an attack is
taking place and set auto-response mechanisms in motion when a breach

So how do we translate this approach for companies in the commercial space,
which store data using public and private cloud services and enable
employees to work from anywhere in the world? With no real security
perimeter to defend, how do we protect critical data and IP? We move from a
technology-centric view of cybersecurity to one that focuses on the points
at which people – employees, partners, contractors and threat actors
posing as such – interact with critical business data and intellectual
property: the human points of interaction with information technology,
where businesses see critical data as most valuable but also most
vulnerable. Why is this so important? It's simple: that human point of
interaction with IP is where even the most comprehensively designed
cybersecurity system can be undermined in a single malicious or
unintentional act.

We need a paradigm shift away from strategies that seek to apply more
layers of technology in the hopes of eliminating security gaps.

Determining a baseline for what “normal” looks like can help us identify
abnormal or risky behavior that leads to data loss. By viewing behavior in
this way, we gain insight into where a user's actions sit on the spectrum
of cyber intent – ranging from accidental to compromised to malicious – and
can make informed decisions that mitigate risk. This people-centric
approach can tell us whether a data breach at a nuclear plant was caused by
a mistake (as the majority of today's cyber incidents are), or it can help
expose an employee who is the target of social engineering. In a worst-case
scenario, this approach will warn us about a disgruntled employee who for
weeks has planned to leave the organization and is attempting to take
company secrets to a competitor. Mistakes can be remedied through policy,
but if someone is being compromised or acting maliciously, we need to know.
And not in that very moment, but before it even happens. Given the
consequences of this new technology world order, understanding intent
cannot be optional – it is the new battleground of cyber.
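The baselining the paragraph above describes, as an added example that is not part of the original post: the script below learns each user's "normal" from a history window over constructed activity records (daily bytes moved off the managed network, destinations used, hours active) and scores later days against it, reporting which signals fired. The records, the fourteen-day window, the robust z-score threshold, the hour slack and the three-tier triage heuristic are all assumptions made for this example, not anything the article specifies.

```python
"""Behavioural baselining over constructed activity records (added example).
All records, thresholds and the triage heuristic below are assumptions."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Set, Tuple

BASELINE_DAYS = 14            # history window used to learn "normal" (assumed)
MAD_FLOOR_BYTES = 1_000_000   # minimum spread so perfectly regular users still score
Z_THRESHOLD = 5.0             # robust z-score above which volume is anomalous (assumed)
HOUR_SLACK = 2                # hours outside the usual window that are tolerated (assumed)


class Event(NamedTuple):
    user: str
    day: int        # day index; 0 is the earliest day in the data
    hour: int       # hour of day, 0-23
    bytes_out: int  # bytes copied or uploaded off the managed network
    dest: str       # destination label, e.g. "corp-share", "usb", "personal-cloud"


class DaySummary(NamedTuple):
    bytes_out: int
    dests: Set[str]
    hours: Set[int]


class Baseline(NamedTuple):
    median_bytes: float
    mad_bytes: float   # median absolute deviation of daily volume, floored
    dests: Set[str]
    hours: Set[int]


# Constructed sample telemetry (not real data).
EVENTS: List[Event] = (
    # alice: steady daytime use of the corporate share, still steady on day 14
    [Event("alice", d, 10, 40_000_000 + d * 1_000_000, "corp-share") for d in range(14)]
    + [Event("alice", 14, 10, 54_000_000, "corp-share")]
    # bob: identical every day, then a very large late-night copy to USB
    + [Event("bob", d, 14, 20_000_000, "corp-share") for d in range(14)]
    + [Event("bob", 14, 23, 2_000_000_000, "usb")]
    # carol: normal volume and hour, but to a destination never seen before
    + [Event("carol", d, 9, 10_000_000, "corp-share") for d in range(14)]
    + [Event("carol", 14, 9, 12_000_000, "personal-cloud")]
)


def summarise_days(events: List[Event]) -> Dict[Tuple[str, int], DaySummary]:
    """Collapse events into one summary per (user, day)."""
    totals: Dict[Tuple[str, int], int] = defaultdict(int)
    dests: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    hours: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for e in events:
        key = (e.user, e.day)
        totals[key] += e.bytes_out
        dests[key].add(e.dest)
        hours[key].add(e.hour)
    return {k: DaySummary(totals[k], dests[k], hours[k]) for k in totals}


def build_baselines(events: List[Event]) -> Dict[str, Baseline]:
    """Learn each user's normal from the days inside the baseline window."""
    per_user: Dict[str, List[DaySummary]] = defaultdict(list)
    for (user, day), s in summarise_days(events).items():
        if day < BASELINE_DAYS:
            per_user[user].append(s)
    baselines: Dict[str, Baseline] = {}
    for user, days in per_user.items():
        vols = [s.bytes_out for s in days]
        med = median(vols)
        mad = max(median([abs(v - med) for v in vols]), MAD_FLOOR_BYTES)
        baselines[user] = Baseline(med, mad,
                                   set().union(*(s.dests for s in days)),
                                   set().union(*(s.hours for s in days)))
    return baselines


def score_day(s: DaySummary, b: Baseline) -> List[str]:
    """Return the signals on which this day departs from the user's baseline."""
    signals = []
    # 1.4826 scales the MAD to the standard deviation of a normal distribution
    z = (s.bytes_out - b.median_bytes) / (1.4826 * b.mad_bytes)
    if z > Z_THRESHOLD:
        signals.append(f"volume: robust z-score {z:.1f}")
    for d in sorted(s.dests - b.dests):
        signals.append(f"new destination: {d}")
    lo, hi = min(b.hours) - HOUR_SLACK, max(b.hours) + HOUR_SLACK
    for h in sorted(s.hours):
        if not lo <= h <= hi:
            signals.append(f"unusual hour: {h:02d}:00")
    return signals


def tier(signals: List[str]) -> str:
    """Heuristic triage tier (assumed): a lone signal is usually a mistake."""
    if not signals:
        return "normal"
    return "review" if len(signals) == 1 else "escalate"


def assess(events: List[Event]) -> Dict[Tuple[str, int], Tuple[str, List[str]]]:
    """Score every (user, day) that falls after the baseline window."""
    baselines = build_baselines(events)
    results = {}
    for (user, day), s in summarise_days(events).items():
        if day >= BASELINE_DAYS and user in baselines:
            signals = score_day(s, baselines[user])
            results[(user, day)] = (tier(signals), signals)
    return results


if __name__ == "__main__":
    for (user, day), (t, sig) in sorted(assess(EVENTS).items()):
        print(f"{user} day {day}: {t} {sig}")
```

Run as written, alice's day 14 scores normal, carol's single new destination lands in "review" (the accidental end of the spectrum the article describes), and bob's combination of a huge volume, a never-seen destination and a late-night hour is escalated, which is what the departing-employee case looks like in telemetry. Two caveats a practitioner would add: the floor on the MAD matters, because a user whose daily volume never varies would otherwise divide by zero and never score; and a baseline learned from a sliding window can be trained by an insider who ramps up slowly, so the history window should be frozen or compared against a peer group rather than re-learned continuously.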