By Omar Zarabi, Founder and CEO, Port53 Technologies
As in previous years, the DefCon of the cybersecurity industry is best illustrated by the headlines – each a cautionary tale. The past two years were witness to a virtual House of Horrors that has propelled cybersecurity to the top of corporate agendas. The 2020 supply-chain attack on SolarWinds’ network monitoring application Orion affected thousands of the company’s customers around the world, including several government agencies here in the US.
And the list goes on. March 2021: Verkada, a Silicon Valley start-up that provides cloud-based CCTV systems, was compromised through the simple hijacking of privileged credentials. Attackers were able to browse the real-time footage of every Verkada customer, including health clinics, psychiatric treatment centers, and the premises of hybrid and electric car manufacturer Tesla. Also available for viewing: Verkada’s own offices.
Another example of stolen credentials was May’s DarkSide ransomware attack on the Colonial Pipeline. It led to panic-buying of gas by the public, and cost the operator $5 million, in a payout characterized by The New York Times as a red flag to other threat actors who may see a lucrative pay day on the horizon.
Even in normal years, this series of events – and others too numerous to mention – would have CISOs scurrying to the drawing board to reimagine their threat postures. But we are not living in normal years. In the midst of the dramatic contortions we were seeing in the threat landscape, nature threw a curveball into the mix. The COVID-19 pandemic ravaged families, business communities, and economies around the globe. Those enterprises that moved decisively migrated to the cloud almost overnight and instantly expanded their attack surface.
The problems came from several different directions. First, employees working from home were using unvetted personal devices that potentially contained a smorgasbord of vulnerabilities. These devices used private and third-party networks to connect to the cloud-based environments required for remote work. And corporate data, sensitive or not, was crossing unknown boundaries on its journey between the WFH employee and the corporate environment. Penetration testing became unreliable because the architecture being probed was half in and half out of an organization’s jurisdiction.
Second, DevOps teams – desperately trying to transform massive chunks of their employers’ business models to adapt to the new normal – were releasing new digital experiences at the speed of demand. These releases could, depending on circumstances, contain any number of security holes picked up from new PaaS environments.
Rethink your digital dogma
As has been said at many points throughout cybersecurity history, what we were doing two years ago no longer works. Threat actors have proved themselves capable of using every trend, every market shift, every consumer habit, and every employee error to their advantage. Responses from organizations have not been as swift. While cybersecurity professionals can never quite recall a “quiet past”, the “stormy present” of 2022 requires a rethink of our digital dogmas if we are to ensure that employees can stay safe but remain productive.
The starting point: know yourself. The line of business will always have a handle on financial plans, operations, market conditions, and a range of other touchpoints. For IT and security teams to be successful, they must compile a comprehensive asset inventory – from the machines in the office to the devices in employees’ homes, from the tools on laptops to the inner workings of containerized apps in the cloud.
Next comes triage. Identifying vulnerabilities is trivial next to the task of managing action. Some vulnerabilities will be common but may not represent great damage if they were to be exploited. Others may be rare but represent considerable business risk. The general rule of thumb is that if a vulnerability can cause significant damage and is relatively easy to exploit by an attacker, it should be high on the patching list. Anything that is high-risk and not readily addressable should be on a watch list.
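The rule of thumb above, turned into a small triage routine, as an added example that is not part of the original article: the scores, the threshold, the field names and the sample findings are all constructed assumptions for illustration, and the vulnerability identifiers are placeholders, not real advisories.

```python
# Added example (not the article's code): apply the "damage x ease of exploit"
# rule to a constructed set of findings and sort them into the three queues
# the article describes. Scores and thresholds are assumptions.
from dataclasses import dataclass

PATCH_NOW = "patch list"
WATCH = "watch list"
BACKLOG = "backlog"


@dataclass
class Finding:
    asset: str
    vuln_id: str         # placeholder identifier, not a real advisory
    impact: int          # 1 (nuisance) .. 5 (significant business damage)
    exploitability: int  # 1 (hard, local, privileged) .. 5 (trivial, remote)
    fix_available: bool  # a vendor patch or known configuration change exists


def risk_score(f: Finding) -> int:
    """Damage weighted by ease of exploitation, the two factors the rule weighs."""
    return f.impact * f.exploitability


def classify(f: Finding, high_risk: int = 12) -> str:
    """High risk and fixable -> patch now; high risk and not readily fixable -> watch."""
    if risk_score(f) >= high_risk:
        return PATCH_NOW if f.fix_available else WATCH
    return BACKLOG


def triage(findings):
    """Group findings by queue, highest risk first within each queue."""
    queues = {PATCH_NOW: [], WATCH: [], BACKLOG: []}
    for f in sorted(findings, key=risk_score, reverse=True):
        queues[classify(f)].append(f)
    return queues


# Constructed sample inventory for illustration only
SAMPLE = [
    Finding("vpn-gateway", "VULN-A", impact=5, exploitability=5, fix_available=True),
    Finding("hr-laptop-17", "VULN-B", impact=2, exploitability=4, fix_available=True),
    Finding("legacy-scada", "VULN-C", impact=5, exploitability=3, fix_available=False),
    Finding("intranet-wiki", "VULN-D", impact=3, exploitability=2, fix_available=True),
]

if __name__ == "__main__":
    for queue, items in triage(SAMPLE).items():
        print(queue, [f.vuln_id for f in items])
```

Tuning the threshold and the two scales to your own environment is the point of the exercise; the queues only mean something once the asset inventory behind them is complete.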
Free to innovate
All of this, from the compilation of the asset inventory to the patching actions, should be automated where possible. Several tools today are capable of automatic asset discovery and policy-based patching. Overworked CISOs and their embattled teams represent the most overlooked security issue in the post-pandemic era. By empowering professionals with the tools needed to automate the mundane, we free them to become more effective threat hunters.
Once the basics are in place, organizations will be better placed to meet regulation and compliance obligations. Policies alone will not allow you to prepare the reports required by auditors. And good intentions will not satisfy the strict requirements of standards such as PCI-DSS. The good news is cloud-service providers and other vendors are beginning to provide controls such as MFA and DNS security, and are even offering training sessions for end users to prepare them for the hybrid-work future.
But chasing the regulators in a constantly reactive mode makes for a poor security strategy. There is no substitute for gaining a deep and broad understanding of your organization’s environment and selecting the visualization and automation tools that best fit your circumstances, your architecture, and your business goals. Getting the basics in place – asset inventory, vulnerability management, and user awareness – will give you a strong foundation to secure your digital estate.
Once you have mastered your environment, you can turn your attention to some of the latest policies and tools that are being deployed against cybercriminals. Many of the headline-grabbing incidents that we have seen would not have occurred but for a lapse in the management of privileged credentials. SolarWinds’ Orion, for example, uses privileged access to connect to other systems, which is how attackers were able to compromise so many other organizations. Privileged access management (PAM) is an emerging technique that allows CISOs and their teams to stipulate how accounts connect to environments, using policies such as session monitoring, password rotation, least privilege, just-in-time provisioning, and the elimination of shared accounts to keep estates safe while avoiding hits on employee productivity.
Other practices include Zero Trust, which has become something of a hot topic. Allowing everything in, and assuming all processes to be suspect until they can prove themselves otherwise, is an approach that shows how far removed we are from the recent past. Here, we not only assume we are going to be attacked; we assume we already have been. It is a grim yet justifiable assumption that accurately reflects the world in which we now live.
Do not dismay, however. The headlines of horror may imply an inevitability in becoming a cyber-victim, but their postmortems also show a path to risk remediation. There are tools you can procure, policies you can enact, and actions you can take that will ensure that your organization’s name is not the next to be splashed across media pages.
About the Author
Omar Zarabi, Founder and CEO of Port53 Technologies.
Growing up in a small, family-run organization, I saw firsthand the challenges the ever-changing technological landscape presented to resource-restrained IT teams. With a BA in Economics from UC Davis, I started my cybersecurity career at OpenDNS, where I was responsible for delivering the DNS security solution to small and mid-sized businesses in the US and Asia. I worked with thousands of IT professionals in the SMB space, and truly learned their biggest pain points, especially as it pertained to cloud adoption and cybersecurity – two rather new and fluid trends in the SMB IT space.
In September of 2016, a little over a year after Cisco acquired OpenDNS, I founded Port53 Technologies and became its CEO. Port53 is focused on delivering enterprise-grade, cloud-delivered security solutions that are easy to deploy, simple to manage and extremely effective, helping customers not only get a big-data and predictive approach to security, but also a more integrated and automated approach.