If organizations want to get ahead of cybersecurity threats, or at least not fall too far behind malicious actors, they need to start thinking about IT security differently.
That was a key takeaway from two keynote speakers at the CDW Protect SummIT in Phoenix. Businesses large and small need to take a page from hackers and learn lessons from their behavior, and must also shift their focus from a perimeter-based defense to a data-centric one, they said.
Organizations can be more nimble in their cybersecurity efforts by building security solutions that protect their critical assets, and by challenging old dogmas about security culture, such as the notion that security pros “cannot fix the user.”
“We need to do things significantly differently,” said Keren Elazari, a renowned cybersecurity analyst, author and researcher. “We cannot keep calm and carry on.”
Alyssa Miller, manager of the information security solutions practice at CDW, also urged the conference attendees to think about security differently. According to Research and Markets, the global cybersecurity industry is expected to grow to $177 billion by 2025, Miller noted. There are thousands of cybersecurity tools available, including artificial intelligence-based solutions and advanced endpoint security products.
“There’s so much noise that we’re just not getting there,” Miller said. A new approach is needed, she and Elazari argued.
Organizations Can Learn Cybersecurity Lessons from Hackers
Being a hacker, Elazari said, is about “using your power over technology for good. It’s about showing the world the vulnerabilities in it so that we can create something better.” Hackers, she said, “can be the immune system for our new digital reality.”
So, what can IT security pros learn from hackers? First, cybersecurity is about more than protecting secrets or assets; it’s about protecting our very way of life in today’s modern world. Attacks like WannaCry and NotPetya showed the devastating real-world consequences of cyberattacks.
Next, Elazari said, connectivity means more vulnerability, and initial wiperware or ransomware attacks may be a smokescreen for larger, more malicious thefts, as was the case in the attack on Banco de Chile in 2018.
Additionally, there are now more connected devices than people on the planet. These devices can be extremely vulnerable, and can be exploited in botnet attacks, as the Mirai botnet attack in 2016 demonstrated.
Further, automation and scale are making life more difficult for cybersecurity defenders and easier for hackers. Hackers can automate attacks as well as the tools they use to create attacks, Elazari said.
Hackers are also exploiting wider attack surfaces and “going bigger and upstream” on their attacks, targeting routers and out-of-date operating systems.
To change their approach, organizations should make it easier for their users to make everyday security decisions, like installing applications and downloading files.
Organizations should also look at a “return on security investment” that takes into account not just how effectively cybersecurity tools prevent things from happening, but whether they will make decisions easier. Elazari said that companies must invest not just in technology but in skills that will allow them to become more resilient. They must build a “security culture” that takes advantage of red team testing, threat hunting, and digital forensics and incident response.
“Things will happen,” she said. “How you react to those things determines not just your job at the company but your company’s future as well.”
Organizations should also be more willing to run bug bounties and work with white hat hackers, whom they pay to identify vulnerabilities in their systems, networks, applications and devices.
“We cannot allow our future to be defined by our fear of technology,” Elazari said. “We need to learn to coexist and co-evolve with technology.”
Focus on Protecting Key Assets and Data
In the past, most organizations focused cybersecurity on the perimeter, and used passwords to authenticate users at the edge of systems, allowing them free rein once they got inside, Miller said. The same thing happens now with network firewalls. “That’s a dangerous way to look at things,” she said.
Organizations must instead take a data-centric approach to security that protects their critical assets. These assets are not necessarily technology, Miller said, but things like customer data, financial assets, trade secrets, key personnel and critical services.
“We need to start thinking about these assets in terms of the business,” she said. “We also need to come up with a better understanding of what business threats we face.” Those include attacks like fraud, theft, exposed data and attacks that interrupt the business.
Since most organizations already have a cybersecurity setup, what can they do? “We often don’t get the ability to design from the ground up when we think about cybersecurity,” Miller noted.
Alyssa Miller, manager of the information security solutions practice at CDW, says defenses should be built around critical assets.
Organizations should invest in threat hunting and security assessment capabilities, she said. Application security assessments should be ongoing, Miller said. She compared it to maintenance someone might do on a car on a regular basis.
“If we do our preventative maintenance, it helps defend against that more expensive repair down the road,” she said.
Additionally, organizations need to prioritize their defenses and build from their critical assets outward with alternating layers of prevention and mitigation solutions. “Start at the thing your business holds most dear,” Miller said.
Doing so allows IT leaders to build a “very, very compelling business case” for cybersecurity investments. If they go into a CEO’s office or a boardroom and make the argument that security investments protect a critical part of the business, they are likely going to be taken seriously.
“Those conversations carry a lot more weight, and you gain a lot more credibility very, very quickly,” Miller said.