Most information security professionals are familiar with Chaos Monkey, a tool developed by Netflix in 2011. It’s designed to test the resilience of the video streaming service’s IT infrastructure by randomly disabling computers in Netflix’s production network as a means of gauging how remaining systems respond to the outage.
Rick McElroy, head of security strategy for VMware Carbon Black, cited Chaos Monkey as an example of the kind of thing businesses of every size ought to be doing more of if they strive to build more resilient organizations.
Speaking at the CDW Tech Talk “Maximizing IT Resilience with Adaptive Security and Infrastructure,” where industry experts discussed modern cybersecurity and risk management issues, McElroy argued that organizations must build resilience into everything they do.
Businesses Haven’t Made Much Progress on Cybersecurity
McElroy said many of today’s organizations have advanced IT solutions built on crumbling foundations, especially from a security perspective. That’s the outcome of rapidly changing technology, evolving business models and other factors that have encouraged enterprises to simply deploy more solutions without addressing infrastructure.
As a result, businesses haven’t made enough progress when it comes to staying ahead of threat actors. For example, more than 20 years ago, average dwell time — the period it takes an organization to realize it’s been breached — was more than a year. Today, it’s still more than 200 days, a reduction of fewer than six months after two decades of trying.
“What you’re seeing attackers do is start to leverage ransomware to perform denial of service attacks,” McElroy said. “What’s compounding it is what I call the trickle-down cyber economy: You have very large nation-states that pay organizations to develop tools for offensive cybersecurity operations. Those tools are found in the wild, leaked and reverse-engineered.”
For example, a leaked National Security Agency cyberattack toolkit became “the primary source of lateral movements within organizations for WannaCry,” he said. The same capabilities found their way just a few months later into NotPetya, a global hack that cost $60 billion worldwide.
“Some people say we need a digital Pearl Harbor to create momentum to do something about this problem,” he said. “I say we’ve already had it, and we’ve had it several times over. The real problem for defenders is that it lands on us to defeat and defend against these advanced techniques that these nation-state actors are coming up with.”
Cybercrime will cost about $6 trillion next year, about the same amount as the world’s third-largest economy, according to Cybersecurity Ventures.