Moving Beyond The Cybersecurity Chess Match

Published on December 16th, 2022

Deputy CISO and Vice President Information Security, Fortinet Inc.

For decades, the world of cybersecurity has resembled a chess match at times. The “bad guys” make a move and the “good guys” make a move to counter what the bad guys have done. The rules of chess do not allow one player to make two moves in a row, and making a single move in itself can be challenging for security teams. It is sometimes a seemingly never-ending, tit-for-tat cycle.

What’s more, each move by the good guys is a little more difficult than the previous one. Cybercriminals have managed to increase both the volume and the sophistication of their attacks by automating and “democratizing” their tactics. Automation means that new malware variants and attack types can be deployed instantly, thanks to technologies like artificial intelligence (AI). Democratization means that even non-specialists can now participate in cybercrime through intuitive software packages and professional services that help less experienced adversaries pull off their attacks.

Yes, the chess match is getting more difficult. But my message to cybersecurity teams is simple: Stop playing chess. Until organizations are able to move from a reactive stance to a proactive one, the chess match will be never-ending.

Here are some specific proactive steps that organizations can take.

1. Build a regular cadence of application and infrastructure testing.

The pace of technological change is accelerating as customer demand for digital services evolves, and the new world of work means that users are more geographically scattered than ever. As a result, organizations constantly deploy new infrastructure, new applications and an increasingly distributed network. In this context, overwhelmed security teams might declare victory if they manage to scan applications for vulnerabilities or conduct security assessments on infrastructure elements once in a while.

Unfortunately, that is not good enough in today’s increasingly advanced threat landscape. Application security testing must be done regularly throughout the software development lifecycle (SDLC). And organizations should continually use red teams and penetration testing to probe cloud-based and on-premises infrastructure and services—and the networking elements that connect them to users. Security can no longer be an afterthought.

2. Leverage deception to deflect adversaries—and gain intelligence.

Reactive organizations deal with attacks as they come in, but those who want to get out of the chess match should consider deception techniques. Such approaches lure attackers into revealing themselves—while leading them away from what they are looking for. When attackers end up in a fake environment that resembles the real one, organizations can gain valuable intelligence on their tactics, techniques and procedures (TTPs) without risking system downtime or data loss. They can start to follow the breadcrumbs known as indicators of compromise (IOCs) to understand more about where the attack came from and what was being targeted.

Deception technology is a sound investment, no matter what. If adversaries fall into the trap, a real attack is prevented, and the organization gets valuable threat intelligence. If deception processes are never triggered, companies get confirmation that their other security efforts are proving successful.
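One concrete, low-cost form of the deception described above is the honeytoken: a decoy account that no legitimate process ever uses, so any authentication attempt against it is a high-fidelity alert and the source address becomes an indicator of compromise to pivot on. The script below is an added example, not code from the article or from Fortinet; the decoy account names, the sshd-style log format and every log line are constructed for illustration.

```python
"""Honeytoken detection over constructed auth-log lines.

Added example, not from the original article: decoy accounts are planted
where an intruder would find them (directory, config files, scripts); any
authentication attempt against them is treated as an alert, and the source
addresses are collected as indicators of compromise (IOCs).
"""
import re
from collections import defaultdict

# Decoy identities seeded into the environment (assumed names, never used legitimately).
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_dr_test"}

# Constructed syslog-style sshd lines; a real deployment parses whatever its auth system emits.
SAMPLE_LOG = """\
Dec 16 03:12:01 app01 sshd[2211]: Accepted publickey for deploy from 10.0.4.15 port 51022
Dec 16 03:12:44 app01 sshd[2230]: Failed password for svc_backup_legacy from 198.51.100.23 port 40110
Dec 16 03:12:47 app01 sshd[2230]: Failed password for svc_backup_legacy from 198.51.100.23 port 40110
Dec 16 03:13:05 fs02 sshd[8812]: Accepted password for admin_dr_test from 198.51.100.23 port 40188
Dec 16 03:14:10 app01 sshd[2251]: Accepted publickey for alice from 10.0.4.20 port 51030
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_line(line):
    """Return a dict of fields for a recognised sshd auth line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_honeytoken_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return (alerts, iocs).

    alerts: one dict per log line that touched a decoy account.
    iocs:   {source_ip: sorted decoy accounts it touched}, the breadcrumbs
            the article calls indicators of compromise.
    """
    alerts = []
    iocs = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] not in decoys:
            continue
        # A successful login to a decoy means the planted credential was
        # harvested and replayed, not merely guessed; rank it above failures.
        rec["severity"] = "critical" if rec["outcome"] == "Accepted" else "high"
        alerts.append(rec)
        iocs[rec["src"]].add(rec["user"])
    return alerts, {ip: sorted(users) for ip, users in iocs.items()}


if __name__ == "__main__":
    found, indicators = detect_honeytoken_use(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['host']}: {a['outcome']} for decoy "
              f"{a['user']} from {a['src']}")
    print("IOCs:", indicators)
```

Because the decoy accounts have no legitimate use, the detector needs no baseline or tuning: every hit is actionable, which is why the article can say deception pays off even when it is never triggered.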

3. Be proactive—and comprehensive—with zero trust.

At the risk of boring readers with yet another discussion of a trendy topic, I believe that zero-trust network access (ZTNA) must be mentioned here as a proactive strategy. The principle of ZTNA is simple: No user or device is presumed to be trusted to access a specific application or service. Instead, every request for access must be verified—preferably in more than one way.

This principle makes abundant sense to specialists and non-specialists alike. But as with many simple principles, the devil is in the details. One detail that can make or break ZTNA is network segmentation. If computing resources are not segmented to a granular level, users will have access to things that they do not need to do their jobs. This increases risk to the organization.

Another important detail is what parts of the infrastructure ZTNA is applied to. Many ZTNA approaches are completely cloud-based, meaning that they cannot adequately protect on-premises applications and resources. While many organizations have embraced a cloud-first strategy, the reality is that most still operate in a hybrid environment—and core applications remain on premises at many. ZTNA should be applied to the entire infrastructure through a common platform.
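The two details singled out above, verifying each request in more than one way and segmenting resources at a granular level, can be expressed as a deny-by-default policy evaluation. The code below is an added example in that spirit, not from the article or from any ZTNA product; the roles, segments, applications and sample requests are constructed. Because the decision keys on the application's network segment rather than on where it is hosted, the same function serves cloud-hosted and on-premises applications alike, which is the hybrid-environment point the passage makes.

```python
"""Deny-by-default access evaluation in the spirit of ZTNA.

Added example, not from the original article: a request is granted only when
identity is verified by a primary credential and a second factor, the device
is managed and compliant, and the target application lives in a segment the
requester's role is entitled to. All names and mappings are constructed.
"""
from dataclasses import dataclass

# Granular segmentation: each application lives in exactly one segment, and
# each role is entitled to a short list of segments (assumed mappings).
APP_SEGMENT = {
    "payroll": "finance",
    "wiki": "corp",
    "jumpbox": "infra",
}
ROLE_SEGMENTS = {
    "finance-analyst": {"finance", "corp"},
    "engineer": {"corp", "infra"},
    "contractor": {"corp"},
}


@dataclass
class Request:
    user: str
    role: str
    app: str
    authenticated: bool       # primary credential verified
    mfa_passed: bool          # second verification factor completed
    device_managed: bool      # device enrolled in management
    device_compliant: bool    # disk encryption, patch level, etc.


def evaluate(req):
    """Return (allowed, reasons). Every check must pass; nothing is presumed."""
    reasons = []
    if not req.authenticated:
        reasons.append("identity not verified")
    if not req.mfa_passed:
        reasons.append("second factor missing")
    if not req.device_managed:
        reasons.append("unmanaged device")
    elif not req.device_compliant:
        reasons.append("device out of compliance")
    segment = APP_SEGMENT.get(req.app)
    if segment is None:
        # Unknown resources are denied rather than allowed through by default.
        reasons.append(f"unknown application {req.app!r}")
    elif segment not in ROLE_SEGMENTS.get(req.role, set()):
        reasons.append(f"role {req.role!r} not entitled to segment {segment!r}")
    return (not reasons), reasons


if __name__ == "__main__":
    samples = [
        Request("alice", "finance-analyst", "payroll", True, True, True, True),
        Request("bob", "contractor", "payroll", True, True, True, True),
        Request("carol", "engineer", "jumpbox", True, False, False, False),
    ]
    for r in samples:
        ok, why = evaluate(r)
        print(f"{r.user} -> {r.app}: {'ALLOW' if ok else 'DENY'} {why}")
```

Note that the second request is denied even though identity and device checks all pass: without segmentation, a contractor with valid credentials would reach payroll simply because the network let them, which is the over-entitlement the passage warns about.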

4. Check frequently for misconfigurations.

While it might be easy to assume that data breaches occur because an organization did not invest in an expensive security solution, many occur because of simple human errors like misconfiguration. Verizon’s latest Data Breach Investigations Report notes that such mistakes are responsible for 13% of breaches, with misconfigured cloud storage representing a growing slice of that pie.

And when you think about it, human beings manually checking for human errors is inefficient and not terribly effective. What organizations need is an automated way to verify configurations across multiple cloud platforms and on-premises systems.
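The automated verification the passage calls for amounts to normalising each platform's configuration into one shape and running a single rule set over it. The script below is an added example, not code from the article or from Fortinet: it covers storage buckets from two providers and an on-premises firewall ruleset. The provider field names are simplified stand-ins chosen for this example rather than any vendor's real API, and every configuration in the inventory is constructed.

```python
"""Configuration checks across two cloud storage providers and an on-prem
firewall ruleset.

Added example, not from the original article: provider-specific records are
normalised into a common shape, then one rule set is applied to all of them.
Field names for providers A and B are constructed stand-ins, not real APIs.
"""
import ipaddress

# --- normalisation: provider-specific -> common shape ----------------------

def normalise_bucket_a(raw):
    """Provider A (constructed schema): ACL grants with a 'grantee' field."""
    public = any(g.get("grantee") == "AllUsers" for g in raw.get("acl", []))
    return {"kind": "bucket", "name": raw["name"], "platform": "A",
            "public": public or raw.get("policy_public", False),
            "encrypted": raw.get("encryption") is not None,
            "logging": raw.get("access_logging", False)}


def normalise_bucket_b(raw):
    """Provider B (constructed schema): IAM-style bindings with member lists."""
    members = {m for b in raw.get("bindings", []) for m in b.get("members", [])}
    return {"kind": "bucket", "name": raw["name"], "platform": "B",
            "public": bool(members & {"allUsers", "allAuthenticatedUsers"}),
            "encrypted": raw.get("default_kms_key") is not None,
            "logging": raw.get("log_bucket") is not None}


def normalise_fw_rule(raw):
    """On-prem firewall rule export (constructed schema)."""
    return {"kind": "firewall", "name": raw["name"], "platform": "on-prem",
            "src": raw["src"], "port": raw["port"], "action": raw["action"]}

# --- rules: each returns a finding string or None ---------------------------

ADMIN_PORTS = {22, 3389, 5900}

def rule_public_bucket(r):
    if r["kind"] == "bucket" and r["public"]:
        return "storage is world-readable"

def rule_unencrypted_bucket(r):
    if r["kind"] == "bucket" and not r["encrypted"]:
        return "no encryption at rest configured"

def rule_no_logging(r):
    if r["kind"] == "bucket" and not r["logging"]:
        return "access logging disabled"

def rule_admin_port_open_world(r):
    if r["kind"] != "firewall" or r["action"] != "allow":
        return None
    net = ipaddress.ip_network(r["src"], strict=False)
    if r["port"] in ADMIN_PORTS and net.prefixlen == 0:
        return f"admin port {r['port']} reachable from any source"

RULES = [rule_public_bucket, rule_unencrypted_bucket, rule_no_logging,
         rule_admin_port_open_world]


def check(resources):
    """Apply every rule to every normalised resource; return finding strings."""
    findings = []
    for r in resources:
        for rule in RULES:
            msg = rule(r)
            if msg:
                findings.append(f"{r['platform']}:{r['name']}: {msg}")
    return findings


# Constructed inventory, shaped as each provider's export might look.
INVENTORY = [
    normalise_bucket_a({"name": "customer-exports",
                        "acl": [{"grantee": "AllUsers", "perm": "READ"}],
                        "encryption": None, "access_logging": False}),
    normalise_bucket_a({"name": "app-backups", "acl": [],
                        "encryption": "AES256", "access_logging": True}),
    normalise_bucket_b({"name": "marketing-assets",
                        "bindings": [{"role": "viewer", "members": ["allUsers"]}],
                        "default_kms_key": "projects/x/keys/k1", "log_bucket": "logs"}),
    normalise_fw_rule({"name": "rdp-any", "src": "0.0.0.0/0", "port": 3389, "action": "allow"}),
    normalise_fw_rule({"name": "ssh-vpn", "src": "10.8.0.0/16", "port": 22, "action": "allow"}),
]

if __name__ == "__main__":
    for finding in check(INVENTORY):
        print(finding)
```

Run on a schedule against live exports, the same rule set answers the question the passage poses for cloud and on-premises systems alike, and adding a platform means writing one more normaliser rather than a second set of rules.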

But what if my organization isn’t huge?

Many readers may be thinking, “This is all well and good for Fortune 100 companies that can staff large security operations centers (SOCs). But my little team could never do all these things.” But even smaller organizations can make these things happen by leveraging services. Such offerings are often priced affordably according to an organization’s size.

Penetration testing services and red teams for hire have existed for a long time. More recently, broader offerings like digital risk protection services (DRPS) have been created to help organizations do external surface threat assessments, discover and rectify security issues, and gather contextual insights on current and imminent threats.

Regardless of how it is done, today’s threat landscape means that getting out of the chess match is an imperative. Thinking strategically and taking proactive steps will help organizations reduce risk while making life a little easier for the cybersecurity team.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.