Several years back, a number of security industry leaders began declaring that there are only two types of organizations, those that have been hacked and those that don’t yet know it. Industry analyst firm Gartner agreed and shortly thereafter began advising organizations to build out security strategies that could respond to this fact of digital life. Recently, we woke up to the news that FireEye, SolarWinds, Microsoft and possibly thousands of other public and private sector organizations had been compromised — reminding us that Gartner was on to something worth listening to.
As the incident unfolded, we began learning that the culprits, suspected to be a Russian-backed threat actor, had been in the big three’s networks for as long as nine months before they were spotted, free to move laterally across the victims’ digital ecosystems. How could this have happened? Haven’t we fixed the security problem by now? Both are great questions, especially when you consider that globally, organizations spend almost $125 billion annually on security and risk management products and services, there are more than 2,000 vendors serving the market, and venture capital money continues to fund innovation in the sector.
One constant that is all too easy for us to forget is that when it comes to cybersecurity, things are always changing. Adversaries adapt their campaigns frequently. When targets close one gap, attackers open up another. An anti-virus signature that worked one minute may be obsolete the next. Firewall rules that permitted the right traffic one day could end up letting in malicious packets the next. In security, there simply is no “set it and forget it” dial.
To maintain an effective level of defense, security leaders need to remain focused on their traditional technology stacks but also accept the notion that sooner or later, something malicious is going to slip in. Those who buy into this concept know that the success of a security program can’t be measured only by how many times it stops the bad guys and gals from scaling the walls, but also on how quickly those that do get through can be identified, cut off, and then purged.
The compromise of FireEye, SolarWinds, and Microsoft is certainly epic in nature but by no means unprecedented. Anyone who has been around the industry long enough can remember when lone-wolf hackers started to release worms designed to bore into the Windows operating system, the TJX payment card breach, the OMB espionage incident, and the Equifax break-in — all at least equal in stature. What many may have since forgotten, though, is that each of these breaches, and the many that filled the news cycles in between, had some things in common. Most notably, the attackers were able to dwell undisturbed in victims’ systems for prolonged periods.
Frequently, adversaries are held up at the gate. With the help of modern defensive tools and strategies, organizations do prevent attacks from developing into breaches. Preventative measures should not be discounted, but security and risk teams need to be cautious of exclusive reliance on them. When on the battlefield, which is what the modern cyber landscape has essentially become, well-fortified walls are needed. It is equally important to have in place the ability to spot and stop enemies who make it past barriers before they do things such as detonate costly ransomware, steal data, or gather intelligence that could be used to execute an incursion later.
In cybersecurity, the ability to see an enemy before they can inflict too much damage is what we refer to as “threat detection.” Many capable defenders are able to detect and neutralize threats before they slip past the guards. Almost 100 percent of the time, as Gartner points out, at least one burrows in — which is all it takes to lead to a catastrophic breach. A best practice is a layered approach (also referred to as Defense in Depth).
In the days following the FireEye, SolarWinds and Microsoft breaches, news outlets, security researchers, experts across social media, and a large number of security vendors have contributed to helping the world understand what happened, how to determine whether or not “your” organization has been impacted, and how to mitigate the effects of the breach. FireEye was the first to break the news and to start offering information on how to purge the attackers from networks. SolarWinds immediately started doing all it could to help its customers recover. Microsoft has continued to provide updates. Even our own research team burned the midnight oil to provide free, relevant threat intelligence that can be used to aid detection procedures. Every organization should certainly be leveraging its internal expertise to determine if the attack has impacted them. All should also consider taking advantage of the free and open assistance available; no business should hesitate to accept outside help if it allows a threat to be seen and removed more quickly, before it can spread further into their networks.
Cybersecurity nirvana, where everything is protected and breaches don’t occur, may never be achievable. Organizations that accept the mathematical reality that not all breaches are preventable, but almost all attackers are detectable, can significantly reduce the level of risk and damage that threat actors are able to inflict.
By Hugh Njemanze, CEO, Anomali