
What does the Colonial Pipeline attack tell us about security today?

Not to have a solid security strategy is at odds with the business and digital transformation strategies that companies are embarking on

by Rob Hartley
August 16, 2021
in Insight

In May the US Colonial Pipeline shut its operational network after a ransomware cyber-attack. It’s said to be one of the costliest attacks for an economy. A painful accolade if ever there was one.

New details are emerging about the specifics of the pipeline attack all the time but there are a few concerns that every boardroom must acknowledge. The first relates to reports that there was no Chief Security Officer (CSO) in place.

Ten years ago, whether to appoint a custodian for security was hotly debated. It was rare to find a dedicated figurehead on the board, with the exception of major banks and finance houses because of the regulated markets they operated in.

Fast forward to today and it’s rare not to have a CSO, for very obvious reasons. Now it must be a priority for every business. IT is so integral to business operations that if core IT systems are impacted, most businesses cannot function at normal capacity, or at all in some cases. IT has to be protected at all costs. What’s more, it’s necessary for compliance, business continuity and, as the fallout of the pipeline attack shows us, reputation.

Not to have a solid security strategy is also at odds with the business and digital transformation strategies that companies are embarking on. In general, strategies like this incorporate the digitalisation of data, migration from data centres to the cloud, and a widespread adoption of applications across business functions. Mobilising the workforce, reducing cost and improving productivity and profits are all cited outcomes.

But those outcomes are significantly undermined if not managed in parallel with a security strategy. The fact that 55% of organisations experience a DDoS attack against their APIs at least monthly is a prime example of the threats being entertained.

Using APIs is an efficient way for perpetrators to get a foothold, so it’s imperative that any app or thing connected to the network is protected.

There’s a misconception that all attacks today are automated. But ransom DDoS is so lucrative that people, not machines, control and operate the attacks.

These experts determine a strategy based on very specific intelligence found on underground forums about a network’s or application’s weaknesses and turn it to their advantage. This further underlines the need to have defences in place.

However, that alone won’t be enough because not even the best defences can block human-operated threats. Instead, strategy must shift from defending networks and applications to one that can discover anomalies in behaviour and stop an attack before it escalates.

Of course, the rallying cry after any high-profile attack is to get the basic hygiene factors in place fast. But it’s far easier said than done, especially if you have legacy systems or are mid-digital transformation. For those companies, legacy systems will probably always be a thorn in the side because it presents too much operational risk to ditch them entirely.

It therefore boils down to a balanced strategy based on coherent threat assessments that model risks and the assets most likely to be exposed or desirable to attackers.

But no matter the attack vector, it’s critical to recognise that all industries are facing challenges when it comes to staying secure. In the last year, it’s the pharma, biotech, finance and government bodies of this world that have been hit hardest by attacks, but that doesn’t mean retail, ecommerce and utilities are immune.

The most targeted industries relate, in part, to the pandemic and the heightened focus on vaccines at a time when drug IP is so precious. But it’s also down to the sensitive and high-value data organisations in these sectors manage day to day. It doesn’t matter whether it’s espionage for nation states, or a crime gang that can cause significant reputational damage from leaking sensitive customer or patient data, and in some cases sell it at a premium too.

We have always said that as attacks become more sophisticated so the job of detection and mitigation gets tougher. But now risk is exacerbated by the complexity in hybrid and multi-cloud infrastructures, as well as the complexity in cloud native application development, DevOps and continuous integration and continuous delivery models. These are now contributing to the leading risks for an organisation because it’s much harder to stay in control of all the constantly moving parts.

Companies must therefore face the realities – attacks can range in sophistication and will exploit every nuance. If security teams only focus on building a bigger wall they will fail. Instead they must think through every eventuality and plan more agile defence strategies that can keep pace with the organisation’s digital strategy. This requires adopting a security posture that assumes attacks will happen and they can only be thwarted by having full visibility of the entire network. Without that it’s a fast track to failure.

 

Rob Hartley, VP of EMEA and Latin America divisions, Radware
