Last April, seasoned cybersecurity journalist Joseph Menn led a panel discussion at the Randori/SANS Attack Surface Management Conference on a single question: how does the security industry need to change in response to the fallout from the new wave of mega breaches, such as SolarWinds, Microsoft Exchange and the more recent Darkside ransomware compromise?
Panelists included security’s foremost thought leaders: SAP’s CISO Richard Puckett, the former Square CISO Window Snyder, Randori’s CTO and Co-founder David “moose” Wolpoff, and former NSA General Counsel Stewart Baker.
The resounding answer from panelists was to invest in fundamentals and build resilient security programs.
For too long, the industry has relied on its ability to find and fix issues before they are exploited. With the number of endpoints, vulnerabilities, and attacks growing, that model no longer holds. To reduce the business impact of incidents like SolarWinds, security teams need to go beyond identifying issues and ask: when something fails, what happens next? How will we recover?
“The word security is a problem in and of itself,” said Wolpoff. “Resiliency is that thing that you build and practice over time. And within that, I think about the recognition that I’m not going to be able to secure everything. There will be some things that are hackable, but that the systems and the institutions need to be resilient anyway.”
SAP’s CISO Richard Puckett elaborated: “It’s not just about patching, it’s also about observability. Can you see the fight? Because if you can’t monitor and see what’s going on, you certainly are not going to see what somebody is doing to it. So do you have the right kinds of observability in place? Do you have Threat Detection Operations in place?”
To help organizations position themselves to tackle the next era of defense, Richard Puckett detailed three key takeaways for security professionals:
- Find out what matters most to your organization and protect that first. “Knowing your crown jewels is about asking: do you know what’s most important? Because you can’t defend everything; not reasonably. So you’ll end up defending nothing. And I think if you can come to the conclusion about what are the most crucial things, that’s where greater observability, greater service management can be in place. And around that with the right kind of bubble to make sure it’s safer while the rest of the environment is maybe not as well protected.”
- You can’t be resilient without stress-testing your defenses. “Resiliency isn’t just about having all the mechanics. It’s also about testing and retesting to make sure you can do the exercise properly.”
- Open and honest dialogue on how to defend forward will be integral to taking on nation-state level attackers like Russia and China. “We call it the dilemma of the five worlds: public sector, private sector, military, law enforcement, and intelligence, and in our bubble, the private sector, what’s being shared between entities and then what’s being shared with law enforcement or government, and then how they’re acting on it.”
The entire panel stressed that the new wave of attacks, growing in both scale and frequency, shows that all US organizations are now contending with nation-state-level attackers. No matter how under the radar you may feel, your stack works by granting privileges to users, to third parties and to software appliances. You should implement least privilege, but you will never reach zero exposure. You will be attacked. The question now is how prepared you will be when it happens. How well will you have practiced your countermeasures? How diligently will you have acted preemptively to limit the adversary’s attack vectors? And how much damage can your systems absorb while remaining resilient and keeping adversaries away from your crown jewels?