Sophisticated threats? It’s usually the basic ones that get you
To listen to the headlines, the threats we face today are so sophisticated and intense, they can only be evaded with the help of artificial intelligence and machine learning. Losing sleep over zero-day cyber APTs launched by nation states? You shouldn’t be.
It’s much more likely to be a common password or an off-the-shelf web app attack that puts you at the mercy of hackers. If you want to protect your business, you’re better off focusing on addressing the basics—because chances are, you’re still at risk from the same boring attack techniques that have been around for the past decade or more.
Over the last dozen years, I’ve had opportunities to see security programs from a variety of different angles—as a security consultant, seeing the security program at a different F500 company every few weeks; as the in-the-trenches CISO for Etsy, building its security team during the company’s explosive growth; and now as the co-founder and CSO of a security vendor helping defend companies in their shift to DevOps and the cloud. Time and again, the breaches come down to off-the-shelf attack techniques around phishing, social engineering, credential re-use, and web app attacks.
Why are so many companies still facing the same security challenges? For one thing, it’s hard—or at least, people assumed that it had to be, that security had to come at the expense of usability. That led to cumbersome products and processes that deterred adoption, undermining their effectiveness. It was a false narrative all along, but only recently are we seeing security solutions designed around a good user experience.
There’s also been the misconception that compliance equals security, so addressing the first meant you were covered for the second. While in some cases compliance can help with security, it is often tangential at best to security. Finally, there’s the perennial headcount problems that every CISO faces. There are open reqs on virtually every security team on the planet, making it difficult or impossible to make effective use of tools historically designed for security experts.
That’s the why. Now, the how: here’s what you need to do to get your core defenses in place.
Limit the damage of a compromised endpoint
The most important shift to make when it comes to defending your endpoints is to stop thinking that all attacks can be prevented, and to begin with the assumption that your endpoints will be successfully compromised. The priority now is to obtain visibility and limit the scope of that compromise.
There are a number of next generation endpoint security companies like Carbon Black and Red Canary that provide a great starting point, along with strong two-factor authentication from a service like Duo can severely limit the ability of attackers to laterally move around inside your network, raising the bar dramatically in the typical environment. You can also use tools like Thinkst Canaries to set traps for attackers and gain visibility into when they’re laterally moving across your network. Just as importantly, because of the strong focus on a good user experience, these sort of effective security controls don’t introduce friction to your users.
As for the endpoints themselves – make sure you’re using the full-disk encryption available on the laptops and mobile devices in your environment, such as BitLocker for Windows, FileVault for macOS, and the built-in encryption on iOS and Android. Devices will always be lost or stolen, but you can keep it from turning into a massive data theft problem.
Keep your head in the cloud
While there is often a wariness of cloud services, in many cases they can actually make an organization more secure, not less. Take email, for example. Not that long ago, even small organizations had to host their own mail servers to provide email access for their employees. This meant that the highly technical burdens of securing and maintaining this often complex bit of infrastructure fell to those who typically didn’t have the resources to do so.
Flash forward to today, however, and you have service providers, like Google and Microsoft, providing email services while handling the vast majority of the associated complex administrative tasks. Additionally, by using Platform-as-a-Service provides, like Pivotal, a company no longer has to deal with datacenter or even infrastructure-level security and system administration issues.
Get smart about your web apps
Over the past two decades, the attack surface at the web layer has dramatically expanded. Initially, organizations’ websites were typically marketing channels that, if compromised, could be defaced, but wouldn’t expose any legitimate customer data.
Compare that to today, where web applications (and the APIs that power them) are in fact the main customer-facing products for many companies. From an attack perspective, targeting a company’s web applications is often the most direct route to compromising sensitive data. For defenders, just as attackers have shifted, we too must shift to a greater emphasis on defending the web applications which are the conduits to sensitive customer data.
My advice? Don’t stay up at night worrying about the 1 percent nation-state zero-day scenario when it’s the 99 percent of common attack techniques that end up leading to the vast majority of breaches.