Working in cyber security is an exciting if humbling experience. It is a discipline where you can never have enough details, best practices, and lessons learned by examining mistakes made by others. Learning from peers has always been paramount. Recently I was fortunate enough to facilitate a fireside chat with Arkadiy Goykhberg, CISO of news media and business services giant DMGT.
The challenge: Enterprise Drift due to Ongoing Threats
Per Arkadiy, most enterprises look at mitigating risk through either a compliance lens or a threat-informed defense lens. Several attacks on other newspaper publications made him feel the latter applies more to DMGT. The threat to the enterprise revolves around two things, he says – threat actors and enterprise configuration drift.
Security posture changes daily as threat actors, whether financially motivated or nation-state actors, evolve their tactics, techniques, and procedures (TTPs). Just as water finds its way into every available opening and crack, so do attackers. Enterprise drift occurs as the unintended consequence of daily configuration changes in the enterprise environment. These range from changes in routing configuration, firewall rules, group policies, proxy settings for URL whitelisting or SSL inspection, and email domain whitelisting to certificates expiring and key processes dying due to software defects. Such changes can potentially weaken the enterprise's cyber-resilience posture, and security coverage gaps appear and expand over time.
Incorporating a software development methodology to cybersecurity
A big believer in applying software development methodologies to managing complex architectures and cybersecurity, Arkadiy felt that running continuous, automated regression testing was the best way to ensure that the efficacy of security controls is maintained over time.
Drawing a baseline for a fact-based cybersecurity discussion
The objective in looking at continuous security validation solutions was to get a clear baseline of DMGT's security posture, to facilitate a fact-based risk management and cybersecurity investment strategy with executive management, and to optimize security technology and operational processes with his staff. Having a small team and limited time, Arkadiy looked at several solutions and chose Cymulate.
Experience with Cymulate
Deployment: The Cymulate solution was easy to deploy and quickly showed value in the form of baseline regression test results and executive reports.
Business impact: Arkadiy quickly understood his cybersecurity baseline, gained visibility, and found gaps and misconfigurations in his security controls and processes. He could clearly measure and explain coverage against TTPs, map it to threat scenarios previously discussed with executive management, and develop a plan to improve control coverage and efficacy. After implementing the proposed plan, cyber resilience improvement could be measured, demonstrating return on investment. Operationalizing this process enables optimizing risk reduction for every dollar and hour spent on improving cybersecurity architecture, making it easy to develop justifications for additional budget, if necessary.
Continuous security: Cymulate updates the solution 24/7 to incorporate new indicators of compromise (IoCs) and new tactics, techniques, and procedures (TTPs). Cymulate-developed tests are current and relevant, and provide actionable recommendations for improvement, enabling security teams to invest their time in analyzing results rather than spending limited time on researching, developing, and validating testing scenarios.
Everyone wins: Arkadiy also noticed Cymulate was valuable for many stakeholders in his company. Technology teams used it at a more granular level to understand why tests failed and what needed to be remediated, while Arkadiy used it at a higher level to understand current trends and changes to the baseline, and to explain the gaps and resulting risks to company executives.
“Because of Cymulate we are improving, you can easily establish a baseline and measure progress over time. I’m informed on my current state, where I have gaps, where I have overlaps in defenses, where we need to make additional investments, and where I recoup costs due to overlap.”
The full fireside chat video can be viewed here.