Why are current cybersecurity incident response efforts failing?
Business-critical applications, such as enterprise resource planning (ERP) systems provided by SAP and Oracle, are considered the crown jewels of the enterprise. These assets hold an organization’s most valuable data: from confidential financial information to private customer and partner details. Attackers that gain access to these applications can cause mass destruction, by hijacking an organization’s payroll system, shutting down its manufacturing facilities, or transferring large sums of money to their own bank accounts.
Despite the high value of these applications, they are constantly placed at risk by the discovery of critical vulnerabilities. At the same time, security teams are perpetually challenged with limited bandwidth and resources.
This article will explore why current cybersecurity incident response efforts are failing, and how a proactive, risk-based approach enables companies to reduce exposure most effectively and to maximize the return on their limited resources.
Understanding the gaps in current incident response processes
Many companies invest heavily in many layers of technology to secure their critical operations. To control every attack vector, they spend money on endpoint security tools, network defenses, authentication and identity solutions, application delivery services, and more. While these capabilities are crucial, very little budget or time is allocated to the critical applications themselves that contain the assets that matter most. Many threat groups have highlighted how cybercriminals can enter business-critical applications directly and remain undetected for months – even years – while quietly siphoning off millions of dollars.
The law of diminishing returns is highly prevalent in cybersecurity: the first layer of defense on any asset or for any attack vector reduces the risk most significantly. Now that the critical applications are being targeted directly, they must also be defended directly.
Organizations often generate incident response playbooks that outline strategies based on a type of attack (e.g., ransomware or zero-day exploitation). However, obtaining a deeper understanding of an organization’s business-critical application landscape and creating a playbook focused on the assets, systems, and processes that matter most can be far more effective at overall organizational risk reduction.
Taking a risk-based approach to incident response
A risk-based approach to incident response enables enterprises to prioritize vulnerabilities and incidents based on the level of risk they pose to an organization. The simplest way of framing risk is a calculation on frequency of occurrence and severity. Malware frequently reaches endpoints, and response and clean-up can cost thousands of dollars (both directly and in lost productivity). Furthermore – and security teams all over the world would agree on this – vulnerabilities on internet-facing systems must be prioritized and remediated first. Those systems are continuously under attack, and as the rate of occurrence starts to approach infinity, so does risk.
Similarly, there have been many threat groups that have costed enterprises millions directly, and in some cases tens of millions in lost operations and ERP system downtime. Large enterprises measure the cost of simple maintenance windows in ERP systems in tens of millions. Thus, it’s difficult to imagine the substantial calculations on a business-critical application breach. As severity increases to that order of magnitude, so does risk.
Like internet-facing systems with the highest rate of occurrence, business-critical applications hold the highest level of severity of impact. A risk-based approach can also help IT teams properly allocate their efforts and budgets and drive the maximal risk reduction on a per dollar or per hour basis.
Incorporating modern vulnerability management tools
With modern vulnerability management tools, security teams can gain full visibility into all assets across the IT environment, including those hosted on-premises, the cloud, or both. This enables them to make an inventory of all assets within their system, identify any hidden or previously known vulnerabilities, and keep a record of all of them.
These tools can also provide security teams with automated assessments of each threat, their business impact, and their associated risk, and subsequently share thorough descriptions and solutions for each. Vulnerability management capabilities that capture a complete view of an enterprise’s threat environment can help security teams understand their attack surface and save significant time, money, and resources that would have otherwise been spent focusing on lower priority items.
While this sounds ideal and drives directly to the goal of a risk-based incident response process, the simple truth is that there is a critical gap. Conventional tools such as firewalls and vulnerability scanners are necessary, but while they may cover system-level concerns in business-critical applications, they simply do not support the application itself. The underlying operating system vulnerability may be detected, but not the SAP custom code issue, or the E-Business Suite (EBS) application layer flaw.
Defending the enterprise crown jewels
Threat actors have the knowledge and capabilities today to directly target enterprises’ mission-critical applications and conduct highly sophisticated attacks. Only those organizations that are well-prepared will be able to protect their crown jewels and prevent the long-lasting implications of an attack against these systems.
Security officers and incident response teams need to prepare themselves to bring the same standards and the same security operations maturity that exist elsewhere in the IT environment into the formerly sacrosanct domain of the business-critical applications themselves. The attackers are already doing it; it’s time the defenders do, too.