Any well-prepared CSO has a range of defensive weapons deployed in the environment to meet the widely varied threats out there. But what happens if one of them is breached?
Don’t throw up your hands and assume all is lost, suggests Rafal Los, director of solutions research and development at Denver-based Accuvant-Fishnet Security, in a column.
“Knowing that someone can beat you and get in makes you change how you play the game,” he writes. Organizations that have taken the time to identify their critical assets can understand what adversaries are after and stack their defences around that. “This shift in defensive mentality allows your team to set the goal of frustrating the adversary, wasting their resources, and keeping them working while preventing them from achieving their mission objectives.”
Also, knowing an intrusion is inevitable forces CSOs to stop thinking of each incident as a discrete event and start thinking how an attacker will come after the enterprise, he writes. Adversaries “are persistent and will use the tactics and techniques that help them achieve their goals. Only when they are pressed will they change their modus operandi, if they can. So knowing an adversary by name and profile you can better understand what tactics they will use against you – phishing attacks, for example. By knowing that you can identify, track and remove more effectively and efficiently.”
Finally, this knowledge helps security pros determine the adequacy of security programs. “If you can successfully play against a single adversary and frustrate them you may have a sound security program,” he writes — until another adversary shows up. “Proper scaling is crucial,” he admits, “and that means processes, people, and appropriate technology.”
The bottom line: a security program that keeps attackers from achieving an objective and keeps the damage manageable is a win.
Los frames his argument in the context of an old security aphorism: If two people are running from a bear, the person ahead doesn’t have to run tremendously fast, only fast enough to stay ahead of the one who will likely be caught. Similarly, some CSOs think they only have to be one step ahead of a slower company in their cyber defence.
Not so. There’s more than one bear out there.