There's a jarring imbalance in the world of cybersecurity, where the threats are rapidly innovating, while the defensive capabilities of many organizations lag behind. Familiar threats such as ransomware have evolved to become stealthier and more evasive, and attackers have been quick to exploit changes in work environments, leaving defenders scrambling to plug newfound security holes.
To arm organizations with the information needed to defend against today's threats, Gartner® recently published How to Respond to the 2022 Cyberthreat Landscape. The report offers guidance for security leaders whose role is to not only effectively support the security teams who work underneath them, but to accurately communicate the risk level to the executive leadership. The report offers specific advice for three categories of threats:
Top threats. Gartner defines top threats as "Threats that organizations are highly aware of and that remain relevant year after year as a result of underlying changes." Top threats include ransomware, phishing, and account abuse.
High-momentum threats. Gartner defines high-momentum threats as "Threats that are growing, but for which awareness is not yet on par with that associated with top threats." High momentum threats include API abuse, supply chain exploits, and cyber-physical systems.
Emerging threats. Defined as "threats that are rarer and less visible, but significant enough for security and risk management leaders to pay attention to," emerging threats include the exploitation of changing work environments and exploit gaps that arise during transitions, including the adoption of cloud services.
While How to Respond to the 2022 Threat Landscape outlines specific threats and provides recommendations for CISOs, the report also addresses the role that business processes are playing in the current cybersecurity landscape.
And that, in our opinion, is where things get really interesting.
ExtraHop Take: Security is a Business Decision
Just days before the publication of How to Respond to the 2022 Threat Landscape, Gartner Distinguished VP Analyst Paul Proctor published a blog, Cybersecurity as a Business Decision: A Manifesto. We at ExtraHop believe the two publications, taken together, clearly, succinctly, and compellingly explain why organizations invest billions of dollars each year in cybersecurity and yet continue to be breached at record rates.
Problem #1: The Adaptation Failure
For modern organizations to effectively incorporate cybersecurity into the business decision-making process, they need to effectively understand and manage change both within their own organization and across the threat landscape itself.
Unfortunately, this has proven easier said than done. How to Respond to the 2022 Threat Landscape notes that the often exponential gains in attack technique sophistication, saying "this leads to "attack fatigue," which creates difficulties in terms of obtaining funding for new initiatives for incremental improvements against these threat vectors."
The report goes on to say, "when it comes to top threats, CISOs and their teams often fail to communicate effectively with IT and business executives, and sometimes with their own security teams. They may encounter strong resistance when defending an initiative related to a threat vector that has been known for years, and face comments such as 'we have already invested a ton of money in ransomware prevention!'"
In ExtraHop's experience, this attitude and approach has two critical faults. First, it fails to account for changes within the business itself. These changes include everything from the transition to "work from anywhere" to large scale cloud migration to increased adoption of enterprise IoT. When more people are accessing more systems remotely, when workloads run on external infrastructure, when large numbers of unmanaged (and unmanageable) devices come online, the attack surface changes. Security policies (and the technologies that support and enable them) must change.
Second, this attitude and approach also fail to account for changes in attacker motivations and innovation. Since the beginning of 2022, we've already seen major shifts in this arena. Russia's war on Ukraine has elevated the threat of nation-state attacks on critical infrastructure and governments and private organizations that sanctioned Russia over its actions. At the same time, we've seen new attack techniques, such as the use of compromised multi-factor authentication (MFA) software as the point of intrusion.
Go back to 2021, and the list of new and novel tactics expands. The Kaseya ransomware attack showcased how ransom gangs have moved beyond double-extortion to the full Cyber Hat Trick—exfiltrate, encrypt, exploit—in order to amplify the blast radius beyond a single organization out to their customers. At the same time, the number of zero days more than doubled, blowing away all previous records.
It is understandable that organizations find themselves paralyzed by the rate of change. That's all the more reason why technological change isn't enough. It's time to change the mindset.
Problem #2: The Era of Magical Thinking
While attack surfaces and attack techniques are evolving faster than ever, what isn't changing is how organizations think about cybersecurity. In his "Manifesto" blog, Proctor underscores how this goes beyond the "but we already have a ransomware tool!" problem.
"Boards have no idea what to ask for. They treat security like magic and security people like wizards. You know, give the wizards some money, who cast some spells, and the organization is protected. If something goes wrong… I guess we need some new wizards. This has led to some very bad investment decisions."
While Proctor cites numerous examples of how organizational thinking on cybersecurity is broken, his argument, in this author's opinion, comes down to three things.
First organizations—boards, corporate leadership, and sometimes security teams themselves—are asking the wrong questions. The example Proctor cites is a company that had a policy requiring all systems to be patched within 48 hours. But company leadership didn't ask how long it actually took for systems to be patched. And as it turned out, the compromised system had gone unpatched for 77 days. The difference between asking "what is our policy?" and "how is that policy being applied in practice?" is vast.
Second, organizations plan for resilience, but they don't test it. Proctor writes:
"You know when most organizations test their recovery capabilities? After a ransomware attack. And that is the single biggest factor in whether a ransomware incident takes a couple of hours to clean up or devastates the organization."
Security people know that sooner or later, an attack will be successful. There's a reason that the biggest cliché in cybersecurity is "it's not a matter of if, it's a matter of when." It's time for business leaders to accept this reality, and start planning for what will happen when, not if. How quickly can you determine which systems were affected? How quickly can you restore your systems from backup? How do you know if the backups themselves were compromised? Those aren't security questions. Those are business questions.
Third, and, in this author's opinion, most importantly, organizations have to stop laboring under the delusion that perfect security is achievable, and start making security decisions based on the business outcome they are trying to achieve. In other words, you can't have so little protection that you're constantly locked down by ransomware. But knowing that ransomware and other attacks are going to happen, you also can't put in such tight controls that your people can't function: Devs are gonna dev, folks. People are going to work—and access critical systems—remotely. IoT is going to happen.
Changing the Mindset
Paul Proctor states in his blog post that "Cybersecurity investment is broken because we invest in tools and capabilities, not outcomes." But in ExtraHop's estimation, that doesn't mean that the tools and capabilities aren't important. Instead, it's how organizations approach evaluating and implementing them that matters.
This leads back to what we believe the authors of How to Respond to the 2022 Threat Landscape are stating: Organizations have to stop assuming that the tools and capabilities they implemented five years ago to prevent attacks will be effective in preventing them today.
If the goal is to prevent all cybersecurity incidents, organizations are doomed to fail. If the goal is to improve response time, mitigate downtown, and limit the blast radius of an attack, that is achievable. It can also be calibrated to the unique needs and risk tolerance of each organization. And with that goal in mind, organizations can start to back into the tools and capabilities they need to effectively support that outcome.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Source: Cybersecurity as a Business Decision: A Manifesto By Paul Proctor | March 27, 2022