5 Ways to Make 2022 More Secure
Introduction
2021 was a year of prolific ransomware attacks that crippled the operations of many organizations. From the Colonial Pipeline attack that led to fuel shortages across the East Coast to the Kaseya supply chain attack, which caused a tremendous downstream impact on Kaseya's clients, the proliferation of ransomware sent waves of fear across the industry.
I spent a good chunk of 2021 talking to business and security leaders about cyber resilience and how they can prepare for a potential ransomware attack. Sadly, my message was not what many leaders wanted to hear. There is no silver bullet solution to cybercrime. Instead, as an industry, leaders need to move away from relying too heavily on compliance and tool-driven security programs toward a more pragmatic approach to security resiliency.
In this blog, I reflect on 2021 and provide actionable recommendations on making your enterprise more resilient.
Five Security Considerations for 2022
If you are a techie at heart and cannot resist a technical discussion, be warned: you will be disappointed, and deliberately so. In this article, I do not offer any technical solutions or discuss the latest and greatest technology to stop advanced threats, even if such a thing were possible in the first place. As a security leader, you are probably well-versed in this space. Instead, my focus is on five key concepts that I want you to reflect on, and to honestly answer how well your organization implements them.
Shift Focus to Cyber Resilience
Over the last several years, many leaders asked me why their organization experienced significant cyber events despite heavy investments in cybersecurity. Unfortunately, there is no straightforward answer to this question. However, while leading investigations, I observed several recurring patterns, including compliance-driven security programs that focus on the latest and greatest tools while neglecting fundamental security hygiene, proper asset management, or adequate access control.
Based on countless breach investigations, I believe that you can no longer assume that your organization is immune to cyberattacks because it invested in state-of-the-art security technology. Instead, shift your focus toward cyber resilience. You must give equal weight to protection, detection, response, and recovery if you want to avoid being in the news in 2022.
Consider a Threat-Centric Approach
In the age of prolific cybercrime and attacks that cripple business operations, organizations need a more pragmatic approach to security. Defenders should build and evaluate security from the perspective of a threat actor. I firmly believe that to protect your organization against cyber threats, you must understand those threats in the first place.
Many reputable vendors, public sector organizations, and industry-focused intelligence sharing groups make high-quality threat intelligence available for other organizations to consume. Yet I still see organizations that deploy a SIEM with out-of-the-box correlation rules and inadequate logging standards, believing they can detect threats. Understanding how threat actors operate and execute their tactics, techniques, and procedures (TTPs) at each phase of the attack lifecycle is essential to prioritizing your resources toward the weaknesses and vulnerabilities that threat actors are most likely to exploit.
Validate Security Controls
In software engineering, before you deploy new software in your production environment, component and system testing are performed to ensure the software works as required. However, I hardly ever see the same level of rigor applied to validating security controls. Given how critical this requirement is to protecting your organization against cyber threats, I find the deploy-and-forget approach incomprehensible.
As part of your threat management strategy, consider conducting focused red teaming exercises to validate your controls and determine how well your tools detect the attack techniques they are meant to catch. Moreover, red teaming exposes your analysts to realistic attack scenarios, so they do not have to learn on the job while your organization responds to an actual incident.
Build Alliances Across the Organization
As security professionals, we often act as good cops, politely pointing out to IT their omissions and preaching what they should do to make systems and applications more secure. The truth is that security is not as easy as a CISSP study guide describes. IT and Security's priorities commonly do not align: IT primarily focuses on, and is measured on, functionality and availability. This misalignment can put IT and security at cross purposes in ways that lead to passive-aggressive behaviors, internal resistance, and ultimately, mistrust.
Instead, we need to enable cross-training, encourage collaboration, and engage in transparent and blame-free communication. Our role as security leaders is to create a culture of trust where security and IT perceive each other as mutually beneficial and willingly work together toward the same mission.
Secure Privileged Identities
I have led investigations into large-scale breaches over several years and cannot recall a single case where the threat actor did not compromise a privileged identity. Credential harvesting and privilege escalation are critical steps in the attack lifecycle. Threat actors cannot exfiltrate data and deploy malware without privileged credentials.
If you have the budget, I recommend investing in privileged access management to vault and rotate privileged credentials. However, even with limited resources, you can still implement measures, such as enforcing the principle of least privilege, separating system administrator accounts into administrative tiers, and monitoring privileged access for anomalies.
Conclusion
In this short blog, I discussed five strategies to help you secure your organization more effectively in 2022. This list is not exhaustive, and I did not intend for it to be a silver bullet for all security headaches. However, implementing the strategies I described above will help you keep your organization out of the news. For me, security is about what it was always supposed to be: protecting systems and data from cyber threats. I wish you all a secure 2022!