Paul Anderson, Regional Director UK & Ireland, Fortinet, suggests ways companies can adopt a more proactive approach when it comes to cybersecurity.
If yours is like most companies, over the years it has loaded its cybersecurity closet with a hodgepodge of perimeter defences. You do your best to keep your antivirus and anti-malware systems updated, patch and update your systems regularly, and try to stay on top of active threats. You’ve also probably added some rudimentary tools to try and spot rogue insiders and added various filters and password protections to prevent your employees from clicking on things they shouldn’t. And if something nasty does get through, you have a plan in place to deal with it.
When addressing threats that are already on the blacklist, these reactive security strategies can be enough. But for expanding threat vectors, emerging attack strategies, sophisticated cybercriminal communities, previously unseen malware and zero-day vulnerabilities, reliance on reactive security alone can leave you exposed.
You know it’s time to adopt a proactive approach when:
1. You are constantly cleaning up cybersecurity messes: We’re long past the age where being hit with a cyberattack was a rare occurrence. Nearly half of all organisations experienced a cyberattack last year. Additionally, according to FortiGuard Labs researchers, unique malware variants grew 43% in Q3 of 2018 alone, while the number of unique daily malware detections per firm rose by 62%. Even worse, the average time to identify a breach is 197 days and the average time required to contain a breach after detection is still a whopping 69 days. As a result, 73% of organisations admit that they are unprepared to face a cyberattack.
An increasing number of organisations find themselves in a constant cycle of clean-up and damage control, a strategy that drains time, money and resources. The more sensible approach is to adopt a more proactive, zero-trust strategy that starts with an assumption of compromise. If you knew that your network had already been breached, what would you do differently compared to what you’re doing now? What resources would you isolate? What control measures would you put in place? Those are the things you should be doing now.
2. You regularly find yourself one step behind cybercriminals: Cybercriminals know how reactive cybersecurity tools work – and how to circumvent them by using malicious code that constantly changes in order to evade antivirus (AV) detection. By blending malware with seemingly innocuous code, it is possible to bypass an AV solution’s detection methodology.
Malware-for-hire is readily available to multitudes of relatively unsophisticated end-users over the dark web. The actual producers of those scripts tend to be much more professional. When a business gets an update from its AV provider informing it of the latest batch of identified malware variants, the authors of that malware have probably signed up for the very same update and are therefore prepared to launch a ‘new and improved’ version designed to evade detection. With purely reactive security measures in place, organisations constantly find themselves one step behind the criminals.
3. Insiders are well placed to bypass reactive security measures: Nearly half of data breaches come from within an organisation rather than from an outside source. Of these, nearly half are intentional, while the rest are accidental. While most organisations have some protective measures in place to tackle insider threats – such as file fingerprinting and usage monitoring – they probably don’t contemplate how to tackle privileged users. These are the people who know precisely what reactive measures an organisation has in place. They know how to cover their actions without triggering a reaction. And they also know where the most valuable data resides. When one of these actors becomes rogue, it can be impossible to respond effectively when your security defence system is built around a reactive model.
4. You’re unsure about whether you’re compliant: With GDPR firmly in place in the EU and similar legislation on the horizon in other parts of the world, CISOs have to work within a completely new data protection framework where a data privacy breach resulting from a security compromise may lead to severe fines, depending on the account they are able to provide to the investigating regulator. Were the reactionary security solutions they had in place reasonable and adequate? Did the CISO regularly stress-test the security infrastructure? Compliance isn’t a one-off exercise – it demands investing sufficient resources to meet an increasingly complex threat landscape. Sticking to a reaction-oriented security framework that only responds after an update or event occurs is not an adequate strategy.
5. You’re unable to identify and mitigate threats before they harm you: Research conducted by The Economist Intelligence Unit shows that organisations that have a proactive security strategy in place tend to reduce the growth of cyberattacks and breaches by 53%. In practice, proactivity involves identifying and mitigating any hazardous conditions that can give rise to all manner of threats. For example, a malicious insider has numerous extraction options open which will enable them to steal valuable data. Purely reactive security measures might pick up on a one-off illegal action – but chances are that the insider will be able to bypass them. A proactive approach involves identifying the tell-tale signs that something’s afoot: has this individual’s behaviour recently strayed from the norm? Have they been moving files to new servers? Are they logging into resources they normally don’t access? Is data moving in unexpected ways?
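The behavioural questions above (new servers, resources a user does not normally touch, data moving in unexpected volumes) can be turned into a simple baseline-deviation check. The following is an added illustration, not Fortinet's code or any product's logic; the access records are constructed sample data and the field layout (user, resource, bytes) is an assumption.

```python
from collections import defaultdict

# Constructed sample access records: (user, resource or server, bytes moved).
# BASELINE is the period used to learn what each user normally does.
BASELINE = [
    ("alice", "hr-share", 1200), ("alice", "hr-share", 900),
    ("alice", "payroll-db", 3000), ("bob", "eng-git", 5000),
    ("bob", "eng-git", 4200), ("bob", "build-srv", 7000),
]
# WINDOW is the later period being evaluated against that baseline.
WINDOW = [
    ("alice", "hr-share", 1100),
    ("alice", "eng-git", 200),       # a resource alice has never used
    ("bob", "eng-git", 4800),
    ("bob", "build-srv", 250000),    # far above bob's normal transfer size
    ("bob", "backup-srv", 90000),    # new server and an unusually large move
]

def build_baseline(events):
    """Per-user set of normally used resources and mean bytes per access."""
    resources = defaultdict(set)
    totals, counts = defaultdict(int), defaultdict(int)
    for user, resource, nbytes in events:
        resources[user].add(resource)
        totals[user] += nbytes
        counts[user] += 1
    mean = {u: totals[u] / counts[u] for u in counts}
    return resources, mean

def find_deviations(baseline_events, window_events, volume_factor=10):
    """Return (user, resource, reason) for each access that strays from the norm.

    Two signals are checked: access to a resource the user never used during
    the baseline, and a single transfer more than volume_factor times the
    user's mean. Both are cues for investigation, not proof of wrongdoing.
    """
    resources, mean = build_baseline(baseline_events)
    findings = []
    for user, resource, nbytes in window_events:
        if user not in resources:
            findings.append((user, resource, "unknown user"))
            continue
        if resource not in resources[user]:
            findings.append((user, resource, "new resource"))
        if nbytes > volume_factor * mean[user]:
            findings.append((user, resource, "volume spike"))
    return findings
```

Feeding real access logs in place of the constructed lists and tuning `volume_factor` per environment is what turns this into a usable first-pass detector.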
Purely reactive security strategies rely almost entirely on being able to shore up your defences before cybercriminals can target and exploit a new vulnerability, or on responding to an alarm that indicates that your network has been breached. Of course, NGFWs, antivirus, spam filters, multi-factor authentication and a comprehensive breach response plan all have an important job to do. But these technical solutions will only take you so far.
Organisations need to be able to anticipate attacks by implementing zero-trust strategies, leveraging real-time threat intelligence, deploying behavioural analytics tools and implementing a cohesive security fabric that can gather and share threat intelligence, perform logistical and behavioural analysis, and tie information back into a unified system that can pre-empt criminal intent and disrupt criminal behaviour before it can gain a foothold. This approach allows for greater control over the network, thereby limiting exposure if there is a breach.