By Mark Hughes, president of Security, DXC Technology
When you think of cybercrime, you probably picture menaces lurking outside a company – identity thieves, ransomware attackers, or other hackers. But what I’m hearing time and again from our customers is that some of their toughest security challenges originate within their own IT estates.
Every situation is different, but the enemy within is often internal IT complexity. This can create major security issues.
Complex IT estates
Today, most organizations have extremely complex IT environments, whether it’s due to legacy applications, acquisitions, or multi-layered organizational structures. That complexity allows for many points of entry, and once attackers have gained a foothold, they can navigate around until they find a way to steal data, install malicious software, or encrypt files for ransom.
One of the biggest cybersecurity threats isn't a security issue at all, but an operational one: how IT estates are run. Securing them takes a comprehensive understanding of the many components of the IT infrastructure, how they are connected, and who needs to access them.
Aside from presenting more points of entry, this complexity makes it hard for companies to understand, monitor and implement security tooling across the entire estate. Without this comprehensive coverage, as the adage goes, companies have to be lucky all the time, and the threat actor only has to be lucky once.
Often companies come to us because they failed to detect a threat, or couldn’t respond quickly enough despite having security policies and tools in place.
We hear many tales from the trenches. For example, one customer had very good, comprehensive tools that automatically alerted the security team when certain incidents or conditions occurred. Unfortunately, threat actors worked out how to get around that security by infiltrating a part of the organization that had been neglected from a security monitoring standpoint and was left exposed.
Not just a security issue
Interconnectedness without holistic management often leads to issues with access and permissions. In one ransomware case, an attacker exfiltrated data from an application with sensitive financial and customer information by exploiting a dormant privileged account. The authorized user had moved to another part of the organization, but the account hadn’t been deprovisioned.
Focus and prioritize
Securing today's IT estates requires an enormous amount of discipline and attention to detail to stay ahead of the threat actors. It can seem overwhelming, but there are ways to make it more manageable.
One key is to prioritize: Identify the applications that deliver the most mission-critical services and contain sensitive data, then ensure they are in hardened environments with sufficient protective tooling. The obvious ones to start with are email, anything internet-facing, and anything involving directory services such as Microsoft’s Active Directory, which manages permissions and access to network resources.
Another key is proper governance – assigning responsibilities and ensuring knowledge transfer about how systems are configured and secured. Too often, we hear companies say, “The person who used to do that is gone and we just left it as it was,” or “We don’t really know how this works because it’s in another part of the organization.”
When choosing security tools, companies also tend to spend too much time debating what technology to use when they should be focusing on business risk — and having a future view of what technologies and best practices might eventually serve the enterprise.
Other obstacles: The unknown, time and new technologies
There are several other key themes we hear from customers as they endeavor to stay on top of security challenges:
- Implications of new technologies: Cases such as SolarWinds and, more recently, Log4j show how attackers can exploit highly useful tools used pervasively throughout the industry. That's why it's important to carefully assess the security implications and vulnerabilities of any new technology before implementing it.
- Time pressures: Most companies face slow-burn business risks, such as new competition in the market, that can be addressed in a thoughtful, unrushed manner. With cyber risk, however, the security posture can go from very good to awful from one minute to the next. A comprehensive IT view and holistic security approach give companies a commodity in desperately short supply during a breach: time to respond before an attack is launched or critical data is accessed.
- AI and machine learning can help with unknown threats: No matter how much you know about existing cyber threats, there will always be a new type of threat or threat actor about to emerge. You can’t find what you don’t know to look for, but with new tools that harness AI and behavior analysis, you can search for abnormal patterns. One example of this is what we call the impossible logon, where an employee might log in and resolve to an IP address in their home area of New York, then 5 minutes later show up with an IP address in Hong Kong.
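As an added example (not code from DXC or the author), here is one way the impossible-logon check described above can be implemented over a user's successive logons. It assumes each logon's IP address has already been geolocated to a latitude/longitude, and that anything faster than roughly 900 km/h (an airliner) is not plausible travel; both the threshold and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed threshold: faster than a commercial airliner is not plausible travel.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass
class Logon:
    user: str
    when: datetime
    ip: str
    lat: float  # geolocation assumed to be resolved from the IP beforehand
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on the Earth."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_logons(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logons per user whose implied travel speed is impossible."""
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda ev: (ev.user, ev.when)):
        prev = last_seen.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # Clamp the gap so two logons with the same timestamp from
            # different places still produce a (huge) speed and get flagged.
            hours = max((e.when - prev.when).total_seconds() / 3600.0, 1e-6)
            speed = km / hours
            if speed > max_kmh:
                alerts.append((e.user, prev.ip, e.ip, round(km), round(speed)))
        last_seen[e.user] = e
    return alerts


# Constructed sample: alice jumps New York -> Hong Kong in 5 minutes,
# bob moves New York -> Newark in an hour (plausible). IPs are placeholders.
SAMPLE_EVENTS = [
    Logon("alice", datetime(2024, 1, 8, 9, 0), "203.0.113.10", 40.7128, -74.0060),
    Logon("alice", datetime(2024, 1, 8, 9, 5), "198.51.100.7", 22.3193, 114.1694),
    Logon("bob", datetime(2024, 1, 8, 9, 0), "203.0.113.11", 40.7128, -74.0060),
    Logon("bob", datetime(2024, 1, 8, 10, 0), "203.0.113.12", 40.7357, -74.1724),
]

if __name__ == "__main__":
    for alert in impossible_logons(SAMPLE_EVENTS):
        print("impossible logon:", alert)
```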
Embed security into everything you do
In addition to knowing your IT environment, security needs to be baked into every part of that environment. It should be embedded in every aspect of the enterprise technology stack, from software development to data center, network and cloud infrastructure configuration, to workplace environments and analytics programs.
Companies shouldn’t spend valuable time figuring out how to put in security tooling after deploying some new technology; they should implement the security component simultaneously, and, if available, use native security protections for that system or environment.
That is what security is really about: enabling you to see what's going on across the company, identify anything that looks abnormal, and react effectively. The rest of it is just running tools.