The recent explosion of cloud computing services, mobile devices and other new technologies has upended existing security paradigms.
Gone are the days of setting and forgetting the latest tools. New, sophisticated technologies and techniques have enabled our adversaries — be they advanced and persistent or simply malicious and determined — to pick the locks we had stacked around our perimeter.
In response, technology companies and innovators are building new capabilities. Yet attackers continue to find ways into enterprise environments. The sheer number of successful breaches of large, well-resourced companies and government organizations speaks for itself.
Without an effective strategy, a robust plan and the right people to execute it, security teams and the companies they seek to protect will continue to lose.
Meanwhile, the business risk of breaches continues to rise. According to Forbes, the current cost of cyber crime has reached upwards of $500 million — an amount that has quadrupled from 2013 to 2015, and is set to do so again by 2019.
These costs are closely tied to the increasing time between breach and discovery.
The exact length varies, but several recent studies place it between 150–200 days. Many breaches actually go undetected for years. This reality is often difficult to digest, but understanding and accepting it enables security teams to build a strategy to better protect businesses and fight back.
Today’s security programs cannot guarantee that a network won’t be compromised. Instead, the challenge is to understand the threat and implement controls and capabilities that protect data and effectively manage risk.
The concept of “business risk proposition” is well known to business leaders worldwide, and it accurately represents the challenge for today’s security leaders, who can no longer consider security an IT problem.
A New Approach
To address these new realities, Rackspace Managed Security has built a security operation that takes the most effective elements of a traditional security strategy, focusing on three key areas that make it uniquely effective in today’s threat landscape:
- We prioritize your data and understand its value to the business.
The defensive strategies of yesterday focused on the perimeter. Today, we are laser-focused on the data. Rackspace takes an increasingly dynamic and contextualized approach to security, rooted in deep understanding of the data we are protecting and its impact on your business.
Understanding data and its associated business functions points us to the users, systems and data streams that normally interact with it. With a clear, well-informed picture of “normal,” we can tune our tooling, direct our threat intelligence and enable our cyber hunters to actively search for that which is anomalous.
- We’ve abandoned the traditional reactive posture triggered by alerts.
Today we begin with the assumption that an attacker has gained access to the network, and our security operations team proactively hunts it down. When we accept that traditional perimeter tooling is unlikely to be effective against an advanced attacker, we must also accept that adversaries may be active on our networks. This isn’t an indication of failure; it merely defines the battleground on which we will detect and defeat the enemy.
Fortunately for us, that battle will be fought on home territory. Cyber hunting missions are designed to identify artifacts and activity which, in isolation, appear benign, but may be indicative of an attacker’s presence on the network. Using intelligence to break down an attacker’s TTPs (tactics, techniques and procedures), we are able to determine exactly what to look for at a granular level. Highly skilled and experienced cyber analysts can then systematically patrol the environment for any evidence that an attacker has been active, which dramatically reduces time-to-detection.
- We take immediate action to protect data and minimize business impact.
Too many security operations still practice a monitor-detect strategy, which is reactive in nature. This over-reliance on technology to provide an alert, and the graduated response that follows it, have exacerbated that crippling time-to-detect length of 150–200 days. When detection finally occurs, it’s too far down the kill chain, and the resulting impact to the business is often devastating.
Rackspace Managed Security uses a catalog of preapproved actions that allows for an immediate response. Understanding our environment, knowing our priorities and having a clear appreciation of the weapons in our arsenal are all advantages the attacker does not have. We use these advantages ahead of time to plan, validate and approve the actions we must take to be effective when we identify malicious activity. Starved of time, attackers are much less likely to identify the data they seek or achieve a persistent presence in the environment.
Winning on the New Battleground
Delivering a robust and effective security operation in today’s threat landscape is no trivial task, and a shift in thinking is a critical first step. Security practitioners must become security leaders — not only capable of building a complex security operation and leading the daily fight against attackers, but also of guiding their business units and boardrooms through an increasingly complex decision-making process — if they are to be effective at managing business risk.
Detecting and responding effectively to today’s attackers means putting the data you are protecting at the heart of the security operation, adopting a proactive approach to detecting anomalous activity on the network and honing the ability to respond swiftly and effectively to malicious activity when it is detected.
Dangerous and sophisticated attacks are a daily challenge for security teams everywhere. An effective security strategy must deploy highly skilled analysts to actively patrol the network, guided by a thorough understanding of the data they protect and its priority to the business. They must also be agile enough to respond appropriately and immediately. Such an operation will make our adversaries’ work more complex, more expensive and more likely to fail.
This is the new normal.