Why your security strategy needs to be pre-emptive [Q&A]
As cyberattacks become more sophisticated, so traditional security techniques may no longer be up to the task of protecting systems.
What's needed is an approach that can spot the routes an attacker may use and help close them down. We spoke to Todd Carroll, CISO at CybelAngel and with over 20 years previous experience in the FBI's cyber, counter intelligence, and counter terrorism branches, to discuss the need for a pre-emptive attitude to cybersecurity and how such an approach can work.
BN: Why are more passive approaches to cyber security no longer effective?
TC: The days of sitting waiting for detections from your endpoints, or from inside your cybersecurity walls are gone, this is not really the way to tackle today's threats. Being proactive whether you partner with a vendor or not, you're looking for those things can give you those early indicators that you are having issue. It also stops the easy things from coming through, because a lot of things that we we find are things that are left open or not patched, or left open out of negligence, not because it's malicious. Yes, there's a lot of malicious activity out there but negligence is where many things start and the attackers are looking for those things, those mistakes that are out there.
BN: Is this intelligence driven, are you looking at where the latest attack vectors are?
TC: In a sense it is intelligence because we are giving information that is going to help the company, see their bigger picture. They're going to be able to see the things that they hadn't be able to see, so that's going to give them intelligence that they didn't have before. It's going to give them a view on information that you can't see from the inside. Normally, you have to be taking a more holistic look from the outside which is not easy to do and almost turns into a big data solution because there's a lot information out there to grab. And how do you get that all that data that's floating around out there that's exposed right now and then zero it down to something that as a company I need to be concerned with? How do you prioritize that as something that's important? Just telling a company, "Oh, by the way, you have X amount of open ports and they have X amount of open vulnerabilities," is not enough. We have to be able to tell our clients, "These are the ones that are most critical because here are your sensitive services."
Definitely intelligence will help a company decide what is important for them, where they believe their next threats are coming from or the next attacks are. Sometimes it's just closing on the easy stuff that gets the attackers to move on. Don't make it easy for them because you have X amount of exposures going on when all you needed was visibility into those areas and very easily could shut them down before they become something major.
BN: What's the starting point for pre-emptive security?
TC: It's really taking a look at your external or your service management, but from a different point of view. A lot of vendors are looking for the internal point or endpoint detection systems. We look at everything from the outside in, mainly blindly looking at the Internet and scanning for those different assets. Whether it's an open cloud bucket or file servers or devices or domains that are floating around out there that are lookalikes that are being prepped for attacks. So I think it's firstly to scan to discover what is out there. What does it look like? What does your potential attack surface look like from the outside and you can put that together with what your tools that are looking at on the inside and have a better picture of what is going on?
It's about establishing an inventory, knowing your assets that are out there, where and how they're vulnerable or how they're actually viewed from the outside. What's Internet facing that you may not know about? Knowing what you don't know gives you a better inventory.
BN: So it's about what former US Secretary of Defense, Donald Rumsfeld once famously called, 'known unknowns'?
TC: You don't know what you don't know and in today's world everybody's throwing new assets up all the time. Whether it's a person working at home scraping information and putting it on their personal drive that a company is not going to know about, but they've left it wide open, exposing your data, or whether it's an IT device that's set up. You've got to be able to know those things are out there. So we consider assets anywhere. It can be part of your supply chain because we link and rely so much on vendors and third parties. We have to look beyond what is just our assets, because if they control our information, well, we have a we have skin in the game when it comes to that asset.
BN: Is it true that the shift to remote working means businesses have lost control a little bit over over where their data is going and what machines it's on?
TC: When we had in-house servers and we had people that generally controlled our servers, we had server farms and everybody managed them and complained about the costs. Then cloud is here and, well, that's a cheaper alternative and we're kind of piece-mealing it out. Then along comes work from home and COVID which accelerated moving to the cloud. Now we have employees setting up cloud instances without really knowing what they're doing or understanding fully. They're either oversharing or they're putting information out there that makes it very easy for attackers to start their attacks.
BN: How does this tie into the buzz phrase of the moment 'zero trust'?
TC: I know there's a lot of talk around zero trust, everybody's looking for that silver bullet that's out there, if I had this then my life would be much better or I would be able to stop these attacks or phishing attacks and/or whatever it may be. I just don't think technology is going to be able to get there, because it's just going to create some other other issue, there's always humans involved and we make mistakes.
AI and machine learning helps us if it's used in the right areas. We use it to go through the amount of data that we're able to scan, we find billions and billions of assets or documents on a daily basis. How much it will progress in the next couple of years I just don't know. I think it can be useful, but again it's not going to solve all our problems.
Photo Credit: Alexander Supertramp/Shutterstock