Enterprises involved in the global supply chain, even tangentially, have become highly susceptible to cyberattacks. This is because infiltrating a third-party software provider gives bad actors an avenue to target and access thousands of downstream customers. One of the biggest recent supply chain attacks was on IT management software provider SolarWinds, which saw hackers insert a backdoor into the company’s software to gain access to dozens of organizations, including some in the U.S. government.
The incident served as a reminder to all organizations that they need to put in place strict cybersecurity measures to protect themselves and their customers, especially as these types of attacks are expected to peak in 2022.
The only way to protect companies and their customers is by fully operationalizing security. This includes the enlistment, orchestration, and continual adaptation of people, processes, and technology required to mitigate threats and reduce risk.
Going Beyond Detection and Response
To fully operationalize security, software companies must partner with a security provider that goes beyond detection and response, actively reducing the attack surface and improving overall security maturity.
Hardening (culling the pathways, or vectors, that attackers would use) is one preventive approach to reducing security risk by shrinking the attack surface. An example of boosting security maturity is checking whether a credential compromise has occurred in the environment.
A root cause analysis (RCA) can then help determine whether the breach was due to credential sharing, or attributable to other factors such as MFA not being enabled. The cause determined from the RCA can then be used to develop prevention measures.
Securing a Company’s Critical Assets
When seeking out an MDR service provider, a company must ensure that the provider possesses a robust assessment process to build a repository of its high-value assets, and that of its customers, tailoring protection around that.
This is crucial for a company’s business operations because it provides an extra level of protection that is ongoing, rather than static (something that happens only once, at the start of the partnership between the organization and the MDR service provider).
Using Machine Learning Combined with Human Analysis
Another aspect of fully operationalizing security to protect a company’s and its customers’ critical assets is using machine learning (ML) models in combination with human know-how. ML models in cybersecurity allow data to be assessed at machine scale.
ML models ingest large amounts of data and review it at a speed beyond human capability (e.g., ML can examine a large volume of user logins and detect anomalies within an organization) before the results go to a human analyst, who reviews them and weeds out false positives.
The human can then better contextualize the data within the organization’s environment. For example, ML might detect that a mailbox redirect rule has been created in email, which on its own could be legitimate. But if the human analyst sees there were also five failed login attempts for the same user within an hour, the analyst can determine whether the activity is suspicious.
This essential combination of ML and human expertise not only assesses threats, but speeds up effective mitigation of attacks.
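The correlation described above, as an added example that is not part of the original article or any MDR provider’s tooling: a first pass flags every mailbox forwarding rule as a candidate (the kind of anomaly an ML model might surface), and a second pass enriches each candidate with the number of failed logins for the same user in the preceding hour, the context an analyst would look for before escalating. The event format, user names and the `MailboxForwardingRuleCreated` / `FailedLogin` event names are constructed for this example, not taken from any real product’s audit log.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs): "<ISO timestamp> <user> <event type>".
SAMPLE_EVENTS = [
    "2022-03-01T08:02:11Z alice@example.com FailedLogin",
    "2022-03-01T08:05:40Z alice@example.com FailedLogin",
    "2022-03-01T08:09:03Z alice@example.com FailedLogin",
    "2022-03-01T08:14:27Z alice@example.com FailedLogin",
    "2022-03-01T08:20:55Z alice@example.com FailedLogin",
    "2022-03-01T08:31:09Z alice@example.com SuccessfulLogin",
    "2022-03-01T08:33:42Z alice@example.com MailboxForwardingRuleCreated",
    "2022-03-01T09:10:00Z bob@example.com MailboxForwardingRuleCreated",
    "2022-03-01T09:15:00Z bob@example.com FailedLogin",
    "2022-03-01T11:00:00Z carol@example.com FailedLogin",
    "2022-03-01T11:01:00Z carol@example.com FailedLogin",
    "2022-03-01T11:02:00Z carol@example.com FailedLogin",
    "2022-03-01T11:03:00Z carol@example.com FailedLogin",
    "2022-03-01T11:04:00Z carol@example.com FailedLogin",
    "2022-03-01T11:05:00Z carol@example.com FailedLogin",
]

FAILED_LOGIN_THRESHOLD = 5   # the "five failed logins" from the article
LOOKBACK = timedelta(hours=1)  # the "within an hour" from the article


def parse_event(line):
    """Split one constructed log line into (timestamp, user, event type)."""
    ts, user, kind = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, kind


def forwarding_rule_candidates(events):
    """First pass: every forwarding-rule creation is an anomaly candidate on its own."""
    return [(ts, user) for ts, user, kind in events
            if kind == "MailboxForwardingRuleCreated"]


def failed_logins_before(events, user, end, lookback=LOOKBACK):
    """Count FailedLogin events for `user` in the window (end - lookback, end]."""
    return sum(1 for ts, u, kind in events
               if u == user and kind == "FailedLogin"
               and end - lookback <= ts <= end)


def correlate(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Second pass: enrich each candidate with prior failed logins and mark escalation.

    A rule with no failed-login history stays a low-priority finding for an analyst;
    a rule preceded by `threshold` or more failed logins is marked for escalation.
    """
    events = [parse_event(line) for line in lines]
    findings = []
    for rule_ts, user in forwarding_rule_candidates(events):
        n_failed = failed_logins_before(events, user, rule_ts)
        findings.append({
            "user": user,
            "rule_created": rule_ts.isoformat(),
            "failed_logins_prior_hour": n_failed,
            "escalate": n_failed >= threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Note that carol@example.com, with six failed logins but no forwarding rule, produces no finding at all: on its own a burst of failed logins is routine noise, and it is the combination with the rule change that makes alice@example.com worth an analyst’s time, while bob@example.com’s rule, with no failed-login history, stays a low-priority item.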
Enabling Full Security Operationalization Via Mission Control
Operationalizing security takes more than buying tools or hiring people. It requires more than a 24×7 operations center staffed with experts. It takes a Mission Control for cybersecurity. When NASA embarks on a new mission, it relies on Mission Control to operationalize that process. Mission Control owns the end-to-end success of a mission, from inception to conclusion, and CISOs need the same.
An MDR service provider should deliver a Mission Control consisting of a unified platform of people, process and technology that owns the success of mitigating threats and reducing risk. There are 5 core principles to operationalizing security:
The first is having a mission in service of the outcome. It’s easy to get bogged down in the details and tactics, but it all needs to tie back to that higher-level objective, which is the end result. Detection and response represent only one part of the mission.
The mission of an MDR service provider is broader: to mitigate threats and reduce risk. Mission Control should take a virtuous security lifecycle approach of assessment, prevention, detection and response. These are continuous, interconnected processes, actively informing each other.
Having a list of critical servers isn’t enough. That knowledge must be operationalized, informing stronger preventive measures on those servers. Isolating a host to mitigate a threat doesn’t stop there; it is followed by a root cause analysis (RCA) to better detect similar threats in the future. Ultimately, every activity powers the virtuous lifecycle so that security maturity increases continually and the MDR service provider can deliver on its mission every day.
One cannot secure what one does not understand, so knowing your environment is another key element. With each organization, there are different points where an unauthorized user can try to enter or extract data (attack surfaces).
Mission Control needs to be keenly aware of where these points are in order to create a strategic protection plan aimed at reducing them. It must also know where critical assets are located and what counts as normal (versus abnormal) activity for that specific organization, so that it can flag suspicious activity. Mission Control’s process of building knowledge of the environment needs to be continual.
A third principle is fostering collaboration. Protecting an organization, mitigating threats and reducing risk takes active collaboration between many teams. Security needs to keep on top of vulnerabilities, working with IT to get them patched. IT needs to enable the business, working with security to ensure users and resources are safe.
To deliver on the mission, it also takes executives to prioritize efforts. It takes finance to allocate budgets and third parties to deliver specialized incident response services. Therefore, it’s critical that Mission Control fosters collaboration between both internal and external teams, all of whom contribute to security.
The fourth principle stresses the importance of solving the challenge using a system. This entails developing a process that ties everything together to achieve the outcome, knowing exactly where people and technology fit in, and implementing tools strategically as the final piece of the puzzle.
Too many tools lead to complexity, and complexity creates vulnerability. Cloud providers are helping by providing built-in capabilities as part of their IaaS and PaaS offerings. Wherever possible, organizations and their cybersecurity service providers should leverage the built-in security capabilities of their infrastructure (e.g., Microsoft Defender, Azure Firewall, Active Directory), eliminating the need for new tools. InfoSec teams need to start thinking about how to develop systems that allow them to focus on only the most important incidents.
The final principle is measurement, which should consist not only of backward-facing metrics but also of predictive ones indicating preparedness to defend against future attacks. To measure the effectiveness of the security posture, the scope of measurement should go beyond MTTD/MTTR to include metrics such as how many critical assets are not covered by EDR technologies, and how long it takes to identify and patch critical systems. These metrics require a deep understanding of the attack surface and the organization’s operational realities.
An MDR service provider that operationalizes security using the above 5 principles can mitigate third-party breaches leading to supply chain attacks. This will help to effectively thwart SolarWinds-style attacks that are expected to occur in 2022.
This article has been amended to more accurately reflect the SolarWinds supply chain attack.