In many regards, 2020 was a perilous year. In the wake of a global pandemic, the entire world had to change the way it lives and works. This paradigm change not only presented a difficulty for people personally, but also from an IT perspective – and more specifically cybersecurity – many new challenges arose from the shift to remote working.
Looking back at 2020, I believe there are a few things we can learn moving forward. Although there is no way to predict what other challenges 2021 will present, looking at the past may give us a glimpse of what to expect in the future.
Increased focus on detection and response.
There is no such thing as a completely secure system. Even if a system is considered (very) secure, it is only a matter of time before someone figures out a way around the security measures. A good example of this is the recent disclosure that (some) 2FA security keys – commonly used for passwordless authentication – can be hacked. At the time of writing, the proof-of-concept shows it’s extremely difficult (and expensive) to do so. However, it is only a matter of time before someone comes up with a faster and cheaper way to achieve the same results.
Going back to my earlier statement: you cannot secure a system to the point where it cannot be hacked. What you can do, however, is implement security across different layers so that you make it infinitely more difficult to breach a system (protect) and detect attacks or signs thereof as they are unfolding (detect). In turn, this will give you a chance to respond to the events, rather than being faced with the aftermath, wondering what just happened.
Many organizations have yet to adopt a broader approach in which detection and response capabilities are brought to the required level, and they already face the challenge of attracting the right knowledge and skills to help them get there. The skills shortage in the market – about 3.5 million unfilled vacancies in cybersecurity are expected this year – certainly does not help and will require significant investments in training people.
Upskilling.
Unless you have been hiding under a rock (something I could totally understand given the craziness of 2020), you must have heard of the Solorigate attack which broke the news mid-December 2020.
Early in 2020 an advanced attack group – supposedly APT 29 (a.k.a. ‘Cozy Bear’) – was able to compromise SolarWinds’ Orion software, into which they stealthily inserted a backdoor. The compromised version of the software then got installed into customers’ environments, thereby granting the group potential access to as many as forty thousand (!) environments globally. It wasn’t until later in 2020, when FireEye reported they had detected the attack, that the ball started rolling. Although a supply chain attack like this isn’t particularly new, it is the sophistication and scale of it which took the world by surprise.
If there is anything the attack has taught us, it is that it can be extremely difficult to detect (advanced) attacks like this. If you do not believe me, consider that even experts like FireEye, Microsoft, SolarWinds, and others needed many months before they were able to detect the attack, even though they may have been compromised themselves. Scary, isn’t it?
In theory attackers and defenders have access to the same knowledge and tools, which makes for an equal battle. However, nothing is farther from the truth… Attackers have an increasingly wide variety of vulnerabilities on their side, can explore several attack vectors, can attack multiple targets at once, are generally better skilled, and have at their disposal an arsenal of tools, tactics, and techniques to prevent detection and cause maximum damage. All of this gives attackers the higher ground, providing them with an edge over defenders.
In a way, this proverbial game between attackers and defenders is like a real-life fight. When your opponent strikes, for example with a punch, you might be able to detect and deflect the punch, after which you could counterstrike (respond). The chance of you successfully defending yourself depends on a number of things, such as your ability to detect your opponent’s movements early enough, allowing you to anticipate the attack. Only if you were fast enough to detect the punch and fast enough to deflect the blow might you have a chance at hitting your opponent back. That is, assuming your opponent does not detect your counterstrike and respond to it.
As in this comparison to martial arts, it is all about skill. How well you know your opponent, and how much you have trained yourself, will decide whether you stand a chance. Transposing this back to cybersecurity, skills define whether you can protect against, detect, and respond to incoming attacks. The more skilled you are, the more likely you will be able to successfully defend yourself. Just like in a real fight, Solorigate shows us that even skilled experts must sustain a hit occasionally.
Considering your own level of expertise, you might be able to gauge the number of blows you might be receiving…
No one likes to be hit, not in real life, not virtually. To avoid being hit, some people train in real life to defend themselves, and some do virtually. Whereas one may certainly hope that you don’t need to be extremely proficient in real life, 2020 and the years before certainly taught us that you absolutely need those skills to defend yourself in the virtual world. Even if you only use those skills to reduce the number of blows that actually land!
Frameworks.
Many organizations lack a structured approach to cybersecurity, leaving them exposed to risks and vulnerabilities they might not even be aware of. Part of it is because of a lack of knowledge on how to properly identify threats, and part is perhaps because of an aversion to frameworks and the inevitable – perceived – overhead they entail. Of course, everything is in the eye of the beholder. Where one sees overhead, someone else sees the necessity of a risk assessment…
Regardless, a strong cybersecurity strategy requires a structured approach and can work miracles over time. As I outlined in ‘Microsoft 365 Security for IT Pros’, the key is to identify which risks (such as vulnerabilities and threats) you face, so you can define a strategy (controls) on how to reduce or mitigate the risk, and to understand if – and how much – of a risk you are still facing (residual risk).
The goal of this article is not to advocate one framework over another. But if I must, I can personally recommend looking at the NIST Cybersecurity Framework and – for a more practical approach – MITRE ATT&CK. The NIST Cybersecurity Framework, with its five phases of cybersecurity (Identify, Protect, Detect, Respond, Recover), is very digestible, and a great segue into frameworks in general. There is plenty of guidance around how to use the NIST Cybersecurity Framework, and even NIST’s own website is quite good as a starting point.
Image courtesy of NIST.
MITRE ATT&CK is not so much a framework as it is a database of tactics and techniques. It can be used for threat modelling, but also for the evaluation of existing policies and controls, to understand exactly which of those tactics and techniques you are protected against. The good part? Next to information about how these tactics and techniques are used, many vendors refer to them to provide more insight into how they protect your environment, making it ever easier to generate usable overviews.
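As an added illustration of the kind of coverage overview the paragraph above refers to (example code written for this page, not from the article or from MITRE), the Python below maps a constructed inventory of controls to a hand-built subset of ATT&CK technique IDs and lists, per tactic, which techniques remain uncovered. The technique and tactic IDs are real ATT&CK identifiers; the control names and their mappings are assumptions.

```python
"""Constructed ATT&CK coverage overview (added example, not from the article).

TECHNIQUES is a small hand-built subset of MITRE ATT&CK (real technique and
tactic IDs); CONTROLS and its mappings are constructed sample data."""
from collections import defaultdict

# Constructed subset of the ATT&CK catalogue: technique ID -> (name, tactic IDs).
TECHNIQUES = {
    "T1195": ("Supply Chain Compromise", {"TA0001"}),
    "T1566": ("Phishing", {"TA0001"}),
    "T1078": ("Valid Accounts", {"TA0001", "TA0003", "TA0004", "TA0005"}),
    "T1059": ("Command and Scripting Interpreter", {"TA0002"}),
    "T1003": ("OS Credential Dumping", {"TA0006"}),
    "T1021": ("Remote Services", {"TA0008"}),
    "T1486": ("Data Encrypted for Impact", {"TA0040"}),
}
TACTICS = {"TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
           "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
           "TA0006": "Credential Access", "TA0008": "Lateral Movement", "TA0040": "Impact"}

# Constructed control inventory: control name -> techniques it addresses.
# In practice vendor mappings or your own assessment would feed this in.
CONTROLS = {
    "email-filtering": {"T1566"},
    "mfa-everywhere": {"T1078"},
    "edr-agent": {"T1059", "T1003"},
    "offline-backups": {"T1486"},
}

def coverage(controls, techniques=TECHNIQUES):
    """Return {tactic_id: (covered_ids, uncovered_ids)} over the whole catalogue."""
    covered = set().union(*controls.values())
    per_tactic = defaultdict(lambda: (set(), set()))
    for tid, (_, tactics) in techniques.items():
        for tac in tactics:
            per_tactic[tac][0 if tid in covered else 1].add(tid)
    return dict(per_tactic)

def report(controls, techniques=TECHNIQUES, tactics=TACTICS):
    """Render a per-tactic coverage overview as text lines, gaps named explicitly."""
    lines = []
    for tac, (cov, unc) in sorted(coverage(controls, techniques).items()):
        total = len(cov) + len(unc)
        gaps = ", ".join(f"{t} {techniques[t][0]}" for t in sorted(unc)) or "-"
        lines.append(f"{tactics[tac]:<20} {len(cov)}/{total} covered; gaps: {gaps}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(CONTROLS)))
```

Swapping in a real export of the ATT&CK catalogue and your own control mappings turns the same logic into the overview the article mentions.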
Legislation to the rescue?
Despite numerous precedents, many organizations still are not adequately equipped to handle (major) attacks, let alone have the right controls in place to drive down the risk to an acceptable level. In an effort to increase the level of protection, the European Union published its first cybersecurity directive (NIS) back in 2016. This directive, however, had to be translated into local legislation, delaying its effective implementation considerably. On top of that, it only requires specific actions from organizations delivering ‘critical’ services, such as energy, transport, water, health, etc.
Since the first version, the world has changed, and not for the better. Attacks have become more sophisticated and more prevalent. As such, I was happy to read that the European Union has launched an initiative to update its NIS directive. The current proposal is to extend its scope to include more organizations, small and large. And the first steps have already been taken!
Whilst government interference is something to consider carefully – you don’t want to end up being over-legislated – outlining some basic rules to which every organization must adhere is not a bad thing. After all, rules and laws are what keep (parts of) our society together and establish a common understanding/baseline. I believe the proposal to update the Directive is a missed opportunity. Looking at its contents, it remains high level and not very tangible. But it’s a start. If anything, it forces those who have neglected security thus far to take at least a couple of measures to ensure more security. Unfortunately, even with the minimal requirements outlined by the Directive and similar efforts, organizations who do not take cybersecurity more seriously will remain a liability. The worst part is that these organizations are not just a liability to themselves. They often possess or process personal information from other parties, who are – in case of a breach – the ones really affected. Personally, I would not mind seeing governments take things one step further, perhaps even requiring specific certifications (like ISO 27001) or some other form of compliance with very specific requirements, recommendations or frameworks. Although 2021 will most likely not be the year when this happens, if it ever happens at all, it is food for thought. How are you approaching security (this year)?
Compliance.
You can have security without compliance, but can you have compliance without security? An interesting thought exercise, don’t you think?
2021 will be the year of compliance. Or at least, the start/continuation of a trend. The increased focus from governments and regulators towards the protection of personal and sensitive information forces organizations to adopt a strategy that matches the newfound scrutiny (although not that newfound after all!). Besides, no one wants to lead the headlines with news of a data breach, let alone one whereby personal information was up for grabs.
After years of investments in protection and detection capabilities, organizations will gradually shift their focus from a security- and threat-centric approach to a more comprehensive compliance-oriented approach, which accounts for more than just the security of the systems. Given that one cannot be achieved without the other, this shift will not forfeit investments in cybersecurity. On the contrary: it serves to solidify the efforts made so far.
Compliance does not necessarily mean regulation, though. Some organizations, which do not necessarily have to adhere to specific regulations, may choose to implement other compliance requirements. In the wake of a more structured approach, they may pursue a certification such as ISO 27001, or perhaps define their own, internal, compliance requirements. Whatever the reason, the drive to comply with a set of criteria and controls will push organizations to adopt smart solutions that help them achieve those results on top of the security controls they have been rolling out in years past. I cannot think of a better example than Endpoint DLP (from Microsoft). Whereas organizations have been (and are) moving towards onboarding most of their fleet of devices onto Microsoft Defender for Endpoint, the next (logical) step is to take advantage of the capabilities the onboarding provides by enabling additional control over what data can be shared, etc. Although, strictly speaking, onboarding to MDE is not required, it is a catalyst – and an important one at that!