
Cybersecurity trends 2020s ➡ 4 tips for the upcoming decade

SoftwareOne blog editorial team
Blog Editorial Team

Today we want to share a few thoughts about the current and future state of cybersecurity. We’ll talk about how to defend your organisation and your employees from cyber threats. Everything evolves. Every business is on the path to becoming a technology business, and security plays a HUGE role in this process. Before we dive into technology, let us tell you about Col. John Boyd, a Korean War fighter pilot. He is known for developing a theory of how to conduct combat, which has been adopted by militaries all around the world. As part of this theory, he developed the concept of the OODA loop, a decision-making process based on 4 steps:

  1. observing your environment
  2. orienting yourself in it
  3. deciding on your actions
  4. acting based on this decision

and then... repeating the entire cycle. What the OODA loop adds to combat, but also to business strategy, is the conclusion that those who can handle the fastest rate of change will survive. It's not important how many weapons you have, or how heavily loaded your jet fighter is. What matters is how fast you can adapt to change. Keep this in mind – we’ll come back to it later.

Fast reaction is key to cyber safety

You might wonder by now: what does this have to do with security? If you apply this principle to security in the modern world, it is not important how thick the walls you build are, and it is not important how many appliances or network firewalls you put your network behind. What is important is how fast you can detect and react to an incident in your network. Why? Because attacks are cheap and sold as a service. People trying to attack your network use commodity services just as you do. If you wanted to execute a ransomware attack against an organisation, you wouldn’t build this capability. You'd rent it as a service. You’d pay a monthly fee and use the software. Speaking of ransomware – it was recently described by European Union agencies as one of the top threats in 2020. We have a lot of experience in fighting ransomware and recovering companies from it, and we were part of the efforts to recover Maersk in 2017 from the NotPetya attack. That happened six years ago. And today, we have other logistics companies being affected by the exact same type of attack. Why is this happening, and what do we need to change to avoid those kinds of threats in the future? A simple kind of threat, like ransomware, can put your business in jeopardy and make it suffer financial losses. So, what can you do? Let us tell you about the 4 trends we think will shape security in the 2020s.

Zero-trust approach – what is it and how does it work?

Every user of your company’s resources, laptops and computers is an entry point to your network. That is the biggest shift in the security approach we are observing right now. Before, security was defined by the network itself: you had firewalls, gateways and a single point of entry, which you could protect. Right now, every user, using thousands of applications and services, is a point of entry. If somebody breaks a user’s security, they can try to leverage it to break the security of your network. This is clearly visible in Microsoft's Digital Defense Report: among the top concerns of CSOs and other C-level executives, threats targeting remote workers and breaches of user identities are some of the most common. This is also why most of the organisations surveyed for the report are now speeding up their efforts to implement a zero-trust approach. The zero-trust approach uses a set of services and products to implement a policy where security is enforced constantly. The first step is to evaluate many factors: who is the user, what kind of device are they using, and what risks do they carry? A different risk profile might apply to a standard user than to an administrator. Then use these factors to decide what kind of security countermeasures to apply for your users. You are not building a wide, open network where you place your servers; you segment your services and solutions so they become part of the zero-trust policy network. Finally, you gather the signals to automate the investigation process and to get insight into whether something bad is happening at your company.
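As an added illustration, not SoftwareOne's code or any vendor's policy engine, here is a minimal per-request zero-trust decision in Python: the user's role, device compliance, MFA state, sign-in risk and the target segment are evaluated on every request, with a stricter profile for administrators. The signal names, segments and thresholds are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example: ordinal risk levels as an identity provider might report them.
RISK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Request:
    user: str
    role: str               # "standard" or "admin"
    device_compliant: bool  # managed, patched, encrypted device (assumed posture signal)
    mfa_satisfied: bool     # strong authentication already completed in this session
    sign_in_risk: str       # "low", "medium" or "high"
    segment: str            # target service segment: "public", "internal" or "privileged"


def evaluate(req: Request) -> tuple[str, str]:
    """Evaluate one request afresh; nothing is trusted for being 'inside the network'.

    Returns (decision, reason) where decision is "allow", "require_mfa" or "block".
    """
    risk = RISK[req.sign_in_risk]
    # Segmentation: the privileged segment is never reachable by standard users.
    if req.segment == "privileged" and req.role != "admin":
        return "block", "standard users never reach the privileged segment"
    # High sign-in risk blocks everyone; admins are also blocked at medium risk.
    if risk == RISK["high"] or (req.role == "admin" and risk >= RISK["medium"]):
        return "block", f"sign-in risk {req.sign_in_risk} too high for role {req.role}"
    # Device posture: admins always need a compliant device; standard users need
    # one for anything beyond the public segment.
    if not req.device_compliant and (req.role == "admin" or req.segment != "public"):
        return "block", f"non-compliant device cannot reach {req.segment} as {req.role}"
    # Step-up authentication: admins, medium risk and non-public segments require MFA.
    if not req.mfa_satisfied and (
        req.role == "admin" or risk >= RISK["medium"] or req.segment != "public"
    ):
        return "require_mfa", "step-up authentication required before access"
    return "allow", "all signals within policy"


if __name__ == "__main__":
    # Constructed sample requests showing the different outcomes.
    samples = [
        Request("alice", "admin", True, False, "low", "privileged"),
        Request("bob", "standard", True, True, "low", "privileged"),
        Request("carol", "standard", False, True, "low", "public"),
        Request("dave", "admin", True, True, "medium", "internal"),
    ]
    for r in samples:
        print(r.user, *evaluate(r))
```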

The importance of security plus DevOps

The other trend, which will be significant in the years to come, is DevSecOps – or Security DevOps. DevOps and Agile development are on everybody's mind because they allow us to get the most out of the cloud investment, or to deliver faster. We have fast deployment cycles and automated CI/CD pipelines. But not every developer will be trained in security, and not every product or development team includes a security expert. What is really missing at most of the organisations we work with is the awareness that the CI/CD infrastructure itself is a major security point, since it has the highest possible access privileges to your infrastructure. And it’s very often managed by people who are not security professionals. The big question is, whose business is it to care about security? Well, it's EVERYBODY’S business! And instead of thinking about Security and DevOps as separate processes, you need to embed security into DevOps. There are a lot of tools and practices for that right now, and they will mature over the years. You will see more and more investment in this area, and you should start investing in it as well. Educate your developers, and educate your organisation and security people on it.

What is SOAR?

The third big trend in security is the SOAR (Security Orchestration, Automation and Response) approach. Remember the OODA loop? SOAR and the OODA loop together are creating a new security landscape for your organisation. Here’s why – the security process is about observing what is happening, gathering the intelligence and all the information we have, making sense of it, and then, if we detect something happening in the network, deciding what it is – and deciding fast. It doesn't have to be the perfect decision, but it has to be a decision made fast, because you want to start limiting the impact of the incident as early as possible, before it unfolds.

Security operations are changing. The modern approach will be more aligned with the OODA loop.

  • How fast are we able to collect data and signals from our environment?
  • How fast are we able to classify them?
  • Are we able to detect an incident?
  • How fast can we implement the response mechanism to that incident?

Cloud providers are uniquely positioned to deliver the supporting tools because they see a lot. Microsoft sees all the attacks against Azure or Office 365 environments. It also monitors the attacks on Windows 10 and on consumer services, like Xbox. Microsoft puts this knowledge into products like Azure Sentinel or Azure Security Center, which provide us with insights we would find very hard to collect on our own. We also get tools for identity and user protection. We have Azure AD and Windows Defender solutions, which act as distinct OODA loops for protecting users or workstations. Together they deliver modern security operations focused on using the gathered information to quickly decide how to protect our environment.

Security consulting as a service

Besides that, another trend we are seeing is that security consulting is being commoditised and delivered as a service. If you go to the Office 365 or Microsoft 365 control panels, you’ll find tools like Compliance Manager or Microsoft Secure Score. They deliver specialised knowledge and apply it to your environment, to give you actionable items to follow. If you are running an Office 365 or Microsoft 365 environment right now, check your compliance and secure score after reading this. You will find a lot of insights there. To improve your security posture, you need the right people with the right skills. These skills in the new environment will be very different from what we’ve seen so far. We are moving towards an environment where cybersecurity is about security operations and development.

To get all of it together, your organisation needs to start acting now and you need to prepare for this new security landscape. It is already out there, but a lot of companies are still catching up with it.

How to protect your organisation from threats?

To start, we have 3 steps for you to follow.

  1. Learn about the cloud security model.
    It is different from the on-premises security model. You need to understand how it differs from what you’ve been using and building before, and how you can leverage the new services for your benefit.
  2. Address the security basics first.
    Many organisations we are helping to recover from ransomware attacks failed on very basic things, like separation of privileged accounts, turning on MFA or patching the domain controllers. You don't want to be in the same boat. Get the basics right and fix them before going for any new security investments.
  3. Think about how you can build your security OODA loop.
    Look at the tools you have at hand from vendors like Microsoft. You might already have a lot of them purchased in your current environment without putting them to work. Ultimately, it is your decision which direction you choose. You can stay in the past and take care only of the network infrastructure, OR you can turn your security process into very dynamic, very well-organised, OODA loop-based security operations.
