How to stop preventable cybersecurity breaches
Security breaches continue to hit the news almost every day. And most aren’t from advanced zero-days, but recognised cyber-attacks that the average enterprise should be able to stop. The latest Microsoft Digital Defense Report found that basic cyber hygiene protects against 98% of attacks. If organisations already have the security tools and controls in place to prevent breaches, why do they still happen? It comes down to what we think is the biggest challenge in enterprise cybersecurity today: control failures. That is to say, when a security control is expected to be in place, but actually isn’t.
Preventable breaches in the news
There are plenty of infamous breaches that have made the news over the last five or so years that can be traced back to significant control failures. These include:
2017: Equifax says cyberattack may have affected 143 million in the US.
Equifax is one of the largest credit reporting agencies in the world. This breach meant that hundreds of millions of US customer data records was compromised, including social security numbers and driver’s licence information. The crucial control failure was an unpatched critical vulnerability on a customer web portal.
2018: Marriott hacking exposes data of up to 500 million guests.
In 2016, the Marriott hotel chain acquired Starwood, which had suffered an undiscovered breach in 2014. The breach was detected in 2018, and by that time data had been compromised for half a billion customers. The control failure in this instance was also an unpatched critical vulnerability, but within the acquired business Starwood.
2020: Scope of Russian hacking becomes clear, multiple US agencies were hit.
The Pentagon, US intelligence agencies, nuclear labs and Fortune 500 companies use software that was found to have been compromised by Russian hackers. One of the major known control failures in this debacle is also unpatched critical vulnerabilities on a critical system.
2021: T-Mobile says hack exposed personal data of 40 million people.
Since the attack that affected over 40 million people, T-Mobile has agreed to pay $350m in settlement and another $150m on additional cybersecurity capabilities. Hopefully this spend will help with any future control failures, beyond the unprotected network access device that led to this breach.
2021: Inside the Facebook leak.
The New York Times called it a ‘mega-leak’ and was right to do so. The Facebook data leak affected 553 million people across 106 countries. The control failure in question here was an unpatched critical vulnerability on a critical system.
2021: Cyber-attack forces shutdown of a top US pipeline.
The Colonial Pipeline ransomware attack last year led to the whole 5,500 mile pipeline being shut down. As the largest fuel pipeline in the US, its six-day stoppage led to fuel shortages and price increases. The attack was successful because there was a control failure – the password policy not met.
Why do preventable breaches still happen?
Phil Venables, CISO of Google Cloud, said: “Many incidents are not due to a lack of conception of controls but due to failures of expected controls.” While security tools and security controls are not the same thing, security practitioners often conflate the two. While some controls include the deployment of specific types of tools, not all do. For example, if your security control is: “Deploy a vulnerability scanning tool”, that lines up nicely. Enterprises have the security tools they need and have a significant number of security controls in place. Between 2021 and 2025, cybersecurity spending is expected to be $1.75 trillion. In addition, our 2022 Security Leaders Peer Report found that enterprise security teams use on average 76 security tools, rising to 96 in larger companies (10,000+ employees). Logic would dictate that more tools leads to improved security. But that isn’t the case. According to IBM, companies with more than 50 tools ranked 8% lower in the ability to detect a cyberattack and ranked 7% lower in the ability to respond to an attack compared to companies using less than 50 tools. There are a few reasons for this.
Data overwhelm and security measurement
Understanding cybersecurity is now a measurement and data science problem. With so many tools deployed, security teams are overwhelmed by oceans of data. It’s easy enough to look through a handful of tools and get an understanding of what’s going on, but when you have 50, 75 or 100 tools, it’s an unwinnable battle. These tools weren’t designed to work together, so there’s a lot of manual work to make sense of the data. Data overwhelm is linked to the measurement challenge. There's an old adage: "You can't manage what you can't measure." And if you can't fix the data science, you can't measure your security posture effectively. This requires greater automation
Inability to prioritise
Even if you can see all the issues in your total estate, what do you fix first? Most security tools don’t provide context around the issues they are showing you. A great example is in vulnerability management. Your vuln scanners show 10,000 vulnerabilities in your organisation. You have 7,000 lows, 2,000 mediums, 800 highs, and 200 criticals. What do you fix first? The criticals, of course. But there are 200. Which do you prioritise? If you get business context around them, and you find that half are on machines that are crucial to your payments process and half are on machines responsible for the cafeteria menu, you know what to prioritise. But, as I said, your regular security tools aren’t designed to do that.
Control coverage gaps
Most enterprise organisations struggle with asset visibility. The number of assets in a network is constantly changing, especially with virtual machines, BYOD, and shadow IT. Many still use spreadsheets, and those using CMDBs or Active Directory often have gaps. As a security pro, you probably know that your inventory isn’t 100% complete. Most organisations have “known unknowns” – assets they are aware of but aren’t identified in the inventory. Not to mention the “unknown unknowns”. But the tools you’ve deployed don’t know about those. This inevitably leads to coverage gaps in both your security tools and your controls. These coverage gaps can be considered control failures. Earlier we gave the example control: “Deploy a vulnerability scanning tool.” A better control might be: “Deploy a vulnerability scanning tool on all endpoints.” It’s harder to achieve that control, because attaining 100% coverage on a vulnerability scanning tool isn't always straightforward, but doing so will make you more secure. These control coverage gaps occur across multiple domains, beyond vulnerability management and asset management we've mentioned already. Patching, IDAM, PAM, user awareness, cloud configuration, and more, are all at risk of coverage gaps and control failures. It is difficult to proactively measure security controls, find gaps and failures, and fix them before an incident occurs.
What’s the answer?
As mentioned above, the Microsoft Digital Defense Report found that basic cyber hygiene protects against 98% of attacks. But, of course, that’s easier said than done. However, stopping preventable breaches is what we are all about at Panaseer. That’s why we’ve been pioneering the Continuous Controls Monitoring category for the last five years. CCM uses automation, advanced data science, and security posture measurement best practices to support good cyber hygiene by making sure the security controls and tools you have are working as they should be. Do they cover every necessary endpoint? Are they operating with policy range? Are there control gaps or failures? There are a range of ways that CCM supports good cyber hygiene, but first and foremost is by optimising your current tools and controls. Instead of buying more tools to implement more controls, improve your current arsenal. It provides a boost to your security posture by eliminating gaps in coverage, saving time and resources that would be spent on new tooling, and validates that your controls are providing the protection you expect. In fact, investing in more tools can make matters worse by increasing the complexity of managing security. CCM helps to automate the pain away.
Automate cybersecurity measurement with CCM
Advanced automation is crucial to the effectiveness of CCM. The first step is creating a trusted inventory of assets across the enterprise by ingesting data from tools across security, IT, and the business, that is enriched with business context to help prioritise effectively. This provides that all important asset visibility, which is the baseline for almost all cybersecurity measurement. From there, CCM provides hundreds of out-of-the-box metrics that provide actionable insight and evaluation of enterprise-wide cyber hygiene across the security domains outlined in the Microsoft report. These include: vulnerability management, patch management, endpoint management, IDAM, PAM, application security, cloud configuration, and security awareness. Combining metrics from across domains can provide powerful insight. For example, if you are looking at devices with unpatched vulnerabilities, you can prioritise by owners who have failed phishing tests or lack of EDR on the device. Incremental improvements across these domains mean a much larger net improvement of total security posture. It is with this kind of proactive effort to improve basic cyber hygiene that organisations can stop preventable breaches. To find out more about how CCM can do exactly that, get in touch.