As we’re rapidly approaching the end of 2017, the advent of the new year means at least one thing in the cybersecurity industry: predictions. MKACyber is a managed security operations company, so we aren’t really in the business of making predictions. However, we are passionate about getting security right, and numerous incidents throughout 2017—the WannaCry and NotPetya ransomware outbreaks and the Equifax breach to name a few—suggest that many security practitioners and leaders are knowingly getting it wrong.
The three incidents referenced above arose, more than anything else, from a well-understood problem: patch dereliction. Everyone in security and IT knows that it’s important to patch vulnerable systems, but we don’t always do it—sometimes for reasons that seem completely justifiable (until something horrible happens).
Given the distributed nature and sheer scale of the NotPetya and WannaCry outbreaks, it’s impossible to pinpoint what exactly went wrong at each victim organization. That said, it’s highly likely that security and IT staff at a meaningful share of the affected businesses knew about the ETERNALBLUE exploit, which was thought to have been developed by a sophisticated hacking group and was leaked publicly by the Shadow Brokers in April 2017; the server message block (SMB) vulnerabilities it relied on (CVE-2017-0143 through CVE-2017-0148); and the patch that resolved them, MS17-010, which Microsoft released in March 2017, a month before the leak. Maybe IT departments couldn’t update because they were saddled with legacy gear; maybe patches didn’t get installed or systems didn’t get upgraded for business continuity or compatibility reasons.
For Equifax it was a serious, well-publicized Apache Struts vulnerability (CVE-2017-5638). Again, it’s hard to say for certain why Equifax failed to mitigate the vulnerability. Apache released a fix for the bug on March 6, 2017, attackers were exploiting it in the wild by March 9, and Equifax wasn’t breached until sometime in mid-May of the same year. It could easily be the case that Equifax wasn’t aware, from an inventory or visibility standpoint, that it was exposing some 143 million Social Security numbers to theft because one of its Web applications had been built on a vulnerable version of Apache Struts. Just as likely: Equifax’s security teams knew of the vulnerability and the risk it posed to the business, but weren’t allowed, or believed they weren’t able, to fix it, a possibility that would make sense given the level of effort involved in fixing the Struts bug in question. Remediation reportedly involves not merely installing a patch but rebuilding and redeploying the affected Web applications against the new version of Struts, a process that almost certainly would have caused extensive downtime and some degree of business continuity and profit loss for Equifax.
What seems utterly unlikely in every case is that all of the victims of the ransomware outbreaks and all the security staff at Equifax were blissfully unaware of these vulnerabilities and exploits.
While well-done, forward-looking predictions pieces can be helpful if you’re trying to keep track of what’s new and what’s emerging, for many enterprises what’s new and emergent is a distraction, because they still can’t get a grasp on the old, well-established threats. As such, we’ll forgo entering the already crowded predictions field and instead explore the things we can all do to get security right in 2018.
- Build better relationships
It’s easy to hand-wring over security staffs that fail to install patches, especially when that failure facilitates a data breach or other incident. It’s equally easy, from the security practitioner, manager, or leader’s perspective, to throw hands up in the air after a breach and come up with some excuse as to why you weren’t able to patch systems. This is understandable: nearly every other business unit has incentive to ignore the security team at one point or another. This is why the CISO (or whoever is in charge of security) has to constantly maintain relationships and build trust with various partners across the organization. In this way, when the CISO tells the CTO that something needs to be patched or asks the CEO for budget, the CTO or CEO listens.
Would the Equifax breach have happened if the security team there had impressed upon leadership that a failure to remediate the Apache Struts problem could lead to a data breach exposing the Social Security numbers of nearly half of the U.S. population? Probably not. Similarly, if the cybersecurity department at Maersk had shown its leaders the cost of inaction—the shipping company reportedly lost $300M because of NotPetya—would they still have neglected to install the MS17-010 patches or to upgrade their legacy systems?
As a CISO or security leader, there is a fine line between crying wolf on threats (and losing the trust of your leadership as a result) and accurately quantifying the risks that specific threats pose to your organization. The hypotheticals above could be perceived as either, and it depends on the level of trust a board or executive has in its CISO. However, if a trusted CISO says that failing to upgrade your Apache Struts installation and rebuild all the apps that were built with the old version could lead to a situation where the CEO is forced to resign and testify before Congress, then leadership will listen.
- Quantify security
Gaining trust and building relationships is easier said than done. On the point of quantifying risk, it would be remarkably difficult for a security team to forecast the exact cost of an unforeseen, global ransomware outbreak, which is part of why it pays to continually evaluate security in ways that resonate with business-focused leadership. Many cybersecurity teams, despite being awash with valuable data, aren’t really tracking anything worth reporting to leadership. They don’t know their visibility (which assets and traffic they can actually see) and they don’t know their SOC’s capacity for threat detection. These are two metrics that are absolutely worth tracking and reporting to the executive board. In this way, a CISO has a reason to regularly communicate with leadership, demonstrating the team’s ability to detect threats, the improvement of the security program over time, and the returns on specific security investments. These conversations also reinforce the ongoing effort to build trusted relationships with leadership while ensuring that security is always on their radar.
Furthermore, this level of statistical tracking isn’t just a tool for monitoring processes or informing the board. It’s practical. Part of knowing your visibility is knowing where you are vulnerable. If the security team maintains an up-to-date inventory of assets, software versions, and installed patches, it can cross-reference incoming threat intelligence, such as a report of a wormable ransomware strain leveraging a certain exploit or of an Apache Struts bug being exploited in the wild, against its actual network and application estate, and answer within hours which hosts are exposed. This again feeds into conversations with leadership about the organization’s exposure to risk and the potential costs of failing to invest in hygiene or IT upgrades.
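As an added example of the cross-referencing the paragraph above describes (this is illustrative code written for this page, not MKACyber tooling), the Python script below matches a small asset inventory against two threat-intelligence items from 2017, CVE-2017-5638 in Apache Struts and the SMBv1 flaw CVE-2017-0144 fixed by MS17-010, and derives an exposure rate of the kind that can sit beside the visibility and detection-capacity metrics discussed under "Quantify security." The host names, the inventory itself and the convention of recording patch status by bulletin id are constructed assumptions; only the CVE ids, the affected Struts version ranges (2.3.5 through 2.3.31 and 2.5 through 2.5.10) and the bulletin id come from the public advisories.

```python
"""Cross-reference an asset inventory against incoming threat intelligence.

Added example, not MKACyber code. Inventory and feed entries are constructed
for illustration; CVE ids, Struts version ranges and the MS17-010 id are real.
"""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """'2.3.31' -> (2, 3, 31). Only the leading digits of each dotted piece
    count, so '10rc1' -> (10,) and '2008R2' -> (2008,)."""
    parts = []
    for piece in v.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)


def version_in_range(v: str, low: str, high: str) -> bool:
    """Inclusive dotted-version range check; tuple comparison makes
    (2, 5) <= (2, 5, 10) and (2, 5, 10, 1) > (2, 5, 10) behave as expected."""
    return parse_version(low) <= parse_version(v) <= parse_version(high)


@dataclass
class Intel:
    cve: str
    product: str                          # must match Asset.product exactly
    affected_ranges: list = field(default_factory=list)  # [(low, high), ...]
    fixed_by: tuple = ()                  # patch / bulletin ids that close it
    note: str = ""


@dataclass
class Asset:
    host: str
    product: str
    version: str
    patches: set = field(default_factory=set)  # assumption: bulletin ids,
                                               # mapped from KB numbers upstream


def exposed(asset: Asset, intel: Intel) -> bool:
    """An asset is exposed when the product matches, none of the closing
    patches is installed, and (if the feed gives ranges) its version falls
    inside an affected range. A product match with no ranges means every
    unpatched version counts, which is how the SMBv1 entry is modelled."""
    if asset.product != intel.product:
        return False
    if any(p in asset.patches for p in intel.fixed_by):
        return False
    if intel.affected_ranges:
        return any(version_in_range(asset.version, lo, hi)
                   for lo, hi in intel.affected_ranges)
    return True


def exposure_report(assets, feed) -> dict:
    """{cve: [hosts]} for every feed item that hits at least one asset."""
    report = {}
    for intel in feed:
        hits = [a.host for a in assets if exposed(a, intel)]
        if hits:
            report[intel.cve] = hits
    return report


def exposure_rate(assets, feed) -> float:
    """Fraction of inventoried assets exposed to at least one feed item;
    a number leadership can track from one report to the next."""
    hit_hosts = {h for hosts in exposure_report(assets, feed).values()
                 for h in hosts}
    return len(hit_hosts) / len(assets) if assets else 0.0


# Constructed feed: two real advisories from March 2017.
INTEL = [
    Intel("CVE-2017-5638", "apache-struts",
          [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
          note="Jakarta multipart RCE; fixed in 2.3.32 / 2.5.10.1"),
    Intel("CVE-2017-0144", "windows", fixed_by=("MS17-010",),
          note="SMBv1 RCE used by ETERNALBLUE / WannaCry / NotPetya"),
]

# Constructed inventory (hypothetical hosts).
ASSETS = [
    Asset("web-01", "apache-struts", "2.3.31"),
    Asset("web-02", "apache-struts", "2.5.10.1"),
    Asset("fileserver-01", "windows", "2008R2", patches={"MS17-010"}),
    Asset("hmi-07", "windows", "2003"),
    Asset("db-01", "postgresql", "9.6"),
]

if __name__ == "__main__":
    for cve, hosts in exposure_report(ASSETS, INTEL).items():
        print(f"{cve}: {', '.join(hosts)}")
    print(f"exposure rate: {exposure_rate(ASSETS, INTEL):.0%}")
```

Run as-is it reports web-01 (Struts 2.3.31 is the last affected 2.3.x release) and hmi-07 (unpatched Windows) and an exposure rate of 40%. The interesting design point is the last line of `exposed`: a product match with no version ranges is treated as vulnerable unless patched, which errs toward false positives, the right bias when the alternative is the legacy host nobody inventoried properly being the one that gets WannaCry.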
- Run Security Like a Business
Quantifying cybersecurity in these and other ways is complicated. The security team has to be organized and disciplined, which is why it’s so important to run the security operations center like a business. Everything ought to be codified in processes: detection, mitigation, response, and whatever else the security team is doing. There should be repeatable methodologies that lend themselves to generating statistics that can be used to create metrics. Of course, if the SOC is running like a business, then it’s that much easier to articulate security needs to leadership in business terms.
- Retain talent
Finally, this is all for naught if the organization is averaging a one-year shelf-life for its analysts. A security department will not have success if it has to constantly hire and train new analysts. Beyond the time and money spent recruiting and training, there is immense value in carrying staff with institutional memory and staff that are connected enough to the business that they are actually concerned about its best interests and its success.
The standard for security operations is to organize analysts into tiers. The lower tiers end up carrying the burden of responsibility for completing the most boring tasks, while the upper tiers get to do the most interesting work. It does not need to work this way. Analysts should be organized into teams, where they distribute the most banal tasks evenly among the group, and work together on the most interesting jobs, having the less experienced analysts ride-along, so to speak, with the most senior analyst while they are working on more advanced tasks. In this way, everyone has a fulfilling job, and the senior analysts are continually training the junior analysts.
Getting security right in the new year
CISOs and other security leaders who have strong relationships with, and are trusted by, their peers and executives have a far easier time implementing their agenda. Of course, you can’t establish strong relationships and trust on willpower alone, so it’s important to run the security department like the rest of the business and measure detection abilities, success, and improvement with statistics. The more the security department looks and functions like other business segments, the better. Finally, retaining talent so that the security staff is well-acquainted with the security department and the broader corporate mission makes it far easier to remain focused on what actually matters: shielding the business from cyberthreats.