What to Do When Everyday Problems Have No Everyday Solutions…
In the world of cybersecurity, we end up having a few, predictable conversations all the time. We discuss these common topics over and over and over again, regardless of new technologies that promise solutions. These are everyday problems we encounter that, unfortunately, don’t have pat solutions. Yet, our charge is to make the world a safer place, so how do we strategize to help the situation? Here are two everyday problems we grapple with all the time.
#1. They ARE Going to Click on that Link
They are. They are. You know they are. We’ve all seen it happen. It doesn’t matter if it is an email with a bunch of misspelled words, a hacked-together email from a trapped prince or a sophisticated email that exactly replicates a verified sender; we all know that people are going to click on the link.
The fact is, moreover, that there are plenty of threats targeting us. Our own Gigamon Applied Threat Research (ATR) team, for example, has quantified four common email attachment threats in “1H 2018 Crimeware Trends: A Sampling of Malicious E-Mail Attachments.” Check it out — it’s an informative read.
So should we ever delude ourselves that people are going to learn to be suspicious or paranoid or savvy enough to refrain from clicking that link? The answer is NO! Increasingly, attackers are focused on single, directed attempts to compromise their targets, and it is becoming harder to verify whether a link is trustworthy. No one can fault someone for clicking the link when there is that much intelligence behind it.
Zero-trust networks are emerging in which, as the name implies, nothing is trusted unless there is an established identity. As exciting as that technology approach may be, the one thing we all know is that as soon as we think we have a solution, the attacker is going to figure out how to run around it.
#2. So, If We Know We Absolutely Can’t Keep Them From Clicking on the Link, What the Heck Do We Do?
If they are going to click, our focus has to first be on finding the attackers’ motives so we have a chance of disrupting those plans. Then, after an attempt, we home in on what happens post-click. We focus on looking for the modes and means attackers used to infiltrate. We understand and learn and prepare and, most importantly, we establish and cultivate a visibility framework that keeps us running an effective defense while trying to stay one step ahead of an unknown. We never can fully prevent it, but we can stay one step ahead and make it harder.
“I feel thin, sort of stretched, like butter scraped over too much bread”
J.R.R. Tolkien, The Fellowship of the Ring
By far the most common problem facing the good guys is, how do you prioritize the spend? An organization needs to spend money not just on tools, but on hiring and training the right people, establishing processes for communication, enlisting consultants to help build programs and educating internally on how to utilize those programs.
We are always on the edge of our seats, cringing, thinking the other shoe is about to drop. Are we going to get hit? Will we be splashed across the news tomorrow? Did we prioritize enough money in our budget for making our security posture stronger?
That problem is never, ever, ever going to go away. We will always have to justify how we protect a business in relation to how we grow a business. There will always be a battle about what should be spent, weighed against other areas in the company looking for money and investment.
So How to Deal With That Reality?
We need a complete mindset change around security’s requirements and position in a company.
Most CEOs, when surveyed about their biggest issues, list security at the top of the list. In the way, however, fogging up the windows, is what I call Cybersecurity Mystery.
Do most people in a company with purchasing power understand how attackers and defenders operate? Probably not. It’s mysterious to them. So, without fully understanding the modus operandi of attackers, companies either blindly throw money at the problem, or keep their heads in the sand, hoping to wait and take care of it later. Even though the problem is money, the solution is to remove the mystery.
We do that by hiring security specialists who can be advocates and teachers in the organization, and talk about things in ways people can understand and use. Companies today require employees to take these online security training things and, although they are better than nothing, being able to have true champions in an organization who can enlighten people in a real way gives us a clearer path to get better every day and stay in front of the attacks of the future.
As in a team sport, we need a coach to lay out the plays, the common rules, the limits on offense and defense. There can be improvisation; at the last minute a play can run differently, but there needs to be understanding to adapt. Knowing how to play the game gives everybody, not just the C-suite, a better understanding of the weight of various pros and cons in the cyber game, to zero in on what is needed. Remove the mystery at every level of the organization and we all start proactively paying attention to protect the business. If we do that better, we win the game.
Certainly the world of cybersecurity is not one of clear-cut answers and, in some cases, we don’t even know all of the questions. What are your “everyday” problems around this industry? I would love to hear your common problems and the innovations you use to solve them, even if they have no solution.