One of the things I’ve learned from the upheaval of 2020, and that I’ve seen throughout my career in private and government security, is the need to act fast and deliberately in a crisis.
Case in point: In December 2020, when the security company FireEye learned hackers had broken into its network by way of a third-party software update, it quickly alerted the industry.
The cyberattack, allegedly carried out by Russian intelligence, which inserted malicious code into network-management software produced by U.S.-based SolarWinds, ended up infecting more than 300 companies and nine federal agencies. It has become the worst cyberespionage case in history.
If not for FireEye’s decision to alert the world, nation-state spies might still be crawling through networks at government agencies, hoovering up sensitive information.
Rightly, the Biden administration is now looking to codify that sort of public alarm-sounding. The president is poised to issue an executive order that will require software vendors doing business with the government to alert it if they identify a breach.
A reactive game plan is a crucial part of the security playbook. But I can’t help but wonder if the administration is missing an opportunity to strengthen the industry’s proactive posture.
The CISOs and CIOs I speak with every day are focused on fending off increasingly sophisticated phishing and ransomware attacks, keeping their digital transformations on track, and enabling and securing their remote workers. They absolutely need to know if a breach occurs in their networks or if they’ve been made vulnerable by a third-party software supply chain attack.
But they also tell me they are tired of this reactive crouch. Most of them, if not all, want to stretch into a stronger proactive posture. They want to get off the back foot and onto the front.
The government can help. The federal Cybersecurity Maturity Model Certification (CMMC) program already requires defense contractors to meet certain standards, and be vetted by a third party, in order to do business with Department of Defense agencies. Other federal agencies should adopt that model, which would then force wider adoption of proactive security measures.
Of course, CIOs and CISOs don’t need to wait for the government to mandate measures. They can adopt them today and provide leadership by tackling three key technology issues: gaining visibility into all network assets, patching vulnerabilities, and accelerating incident response.
When I ask CISOs to name one obstacle preventing them from building more proactive security strategies, they invariably say a lack of visibility into their assets. A persistent problem for years, this inability to see across networks and endpoints grew acute in 2020. As workers fled the office for home, taking their devices and logging in to company networks over unsecured Wi-Fi, the attack surface expanded. IT teams are still struggling to find and inventory all those assets.
Any hope of becoming proactive rests on a CIO’s or CISO’s comprehensive, accurate, and real-time understanding of all assets on the organization’s network. That includes all endpoints, from laptops, tablets, and PCs to virtual machines and applications in the cloud, as well as software.
Always be patching
Critical enterprises, such as electric utilities, healthcare providers, industrial manufacturers, and financial service institutions, often put off patching known vulnerabilities. Their reasons: Downtime interrupts their operations, and it’s costly. Other patch-averse entities are simply hamstrung by slim budgets that can’t keep up with the onslaught of vulnerabilities cascading their way. So they patch the high-priority vulnerabilities and come to terms with an acceptable level of risk.
For those considering playing the odds, calculating that some years-old vulnerability isn’t in a hacker’s line of fire, look no further than Equifax. In September 2017, after the company had failed to patch a two-month-old bug in a web application, it revealed that hackers had breached its network, exposing sensitive data for as many as 147 million U.S. consumers. Totally avoidable.
The best way to avert a costly breach like that is to establish a proactive patch-management program, which means updating your software in a regular cadence—and not just operating system software, but also third-party applications. That includes web browsers, plug-ins, and one-off software that a worker might install to complete a project. Vulnerabilities are entry points.
IT leaders often forget that incident response is a proactive measure. By acting before a breach occurs, by automating threat detection with real-time alerts, and by cutting through the noise of false alerts, organizations can identify, investigate, contain, and remediate threats. The sooner an incident is identified and responded to, the less impact it is likely to have on the organization.
Many security pros don’t have the resources or time to respond quickly to incidents. Today’s harried CISOs are tasked with responding to a wide range of incidents within a distributed environment, one whose vulnerable assets have only increased in the aftermath of the pandemic.
Traditional security tools don’t help. They are often siloed, and their investigative capabilities typically rest on incomplete or aging data. However, a newer crop of incident-response solutions offers real-time visibility into networks. They allow security teams to choose from a variety of remote remediation options—from the surgical approach, aimed at a single endpoint out of thousands, to the blunt, applied to the entire network environment.
Don’t forget people and processes
Moving from the back foot to the front is not only about tech. Your people and your processes are crucial to your efforts. The most forward-thinking CISOs I know take time to loop in stakeholders across the organization, including legal, compliance, IT, HR, and business. They seek partners to help develop an internal reporting structure, one that will meet or anticipate the requirements of the coming executive order and even future requirements.
The CISOs I work with put leadership in place to ensure accountability. They appoint a liaison to work with agencies that might oversee compliance in their work with the federal government. And they are painfully aware of the many lessons bestowed by the SolarWinds cyberattack.
They know the security bumble at one company can perforate the defenses of others along the supply chain. They know they must get off the back foot and onto the front to be prepared.