A Rapidly Expanding Attack Surface Requires an Interconnected and Integrated Approach to Security
In analyzing data from Cisco’s Security Capabilities Benchmark Study (see page 49), we are able to examine patterns and decisions that help organizations minimize risk. We can therefore see where they should make security investments that can lead to a significant difference in risk exposure. We measured risk by looking at the lengths of breaches as well as percentages of system outages (see Figure 53 on page 55 regarding the length of breaches and the systems affected).
To understand how organizations create effective safeguards against risk, we need to examine what drivers affect their ability to prevent, detect, and mitigate risk. (See Figure 68.) The drivers must include these elements:
- Executive leadership: The top leadership must prioritize security. This is critical for the mitigation of attacks, as well as their prevention. The executive team should also have clear and established metrics for assessing the effectiveness of a security program.
- Policy: Policy has strong ties to mitigation. Controlling access rights to networks, systems, applications, functions, and data will affect the ability to mitigate damage from security breaches. In addition, policies to ensure a regular review of security practices will help prevent attacks.
- Protocols: The right protocols can help prevent and detect breaches, but they also have a strong relationship to mitigation. In particular, regular reviews of connection activity on networks, to ensure that security measures are working, are key to both prevention and mitigation. It’s also beneficial to review and improve security practices regularly, formally, and strategically over time.
- Tools: The judicious and appropriate application of tools has the strongest relationship with mitigation. With tools in place, users can review and provide feedback that is vital to detection and prevention as well as mitigation.
The security safeguards that organizations use—prevention, detection, and mitigation—can be viewed as measures of influence on an organization’s ability to minimize risk. (See Figure 68.)
These safeguards must include the following elements:
- Prevention: To minimize the impact of security breaches, employees must report security failures and problems. It’s also crucial for security processes and procedures to be clear and well understood.
- Detection: The best detection methods for minimizing the impact of breaches are those that allow organizations to spot security weaknesses before they become full-blown incidents. To accomplish this, it’s vital to have a good system for categorizing incident-related information.
- Mitigation: Well-documented processes and procedures for incident response and tracking are key to effective breach mitigation. Organizations also need strong protocols to manage their response to crises.
All of these drivers and safeguards are interconnected and interdependent. Security professionals can’t simply cherry-pick a couple of drivers and one or two safeguards, and believe they have solved the security problem. They need every driver, and every safeguard. Security teams must analyze where their weaknesses are—for example, low levels of support from leaders, or a lack of tools to mitigate breaches—and calculate where investments in security must be made.
The Key Goal: Reducing Adversaries’ Operational Space
Reducing—and ideally, eliminating—the unconstrained operational space of adversaries, and making attackers’ presence known, must be top priorities for defenders. The reality is that no one can stop all attacks, or protect everything that can and should be protected. But if you focus on closing the operational space that cybercriminals must have for their campaigns to be effective and profitable, you can prevent them from reaching critical systems and data undetected.
This report categorized different approaches that adversaries use to compromise and attack users and systems. We based our categories—reconnaissance, weaponization, delivery, and installation—on where in the attack chain each activity typically occurs. This exercise was meant to illustrate when, how, and where adversaries take advantage of vulnerabilities and other weaknesses to gain a foothold on a device or in a system, launch their campaign, and then reap the rewards they seek.
We suggest that defenders adapt their security approaches to stay ahead of attackers’ basic processes. For example, to undermine adversaries during the reconnaissance phase, security teams should be:
- Gathering information about the latest threats and vulnerabilities
- Ensuring they are controlling access to their networks
- Limiting the organization’s exposure in an expanding attack surface
- Managing configurations
- Developing consistent response practices and procedures that are informed by this work
When weaponized threats are delivered, defenders must apply every tool in their arsenal to prevent them from spreading and worsening. This is where an integrated security architecture becomes critical. It will provide real-time insight into threats as well as automated detection and defense, which are essential for improving threat detection.
At the installation phase, security teams must stay informed about the state of the environment as they respond to and investigate the compromise. If that environment is simple, open, and automated, and if defenders have taken the other proactive steps outlined above, they can then focus their resources on helping the business to answer critical questions such as:
- What did the attackers access?
- Why were they able to get to it?
- Where did they go?
- Are they still operating in our network?
The answers to these questions will allow security teams not only to take appropriate actions to prevent further attacks, but also to inform management and the board about possible exposures and necessary disclosures. Then, the business can begin the process of ensuring that it has comprehensive controls and mitigations in place to address any security gaps—the weaknesses that provided the operational space adversaries needed to succeed—that were identified during the compromise.