F-Secure Countercept’s New York team spent a few great days at the Gartner Security and Risk Management Summit in June. A particular focus was to highlight critical trends and issues within the current security landscape. To that end, here are – in no particular order – our top ten takeaways from Gartner 2019.
1. Traditional security controls still have a long life ahead of them
As a business, we know that traditional controls, while effective in preventing basic attacks, do not protect against more sophisticated, targeted attacks. That being said, traditional controls are still necessary, and will continue to be necessary. A common misconception with security is that a single solution will protect and prevent against all threats, when in reality, security is a series of pieces that come together to form a bigger picture. Even the most advanced solutions (i.e. managed detection and response), rely on support from basic security controls (such as intrusion detection and prevention systems, antivirus variants, and email filtering systems) to establish a comprehensive security posture.
2. Supply chain security
High profile incidents such as ASUS, CCleaner and Magecart exemplify how supply chain attacks continue to be one of the top ways organizations and individuals are compromised. As these types of attacks exploit existing trust between two parties, it is imperative that organizations continually evaluate and implement best security vetting practices between them and their key suppliers.
3. Phishing the C-Suite
It has been stated many times, but to reiterate, phishing and social engineering are responsible for upwards of 90%+ of all breaches. To combat this, expensive training programs are undertaken, which often yield unimpressive results: no matter the amount of training, employees fall for phishing scams. In the current landscape, it is much more cost effective – and effective in general – to focus on training those with access to critical assets, having an incident response plan in place, and strengthening internal controls as much as possible.
4. The MITRE ATT&CK framework
The MITRE ATT&CK (Adversarial Tactics, Techniques, & Common Knowledge) framework outlines the specific tactics, techniques, and procedures employed at each step of a cyber-attack. It was designed to be a guide for self-capability assessments, giving organizations the possibility of truly understanding their detection capabilities against these threats. From here, response plans can be built and this should be at the heart of any strategic security plan.
5. The importance of capability assessments
Organizations purchase tools, security services, and hire “security experts” to secure them from cyber threats. Penetration tests and vulnerability scans are performed to assess technical controls, but we have noticed that not many businesses take time to assess the more important control: their security team or service provider. Capability assessments allow businesses to discover exactly where they stand on the security spectrum. They help determine what their teams have the ability to detect, as well as if they’re able to detect threats in the first place. Most importantly though, capability assessments tell a company exactly where their team can improve. Capability assessments also allow those outsourcing their security teams to see if they’re getting what they’re paying for. The MITRE ATT&CK framework is one of the most useful tools when performing capability assessments, whether you’re a company assessing your own team, or a consultancy.
6. The security skills gap continues to grow
Cyber security lacks talent, and lots of it. This is not something new in the industry, yet needs to be highlighted over and over again due to our increasing reliance on technology. In truth, most companies cannot do everything themselves, even if they want to. It’s important to understand this challenge and be proactive: recognize where your gaps are and contact experts and consultancies to fill in those gaps. It is often cost effective and saves huge amounts of time and heartache in building and maintaining an internal team.
7. Engaging the board of directors
Security is sometimes not taken as seriously as it should be, especially by those who hold the corporate wallet. You, being an expert in cyber security, therefore need to speak about security in the way the board understands and appeals to – or else you risk your budget not matching your needs. Gartner spoke on this topic, highlighting that the things most leadership teams care about are: profit, risk, and cost.
8. Office 365 Security
While having existed for years, cloud-based technology is becoming more and more a staple within modern IT environments. Because cloud technology exists within the cloud, cloud applications increase the attack surface of an organization. Due to the prolific nature of Microsoft technology within organizations, Office 365 is being increasingly adopted. Office 365, like most cloud solutions, allows the buyer to configure its security settings; although too often this is being mismanaged. All cloud services should be thought of as integral parts of an estate and should be included in thorough security programs.
9. Vulnerability management
A basic but a good one – patch management is vital. While phishing is the primary cause for breaches, managing and patching internal systems is just as important. A rule in offensive security testing is “always try the front door first”. The amount of times that our consultants come across default credentials, ports and services that shouldn’t be exposed to the internet, as well as weak passwords is mind blowing. Patching vulnerabilities as they are released takes away from these “quick wins” and forces attackers to harder methods of exploitation.
10. Automation and machine learning
In contrast to traditional controls, modern day tools are moving more and more towards automation, AI, and machine learning. The security industry has come up with network AI solutions and next-gen antivirus, some touting them as be-all end-all solutions. While we agree they are effective in some scenarios, these solutions tend to be relied upon completely, or a lot more heavily than they should be. Any automation should be taken with a grain of salt. Again using our consultants as an example, we constantly come across these solutions and find ways to bypass them. Once bypassed, the real question lies within the teams sitting behind the automation: “can they see me?” It should be assumed that if we can do this as a consultancy, then adversaries are able to do so as well.
The insights above were gleaned during the Gartner 2019 event, but perhaps you took away something different? We’d love to hear your take.
If you have any questions on any of these insights please don’t hesitate to reach out to us.