The following is a summary of a chapter (The cyberthreat in the digital age: Prevention: Can it be done?) written by Mark McLaughlin, CEO of Palo Alto Networks Inc., in the New York Stock Exchange’s definitive cybersecurity guide for directors and officers, “Navigating the Digital Age”.
This is the first in a series of planned instalments providing concise summaries of selected chapters from the New York Stock Exchange’s cybersecurity guide.
In this chapter, McLaughlin asserts that our digital lifestyles are constantly at risk of being totally ripped apart by a persistent onslaught of cyber attacks. “This is not hyperbole”, McLaughlin cautions.
There is a very fine line separating the smoothly functioning digital society we know and a chaotic breakdown in society brought about by the total collapse of those digital capabilities.
Machine vs. human
McLaughlin explains the cybersecurity battle using a mathematical formula.
One of the negative consequences of an increasingly digital world is cyber criminals’ ability to launch numerous, sophisticated attacks at lower and lower costs. These adversaries continue to develop and use unique tools that cause great damage to businesses, governments, and organizations. As technology becomes less expensive, the cost of launching automated attacks decreases, which allows the number of attacks to increase at no net increase in cost. See figure 1.
In the face of this increasing onslaught, the defenders generally rely on decades-old security technology, “often cobbled together in multiple layers of point products; there is no true visibility of the situation, nor are the point products designed to communicate with each other.”
Humans have little to no leverage in the face-off against machines
As a result, McLaughlin explains that responses are highly manual in nature. “Unfortunately, humans facing off against machines have little to no leverage, and cyber expertise is increasingly hard to come by in the battle for talent.”
He asserts that, by harnessing automation and integrated intelligence, the cost of creating a successful cyber attack can be raised significantly, which in turn would eventually decrease the number of successful attacks. See figure 2.
Prevention is not impossible
Although McLaughlin says it is unlikely that the number of attacks will abate over time (in fact, it will increase exponentially), he makes the case against the common assumption that prevention is impossible, and that all intrusions should simply be detected and responded to.
The fundamental problem with this approach is that no combination of people, processes, and technology can prioritize and respond to every intrusion.
Consequently, the strategy must be to significantly decrease the likelihood of an attacker succeeding, and to increase the cost of doing so.
“When this point is reached, then we will be able to quantify and compartmentalize the risk to something acceptable and understood.”
The Sputnik analogy
McLaughlin uses the space race as an example: when the Soviet Union launched Sputnik, mass hysteria prevailed about the threat of a nuclear attack. Once the US eventually launched its Mercury program, however, the leverage in the equation was changed.
“The space-based attack risk was not eliminated, but it was compartmentalized to the point of fading into the background as a possible but not probable event.
“It was at this stage that the panic and confusion receded from the headlines and daily reporting.
“In much the same way, technological innovations could reverse the cost of successful attacks. A prevention philosophy is much more likely to result in prevention capabilities being developed, utilized, and continually refined over time.”
Is prevention possible?
Most security professionals would agree that total prevention is not possible. But McLaughlin believes that prevention is possible to the point where the incidence of successful attacks is reduced to something manageable from a risk perspective. He says it is imperative that cost leverage be gained in the cyber battle.
“This leverage can be attained by managing the cyber risk to an organization through the continual improvement and coordination of several key elements: technology, process and people, and intelligence sharing.”
Traditional or legacy security technology is failing at an alarming rate. The causes include security technology deployed in silos, from vendors that do not collaborate with one another; the use of outdated technology; and macrotechnology trends (such as Cloud computing and the Internet of Things) that leave security professionals with less and less control over data.
McLaughlin proposes the following solutions for improving the security of technology:
- Advanced security systems must be designed on definitive knowledge of what and who is using the network being deployed.
- These capabilities must be as natively integrated as possible into a platform such that any action by any capability results in an automatic reprogramming of the other capabilities.
- The platform must be part of a larger, global ecosystem that enables a constant and near-real-time sharing of attack information.
- The security posture must be consistent regardless of where data resides.
- He also warns that security should not hold back high productivity deployment scenarios based on the Cloud, virtualization, etc.
Processes and people
McLaughlin advises that it is the executive team’s duty to ensure their technical experts are managing cybersecurity risk.
Under executive leadership, it is very important that there is continued improvement in organizational processes for security.
People must be continually trained to identify cyber attacks and to take the appropriate steps in the event of an attack.
“Many of the attacks that are being reported today start or end with poor processes or human error.”
He also cites the sharing of personal information on social networks as an easy way to target employees in sophisticated phishing attacks. It is important that technology, processes, and people are coordinated, and that training is done on a regular basis.
Given the increasing number and sophistication of cyber attacks, it is difficult to imagine that any one company will have enough threat intelligence to defeat the vast majority of attacks.
If, however, multiple organizations shared attack patterns and information with each other in close to real time, then the combined intelligence would dramatically reduce the number of successful attacks.
In such a scenario, attackers would need to design and develop unique attacks every single time they want to attack an organization, as opposed to today’s scenario in which they can use variants of an attack again and again against multiple targets.
“This would significantly drive up the cost of a successful attack and force attackers to aggregate resources in terms of people and money, which would make them more prone to be visible to defenders, law enforcement, and governments.”
ISO 27001, the international standard for best practice in information security, supports the containment of information risks, including cyber risks, through the implementation of an information security management system (ISMS). An ISMS by its very nature takes a holistic approach to information security through the management of people, processes, and technology.