Now more than ever, nation-state threat actors are challenging government and industry cyber defenses by targeting trusted technology providers. The SolarWinds cyber attack showed the outsized danger this tactic poses to all kinds of digitally dependent organizations. And the next abuse of software supply chain vulnerabilities could be even more disruptive and destabilizing to global security and business. That’s because stealthy intrusions of this kind can go from espionage to sabotage in a blink. But fear isn’t the answer. Here are four ways changing your security mindset and tradecraft can counter emerging threats.
1. Rethink your risk management – Organizations must focus on enterprise risk, third-party risk, their software providers, and the entire supply chain beyond them. It is imperative to apply an adversarial mindset when assessing and managing risk. The White House supply chain executive order (EO) issued in February and the cybersecurity EO released in May are steps in the right direction. But government and industry leaders must stay focused on driving risk management changes that yield measurable improvements in security and resilience. Due diligence checks against vendors are essential. Building a vendor risk management program can take months, so organizations should move with deliberate speed. It is also essential to update such programs regularly to account for every new vendor.
2. Upgrade your security blueprints – Organizations often focus too much on buying cybersecurity products and services, using technology-centric controls, and keeping up perimeter defenses. To be sure, there are no cybersecurity cure-alls. But organizations can create better security blueprints with a zero trust mindset. Zero trust—highlighted in the May cybersecurity EO—is driven by core principles: assume a breach; never trust, always verify; and allow only least-privileged access based on contextual factors. In a zero trust architecture, all individuals, devices, applications, and traffic flows are distrusted by default—they must be authenticated and authorized before accessing or communicating with other resources. Organizations can embrace this approach now and demonstrate increasing maturity over time by implementing controls around seven pillars (user, device, network/environment, application and workload, data, visibility and analytics, and automation and orchestration).
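The "never trust, always verify" and least-privilege principles above translate directly into how an access decision is computed: every request is denied unless identity, device and policy checks all pass, and sensitive actions require additional context. The following is an added illustration of such a policy check, not code from this article or from any Booz Allen product; the request fields (MFA state, device posture, role, resource, action) and the policy table are assumptions chosen for the example.

```python
"""Minimal zero trust access decision: deny by default, verify every request,
grant only what the least-privilege policy allows, and step up requirements
based on context.

Added example. The request schema and POLICY entries are assumptions, not a
real product's data model.
"""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool      # identity was verified for this session
    device_managed: bool    # device is enrolled in endpoint management
    device_patched: bool    # device passes the current patch-level check
    resource: str
    action: str


# Least-privilege policy: explicit (role, resource, action) grants; anything
# not listed here is denied. Entries are assumed for illustration.
POLICY = {
    ("finance", "ledger", "read"),
    ("finance", "ledger", "write"),
    ("engineer", "build-server", "read"),
    ("engineer", "build-server", "deploy"),
}

# Actions that additionally require a healthy device (contextual step-up).
SENSITIVE_ACTIONS = {"write", "deploy"}


def decide(req):
    """Evaluate one request. Returns (allowed, reason); the default is deny."""
    if not req.mfa_verified:
        return False, "identity not verified (MFA required)"
    if not req.device_managed:
        return False, "request from unmanaged device"
    if (req.role, req.resource, req.action) not in POLICY:
        return False, "no policy grants %s '%s' on %s" % (req.role, req.action, req.resource)
    if req.action in SENSITIVE_ACTIONS and not req.device_patched:
        return False, "sensitive action requires a patched device"
    return True, "allowed by policy"


if __name__ == "__main__":
    # Constructed requests showing that each check is evaluated every time,
    # regardless of network location or prior access.
    samples = [
        Request("alice", "finance", True, True, True, "ledger", "write"),
        Request("alice", "finance", True, True, False, "ledger", "write"),
        Request("alice", "finance", True, True, True, "build-server", "deploy"),
        Request("bob", "engineer", False, True, True, "build-server", "read"),
    ]
    for r in samples:
        print(r.user, r.action, r.resource, "->", decide(r))
```

Note that the same user with the same role gets different answers depending on device state and the action requested; that per-request evaluation is what distinguishes this model from a perimeter check performed once at login.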
3. Focus on identity – Zero trust is about more than identity—and yet focusing on identity should be a priority when adopting this mindset. Think of identity as the new perimeter. In a zero trust environment, organizations can address uncertainty about who is on their network. The solution is to create a holistic identity and access management (IAM) program. When such a program is tightly managed, identity management supports access management and enterprise governance runs throughout. And when threat hunting uncovers trouble, organizations can use IAM to block the spread.
4. Get hunting – Relying on raw security information and event management (SIEM) logs for protection isn’t enough. Actively hunting for adversaries in the network is vital. Normalizing, processing, and analyzing security data can uncover stealthy threats. In addition, threat hunting capabilities can expand over time by leveraging more automation to generate insights on threats, vulnerabilities, and risks. The SolarWinds attack might have been able to dodge some zero trust defenses because the threat both altered a trusted application in the supply chain and involved a protocol flaw that could be used to modify user roles or even create new users. But threat hunting enabled by zero trust could still detect such a threat via continuous assessment of huge volumes of data. In addition, tools like the Cybersecurity and Infrastructure Security Agency’s CISA Hunt and Incident Response Program (CHIRP) tool can help network defenders strengthen security against known risks—and that, in turn, helps threat hunters focus on spotting new hidden threats.
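The passage describes the core hunting loop: normalize events from different sources into one shape, then look for the identity-abuse indicators it names (user roles being modified, new users being created). Below is an added example of that loop, not code from this article, from CHIRP, or from any Booz Allen tool. The log lines are constructed for the example, and the field names (`event`, `actor`, `target`, `role`, `src`), the role names and the `svc-` service-account convention are assumptions rather than any real product's schema.

```python
"""Threat-hunting sketch: normalize mixed-format audit events, then flag
account creation and role changes for analyst review.

Added example. Log lines are constructed; the field names, role names and
service-account prefix are assumptions.
"""
import json
import re

# Constructed sample: one source emits JSON, another emits key=value text,
# and one line is malformed (real feeds always contain some of those).
SAMPLE_LOGS = [
    '{"ts": "2021-06-01T02:14:07Z", "event": "user.create", "actor": "svc-build", '
    '"target": "jdoe2", "src": "10.0.5.7"}',
    'ts=2021-06-01T02:14:09Z event=role.modify actor=svc-build target=jdoe2 role=GlobalAdmin src=10.0.5.7',
    '{"ts": "2021-06-01T09:30:00Z", "event": "login.success", "actor": "alice", '
    '"target": "alice", "src": "10.0.1.20"}',
    'ts=2021-06-01T10:05:41Z event=role.modify actor=helpdesk target=bob role=Reader src=10.0.1.50',
    'this line is malformed and should be skipped',
]

KV_RE = re.compile(r"(\w+)=(\S+)")
PRIVILEGED_ROLES = {"GlobalAdmin", "DomainAdmin"}   # assumed role names
SERVICE_ACCOUNT_PREFIX = "svc-"                      # assumed naming convention


def normalize(line):
    """Map a JSON or key=value line to a flat dict; return None if unparseable."""
    line = line.strip()
    if line.startswith("{"):
        try:
            return json.loads(line)
        except json.JSONDecodeError:
            return None
    fields = dict(KV_RE.findall(line))
    return fields if "event" in fields else None


def hunt(lines):
    """Return findings as (severity, reason, event) tuples, in event order."""
    events = [e for e in (normalize(l) for l in lines) if e]
    # Who created which account in this window: a creator that then grants
    # the new account a privileged role is a classic escalation pattern.
    created_by = {e["target"]: e["actor"] for e in events if e.get("event") == "user.create"}
    findings = []
    for e in events:
        kind, actor, target = e.get("event"), e.get("actor", ""), e.get("target", "")
        if kind == "user.create":
            # Accounts created by a service account warrant a closer look.
            sev = "high" if actor.startswith(SERVICE_ACCOUNT_PREFIX) else "medium"
            findings.append((sev, "account %s created by %s" % (target, actor), e))
        elif kind == "role.modify":
            role = e.get("role", "")
            if role in PRIVILEGED_ROLES:
                reason = "privileged role %s granted to %s by %s" % (role, target, actor)
                if created_by.get(target) == actor:
                    reason += " (same actor created the account)"
                findings.append(("high", reason, e))
            else:
                findings.append(("low", "role %s granted to %s by %s" % (role, target, actor), e))
    return findings


if __name__ == "__main__":
    for sev, reason, ev in hunt(SAMPLE_LOGS):
        print("[%s] %s at %s from %s" % (sev.upper(), reason, ev.get("ts"), ev.get("src")))
```

On the constructed input this yields two high-severity findings tied together by the shared actor and one low-severity routine role change; the login and the malformed line produce nothing. In practice the normalization step is where most of the effort goes, and the rule set grows as hunts surface new patterns, which is the automation-driven expansion the passage refers to.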
At Booz Allen, we work closely with federal agencies and departments entrusted with national security missions and with leading businesses across the range of critical infrastructure industries. We deliver integrated solutions for cyber defense—and we hope these takeaways from our client work are useful for your organization. Contact us to continue the conversation.