This piece by Sherri Ramsay originally appeared on Homeland Security Today on November 28, 2018.
Every day our computers and networks are being attacked. Sometimes it takes the attackers only minutes to selectively target a vulnerability and compromise our systems. Then they are able to quickly exfiltrate our data, while avoiding our defenses. There is an extensive set of attackers – nation states, criminals, hacktivists, terrorists, and even “lone wolves”. Corporate entities and governments no longer have the luxury of only worrying about powerful nation states. They must be prepared to defend against any of these attackers. The harsh reality is that these attackers collaborate across the spectrum while we continue to operate mostly in independent stovepipes, defending ourselves as if we are each on an island. The cyber threat is asymmetric; the playing field has been leveled.
Every cybersecurity headline serves as a warning that no organization is immune from attacks. So what can we do? Breaking the current cycle will require a fundamental shift in thinking. It will require leadership. Consider the following three-part strategy.
First, we need to make our networks defensible; that is, we need to harden them. The best place to start is the comprehensive approach offered by the Center for Internet Security's (CIS) Top 20 Critical Security Controls. The controls are a prioritized set of best practices created to stop the most pervasive and dangerous threats of today. They give organizations a highly focused set of actions that are implementable, usable, scalable and consistent with global industry and government security requirements. The controls also map to many regulatory and compliance frameworks, including NIST SP 800-53, ISO 27002, PCI DSS 3.1, the CSA controls and HIPAA, so implementing them does double duty as groundwork for those requirements.
Secondly, once our networks are hardened, we must actively defend them. This is a mindset change. We can no longer have system administrators who only "administer" the networks and IT departments who only maintain them. We need to change the culture to one of network defense, where everyone who has access to the network has a role to play. The defenders must continuously assess both the state of the network and its behavior, monitoring the hosts themselves and the traffic between them for anomalies: a workstation that suddenly sends far more data outbound than it ever has, or that starts talking to a destination it has never used. And they must be prepared to take immediate action when they see one.
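One concrete form of the "monitor the traffic for anomalies" step is to baseline each host's own outbound behavior and alert when a review period departs from it. The following is an added example, not code from the original article or from any product it mentions: the flow records are constructed (hour-indexed windows, documentation-range IP addresses), the per-host median plus MAD threshold and the multiplier k=5 are assumptions chosen for illustration, and the "new destination" check is the simplest possible form of the behavioral comparison the paragraph describes.

```python
"""Flag hosts whose outbound traffic departs from their own baseline.

Added example (not from the original article). Assumptions: flow records
are dicts with host, window (hour index), dst and bytes_out; the baseline
windows are trusted; a host is anomalous if its outbound bytes exceed
median + k*MAD of its own baseline or it talks to a never-seen destination.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not real traffic). Windows 0-3 are the
# trusted baseline; window 4 is the period under review. In window 4,
# ws-01 pushes 4 MB to a destination it has never used before.
SAMPLE_FLOWS = [
    {"host": "ws-01", "window": 0, "dst": "203.0.113.10", "bytes_out": 50_000},
    {"host": "ws-01", "window": 1, "dst": "203.0.113.10", "bytes_out": 55_000},
    {"host": "ws-01", "window": 2, "dst": "203.0.113.10", "bytes_out": 48_000},
    {"host": "ws-01", "window": 3, "dst": "203.0.113.10", "bytes_out": 52_000},
    {"host": "ws-02", "window": 0, "dst": "203.0.113.10", "bytes_out": 20_000},
    {"host": "ws-02", "window": 1, "dst": "203.0.113.10", "bytes_out": 22_000},
    {"host": "ws-02", "window": 2, "dst": "203.0.113.10", "bytes_out": 19_000},
    {"host": "ws-02", "window": 3, "dst": "203.0.113.10", "bytes_out": 21_000},
    {"host": "db-01", "window": 0, "dst": "10.0.0.5", "bytes_out": 500_000},
    {"host": "db-01", "window": 1, "dst": "10.0.0.5", "bytes_out": 520_000},
    {"host": "db-01", "window": 2, "dst": "10.0.0.5", "bytes_out": 480_000},
    {"host": "db-01", "window": 3, "dst": "10.0.0.5", "bytes_out": 510_000},
    {"host": "ws-01", "window": 4, "dst": "198.51.100.7", "bytes_out": 4_000_000},
    {"host": "ws-02", "window": 4, "dst": "203.0.113.10", "bytes_out": 21_000},
    {"host": "db-01", "window": 4, "dst": "10.0.0.5", "bytes_out": 505_000},
]


def _bytes_per_window(flows):
    """host -> window -> total outbound bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["host"]][f["window"]] += f["bytes_out"]
    return totals


def build_baseline(flows, baseline_windows):
    """Per-host robust baseline: median and MAD of outbound bytes per window,
    plus the set of destinations the host talked to during the baseline."""
    windows = set(baseline_windows)
    base_flows = [f for f in flows if f["window"] in windows]
    totals = _bytes_per_window(base_flows)
    dsts = defaultdict(set)
    for f in base_flows:
        dsts[f["host"]].add(f["dst"])
    baseline = {}
    for host, per_window in totals.items():
        values = [per_window[w] for w in sorted(per_window)]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # A perfectly flat baseline gives MAD 0; floor it so that a single
        # byte over the median does not become an alert.
        mad = mad or max(1.0, 0.01 * med)
        baseline[host] = {"median": med, "mad": mad, "destinations": dsts[host]}
    return baseline


def detect_anomalies(flows, baseline_windows, current_window, k=5.0):
    """Return one alert per host whose traffic in current_window exceeds
    median + k*MAD of its own baseline, or that reaches a new destination.
    Hosts absent from the baseline are reported too: they cannot be scored."""
    baseline = build_baseline(flows, baseline_windows)
    current = [f for f in flows if f["window"] == current_window]
    totals = _bytes_per_window(current)
    alerts = []
    for host in sorted(totals):
        observed = totals[host][current_window]
        seen = sorted({f["dst"] for f in current if f["host"] == host})
        base = baseline.get(host)
        if base is None:
            alerts.append({"host": host, "window": current_window,
                           "bytes_out": observed, "threshold": None,
                           "new_destinations": seen})
            continue
        threshold = base["median"] + k * base["mad"]
        new_dsts = [d for d in seen if d not in base["destinations"]]
        if observed > threshold or new_dsts:
            alerts.append({"host": host, "window": current_window,
                           "bytes_out": observed, "threshold": threshold,
                           "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_FLOWS, range(4), current_window=4):
        print(alert)
```

Median and MAD are used rather than mean and standard deviation so that one earlier burst in the baseline does not inflate the threshold and hide the next one; in practice the baseline would be rebuilt on a rolling window and the destination check would be fed from flow logs or a proxy rather than an in-memory list.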
The third part of the strategy is collaboration among and between industry and government, taking a page out of the attackers’ playbook. We, the “good guys” must share our relevant information, pool our expertise and connect our responses in a timely manner. We must collaborate both on threat intelligence and mitigations/solutions. In effect, we are crowd-sourcing our cyber defense. By crowd-sourcing in a timely manner, we are more likely to have actionable intelligence giving us the ability to address vulnerabilities and to take responsive actions that will keep attackers from stealing our data.
The oil and natural gas industries have implemented this approach, collaborating to combat the vast cyber threats facing the energy sector. The American Petroleum Institute (API) just released a report that was co-sponsored by the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) and the Natural Gas Council, along with all member organizations, demonstrating the industry-wide approach to cyber security, and not allowing politics to influence response and actions. The collaboration across energy industries is crucial given the globally critical importance of oil and natural gas. Any cyber attack on the oil and natural gas industry would not only affect the US, but would have an immediate international ripple effect.
The bad guys will continue to exploit our networks as long as we let them. We must (1) harden our networks, making them defensible, (2) actively defend them, and (3) crowd-source both threat information and response actions. It is time for us, the good guys, to change our model and successfully gain the higher ground. Let’s use a winning strategy!