Organisations need to think differently about cybersecurity if they want to mitigate risk and recover quickly from an attack.
There are about 1.3 million ransomware attacks a day worldwide, according to recent research, and organisations average over 270 days to identify and recover from a ransomware incident. That’s the scale of the cybersecurity problem and operational impact that organisations now face. It’s not just about being hit. That’s bad enough, but it’s also about how long the organisation takes to identify the problem, discover the root cause, recover fully and ensure that a breach won’t happen again.
Unfortunately, it’s a common story. You only have to look at the big-name organisations that spend millions on cybersecurity – major banks, government departments, retailers, law firms, universities, major airlines and so on – that have been attacked over the past few years to realise that this is not just about throwing money at the problem. It doesn’t matter how high you build the wall; the cybercriminals get bigger and better ladders.
Or they create a Trojan Horse in the form of phishing and walk right through your technical controls. Recent research from Stanford University claims that around 88% of all data breaches are caused by an employee clicking on a link in an email or downloading an attachment. Organisations invest heavily in cybersecurity awareness training, while at the same time migrating to cloud workflows that rely heavily on users clicking links embedded in emails!
In fact, some of the worst security operations centres (SOCs) are those with the most people and the most products, but which haven’t been properly operationalised to reduce the likelihood, and especially the impact, of an attack. It begs the question: is there something fundamentally wrong with the way in which organisations buy security products and structure their operations?
As the World Economic Forum (WEF) and Accenture report, Global Cybersecurity Outlook 2023, suggests, the threats are getting worse, with 86% of business leaders and 93% of cyber leaders saying that global geopolitical instability is likely to lead to “a catastrophic cyber event in the next two years.”
The traditional, transactional model of buying additional products year-on-year rather than focusing on operations that truly move the cyber risk needle leads to more alert fatigue, more infrastructure to manage, more user friction, less agility and more attack surface.
To combat this we need to move from a cybersecurity approach to a cyber resilience approach. That means rethinking expectations on whether or not the organisation will suffer an attack. Organisations need to accept it is a probability, not a possibility, and with this will come a different set of priorities.
The focus is then on response and recovery to minimise impact. How do organisations get to a Recovery Time Objective (RTO) of zero, down from the 270-day-plus average? How can organisations stop the breach and then root out its cause?
Backups are absolutely key when the systems you need to investigate for root cause are encrypted or wiped. If digital forensics capabilities begin from the start, at incident response, we can essentially create a ‘clean room’ in which we take a more surgical approach to recovery – in effect, identifying, isolating and investigating those compromised systems in a safe environment, giving SOC analysts the superpower of time travel across the entire incident timeline. Modern data management platforms support near-instant instantiation of these point-in-time snapshots, and orchestration via APIs that allow Security Orchestration, Automation and Response (SOAR) platforms to manage complex response and recovery security operations workflows. Some data management solutions have even baked security operations capabilities, such as classifying data, hunting for indicators of compromise and identifying vulnerabilities, into the data management platform itself.
But this also requires a business continuity strategy: how will any organisation know what will be online and what will be offline after an attack? It’s no good just backing up files. Organisations have to think about how to get communications, security systems and identity and access management systems recovered first.
The temptation, of course, is just to restore the whole system from backup, but there is a danger here that this will just lead to another attack. Unless the incident is fully investigated, the organisation will not know whether or not the backup is compromised. In former roles, I have personally been involved in breach response in multiple organisations that have made the business decision to recover without fully understanding the nature of the incident and how it happened, then closing the vulnerabilities and removing the artefacts. In every incident where this was the approach, systems were quickly attacked again, further delaying the recovery time of critical services.
The reality is that, unlike traditional business continuity incidents, the Recovery Time Objective in a cyber attack isn’t met by the first recovery alone. Organisations have to start thinking about their backup strategies, how the backup is needed for the security operations response process following a ransomware attack, and how they can use the cloud to isolate systems, create backup clean rooms and use data workflow automation to enable faster recovery. As more organisations cater for remote working, and therefore for data flowing outside of the perimeter, this becomes an increasing necessity.
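The clean-room ‘time travel’ across snapshots and the warning against restoring a backup you haven’t checked both come down to one step: finding the last snapshot that scans clean before restoring from it. The script below is an added example, not the author’s or any vendor’s code; the snapshots, file hashes and indicators of compromise are constructed placeholders, and it assumes the attacker’s artefacts persist once present so the timeline can be bisected instead of scanned end to end.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    taken_at: str                                 # time the point-in-time copy was taken
    files: dict = field(default_factory=dict)     # path -> content hash (constructed values)


# Constructed indicators from a hypothetical investigation: artefact hashes and a
# persistence path. Real values would come from the forensic work, not be guessed.
IOC_HASHES = {"h-dropper-001", "h-ransom-002"}
IOC_PATHS = {"/etc/cron.d/persist"}


def snapshot_is_compromised(snap: Snapshot) -> bool:
    """One clean-room scan: does this snapshot's inventory contain any known IoC?"""
    return any(p in IOC_PATHS for p in snap.files) or \
           any(h in IOC_HASHES for h in snap.files.values())


def find_restore_point(timeline: list[Snapshot]):
    """Bisect a chronological timeline (oldest first) for the boundary between the
    last clean snapshot and the first compromised one, using O(log n) scans.
    Assumption: compromise persists once present. Returns (clean, first_bad);
    clean is None when no retained snapshot is clean, first_bad is None when the
    newest snapshot is itself clean (nothing to root out)."""
    if not timeline:
        return None, None
    lo, hi = 0, len(timeline) - 1
    if not snapshot_is_compromised(timeline[hi]):
        return timeline[hi], None
    if snapshot_is_compromised(timeline[lo]):
        return None, timeline[lo]
    while hi - lo > 1:                            # invariant: lo clean, hi compromised
        mid = (lo + hi) // 2
        if snapshot_is_compromised(timeline[mid]):
            hi = mid
        else:
            lo = mid
    return timeline[lo], timeline[hi]


# Constructed daily snapshots: persistence lands on day 3, the dropper on day 4,
# and day 5 is the encrypted state an analyst would first see.
TIMELINE = [
    Snapshot("2024-03-01T02:00", {"/srv/app/app.py": "h-app-v1"}),
    Snapshot("2024-03-02T02:00", {"/srv/app/app.py": "h-app-v2"}),
    Snapshot("2024-03-03T02:00", {"/srv/app/app.py": "h-app-v2", "/etc/cron.d/persist": "h-cron"}),
    Snapshot("2024-03-04T02:00", {"/srv/app/app.py": "h-app-v2", "/etc/cron.d/persist": "h-cron",
                                  "/tmp/x": "h-dropper-001"}),
    Snapshot("2024-03-05T02:00", {"/srv/app/app.py.locked": "h-ransom-002", "/etc/cron.d/persist": "h-cron"}),
]

if __name__ == "__main__":
    clean, first_bad = find_restore_point(TIMELINE)
    print("restore from:", clean.taken_at, "| root-cause window starts:", first_bad.taken_at)
```

The pair returned is the restore candidate and the start of the window investigators must cover for root cause before the restored system goes back online.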