The evolution of cyber-threats and the confluence of new systems and legacy systems are the most significant current challenges for security teams, according to a panel of CISOs speaking during a virtual event organized by HP Wolf Security.
Moderated by Ed Amoroso, chief executive officer of TAG Cyber LLC, the session began with a simple question to the CISOs: why are we still getting hacked? Deneen DeFiore, vice president and CISO at United Airlines, noted that in 2021 “there was so much evolution in the kinds of threats we saw.” This included attackers frequently finding new ways to breach organizations; for example, discovering new zero-day vulnerabilities. DeFiore added that the growing innovation of attackers means “it is becoming commonplace for organizations to have vulnerability responses and be concurrently running their operations.”
The increasingly professionalized approach taken by threat actors was highlighted by Kurt John, CISO at Siemens US. He said it is important to recognize that most attackers are motivated by financial gain and have adopted innovative practices to maximize their revenue opportunities. “They innovate and collaborate and share the spoils,” he explained. “These are really business-minded folks in it for money for the most part.” This factor is driving the evolution in attack techniques, making life harder for security teams.
John also highlighted the security challenges posed by the “intricacies” of IT and OT convergence. This has led to a “confluence of older and newer hardware and software.” To undertake modernization programs securely, he advised organizations to “have a joint IT/OT strategy so that decisions that are being made in those spaces are not being made in a vacuum, but they’re being woven together so they are better integrated.”
Joanna Burkey, Global CISO HP Inc., described the impact of supply chain attacks, which has completely changed the traditional one-to-one attacker-victim dichotomy. Incidents like SolarWinds have shown this can be turned into “one-too-many.” Here, “the attacker got efficient and they realized we don’t need to go one-to-one all the time, we can find a commonality between 100s or even 1000s of victims – let’s compromise that commonality.” Therefore, all organizations have to consider how they may “unwittingly” be a part of this equation and avoid that.
"The attacker got efficient and they realized we don't need to go one-to-one all the time, we can find a commonality between 100s or even 1000s of victims"
Legacy systems are a major challenge when dealing with the increasingly sophisticated threat landscape, according to Ian Pratt, global head of security at HP Inc. He noted that many of the systems used to this day “have their roots in the 1980s, built at a time when security was not front and center of what people were worried about.” He continued: “There’s this enormous legacy of vulnerable technology that’s out there and an infinite supply of vulnerabilities for attackers to exploit.” While organizations are improving at replacing these legacy systems, Pratt expects this problem to continue over the next couple of decades.
Encouragingly, Pratt pointed out that there are numerous security principles that have stood the test of time regarding standing up to attacks. These include least privilege, access rights and isolation. These principles should continue to be applied, and organizations need to work out how to “retrofit them to existing systems by running them in containers.”
The panelists then detailed some emerging threats they are particularly concerned about. Kurt highlighted two key examples. One of these is targeting the growing number of mergers & acquisitions, which he sees as a variant of supply chain attacks. In this scenario, attackers compromise smaller, start-up companies and wait until an acquisition happens “so they get a foothold into a larger organization.”
The other is the evolution of insider threats, where threat actors are contacting employees to offer them a cut of a ransom payment in return for actually deploying the ransomware into their organization. “It’s a fascinating insider threat scenario, which is very forward-leaning because entire generations are coming up to whom cryptocurrency means a lot more,” he noted.
To develop more effective cyber-defenses amid the modern threat landscape, it is important to look at how different threats affect organizations differently, according to Burkey. Therefore, when analyzing cyber-risks, “making the right decisions for your enterprise is all about the right governance.” This will help organizations understand what resiliency means to them and plan their security strategy accordingly.
Pratt advocated finding ways to tackle “whole vectors of attack” rather than focusing on individual techniques. “There are so many vulnerabilities out there ready to be found and exploited that if you’re operating at that level, it’s going to be a case of trying to detect what’s happening and then catching up.” Instead, “you need to look at approaches that deal with classes of issues.”