You cannot defend what you cannot identify or see. You also cannot protect your assets effectively if you do not have insight into which assets are most valuable.
CISOs would likely agree. Yet many people tasked with defending organizations' cybersecurity struggle to effectively identify their "crown jewels." As a result, these assets are often poorly defended and at risk of being compromised. And if you don't know what to protect, you end up investing blindly without actually improving your security.
Throwing money at the problem will not help. While Gartner estimated that overall global IT spending would decline in 2020 due to the COVID-19 pandemic, spending on cybersecurity actually increased, with cloud security growing the fastest of all cyber defense sub-categories. With massive numbers of people working remotely for the first time, the challenges have only intensified.
It is not necessarily how much you are spending but how you choose to spend your cybersecurity budget. Fundamentally, getting it right means having the tools to ensure you can identify and protect your most valuable assets.
Why the Cybersecurity Industry Needs a Fresh Approach
Why are hackers still successful despite significant investments in security controls? First, those responsible for security must research and evaluate piles of data without context. Moreover, they continue to be challenged by complex and dynamic hybrid infrastructure.
Second, standard security controls must be put in place and kept up to date. However, too many security tools do not play well together or operate in silos. Not only is this a poor ROI, but it also prevents security from working holistically. Fragmented and ineffective security processes further inflame the problem.
These issues are often difficult to resolve because of a lingering disconnect between the security team and the C-suite. A CISO can quantify the risk only in technical terms, not in business terms, which doesn't really tell the C-suite anything.
What is the result when all these elements are present? Confusion reigns, and suboptimal security follows. Organizations fail at the fundamental tasks of identifying and protecting their most critical assets, leaving them vulnerable.
What is the Solution?
Attack path management is the answer. It means continuously calculating all attack paths using simulated attacker techniques and identifying the most vital assets and attack routes. Context-sensitive, least-effort remediation advice then empowers SecOps and IT teams to patch the exposures quickly.
Additionally, your organization's IT hygiene must be healthy. Continuously scan your network and identify exposures from exploitable vulnerabilities, misconfigurations, poorly managed credentials and risky user activities -- these are the attacker's golden nuggets, the essential elements required for a lateral move.
It is also crucial to identify the choke points that might allow an attacker to move laterally and reach other critical assets. Those must be automatically tagged with contextual information, instantly alerting your security analysts to the true importance of each incident. By eliminating or fixing issues with an individual choke point, you can quickly reduce overall risk and the number of potential attack paths.
In terms of technical tools, decisions should be viewed through a zoomed-in lens. Organizations must be able to identify their crown jewel assets, understand all possible attack paths from breach points and pinpoint the key fixes required to block these attacks – all of which should translate to a quantifiable risk number.
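The path and choke-point reasoning above can be made concrete on a small graph. This is an added example, not part of the original article or of any product's code: the hosts, exposures and function names are all constructed, and the exhaustive path enumeration is only meant for graphs of this size.

```python
from collections import Counter

# Constructed sample environment; every name and exposure here is hypothetical.
# EDGES[a][b] = exposure that lets an attacker who holds a move to b.
EDGES = {
    "phished-workstation": {"file-server": "reused local admin password",
                            "jump-host": "cached admin credential"},
    "exposed-vpn": {"jump-host": "exploitable VPN vulnerability"},
    "file-server": {"jump-host": "service account password in a script"},
    "jump-host": {"domain-controller": "over-privileged admin session",
                  "cloud-admin-role": "stored cloud access key"},
    "domain-controller": {"customer-db": "domain admin rights"},
    "cloud-admin-role": {"customer-db": "overly permissive access policy"},
}
BREACH_POINTS = {"phished-workstation", "exposed-vpn"}
CROWN_JEWELS = {"customer-db"}

def attack_paths(edges, breach_points=BREACH_POINTS, crown_jewels=CROWN_JEWELS):
    """Every loop-free path from a breach point to a crown jewel."""
    paths = []
    def walk(path):
        if path[-1] in crown_jewels:
            paths.append(path)
            return
        for nxt in edges.get(path[-1], {}):
            if nxt not in path:
                walk(path + [nxt])
    for start in sorted(breach_points):
        walk([start])
    return paths

def choke_points(paths):
    """Intermediate nodes ranked by how many attack paths cross them."""
    hits = Counter(node for p in paths for node in p[1:-1])
    return hits.most_common()

def remediate(edges, node):
    """Copy of the graph with every exposure into or out of `node` fixed."""
    return {a: {b: why for b, why in outs.items() if b != node}
            for a, outs in edges.items() if a != node}

if __name__ == "__main__":
    paths = attack_paths(EDGES)
    top, crossed = choke_points(paths)[0]
    print(f"{len(paths)} attack paths; {top} is on {crossed} of them")
    for src, outs in EDGES.items():
        if top in outs:
            print(f"  fix: {outs[top]} ({src} -> {top})")
    left = attack_paths(remediate(EDGES, top))
    print(f"paths left after fixing {top}: {len(left)}")
```

Fixing the single node that every path crosses removes all paths to the crown jewel, while fixing a node on only some of them leaves the rest open; the before-and-after path count is one simple form of the quantifiable risk number.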
What to Look for
Security teams need a new approach that incorporates the attacker perspective to find and remediate critical attack paths across on-premises and multi-cloud networks. The right formula includes continuous and safe attack simulations across hybrid networks and prioritized actions that drive cost-effective and fast remediation of business risk.
Additionally, security teams need intuitive quantifiable risk reporting for the board, integration with the operational and technology ecosystem, and fast deployment and adoption through a SaaS platform.
These qualities allow organizations to easily identify and protect their most valuable assets -- and resolve the disconnect between the IT department and the C-suite through straightforward quantification of risk.
The Takeaway
For the CISO, having the visibility necessary to reduce risk is one of the most critical parts of security. However, if you are assessing your on-prem risk separately from your cloud risk, you have no way of knowing what risks they pose to each other. It's imperative to close the loop between on-prem and cloud risk assessment.
Recent breaches show attackers combining classical attack techniques with cloud-specific methods. This is a major concern for organizations today. Deploying attack path management is what you need to mitigate this risk within your hybrid cloud environments.
A single view across the battlefield is vital. The right choice for smart organizations must span multiple segments, enhancing attack path management by adding the attacker's view to EP and SecOps and disrupting it by reinventing vulnerability risk management.