The theme of this year’s RSA conference is Resilience, and I think that is a very appropriate theme given the tumultuous year we’ve had in cybersecurity. In the last 14 months, we’ve had to adapt, evolve and innovate. We adapted to a fully remote workforce, we evolved to keep our businesses operating, and we innovated to secure ourselves against increasingly sophisticated threat actors.
As the RSAC organizers highlight, “we are linked by a mission to take on cyberthreats that are, by nature, relentless” and as an industry we are responding to these unprecedented attacks “by searching ever deeper within ourselves to create solutions that can withstand and quickly recover from whatever adversity is thrown at us.”
Last week brought news of yet another major Ransomware attack, this time against Colonial Pipeline that is causing fuel shortages up and down the U.S. East Coast. This latest attack perfectly underscores the RSAC Resilience theme – the need to build systems that are resilient to attack and the need to deploy capabilities (people, processes, and technology) that allow us to quickly recover from these attacks. So how do we get in front of this and stay cyber resilient and secure?
There is certainly a technical component to this, and our cybersecurity industry continues to innovate and improve our ability to detect and respond to “whatever adversity is thrown at us”. I’ve written quite a bit about this in the past and believe my blogs on shifting to proactive defense and defending against the full spectrum of cyber threats cover this pretty well. The bottom-line message in these blogs is that:
Another major component of resiliency is building cyber resilient architectures. For these, you need to take on a military mindset and develop systems that can operate through attacks to allow you to complete your mission (albeit at a degraded capacity). When you are designing a next generation fighter jet (or a fly by wire commercial jetliner for that matter), it’s not acceptable for the pilot to pause midair, hit the Ctrl-Alt-Del button, and restart the system. The system needs to be designed to partition, isolate, and protect mission critical functions.
And that is just what we need to do to manage risk to our business-critical functions – know your risk tolerances, know your business-critical functions and the data and systems that support those functions, and secure your business-critical assets sufficiently to stay within your risk tolerances.
Looping back to the recent Colonial Pipeline attack, we need to factor into our resilient architectures the partitioning, isolation, and protection of OT systems (and IoT, 3rd party partner systems, BYOD, the Internet, etc.) to prevent bleed over of an attack from IT to OT and vice versa. This is a challenge as IT systems are generally used to interconnect OT systems. The NSA recently published an informative report on this topic that highlights the need to isolate and partition OT from IT (and monitor the boundary between the two) and Fidelis has some interesting solutions in this space including our deception technologies that allows you to deploy fully instrumented OT deception decoys within your environment to better detect attacks against OT devices.
If you’d like to learn more about our Deception technology capabilities, our VP of R&D for Deception, Rami Mizrahi, is hosting a webinar on Tuesday, May 25th at 12 PM EST on Attacking & Defending in Stealth Mode with Deception (Claim your spot for this event on the last day of RSA – spots are limited!).
The last area I will touch on is getting to the root cause of the accelerating pace of cyber-criminal activity – ransom payments. I realize this is a touchy topic and the decision whether or not to pay a ransom is a difficult decision for any company or organization knowing that by paying the ransom, they are financing and further expanding this criminal activity. Cyber insurance companies are contributing to this as well as it is usually cheaper in the long run for them to payout a ransom then to pay the costs to recover and reconstitute affected data and systems.
We need to look at the resilience of our Incident Response and Disaster Recovery processes and procedures as well as the resiliency of backups for our business-critical data and systems. If we were able to more quickly and automatically reconstitute our business-critical data and systems, there would be less pressure to pay the ransom. This unfortunately does not help if the attackers have exfiltrated data and are holding that for ransom.
To address that part of the equation, we need to dis-incentivize the selling of stolen data. The industry-based Ransomware Task Force recently published their report which focuses on the need for industry, Government, and international cooperation to “disrupt the ransomware business model.” Their report outlines four primary goals: “to deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; to disrupt the business model and reduce criminal profits; to help organizations prepare for ransomware attacks; and to respond to ransomware attacks more effectively” – and I believe these last two goals align nicely with the theme of resiliency. If you have an interest in strategies for combating ransomware, the report is well written and an interesting read.
To wrap this up, we should all applaud our strength, resilience, and hard work over the past year in combatting the “relentless” stream of cyber-attacks we have faced. And the Fidelis team of Cyber Warriors is always here to help you detect, hunt and respond to your most advanced threats. If you’re attending RSA, enjoy the show, join our webinar, and contact us if you have any questions or would like to know more from our team about our active defense solutions!