Security Assurance: The Power of Knowing
Here’s the scenario. An intruder has been lingering in your network for eight months. Since first gaining a foothold by compromising the HR Director’s computer, the intruder has been able to quietly scope out the network and now has an excellent picture of the servers, data stores, cloud data centers, users, networking equipment and IP-enabled monitoring systems in the labs and in the manufacturing center. From his initial point of control, the attacker is now entrenched in five other computers, including one that gives him top admin privileges.
Using his strong position, the attacker has read a number of interesting and highly confidential documents and delved into some important data. The intruder has reviewed the company’s revised business plan, a product strategy document and two-year roadmap presentation, perused the customer database, looked at entities in the accounts payable system and gained access to the development server that technologists use to collaborate in creating a brand new product.
To date, the intruder has done nothing other than to explore, observe and become more deeply entrenched in the network. Like most enterprises, this one has no idea that an attacker is present and has been lurking for months. What’s his motivation? Will he sell confidential information to competitors or unscrupulous investors? Will he threaten to publish all the company’s secrets unless a substantial payment is made? Will he manipulate the accounts payable system just enough to avoid detection for months while siphoning money to various bank accounts? Is there another extortion play? Can he secretly manipulate the new product for extreme leverage after it has been released? What is his next move?
Unfortunately, this scenario is more reality than fiction. Currently, attackers are entrenched and hidden in numerous networks. Rogue or malicious insiders are also at work. Only a handful of enterprises can detect an attacker currently at work on their networks. The attacker’s success is virtually guaranteed.
Today, after years of unrelenting data breaches as well as deeply disturbing incidents that signal what else might be possible, executives and those with a fiduciary or regulatory responsibility for an organization must be able to know if an attacker is present in their network. Boards of Directors, CEOs, CIOs, and others must ask the question of their security or IT teams: is there an active attacker in our network? How would we know? What is our degree of confidence?
Of course, the ability to find an attacker—whether an insider or an externally-based bad actor—early is crucial. Organizations need to detect an attacker before theft or damage can occur. Most do not have this capability today, but it is rapidly becoming a must-have.
The opposite is also becoming a necessity. There is great value in knowing that your network is free from active attackers. In being able to answer this question with confidence, one can satisfy a growing requirement for boards and top executives—to attest that the network is safe and to have a strong level of confidence that, if an attacker did penetrate the network, they could be found quickly and accurately. Security Assurance is something that those with corporate or organizational responsibility should demand and that security teams should be able to provide. The basis should be complete visibility of the internal network with the ability to distinguish the operational activities an attacker must perform once they have a foothold in a network.
Seeing an in-progress attack is the most important ability, but knowing the network is safe is also essential. In 2017, enterprises must start delivering Security Assurance.
LightCyber has added a report to its Magna platform designed to attest Security Assurance. It is well-suited for executives and board members.
If you’re not currently a LightCyber customer, ask to schedule an evaluation of Magna in your own network with a Security Assurance report as one of the deliverables. You could even go a step beyond and secretly arrange a simulated Red Team attack during the evaluation period. Will your existing tools and security team be able to detect the attack? Will Magna find it?
Besides the need to protect the enterprise, executives will soon be held accountable for what they have done to safeguard customer data. The concept is inherent in the General Data Protection Regulation (GDPR) that applies to any organization with personal information of consumers residing in the EU. The SEC, FTC and various Attorney General offices are starting to take a hard look at whether enterprises have taken reasonable steps to protect the data they have been entrusted with and whether they are protecting the integrity of their business, particularly if shareholder value is needlessly put at risk.
Is there an attacker in your network right now? How would you know?