Security sprawl is a real challenge for most organizations, especially now as networks are expanding and evolving rapidly, and security resources are increasingly limited. If you’re like most companies, you’ve loaded your wiring closet with a hodge-podge of perimeter defenses over the years. Most of these tools operate in isolation, watching a particular gateway looking for specific types of threats. You try and keep your antivirus and antimalware systems updated, patch and update your systems with some regularity, and try to stay posted about active threats. You’ve also likely added some rudimentary tools to try and spot rogue insiders, and added various filters and password protections to stop your employees from clicking on things they shouldn’t.
And if something nasty does get through, you have a plan in place to deal with it. You know who’s responsible for what in terms of isolating and restoring damaged systems - and you’re all geared up for forensic investigations and learning lessons from what just happened to keep the security lifecycle rolling along.
This approach is the definition of a purely reactive security strategy. It relies almost entirely on being able to shore up your defenses before cybercriminals can target and exploit a new vulnerability, or responding to an alarm that indicates that your network has been breached. Such an approach to cybersecurity keeps you and your security team in constant firefighting mode. Still, it’s the way the majority of organizations implement and maintain their security posture.
The big question is: does this reactive strategy still work today?
Of course, NGFWs, antivirus, spam filters, multi-factor authentication, and a comprehensive breach response plan all have an important job to do. Turn off your traditional Layer 2-3 firewall and see how long it takes for your network to catch on fire. The issue rests with what’s missing.
When addressing threats that are already on the blacklist—those that have been encountered previously and that act in a predictable way—reactive security strategies can be enough. But for expanding threat vectors, emerging attack strategies, sophisticated cybercriminal communities, previously unseen malware, and zero day vulnerabilities and exploits—along with insiders capable of bypassing your edge-based protective measures—reliance on reactive security alone can leave you exposed.
Here are some of the ways to tell that a shift from a reactive strategy toward proactivity might be needed within your organization:
You may be confident that your perimeter defenses are robust enough to pick up on most threats. And in any event, you estimate that the risk of being targeted is low and that the loss to your business will be manageable. When viewed in this way, a purely reactive security policy may make perfect sense. After all, why waste resources on active threat hunting when you can take in stride any threat that comes along?
But we’re long past the age when being hit with a cyberattack was a once-in-a-blue-moon event or a case of bad luck. The reality is much different. Nearly half of all organizations experienced a cyberattack last year. Smaller businesses, which typically have smaller budgets and staff, had it even worse, with 67% percent of SMBs experienced a cyberattack in 2018. These breaches forced 60% of small businesses to close within six months of an attack.
According to FortiGuard Labs researchers, unique malware variants grew 43% in Q3 of 2018 alone, while the number of unique daily malware detections per firm rose 62%. Even worse, the average time to identify a breach is 197 days, with the average time required to contain a breach after detection is still a whopping 69 days. Most concerning is that according to one report, 73% of organizations have self-reported that they are unprepared for a cyberattack. Clearly, a reaction-based security strategy simply doesn’t work.
Of course, you could sit back and hope that your perimeter defenses catch those threats - but it’s increasingly likely that they won’t. In which case, organizations could well find themselves in a constant cycle of clean-up and damage control. It’s a strategy that can quickly drain time, money and resources. The more sensible approach is to adopt a more proactive, zero-trust strategy that starts with an assumption of compromise. If you knew that your network had already been breached, what would you do differently than you are doing now? What resources would you isolate? What control measures would you put in place? Those are the things you should be doing now.
Cybercriminals have long known how reactive cybersecurity tools work—and they make it their mission to circumvent them. On the one hand, we have polymorphous malware to deal with: malicious code with the ability to constantly change to evade antivirus (AV) detection. Even by blending malware with seemingly innocuous code, it can become possible to bypass an AV solution’s methodology.
And while malware-for-hire is readily available to multitudes of relatively unsophisticated end users over the dark web, the actual producers of those scripts tend to be much more professional. When a business gets an update from its AV provider informing it of the latest batch of identified malware variants, it’s a safe bet that the authors of that malware are signed up to the very same update. It’s their cue to launched their ‘new and improved’ version deigned to evade detection. With purely reactive security measures in place, businesses constantly find themselves one step behind the criminals.
Half of data breaches originate from insiders - whether through accidental or malicious actions. Such breaches also tend to be among the most difficult and costly to rectify.
You most likely have some protective measures in place to tackle the insider threat. Usage policies set out what behaviors are and aren’t acceptable, while solutions such as file fingerprinting and usage monitoring provide visibility into what’s happening across your IT estate.
But one of the biggest problems you face comes in the form of privileged users. These are the people who know precisely what reactive measures you have in place. They know how to cover their actions without triggering a reaction. And they also know where your most valuable data resides. When one of those actors becomes rogue, it can be impossible to respond effectively when your security defense system is built around a reactive model.
With GDPR about a year old, and similar legislation in place or on the horizon around the world, CISOs are facing a completely new data protection framework—including severe fines for the most severe non-compliance violations.
A data privacy breach resulting from a security compromise doesn’t automatically lead to a sanction. What happens depend on the account you are able to provide to the investigating regulator.
Were the reactionary security solutions you had in place reasonable and adequate? Did you regularly stress-test your security infrastructure? Compliance isn’t a one-off exercise—staying compliant demands that you invest sufficient resources to meet an increasingly complex threat landscape. Sticking to your current reaction-oriented security framework that only responds after an update or event occurs is no strategy.
Research conducted by The Economist Intelligence Unit suggests that those firms that have a proactive security strategy in place, backed by a fully-engaged C-suite, tend to reduce the growth of cyberattacks and breaches by 53% over comparable firms.
So what does a proactive strategy actually look like? Proactivity involves identifying and mitigating those hazardous conditions that can give rise to all manner of “nasties” cropping up - in whatever form they may take. Take the example of the malicious insider. His intention is to steal and exploit some of your most valuable data. He still hasn’t decided precisely how he’s going to do it - but he’s got numerous extraction options open to him. If you are very lucky, your purely reactive security measures might pick up on a one-off illegal action - but the chances are that the insider will be able to bypass them.
A proactive approach involves identifying the hazardous conditions that tell you something’s afoot: How has this individual’s behavior strayed from the norm recently? Has he been moving files to new servers? Is he logging in to resources he previously rarely accessed? Is data moving in unexpected ways?
Getting out of the trap of reaction-based security requires organizations to rethink both their networking and security strategies. Organizations need to begin by anticipating attacks by implementing zero-trust strategies, leveraging real-time threat intelligence, deploying behavioral analytics tools, and implementing a cohesive security fabric that can gather and share threat intelligence, perform logistical and behavioral analysis, and tie information back into a unified system that can preempt criminal intent and disrupt criminal behavior before it can gain a foothold.
Read our Q4 Threat Landscape Report to find out how to protect your business from bad actors.