Most of us are familiar with the phrase security through obscurity: the idea that my organization is small enough I can't possibly be on the radar for a cyber-criminal or nation-state. It's time for everyone to realize that this simply isn't a valid strategy and it isn't working. Every day we witness yet another small to medium organization struggling through this painful new reality. The organization that will survive the current and future threat landscape is forward-thinking and making security a part of every strategic and tactical discussion.
Tim Marley, CPA CIA CISSP CISM CISA GSNA CIPP/US PCIP
Director, Risk Advisory Services, True Digital Security
Two More City Governments Pay the Ransom
When the small, municipal government of a Florida town boasting only 35,000 residents pays $600K to get their data back after being hit with ransomware, you would reason that people would finally quit saying, "Oh, we're just so small. Attackers don't have any interest in what we have here, so I'm not worried about that." That would be a reasonable response. Then, when news broke that a second city just miles away, with only 65,000 residents, paid nearly $500K to the same ransomware gang, in the exact same scenario, surely it would hit home.
Yet, every day, small city governments, mid-level organizations, and even small businesses continue to justify putting off cybersecurity measures that would protect them. They assume those are perks reserved only for enterprise-level companies. Most often, those mid-level and small organizations look at the spend, which is often less than 10% of what they'll pay in ransom, and with pursed lips, announce that their budgets just won't allow for such a frivolous spend. That's right: security, frivolous, as if any of us would refuse to put solid locks on our doors or alarms on our homes. Yet when ransomed, these same organizations suddenly realize that without any ability to take payments online, service their clients, or otherwise generate revenue through their IT and online systems, they're willing to pay into the hundreds of thousands of dollars to criminals in hopes of restoring systems. That is not investment funding. It does nothing to advance their IT strategy, security posture, or meet any other goals. It's a one-time payment that will only serve to put them back at just below ground zero so they can begin again trying to set and reach goals. $500K and $600K, respectively, in budgets that they can't ever get back. Over half a million dollars' worth of lost initiatives. Lost progress. So what's the alternative?
Security Engineered From Day One
- First, if they had engineered their IT systems securely to begin with using an integrated IT-Information Security provider, they would already be a step ahead. Simply selecting a superior provider wouldn't necessarily cost them any more than it did to design function-only IT systems, nor did it have to be any sort of massive undertaking. We are talking about simply using a provider who has the expertise to architect security engineered solutions, instead of one who doesn't.
- Secondly, it doesn't take an expert to know that you should probably elect all available security options built into that same technology.
- Thirdly, what kind of discussion was had around network monitoring? Who and what data, if any, informed that conversation? If you ask an IT-only specialist, she or he might tell you that security measures can be added gradually, as necessary, over time, but that your focus should be functionality. So no need to implement network monitoring right away, right? Maybe ask the Riviera Beach and Lake City, FL City Councils how that one goes.
Instead, we would point you towards Key Biscayne, the small Florida village that caught and announced a security event just one day after news broke of the Lake City breach. At this point, we don't know how advanced the attack became, but one thing is clear from their early announcement, engagement of outside counsel, and hiring of a forensics team: at least they are following some sort of incident response plan. Was that a pre-existing security program that resulted in the protection of a town's municipal networks, or was a team put together in a hurry, when they learned about their neighbors' attacks? Who knows, but the point is, they caught it. Nobody starts out firing at 100%. The important thing is to start. Village officials took the time to have someone, internal or external, look into their systems in an effort to identify any malicious activity; they found some, and now other protocols are being followed. Had no one been looking with a careful eye, attackers would have been able to stay in the systems longer and launch a more significant attack.
Putting Trained Eyes on Your Network
System monitoring and remediation, around-the-clock, is the only way to truly know you are going to catch security events before they become catastrophic, because the reality is, cybercriminals will find a way in. The payoff is simply too good for them to quit trying. So when you look at this from a financial perspective in your own context, the payout on a ransom and the cost of operational downtime dwarf the cost of proper monitoring as part of your layered security measures.
Taking this one step further, though, we need to define proper monitoring:
- Are we talking about an MSP who takes a look at your firewall logs once a day, between 8-5pm, during their normal M-F work week?
- What about other kinds of logs that you could be reviewing to catch events earlier?
- What happens when you are breached at 6pm on a Friday, and your MSP is home for the weekend? That's the best time to launch an attack, and criminals know this. They are betting you haven't invested in security, and that by the time your internal IT team or MSP returns to work on Monday, the damage will have been done, and they will already have cleaned up their tracks.
The Importance of Tuned Alerts and Escalation Protocols
So once you have someone looking at the network all the time, what happens with alerts when an event does occur? Had Riviera Beach's IT Director been properly notified of an attack, a security analyst would have called immediately to walk them through the processes of locking out attackers, quarantining ransomware, and getting systems securely back online without missing a beat, and before hanging up the phone. If, however, they simply got one more email to an inbox, one of hundreds per day letting them know there has been an event on their network, it likely would have been ignored due to alert fatigue. In contrast, an analyst who has detailed documentation of your network, familiarity with your environment and your staff's usage patterns, and a pre-determined protocol for escalation and remediation can save you not just time, but apparently hundreds of thousands of important budget dollars. The process of adjusting those monitoring alerts to suit your unique environment and making sure only those alerts that indicate a real problem are escalated is called tuning, and it is essential to a successful monitoring strategy.
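To make tuning and escalation concrete, here is an added example (not code from TRUE or from the original post) of a small triage routine. It assumes a hypothetical environment baseline (a known vulnerability scanner, a backup window, an admin list), constructed sample alerts, and three escalation channels; it suppresses alerts the baseline explains, de-duplicates repeats to limit inbox fatigue, and treats the 6pm-Friday gap described above as a reason to phone rather than ticket.

```python
"""Alert tuning and escalation illustration. All hosts, users and rules are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical baseline: the environment documentation an analyst tunes against.
BASELINE = {
    "known_scanners": {"10.0.0.5"},   # internal vuln scanner trips port-scan rules nightly
    "backup_window": (1, 4),          # hours when the backup job touches every file share
    "admins": {"jsmith"},             # the only account expected to log on as admin
}

@dataclass
class Alert:
    rule: str
    host: str
    user: str
    ts: datetime

def business_hours(ts: datetime) -> bool:
    """Mon-Fri, 8am-5pm: the coverage window of a 'once a day' MSP review."""
    return ts.weekday() < 5 and 8 <= ts.hour < 17

def tune(a: Alert):
    """Return None when the baseline explains the alert, otherwise a severity."""
    if a.rule == "port_scan" and a.host in BASELINE["known_scanners"]:
        return None
    if a.rule == "mass_file_access":
        start, end = BASELINE["backup_window"]
        if start <= a.ts.hour < end and a.user == "svc_backup":
            return None
        return "critical"   # ransomware-like file churn outside the backup job
    if a.rule == "new_admin_logon" and a.user not in BASELINE["admins"]:
        return "high"
    return "low"

def escalate(a: Alert, severity: str) -> str:
    """Pre-agreed protocol: critical is always a phone call; high is a ticket in
    business hours but a call off-hours; low goes to the daily review log."""
    if severity == "critical":
        return "call"
    if severity == "high":
        return "ticket" if business_hours(a.ts) else "call"
    return "log"

def triage(alerts):
    """Apply tuning, drop repeats of an already-escalated (rule, host, severity), return actions."""
    seen, actions = set(), []
    for a in alerts:
        sev = tune(a)
        if sev is None or (a.rule, a.host, sev) in seen:
            continue
        seen.add((a.rule, a.host, sev))
        actions.append((a.rule, a.host, sev, escalate(a, sev)))
    return actions

SAMPLE_ALERTS = [  # constructed; June 2019 dates so that the 14th is a Friday
    Alert("port_scan", "10.0.0.5", "-", datetime(2019, 6, 11, 2, 0)),             # scanner: suppressed
    Alert("mass_file_access", "fs01", "svc_backup", datetime(2019, 6, 11, 2, 30)), # backup: suppressed
    Alert("mass_file_access", "fs01", "jdoe", datetime(2019, 6, 14, 18, 10)),      # Fri 6pm: call
    Alert("mass_file_access", "fs01", "jdoe", datetime(2019, 6, 14, 18, 12)),      # repeat: deduped
    Alert("new_admin_logon", "dc01", "contractor1", datetime(2019, 6, 14, 18, 15)),# off-hours: call
    Alert("new_admin_logon", "fs01", "contractor1", datetime(2019, 6, 12, 10, 0)), # Wed 10am: ticket
]
```

Running `triage(SAMPLE_ALERTS)` yields three actions from six raw alerts, which is the whole point of tuning: the analyst's phone rings for the Friday-evening events and nothing else.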
The Purpose of Engaging a Security Operations Center (SOC)
Some people choose to build their own SOCs, while others outsource SOC Services to take advantage of steep cost savings, as well as gain access to experts who do nothing but learn the newest and most advanced techniques for catching security events and implementing remediation strategies. Our Security Operations Center at TRUE offers a number of options for system monitoring, depending on your current needs, all of which would be very expensive, not to mention difficult for a single, internal staff to man around the clock. Since we are monitoring and performing incident response services for a large number of customers at one time, we are able to maintain staff, training programs, and a 24/7/365 schedule that is well beyond what our customers could do on their own.
These services include:
- Managed Security Event and Information Monitoring (SIEM): Virtual Sensors at the network's edge, Analysis and Remediation
- Network Security Monitoring (NSM): Physical Sensors reading all internal network activity, Analysis and Remediation
- Managed Detection and Response (MDR): A combination of Managed SIEM and NSM
- Incident Response Services (IR): NSM, Forensics, Remediation, and Recovery from a Cyber Incident; crisis intervention where effective SOC Services were not previously engaged.
Leveraging the level of service appropriate to the customer environment, TRUE is able to deploy virtual or physical sensors into our clients' networks, examining all traffic coming and going. Network logs are collected, normalized, aggregated, and correlated with security feeds that go far beyond the norm, due to our certification as a security provider for core national infrastructure. Further, we can provide deep packet capture and leverage a process called sandboxing, which allows our security analysts to place any suspicious data packet attempting to enter a customer's systems into a sandbox environment that mimics a live production environment. That allows our trained analysts to then see what that data packet would do if unleashed in a customer's production environment and either allow it through or block it. Sometimes, those packets are innocuous and require no action, whatsoever. Often, however, our analysts catch malicious activity, internal or external, escalating the event, engaging experts, and preventing disaster.
So in light of the advanced IT security available to organizations today, and the number of small to mid-sized organizations who keep finding themselves experiencing ransomware, business email compromise, or other debilitating cyberattacks, perhaps it is time to open dialogue with your leadership team about protecting your own systems. Your CFO will want to look at ROI, financial risks of doing less than is needed, and how you plan to take advantage of any new security measures. Let us know if you would like to talk to someone who can help you prepare for that conversation, but either way, please revisit your environment with a keen eye to any vulnerabilities hanging out there. We'd much rather see you in the news, receiving accolades for your efficiency and growth as an organization, than as the next poster-child for cybersecurity mistakes.
Learn more about navigating the variety of SOC Services available on the market and how to calculate your organization's Risk Tolerance.
To get help evaluating your current network security strategy, please reach out to us at firstname.lastname@example.org.