STE WILLIAMS

Many chief information security officers view their responsibilities through the National Institute of Standards and Technology’s (NIST) model of Identify, Protect, Detect, Respond, and Recover. There’s been a focus on detecting and responding to endpoint threats over the past few years, yet new priorities are arising: migration to the cloud, new heterogeneous devices, and custom applications, all of which have greatly expanded attack surfaces.

I recently spoke with seven CISOs. Many are from the Fortune 500, and several are influential in the startup community, advising for YL Ventures. What follows is a recap of their top five concerns and two-year spending priorities:

1. Identity Management in a Multicloud World
The old days of breaching a network’s perimeter technologies and slowly hacking laterally across systems is less of an emphasis thanks to the cloud. With stolen credentials, a device is often one hop from accessing the crown jewels of privileged data in the cloud. Microsoft Corporation CISO Bret Arsenault strikes at the heart of the matter. Today, he says, “hackers don’t break in, they log in.” In line with that thinking, Microsoft’s security organization believes that “identity is our new perimeter.”

What makes managing identity complex is that it spans many personas. As Juniper Networks CISO Sherry Ryan explains: Security teams must “know who is accessing your network, whether it be a customer accessing your portals, or a partner, a supplier, or your own employees.”

Cloud apps often require authenticating with single sign-on and Microsoft Active Directory. Yet most CISOs in this discussion say they also attempt to reduce the “blast radius” with additional identity and authorization silos. They’re still working out architectural best practices but are investing in password-less, biometric, and behavioral-based authentication.

To that end, identity and access management (IAM) is a product category CISOs continue to purchase despite the challenges involving the multiple vendors needed to cover employees, the supply chain, and customer identities. Piecemeal IAM adoption is now easier, yet some of the CISOs believe that a one-size-fits-all solution doesn’t yet exist.

2. Protecting Assets with Encryption and Zero Trust
The cloud transformation is enabling CISOs to ditch on-premises legacy systems. Many are enthusiastic about building cloud security right from day one, and zero trust is a big part of this. Zero trust limits role-based access by default. It ensures users are who they say they are, and that their devices meet reasonable security standards before connecting.

Besides locking down configurations, CISOs are building zero trust with multiple technologies. They mention leveraging things such as multifactor authentication (MFA), mobile device management (MDM), and vulnerability management. But ensuring that data is only seen by trusted users is an ongoing issue.

At the same time, as the industry finally confronts the dynamic nature of data, encryption is being deployed by many of these CISOs: “It’s really a hard problem to get to the point where you’re identifying every communication trying to access a piece of data” observes F5 Networks CISO Mary Gardner, noting how valuable information is copied, moved, and accessed by numerous applications and people. Granular controls and encryption must protect data across its life cycle, she says.

Markel Corporation CISO Patti Titus explains the complexity in this context: “As an organization, we have to determine when to encrypt, obfuscate data” and ensure “encryption in transit and at rest.” And then there’s “the challenge of encrypting data that has to be usable for the data scientist.”

3. The Rise of DevSecOps
Even the most analog company is developing software to run its business. This includes customer web portals, mobile apps, and APIs exposed to customers, partners, and hackers alike. Organizations are increasingly automating manual activities and relying on analytics and artificial intelligence. Educating software developers into better practices is key, and a strategic initiative is securing applications with DevSecOps.

Many CISOs are also “moving left” and purchasing static analysis tools that operate on code and flag issues before runtime. In keeping with a common theme, the CISOs prefer seamless approaches that are easy on humans. This means integrating DevSecOps technologies into the daily routine of developers. “Continuous integration is where we’ve spent a lot of time and focus so that developers are securing their own code, they’re testing their own code,” says Fannie Mae CISO Chris Porter.

While further along with static analysis tools, many of the CISOs in the discussion also indicate a desire for dynamic analysis. Dynamic tools operate during runtime, monitor applications, and log information for incident response.

4. Responding to “Alert Fatigue”
A CISO’s operation involves spotting security breaches through the noise of false positives and low-priority alerts. It’s an endless challenge. Antivirus, firewalls, and other security technologies often produce millions of daily events.

To move beyond manual processes, almost every CISO interviewed for this article bought security orchestration automation, and response (SOAR) products. They are generally happy with them. Some want more help getting started. Many feel SOAR performs only as well as the quantity and quality of alerts fed into it.

CISOs are also on the lookout for new approaches to alert fatigue but find the number of technologies coming out each year “overwhelming.” These security leaders are hopeful that the new tech they deploy will increase coverage yet are skeptical of the efficacy of more alerts.

“Our philosophy has been to flip the model,” explains Blue Cross Blue Shield CISO Yaron Levi. “We are actually looking at alert fatigue from a threat modeling and risk management perspective. [We] model vectors for that potentially harmful attack and then develop our defenses.”

Levi is employing threat emulation as a new approach to alert fatigue. The starting point is emulating attacks from recent industry breaches safely within Blue Cross Blue Shield’s network. This verifies if common real-world attacks are even seen, after which these alerts receive the top priority for building response plans and automation.

5. Educating Employees to Think Like a CISO
Noting that security focuses on people, processes, and technology, LogMeIn CISO Gerald Beuchelt strongly believes that it really has to be in that order. “We have to get people on board with what security needs to do…. No security team can grow big enough to protect such a complex and large organization by itself.”

Many of these CISOs agree that it’s important to take advantage of Cyber Awareness Month using educational tools such as games, humor, and shorter training sessions to motivate their user base.

Related Content:

• 8 Trends in Vulnerability and Patch Management
• The Uphill Battle of Triaging Alerts
• Raising Security Awareness: Why Tools Can’t Replace People

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops’“

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today’s … View Full Bio

Article source: https://www.darkreading.com/cloud/5-cybersecurity-ciso-priorities-for-the-future--/a/d-id/1336325?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybercriminals are increasingly targeting hospitals, doctors’ offices, and other healthcare organizations, with attacks using Trojan malware climbing by 82% between the second and third quarters of this year.

Cyberattacks against healthcare organizations jumped 60% in the first nine months of the year, compared to all of 2018, according to a report published this week by anti-malware firm Malwarebytes. 

While the healthcare industry is currently the seventh-most targeted industry by online malware, attackers seem to be aiming to infect more organizations, especially via Trojan malware focused on compromising and controlling computers. While Malwarebytes saw a growth rate of 45% in threats between Q3 and Q2 this year, Trojan attacks climbed by 82%, according to the firm’s Cybercrime Tactics and Techniques: The 2019 State of Healthcare report.

“We were able to determine that healthcare is one of the top sectors that is being affected by cybercrime,” says Adam Kujawa, the director of Malwarebytes Labs. “You think about some of the attacks we’ve seen, such as what happened with WannaCry and the UK’s National Health Service … and you figure they would have focused more on security.” 

While attacks on local government agencies and public schools continue to make headlines, healthcare has been under constant attack since 2016, when Hollywood Presbyterian Medical Center acknowledged a ransomware attack had infected its systems. The healthcare group’s lack of preparedness forced them to pay $17,000 — an inexpensive lesson, compared to today’s ransoms. 

Other threats, such as security research focusing on attacking medical devices and medical breaches, has forced other segments of the industry to pay attention to its security as well. 

The Malwarebytes report may signal that healthcare companies have to continue to focus on cybersecurity. 

“Medical institutions are fighting an uphill security battle, as budget dollars are often diverted to research, patient care, or new technology adoption,” the report says. “Cybersecurity, then, is an afterthought, as doctors use legacy hardware and software, staff lack the security know-how to implement updates and patches in a timely manner, and many medical devices lack security software altogether.”

In particular, attackers have targeted organizations with flexible programs that compromise systems and then allow attackers to infect the system with even more malicious code. Malwarebytes’ software detected, and blocked, more than 12,000 attempted installations of Trojan software in Q3, dominating other types of malware. Ransomware, the No. 2 threat, accounted for less than 2,500 attempted installations during the third quarter, the report stated.

Trickbot Emotet

The main culprit recently is Trickbot, a Trojan that aims to compromise bank accounts and steal credentials. More recent versions of Trickbot have been used to spread ransomware and cryptocurrency mining software. The Trojan surged during the summer and fall of 2019, becoming the top threat to healthcare organizations, according to Malwarebytes’ telemetry data. 

“Trickbot has not slowed down around the world,” Kujawa says. “But we are seeing it focused on the medical industry right now.”

Emotet, another former banking Trojan, surged at the beginning of 2019, according to Malwarebytes report. The malware is a modular framework that can be tailored to different attacks. It can drop additional programs such as ransomware, but also has spam functionality, hijacking e-mail conversations to make phishing attempts seem more real.

In 2018, attacks against enterprises using Trickbot and Emotet surged. The US Department of Homeland Security deemed it the most destructive threat to state, local, tribal, and territorial (SLTT) governments.

“Emotet continues to be among the most costly and destructive malware affecting SLTT governments,” a 2018 DHS advisory stated. “Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.” 

Because they perform a critical service for a nation’s citizens, healthcare organizations need to improve their cybersecurity against the threat, Malwarebytes Kujawa says.

“Unfortunately, healthcare has treated cybercrime as an afterthought,” he says. “These organizations, across the board, do not seem ready for — not even what was out there yesterday — nevermind what is out there now or what is coming down the future.” 

While the report focused on healthcare, Malwarebytes found that the education sector continues to be the top target of attackers. In 2016, security firm BitSight used external signs of compromise to identify the education sector as the most compromised. 

Related Content

• Enterprise Malware Detections Up 79% as Attackers Refocus
• Cybersecurity The Internet of Medical Things
• Healthcare Breach Expands to 19.6 Million Patient Accounts
• Hollywood Hospital Hit By Ransomware Attack, FBI Investigates
• Education Now Suffers The Most Ransomware Attacks

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Poll Results: Maybe Not Burned Out, But Definitely ‘Well Done’

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/attacks-on-healthcare-jump-60--in-2019---so-far/d/d-id/1336364?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SANS Institute and Trace Labs have launched a joint effort to tackle missing persons cases. Together with law enforcement agencies, the two organizations will host an Open Source Intelligence (OSINT) Missing Persons Capture the Flag competition with the goal of finding new leads and speeding case closure.

As many as 75 ethical hackers who are researchers from within the SANS community will work on teams of up to four and examine Trace Labs data and open source information. Points will be awarded for each piece of discovered data not previously known to law enforcement.

The SANS OSINT Missing Persons CTF is scheduled for Dec. 13 to Dec. 14 in conjunction with the SANS Cyber Defense Initiative 2019 (#SANSCDI) training event taking place in Washington, D.C. 

Read more here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “8 Backup Recovery Questions to Ask Yourself.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/capture-the-flag-planned-to-find-missing-persons-information/d/d-id/1336365?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Building Security In Maturity Model (BSIMM) is now in its 10th iteration. It continues to evolve as the only detailed and sophisticated “measuring stick” for software security initiatives (SSIs), also known as application or product security programs.

The BSIMM is an observational model. While it’s useful for some industry experts and pundits to prescriptively document what worked for them that one time in that one situation, the BSIMM took a different path. The BSIMM observes what’s happening in hundreds of organizations and tells everyone how firms are actually spending their time and money to achieve an appropriate level of software security across their entire software portfolio. Since its creation over a decade ago, this data-driven approach has evolved through the analysis of nearly 200 SSIs globally. BSIMM10 represents real-world data from 122 organizations over eight industry verticals: cloud, Internet of Things (IoT), independent software vendors (ISVs), high technology, healthcare, insurance, financial services, and retail.

The BSIMM started in 2008 with a set of 110 activities. Over time, one activity was removed and 10 activities were added. Why? Because that’s what we observed in the world of software security. To help everyone understand how frequently each of the 119 BSIMM10 activities are observed across the current 122 firms, we use frequency analysis to sort the activities into levels. Commonly observed activities — across all verticals — are tagged as level 1, while sparsely observed activities are level 3.

That means we can use a high-water mark diagram such as the one below to illustrate how frequently various levels of activities are observed in firms participating in the BSIMM study as well as in a particular firm. The diagram shows that the current 122 firms are collectively putting effort into more activities in Strategy Metrics, Compliance Policy, and Standards Requirements compared with Attack Models and Architecture Analysis, whereas the ExampleFirm places value on Attack Models, Code Review, and Penetration Testing. This view acts as a proxy for overall maturity but can also be broken down on an industry vertical basis to observe effort across activities and growth differences between various industries.

In highly regulated industries such as financial services, for instance, it’s not surprising to see a spike around Compliance Policy, whereas we typically don’t see that spike with ISVs or IoT. Most verticals measured currently within the BSIMM have a good handle on the foundational security activities.

We’re seeing some verticals collectively doing more than others in various areas for a variety of reasons. In certain industries, effort in particular activities is driven by legal reasons relating to regulations, statutes, and contracts. In others, customer expectations and preferences, along with perceptions of privacy, may drive which of the 119 BSIMM10 activities are emphasized over others.

Let’s take medical device manufacturers as an example. The software built into the monitors and devices produced for hospitals and doctors’ offices is going to be out there for 20 years, perhaps even longer. Imagine what software attacks are going to look like in 20 years! Now, imagine doing that 20 years ago and predicting what software security mechanisms would be needed for today. As you can see, this is a very complex problem and different firms in the vertical approach the problem differently.

Different verticals emphasize different security activities based on their different perceptions of risk. We see that reflected in their spider diagrams, which in turn reflects the foundational activities and the more uncommon activities they implement to help build out their particular SSI.

It isn’t reasonable to say that Healthcare Company X is more mature than Retail Company Y because this would be like comparing apples to oranges. Why? Because each firm will build the right program for its needs. Even if they are in the same business, a firm doing 30 activities and a firm doing 50 activities might have the same overall maturity relative to their software portfolios. However, we can say that one group of firms within a specific industry vertical does things that seem to be collectively important throughout the vertical, while another group of companies in another industry vertical carries out completely different activities that seem to be important to them. They’re not the same things necessarily, and yet there are trends among each industry.

BSIMM10 is the first iteration of the study to formally reflect changes in SSI culture, observed in a new wave of engineering-led software security efforts originating bottom-up in the deployment and operations teams rather than top-down from a centralized software security group. Engineering-led security culture has shown itself to be a means of establishing and growing meaningful software security efforts in some organizations, though it struggled to do so even just a few years ago.

Along these cultural lines, BSIMM data also show that the DevOps movement, along with the growth in continuous integration/continuous development (CI/CD) tooling and digital transformation, is affecting the way firms approach software security for their software portfolios. BSIMM10 includes three new activities for this reason.

In recent years, as organizations have started using DevOps practices that pushed software to the cloud, we’re seeing that this is a big change agent in most firms. As DevOps culture and CI/CD toolchains intersect with cloud deployments, we’re realizing this is a game-changer in terms of software security. We don’t yet understand the full impact as we’re still in the early phases of the evolution of these technologies and strategies. Upcoming iterations of the BSIMM will certainly shed more light on what organizations are doing to get from DevOps to DevSecOps and to secure their cloud deployments. 

Related Content:

• 7 Considerations Before Adopting Security Standards
• How to Define Prioritize Risk Management Goals
• BSIMM10 Emphasizes DevOps’ Role in Software Security
• The 20 Worst Metrics in Cybersecurity

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops’.”

Sammy Migues is a Principal Scientist at Synopsys. He is an information security visionary with a proven record of entrepreneurial innovation, intellectual capital development, practical business solutions, and performance optimization. Migues is the co-author of the Building … View Full Bio

Article source: https://www.darkreading.com/cloud/bsimm10-shows-industry-vertical-maturity-/a/d-id/1336316?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Question: I’m setting up my company’s first bug-bounty program. What should I be thinking about?

John Bock, vice president of threat research at Optiv Security: Having a basic vulnerability disclosure process ensures that people outside your organization understand how to inform you of vulnerabilities they have discovered. The lack of a readily identifiable route to the security team can result in having to deal with a disclosure under negative terms, instead of being able to properly manage it. 

That’s why you’ll want to validate your process with a self-assessment. You can do this on your own by setting up a non-organizational email account and sending a test “Disclosure” that aligns with your product or service. The test submission should go into a security reporting alias if you have one, plus all other mechanisms for someone in the public to contact you should have policies to forward potential vulnerability disclosure messages to the security team. 

As part of your vulnerability disclosure policy, you may want to include a catch-all bounty statement that indicates you give rewards for vulnerability submissions. This will give the individual who discovered the issue more reasons to tell you about it first. 

It’s also important to set your rewards and bounty program to meet the common standard of your industry peers. Prior to launch, you should also run every available open source vulnerability scanner and whatever commercial tools you have available. You want to make sure you won’t be paying out bounties for trivial bugs. In addition, if your product generates false positives with certain tools, it will save time during triage.

Last, keep in mind that the researcher who discloses a vulnerability may not have been the first person to discover it and they have wandered around the environment more than they included in their report. If the bounty includes production environments or products with versions that were already in production, you will want to do a quick pass through the logs to check if it had been previously exploited. 

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity. View Full Bio

Article source: https://www.darkreading.com/edge/theedge/im-setting-up-a-bug-bounty-program-what-should-i-be-thinking-about-/b/d-id/1336366?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Symantec and McAfee have patched a near identical vulnerability in their respective endpoint protection software that would have made it easier for attackers with prior admin access to a system to create more damage.

In both instances, the flaws were reported by security vendor SafeBreach and stemmed from a lack of signature validation when code was being loaded into certain processes of the respective vendor software.

SafeBreach’s analysis shows multiple signed processes in McAfee’s endpoint protection software and one service in Symantec’s equivalent products attempting to load a dynamic-link library (DLL) from a path that didn’t exist.

SafeBreach researchers developed a proof-of-concept exploit showing how an attacker could have exploited that issue to bypass self-defense mechanisms and load an arbitrary, unsigned DLL into processes running in each vendor’s products.

All versions of Symantec Endpoint Protection prior to the just-patched 14.2 RU2 were vulnerable. All versions of McAfee’s Total Protection (MTP), Anti-Virus Plus (AVP), and Internet Security (MIS) up to and including version 16.0.R22 were vulnerable. Both vendors have patched the issue.

Peleg Hadar, security researcher at SafeBreach, says the now-patched vulnerability in the McAfee and Symantec products provided attackers with a persistence mechanism for deploying malware on endpoint systems.

An attacker also would have been able to operate under the context and behalf of the antivirus process on compromised endpoint systems, he says. Multiple parts of both Symantec’s and McAfee’s vulnerable endpoint protection software run as a Windows service with the highest-level privileges on the system.

By exploiting the flaw, an attacker could have potentially bypassed each vendor’s security controls and that of any other endpoint protection software that might be installed on the same system. Normally, even an attacker with admin access on a system wouldn’t be able to implant malware in the antivirus directory.

“But this vulnerability will bypass it,” Hadar says.

Post-Exploitation Issue
“During the post-exploitation phase, after the attacker has initial access to the victim’s computer, he can use the vulnerabilities in order to run malicious code within the context of the antivirus itself,” Hadar notes. Any malicious operation could be made to appear like a legitimate, signed antivirus process, giving attackers enormous leeway. For example, an attacker could have used the flaws to bypass application whitelisting controls.

The flaw in Symantec’s product is tracked as CVE-2019-12758 and in McAfee’s as CVE-2019-3648.

In a security bulletin Tuesday, McAfee acknowledged the issue and said McAfee MTP, AVP, and MIS use certain Windows files and files from other trusted software companies. “This practice is common across software vendors because it reduces duplication of functionality,” the vendor said.

The problem had to do with the fact that MTP, AVP, and MIS did not check that these third-party files were properly signed and loaded from the correct location. “McAfee is not aware of this issue being actively exploited,” it said. The vendor rated the issue as being of medium severity.

Symantec’s alert did not identify what the problem was but merely noted that updates have been issued to address it in the company’s Symantec Endpoint Protection (SEP), Symantec Endpoint Protection Manager (SEPM), and for the small business edition of the software (SEP SBE).

Flaws in security products can be especially problematic for organizations that use them. Not only are such products trusted, they also typically run with very high privileges on installed systems. They give attackers an opportunity to mask malicious activity and make it appear legitimate.

Data maintained by CVE Details shows that at least 17 flaws have been reported in Symantec’s products, 13 of which enabled some sort of bypass or privilege escalation or information leak. The database shows that a total of 34 bugs have been reported in various McAfee products, including those that enabled privilege escalation, bypass, code execution, and denial-of-service.

“I think that the broad takeaway for organizations here is mainly to stay updated,” Hadar notes. “There are a lot of security researchers out there that report these kinds of issues to the vendors, and vulnerabilities [are] getting patched every day. Keep your systems up to date.”

Related Content:

• The Increasingly Vulnerable Software Supply Chain
• Researchers Disclose New Vulnerabilities in Windows Drivers
• The Flaw in Vulnerability Management: It’s Time to Get Real
• 8 Trends in Vulnerability and Patch Management

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “8 Backup Recovery Questions to Ask Yourself.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/symantec-mcafee-patch-privilege-escalation-bugs/d/d-id/1336367?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The frequency and sophistication of worldwide cyberattacks continue to surge, with businesses falling victim to a ransomware attacks every 13.275 seconds, according to Cyber Defense Magazine. No agency, company, or organization is immune to the devastation a cyberattack can bring, and although companies are making progress in improving their efforts, they still face a growing number of challenges.

Challenge 1: Adversaries Are More Focused and Sophisticated
Using advanced techniques, attackers are increasingly seeking to lock critical systems and destroy data. According to Wombat Security’s “State of the Phish” report, 76% of businesses reported being a victim of a phishing attack in the last year, with the average cost to handle a phishing attack coming in at $1.6 million. To combat these threats, companies must first break free from “snapshot thinking.” This is the thought process that once a security strategy and solution are in place, all is well with one’s IT environment. To manage and stay ahead of evolving threats, risk assessments, information assurance road maps, system patching, and other security measures must be continuous and informed by threat intelligence.

Challenge 2: Investing in Cyber Tools Doesn’t Equal More Security
Cybersecurity expenditures are expected to reach $1 trillion by 2024. Even though companies continue to invest in cyber tools, spending alone does not ensure security for an organization. To get the most value from their investment, organizations should ensure they are fully optimizing the capabilities of tools they already have before buying new ones. They may find that available updates enable new capabilities that were not originally present. But if spending alone doesn’t ensure security, what does? The most important ingredient is a culture of good security processes across the organization predicated on buy-in and accountability at the executive level.

Challenge 3: Ever-Growing Networks Lead to Blind Spots
A growing number of interconnected networks, cloud connections, and third-party connections leads to new blind spots and decreased visibility into a network’s IT and operational ecosystem. Research found that a lack of visibility can lead to 20% to 40% of network and endpoint infrastructure becoming unknown or unmanaged by an organization. Organizations must take steps to safeguard enterprise software and their connected devices and also ensure continuous monitoring capabilities. The objective must be to know where your critical data and systems are in order to make it as difficult as possible for adversaries to achieve their goals while maximizing your chances to identify their presence, minimize their impact, and restore operations to normal. 

Allocate Resources to Key Areas of Focus
How does an organization stand a chance in keeping up with ever-changing vulnerabilities? By knowing where to focus. And we know where to focus by treating vulnerabilities like a business risk.

The CISO is responsible for identifying the risks and driving the plan, but those responsible for the planned actions exist across the business — in IT, communications, marketing, human resources, finance, procurement, and more. If this doesn’t happen, then your cyber-risks are not being managed as a business risk and your probability of success declines.

Using a Risk Approach Addresses These Challenges
Forward-looking, security-conscious organizations are shifting to a risk mindset, focusing on mitigation options, continuous monitoring, diagnosis, and remediation to improve security practices. Two well-respected references that can guide organizations towards institutionalizing risk management are the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF) for Information Systems and Organizations (800-37).

The NIST CSF serves as a program framework to help organizations manage their cyber-risk awareness, security, detection, response, and recovery. Central to the framework are five core functions:

1. Identify: A risk-based strategy begins with the process of identifying and reviewing the complete range of risks an organization faces. By first assessing risks, you become actively aware of where uncertainty surrounding events or outcomes exists.
2. Protect: Based on risk prioritization, steps are identified to reduce risk or remediate a situation to protect the organization, people and assets concerned.
3. Detect: Being proactive in reducing risk requires making timely discoveries with continuous 27/7 monitoring and implementing auditing and alerting capabilities.
4. Respond: It is important to create, analyze, and triage potential threats. Once a threat is detected, take action with your established, robust response plan.
5. Recover: Restore functionality by instituting a recovery plan and create improvements to prevent future attacks.

The NIST RMF complements the CSF by providing a more detailed risk management process of execution. For example, the RMF specifically addresses sections from the CMF in its seven steps: prepare, categorize, select, implement, assess, authorize, and monitor.

Increasing cyber threats means you need a more continuous, end-to-end approach to protect your critical communication environment. Ultimately, this approach saves time and money by proactively confronting potentially hazardous situations before they become acute threats. A real-world breach scenario is not the time to discover your teams, tools, and strategies don’t hold up as you thought they could.

Related Content:

• 7 Tips for Communicating with the Board
• 9 Principles to Simplify Security
• To Prove Cybersecurity’s Worth, Create a Cyber Balance Sheet
• The Uphill Battle of Triaging Alerts

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops’.”

Troy Mattern is the Vice President for Product and Services Cybersecurity at Motorola Solutions. Having joined Motorola Solutions in June 2017, he leads all policy, strategy, and prioritization for cybersecurity efforts pertaining to Motorola Solutions Products and Services. … View Full Bio

Article source: https://www.darkreading.com/cloud/how-does-your-cyber-resilience-measure-up/a/d-id/1336312?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

They’re the first questions you might be asked in the heat of a disaster, DDoS, or ransomware attack: How soon before we’re back up? How good are our backups? Have the wrong answer to those questions, and it will feel like getting kicked while you’re down.

Good backups are essential to business continuity, but how do you know yours are “good”? And how do you know they’ll be ready when you need them? Start by finding answers to the following eight questions.

(continued on next page)

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio

Article source: https://www.darkreading.com/theedge/8-backup-and-recovery-questions-to-ask-yourself/b/d-id/1336360?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple