What Really is Cyber Risk?

Managing-Cyber-Risks-630x330

Concerned and Confused about Cybersecurity and the Risks Your Business is Faced With?

Most business are.  Rocus Networks views security and risk management as a formula. Although risk can never be reduced to zero, all organizations can greatly improve their security posture by focusing on the variables that will have the greatest impact in reducing their risk exposure.

Risk = Threats x Vulnerabilities x Consequences

THREATS - The threat variable is understood through intelligence and is the most difficult to solve for since it remains out of most organizations’ control and always changing. Understanding the various threats and types of attackers is important but changing the threat landscape is impossible. Therefore, it is best to first concentrate on eliminating the vulnerability variable and reducing the consequences.  Let’s first examine vulnerabilities as they account for almost 85% of the attacks.  

VULNERABILITIES are addressed utilizing security controls and technology.  When deploying security controls, most security experts utilize a defense-in-depth strategy.  Here is a snippet of an article recently written on CSO Online, which is a very well-respected source of information for security professionals and executives.

“Defense in depth was originally a military strategy, which was meant to slow the enemy’s advance until a counter-attack could be mounted. Counterattacks in cybersecurity are a more recent development as information security systems were largely passive, but security defenses have been typically established at multiple layers in an attempt to thwart intruders. If the intruder broke through one barrier, there would be more and different barriers to circumvent before any damage or breach could occur. 
With defense in depth, multiple layers of security are applied across the entire information technology (IT) infrastructure and extend to include personnel procedures and physical security. The idea is, the more layers of security that exist, the harder it will be to breach all the defenses to steal digital assets or cause disruption.
The core concept of defense in depth is still viable but must be continually re-adapted as computing technologies and threats evolve. It is a challenging task to remain updated on current trends and changing vulnerabilities, but this must remain a main objective for information security teams.”

There are a couple of key points in this article that many organizations are challenged with addressing due to lack of expertise. This lack of expertise is either internal with a small team of IT professionals sharing the workload of cybersecurity or relying on an outside firm who predominately focuses on managing IT infrastructure such as servers, desktops, networks and telephony.  

It is critical that multiple layers of security controls are deployed and then almost more important to remain updated on current trends and changing threats and vulnerabilities.  The security controls that most small and medium businesses have in place are lacking in depth and are outdated in their effectiveness to block attacks. 

1. Email Security - Most small and medium businesses have no email security in place.  When it comes to a defense in depth strategy, it is critical to have controls in place where the majority of attacks originate.  Otherwise, you are left to rely on controls after the attack has been initiated.  According to the Verizon Data Breach Investigation Report, over 90% of cybersecurity breaches and incidents originated from an email phishing attack.  Most businesses of this size utilize a cloud email platform such as Office 365 or Gmail, but only have some type of spam filtering in place. Spam filtering is not email security and will do nothing to prevent a phishing attack. In addition, since email exposes the weaknesses of your employees, incorporating an employee awareness and training program is essential for every organization. Building a culture around security and empowering your employees be good stewards of your company’s digital assets will go a long way in preventing a successful attack on your business.  

2. Endpoint Security - The last line of defense is an organizations’ endpoints (computers and servers).  The majority of small and medium businesses are utilizing traditional anti-virus solutions.  It is proven every day that traditional anti-virus solutions such as McAfee, Symantec, Trend Micro, etc. are ineffective at protecting computers from the sophisticated attacks today.  Every day we hear about companies getting hit with ransomware because it is easy to by-pass these outdated technologies.  There are now much more effective technologies that leverage Artificial Intelligence and data analytics to effectively block these new attacks.  

3. Vulnerability Management - Most organizations are not running periodic vulnerability scans in their environments.  It is critical to consistently patch software vulnerabilities, but you can’t rely on software vendors to notify you when vulnerabilities exist. Best practice it to proactively run frequent scans to identify vulnerabilities and patch appropriately. 

4. Encryption - Most computer hard drives are not encrypted.  This should be a policy control that is enforced for all computers.

5. Trusted Access - Most organizations do not have multi-factor authentication deployed.  If you access systems, either company owned, or cloud based, multi-factor provides a second layer of authentication for accessing critical information.  This prevents unauthorized access to personal identifiable information (PII) if login credentials are compromised.

6. Application and User Control - Attackers use either malicious applications or compromise perceived, good applications to launch attacks.  It is critical to control and monitor application usage based on the users who access information.

7. SSL Inspection - Over 50% of the traffic on the internet today is encrypted utilizing SSL (Secure Socket Layer). Although this helps keep data safe, it is also a way for attackers to hide malicious activity. It is best practice to have technology that decrypts this traffic and inspects for threats and/or exfiltration of critical data.

CONSEQUENCES - Now that we have addressed vulnerabilities, we will now address how to reduce consequences.  There are two important principles to follow on reducing the consequences of a successful attack but must first state that it is important to have a mindset in security that assumes an attacker will get into your environment.  Having this type of mindset, forces you to build a plan to reduce the consequences.  

The first principle is to segment your most critical assets from the rest of your environment.  Depending on where your critical data is, you want to have controls in place that prevents an attacker from getting what they are ultimately looking for.  This is often referred to as the “crown jewels”. This can be an organization’s most important data residing in a data center on premise or in the cloud. This can also be an organizations’ highly critical systems, such as heart rate monitors in a hospital or an assembly line in a manufacturing facility.

A new global study based on 500 interviews conducted by The Ponemon Institute on behalf of IBM finds that the average amount of time required to identify a data breach is 197 days…

The second principal is having the correct “Detect and Respond” tools and resources in place to identify an attack as quickly as possible and remediate so no critical damage is done.  Most small and medium organizations, along with many larger enterprise organizations, do not have a Security Operations Center (SOC) in place with the technologies and experts to detect and respond to attacks within minutes rather than days or many months. Reducing the consequences of an attack on your business requires quick detection and remediation but is very expensive to build on your own. Partnering with a reputable security organization who can provide these services at a reasonable cost is the best approach for most companies.

Rocus CyberFusion® – Built for Small and Medium Organizations…

All of these gaps mentioned are addressed with our Rocus CyberFusion platform.  CyberFusion is the security-as-a-service solution designed from the ground up for any size business and provides all the necessary cyberFUSION_securitycircletechnology, processes and resources that enable small and medium business to have enterprise-level prevention, detection and response at an affordable price.

Prevention-First Solution - All organizations, regardless of size, must deploy multiple layers of security controls that work together, with prevention as the primary line of defense. Not to dismiss the need for detection technologies and skilled resources to respond to critical incidents, prevention should always be the ultimate goal within the discipline of security. Protecting your digital assets is very similar to protecting your home with locks and doors along with a reputable security company monitoring activity 24/7/365 in the event your preventative measures are by-passed. Our Rocus CyberFusion platform provides the controls required to prevent attacks, along with the proper detection and response technologies, processes and people to stop a successful attack.

Leaders in Cybersecurity - Our operations team is led by the top cybersecurity experts in the industry, working to keep your business safe. We also have the fresh knowledge and experience from constant inspection of large amounts of data from a multitude of companies. You would need to employ 4-6 cybersecurity experts, monitoring 24/7, to achieve the level of protection you get with Rocus CyberFusion.

Highly Scalable, Flexible and Modular - Rocus CyberFusion uses cloud-based technologies, making it highly scalable and flexible. You can add users, services and controls as needed without purchasing additional hardware. The modular design enables us to deploy the latest technologies as they arise to combat the newest or most pervasive threats.

Your Own Rocus CyberFusion Dashboard - Rocus CyberFusion includes a dashboard on your screen giving you instant, by-user visibility to applications used, websites accessed, files accessed and shared, bandwidth consumed, malicious activity and viruses blocked.

Enterprise-Class, All-in-One and Affordable - Many of the best technology solutions are neither cost-effective nor available to the SMB market, and you have to piecemeal various tools and hope they work together. Rocus CyberFusion provides integrated, best-in-class security without the high costs of procurement, deployment, and maintenance. You get the same superior technology as the world’s largest organizations, simplified and affordable.

Download our CyberFusion information from our Resource Page...

The solutions on the market are confusing and don’t fully address the requirements for small and medium organizations…

There is a poor focus towards small and medium enterprises within the cybersecurity market. Providers tend to fall in one of several categories defined below.

1. Original Equipment Manufactures (OEMs)– These are the manufactures of various security technologies and some will either have a primary focus on SMBs or an offering for SMBs. Some claim they have a security as a service offering but they are not comprehensive and tend to only address a particular security control such as a firewall or anti-virus.

2. Managed Services Providers (MSPs)– There are thousands of MSPs in the US. The majority of the MSPs are very small businesses who focus on providing a fully managed IT service to businesses from 5-100 employees. Most MSPs are focused on a specific geography within a 90-120-mile radius as they provide on-site troubleshooting support. They include basic security services within their full IT-as-a-service such as firewall management, software patches, anti-virus and data back-up. Some may provide some higher-level services such as monitoring and email security, but this is the minority, and even those who provide monitoring, have not developed a security operations center (SOC) with the right tools, processes and people to effectively detect and respond to security events and incidents. They rather rely on network engineers, who lack the proper security skills and tools, to manage security technology and respond to security incidents.

3. Managed Security Services Providers (MSSPs)– MSSPs tend to be larger organizations who have built a Security Operations Center (SOC) to offer security monitoring and alerting solutions to customers. Many MSPs also offer vendor agnostic management of customers’ security technologies such as firewalls, intrusion prevention and detection systems, endpoint security, and web gateways. Their services and pricing models are mainly focused to larger enterprises and not the small and medium businesses. Although pricing is usually a barrier for smaller organizations, the main reason MSSPs are not a viable solution is that they generally only provide alerts for security incidents and events. This may be effective for larger organizations with security resources who can understand and respond to these alerts. However, smaller organizations lack the knowledge and resources to be effective at mitigating a security incident. Most MSSPs rely on a portal for reporting and customer interaction and do not provide a “white-glove” approach to handling security for their clients.

4. Managed Detection and Response (MDR)– The MDR market is relatively new and mostly aligned with the Rocus CyberFusion solution. The one shortcoming of most vendors in the MDR market, is that they focus mainly on detection and response but don’t do much to tighten the preventive security controls in place. Because they ultimately assume that all the preventive controls will fail, they leave their clients more vulnerable to an attack and offer a price point that is relatively high for smaller organizations. Because the MDR market is only a couple of years old, offerings vary from vendor to vendor. However, most vendors differentiate themselves in several ways from traditional MSSPs. MDRs generally deploy some type of network sensor technology and also endpoint agents to monitor activity on the network and computers/servers. Different from MSSPs, they do not rely on the log information from customers’ existing security technologies. Another key difference is that MDRs not only detect security incidents, but also respond and look to contain and remediate before a successful attack can occur. This is very different than MSSPs who generally only detect and provide alerts to their customers. MDRs target the small to medium business who lack the knowledge and resources to effectively to detect and respond to security incidents. They take more of a “white glove” approach and constantly communicate with the customers and assist in improving their overall security posture. Many MDRs also perform periodic vulnerability assessments and provide virtual Chief Information Security Officer (CISO) services to help plug security gaps and assist with meeting compliance and regulatory requirements that many small and medium business are faced with.

Final Remarks...

Although the MDR market has addressed a major void in the market and many of the gaps that small and medium business have when it comes to securing their businesses, they still fall short at addressing the entire lifecycle of cybersecurity. As mentioned earlier, 85% of attacks can be prevented by deploying, managing and updating the appropriate security controls. When the most effective preventative security technologies are layered into an organization and then coupled with the correct resources to manage, the security operations center can be much more effective at detecting and responding to the most sophisticated attacks. It is true that the majority of smaller organizations are at a major disadvantage against attackers and are now primary targets. Therefore, it is critical that these businesses partner with an organization who has the expertise to detect attacks, but also constantly hardens the environment to prevent these attacks from ever happening.

 

Build an Adaptive Security Architecture Into Your Organization

Screen Shot 2019-01-02 at 1.40.58 PM

At Rocus Networks, we take an Adaptive Security (developed by Gartner) approach to protecting our clients from the enormous amount of cyberattacks. Rather than just focusing on just a portion of security and leaving the rest to chance, we manage the entire architecture with automation leveraging artificial intelligence and machine learning coupled with some of the best security talent in the world.

Before we recommend any solutions to a potential client, we start with a complimentary risk assessment that will provide you with a likelihood vs. impact analysis of your most critical digital assets along with recommendations on building an adaptive security architecture for your organization.