When you think of cybercrime, you probably picture menaces lurking outside a company – identity thieves, ransomware attackers, or other hackers. But what I’m hearing time and again from our customers is that some of their toughest security challenges originate within their own IT estates.
Every situation is different, but some common themes emerge when talking about companies’ thorniest security issues.
Complex IT estates
Most organisations today have extremely complex IT environments, whether it’s due to legacy applications, acquisitions, or multi-layered organisational structures. That complexity allows for many points of entry, and once an attacker has gained a foothold, they can navigate around until they find a way to steal data, install malicious software, or encrypt files for ransom.
Aside from presenting more points of entry, this complexity makes it hard for companies to understand, monitor and implement security tooling across the entire estate. Without this comprehensive coverage, as the adage goes, companies have to be lucky all the time, and the threat actor only has to be lucky on
Often companies come to us because they failed to detect a threat, or they couldn’t respond quickly enough despite having security policies and tools in place.
We hear many tales from the trenches. For example, one customer had very good, comprehensive tools in place that automatically alerted the security team when certain incidents or conditions occurred. Unfortunately, threat actors worked out how to get around those controls by infiltrating a part of the organisation that had been neglected from a security monitoring standpoint and was left exposed.
Not just a security issue
Thus, one of the biggest cyber security threats isn't a security issue at all, but an issue of how IT estates are run. Running an estate well takes a comprehensive understanding of the many components of the IT infrastructure, how they are connected, and who needs access to them.
Interconnectedness without holistic management often leads to issues with access and permissions. In one ransomware case, an attacker was able to exfiltrate data from an application with sensitive financial and customer information by exploiting a dormant privileged account. The authorised user had moved to another part of the organisation, but the account hadn’t been deprovisioned.
Focus and prioritise
Securing today’s IT estates requires an enormous amount of discipline and attention to detail to get things right, as well as understanding and trying to stay ahead of the threat actors. It can seem overwhelming, but there are ways to make it more manageable.
One key is to prioritise: Identify the applications that deliver the most mission-critical services and contain sensitive data, then ensure they are in hardened environments with sufficient protective tooling. The obvious ones to start with are email, anything internet-facing, and anything involving directory services such as Microsoft’s Active Directory, which manages permissions and access to network resources.
Another key is proper governance – assigning responsibilities and ensuring transfer of knowledge about how systems are configured and secured. Too often we hear companies say, “The person who used to do that is gone and we just left it as it was,” or “We don’t really know how this works because it’s in another part of the organisation.”
When choosing security tools, companies also tend to spend too much time debating what technology to use when they should be focusing on business risk — and having a future view of what technologies and best practices might eventually serve the enterprise.
Other obstacles: The unknown, time and new technologies
There are several other key themes we hear from customers as they endeavour to stay on top of security challenges.
Implications of new technologies: Some threat actors, as in the case of SolarWinds, have exploited the very characteristics of new technologies that made those tools attractive to companies, such as the ability to view comprehensive information for network monitoring and management. That's why it's important to carefully assess the security implications and vulnerabilities of any new technology before implementing it.
Time pressures: Most companies face slow-burn business risks, such as new competition in the market, that can be addressed in a thoughtful, unrushed manner. With cyber risk, however, a company's security posture can go from very good to awful from one minute to the next. A comprehensive IT view and holistic security approach gives companies a commodity that is in desperately short supply during a breach — time to respond before an attack is launched or critical data is accessed.
AI and ML can help with unknown threats: No matter how much you know about existing cyber threats, there will always be a new type of threat or threat actor about to emerge. You can't find what you don't know to look for, but with new tools that harness AI and behaviour analysis, you can look for abnormal patterns. One example of this is what we call the impossible logon, where an employee logs in from an IP address that geolocates to their home area of New York, then five minutes later appears from an IP address in Hong Kong.
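The impossible-logon pattern needs no machine learning to detect; it is a speed check between consecutive logons by the same user. The following is an added example, not code from the original article or from DXC: it runs that check over a handful of constructed logon events. The IP addresses are from documentation ranges and the latitude/longitude that a geolocation lookup would return is embedded inline, so the example runs offline; the 1,000 km/h plausibility threshold is an assumption to be tuned per organisation.

```python
import math
from datetime import datetime, timezone

# Constructed sample logon events (not real logs). Each carries the coordinates an
# IP-geolocation lookup would have returned for the source address.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-03-04T13:00:00Z", "ip": "203.0.113.10",
     "lat": 40.7128, "lon": -74.0060},   # New York
    {"user": "alice", "ts": "2024-03-04T13:05:00Z", "ip": "198.51.100.7",
     "lat": 22.3193, "lon": 114.1694},   # Hong Kong, five minutes later
    {"user": "bob", "ts": "2024-03-04T09:00:00Z", "ip": "192.0.2.5",
     "lat": 51.5074, "lon": -0.1278},    # London
    {"user": "bob", "ts": "2024-03-04T12:00:00Z", "ip": "192.0.2.88",
     "lat": 48.8566, "lon": 2.3522},     # Paris, three hours later (plausible)
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_logons(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive logons by the same user that would require travelling
    faster than max_speed_kmh. Events are sorted per user first, so log order
    does not matter."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            distance_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if hours <= 0:
                # Same-second logons: only impossible if the locations differ.
                speed_kmh = math.inf if distance_km > 0 else 0.0
            else:
                speed_kmh = distance_km / hours
            if speed_kmh > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "distance_km": round(distance_km, 1),
                    "elapsed_hours": round(hours, 3),
                    "speed_kmh": round(speed_kmh, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in find_impossible_logons(SAMPLE_EVENTS):
        print(f"{a['user']}: {a['from_ip']} -> {a['to_ip']}, "
              f"{a['distance_km']} km in {a['elapsed_hours']} h ({a['speed_kmh']} km/h)")
```

In production the main sources of false positives are the geolocation data itself rather than the arithmetic: corporate VPN egress points, mobile-carrier NAT and cloud-hosted proxies all place a user far from where they physically are, so the rule is best paired with an allow-list of known egress addresses and treated as a signal for investigation, not an automatic lockout.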
Embed security into everything you do
In addition to knowing your IT environment, security needs to be baked into every part of that environment. It should be embedded in every aspect of the enterprise technology stack, from software development to data centre, network and cloud infrastructure configuration, to workplace environments and analytics programs. Companies shouldn’t spend valuable time figuring out how to put in security tooling after they’ve deployed some new technology; they should implement the security component simultaneously, and if available, use native security protections for that system or environment.
That is what security is really about: seeing what is going on across the company, identifying anything that looks abnormal and reacting effectively. The rest of it is just running tools.