Most information security professionals are familiar with Chaos Monkey, a tool developed by Netflix in 2011. It’s designed to test the resilience of the video streaming service’s IT infrastructure by randomly disabling computers in Netflix’s production network as a means of gauging how remaining systems respond to the outage.
Rick McElroy, head of security strategy for VMware Carbon Black, cited Chaos Monkey as an example of the kind of thing businesses of every size ought to be doing more of if they strive to build more resilient organizations.
Speaking at the CDW Tech Talk “Maximizing IT Resilience with Adaptive Security and Infrastructure,” where industry experts discussed modern cybersecurity and risk management issues, McElroy argued that organizations must build resilience into everything they do.
Business Haven’t Made Much Progress on Cybersecurity
McElroy said many of today’s organizations have advanced IT solutions built on crumbling foundations, especially from a security perspective. That’s the outcome of rapidly changing technology, evolving business models and other factors that have encouraged enterprises to simply deploy more solutions without addressing infrastructure.
As a result, businesses haven’t made enough progress when it comes to staying ahead of threat actors. For example, more than 20 years ago, average dwell time — the period it takes an organization to realize it’s been breached — was more than a year. Today, it’s still more than 200 days, a reduction of fewer than six months after two decades of trying.
“What you’re seeing attackers do is start to leverage ransomware to perform denial of service attacks,” McElroy said. “What’s compounding it is what I call the trickle-down cyber economy: You have very large nation-states that pay organizations to develop tools for offensive cybersecurity operations. Those tools are found in the wild, leaked and reverse-engineered.”
For example, a leaked National Security Agency cyberattack toolkit became “the primary source of lateral movements within organizations for WannaCry,” he said. The same capabilities found their way just a few months later into NotPetya, a global hack that cost $60 billion worldwide.
“Some people say we need a digital Pearl Harbor to create momentum to do something about this problem,” he said. “I say we’ve already had it, and we’ve had it several times over. The real problem for defenders is that it lands on us to defeat and defend against these advanced techniques that these nation-state actors are coming up with.”
Cybercrime will cost about $6 trillion next year, about the same amount as the world’s third-largest economy, according to Cybersecurity Ventures.
Businesses Are Using Too Many Security Tools
So, what’s the problem? Why hasn’t more progress been made, and what can businesses do?
First, organizations need to build resiliency into their systems from the ground up, or they could find themselves unable to control attackers who’ve breached their network. The saying in security that hackers only have to be right once is false in organizations with well-designed security infrastructures, which force attackers to continue to make the right guesses even after breaching a network to move around successfully within it.
Next, businesses must focus on simplicity. Many organizations are loaded down with too many security tools from disparate vendors. These so-called “point solutions” are not integrated with each other, provide inaccurate or incomplete data and leave gaps that security teams don’t see.
“We have gaps in prevention, investigation and certainly there are still massive response gaps,” McElroy said. He noted that simple application misconfigurations continue to be among the most common causes of breaches, a function of having too many tools that are too difficult to manage. “We need to integrate these tools from an information security perspective so we can provide the right data to the right team at the right time,” he said.
How to Build Resilient People and Processes
Organizations must focus intentionally on building resiliency into everything — not just their technology but also their people and processes. McElroy said resilient teams share the same “mental model” of teamwork, trust one another, are able to improvise and believe they can accomplish things together.
To get there, leaders need to make sure that their teams are well trained and empowered. When a security event happens, leaders should remind their teams of their resiliency and ensure they have everything they need to succeed, McElroy said.
A resilient process includes steps for planning, executing, checking results and then taking actions to improve. The final stage is crucial, he said; organizations must always improve their security processes because hackers are certainly doing so. “If the change didn’t work, go through the cycles again — with a different plan,” he said.
Automation is also critical, he said. The teams that have the greatest success are the ones that take an automation-first approach. “This is where I see teams winning, this is where you can take those 200-plus days down to minutes,” he said. “We have to think of every action we take, every process we follow, and look to automate it. If you do something five times and the results are the same, you should look to automate that.”
Follow BizTech‘s full coverage of the event here. Insiders, register for the event here. Those who are CDW customers should include their account information when asked; others should full out that field as “N/A.”