A CISO’s perspective
I just reviewed our latest Ransomware Report, and if I had any sleep left to lose, this would definitely make it harder to get rest. The challenge lies in trying to connect all the technical details in these reports to the broader business impact: percentages going up, and attacks increasing in one area after another.
All of it is enough to keep the C-suite and Boards up at night, wondering, “So what does it all mean? What can we do? What should we do?”
As a CISO, my key takeaway from the report is how it aligns with my understanding of the threat landscape, ransomware risks, and business vulnerabilities. My role is to advise on operating at the speed of business while mitigating risks that could derail it.
The very first paragraph drops some alarming numbers: This year’s total number of attacks is the highest on record, and Q4 was the highest quarter on record for this kind of attack. Those numbers are staggering. However, they don’t tell the whole story, which is even more unsettling for businesses and for those of us who are tasked with addressing the risks those businesses face.
These are only the reported numbers. It’s no secret that a significant number of attacks go unreported for various reasons. These statistics are alarming, yet I’m convinced they barely scratch the surface of the real problem. (Remember what I said about having no sleep left to lose?)
So, what do we do? Where do we start?
Let’s consider some of the primary threats and their vectors. By grouping identity-based attacks, misconfigurations, software vulnerabilities, and phishing, I can determine which threat or risk factor is most prevalent. The answer is people. That doesn’t make them malicious or foolish. Computers “don’t make mistakes.”
As Newton Crosby taught us in Short Circuit, “They don’t get happy, they don’t get sad. They don’t get angry; they don’t get mad. They just run programs.” People do make mistakes, so our job is to provide our team with the controls they need to stay productive while addressing potential threats.
Some critical steps include enabling MFA for all accounts, especially those accessing cloud systems. We also need to enforce the principle of least privilege and ensure IAM processes align with security best practices. Additionally, maintaining an up-to-date asset inventory and implementing a strong patch and vulnerability management program is crucial. Lastly, a continuous awareness program will keep our people informed.
One topic has come up a few times already and was consistently present in the ransomware report: “the cloud.” So many of our systems and operations have been moved there, many making the move because they thought it would lead to a simpler level of security practice. Attacks weren’t being seen there; attackers were hitting our internal data centers and networks.
But now we see that the threat to our cloud infrastructure has increased, so what has changed?
Here’s where we can learn a lesson from Willie Sutton, the famed bank robber, who allegedly answered the question, “Why do you rob banks?” with the simplest of answers, “Because that’s where the money is.” Threat actors will go to where our valuables are located, and our valuables are our data. If we keep it all in-house, on-premise, then that’s where they’ll focus their efforts.
If it’s no longer being kept there but has moved to the cloud, then they’ll naturally shift their attention. “No one’s gonna rob us going down the mountain. We ain’t got no money going down the mountain.” That simple explanation from Butch Cassidy and the Sundance Kid holds true here. If there’s no value, it’s not a target.
We need to adapt our protective mindset to include the cloud. Security configurations, permission restrictions, and IAM are critical here. It’s not about replicating the steps we once used to protect our local networks; it’s about keeping the same guiding principles and adapting them to the cloud. Moats made a lot of sense as perimeter protection for a castle in their time.
Now think how effective a moat is when planes can fly over the target. The moat is useless. However, the intention of the moat, and the principle behind having it as one of our layers of defense, are still valid. It’s just a matter of determining how we apply the principle in a new paradigm.
Whatever the exact numbers, the threats keep increasing, with no signs of getting better. It’s a matter of cutting through to the core. The “what” hasn’t really changed, just the “how” and the tools available to us to build our protections. If you can step back and look at it from a macro perspective, it becomes a little bit clearer.
But it won’t help my sleep any.