Well-known cybersecurity firm Crowdstrike greets travelers who arrive at San Francisco International Airport with a rather bold claim advertised throughout the terminals. The advertisements pose a pernicious yet seemingly tidy answer: “Yesterday’s Antivirus Can’t Stop Today’s Cyber Attacks. Crowdstrike Falcon Can.”
Irresponsible hyperbole? Or is it a pitch made in good faith, albeit one as confident as it is ignorant? It doesn’t much matter. It is 2017, and we now have ample evidence proving that the false promise of so much cybersecurity — that risk can be entirely eliminated with one simple program — will, barring a technological revolution, never be realized.
The data is in: Cybersecurity is dead. Even as global cybersecurity spending is expected to balloon to over $100 billion by 2020, the frequency and severity of cyberattacks continue to grow, with seemingly no end in sight. While exploits and hacking tools become even more widely available and simple to deploy, there has been little commensurate progress in beating back attackers, who continue to find success striking at persistent, common weak points. How is this possible?
The answer is one that must chagrin any CISO spending exorbitant amounts of money on cybersecurity programs: The entire conception upon which cybersecurity rests — of constructing a castle, against which any marauding attackers stand little chance of breaching — is barely of use.
It would be mildly amusing but for a simple fact: The integrity of sensitive data, ranging from your grandmother’s medical records to your personal financial information, relies on its secure storage by a dizzying array of institutions. It is no exaggeration to say that cyber risk — the accumulated potential for the exposure of privileged data — is a matter of life and death, as seen in the frightening effects of cyberattacks on the healthcare industry across the world. The existing conceptions of how IT systems can be secured and protected must be discarded in favor of a new and more diffuse understanding of cyber risk.
The concept embodied in the Crowdstrike ad — that, at last, here is the program that will, like the little Dutch boy, plug the hole in the dam — is insufficient for combating the real and growing threats looming across the digital landscape. Unsurprisingly, ransomware is exploding in popularity, as the low-cost, easily usable malware proves continually effective at extracting money. But there are grander threat vectors looming: crimes such as electronic bank robberies, digitally enabled high-seas piracy and cyberattacks against electrical grids are not science fiction premises; rather, they are real crimes that will only grow more common. The false promises of cybersecurity doctrines have been repeatedly laid bare over the course of the past few decades. Antivirus programs, once relentlessly promoted as an indelible part of any IT configuration, are now dead even to their creators, having proven thoroughly ineffective in combating cyber risk — indeed, even proving to be a liability at times. The “set it and forget it” model, with its focus on an endpoint solution to be instituted without much thought, typically relies upon an out-of-the-box program sold by a third-party vendor. Even if the most seemingly impregnable of such barriers are laid down, hackers will be able, with time, to build a higher ladder.
Even more irresponsible is the suggestion that breaches can be forever prevented. Laying down firewalls or perimeter security measures, paying premium prices for executive intelligence on emerging threats, adhering to checkbox compliance regimens — whatever benefits such measures bring, cyber resilience is not among them. Most consumers and enterprise customers believe that cybersecurity programs will protect their systems against all hacks and breaches — a belief more or less encouraged by such providers. The reality is that no company can do that.
Such defenses, of course, assume that cyber risk is a matter of malicious hackers overcoming paltry defenses. According to Gartner (paywall), mere misconfigurations, not vulnerabilities waiting to be exploited by hackers, account for anywhere from 75–99% of all breaches depending on the platform. And as seen in the recent cyber assault on the United Kingdom’s National Health Service, in which badly outdated IT systems had not received critical updates, hackers rely less on their own (often limited) talents than upon the unfortunate fact that an overwhelming abundance of technologically degraded targets makes their nefarious business easy. Far too easy.
The latest antivirus software will not be the cure-all for this full-spectrum threat any more than the thousands of such programs that came before it. A better conception would involve viewing risk as an inescapable fact of doing business using any internet-facing devices. There is no such thing as a knockout blow that will ensure the integrity of systems; cyber resilience, the intelligent means of managing and mitigating cyber risk, requires best practices be followed every day.
Simply put, fostering cyber resilience is a full-time job, one that must be integrated into every layer of the toolchain when provisioning, configuring and managing IT systems. From documented processes to constant updating to automation, change management and visibility, true cyber resilience is the product of inviolable work — the kind of critical IT management that can never be cast to one side as extraneous. Beyond these requirements of maintenance, IT administrators — and their superiors, all the way up to the C-suite — must understand that full visibility into their systems is a prerequisite for mitigating cyber risk.
Only by gaining full insight into the real state of IT systems can stakeholders ensure systemic integrity and, in the event of a breach, begin to quickly and adequately respond, as seen in the WannaCry contagion. That is the future of cyber resilience.
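The kind of visibility the article argues for comes down to something concrete: knowing, for every host, whether it is patched and whether its configuration matches what you intended. The following is an added example, not code from the article or from any vendor it names. It audits a constructed inventory of hosts against a constructed baseline and reports three classes of finding the piece singles out: missing updates, settings that drift from the baseline, and hosts that do not report a setting at all (no visibility). The host names, setting keys such as `smb_v1_enabled`, and the date-stamped patch levels are all assumptions chosen for the example.

```python
"""Added example: a minimal configuration-baseline and patch-level audit.

Everything below (baseline keys, patch levels, host names) is constructed
sample data for illustration, not a real environment or product API.
"""
from dataclasses import dataclass

# Constructed baseline: the state every host is expected to be in.
# Keys are hypothetical setting names; values are the required settings.
BASELINE = {
    "smb_v1_enabled": False,           # legacy protocol should be off
    "rdp_exposed_to_internet": False,  # no remote desktop on the perimeter
    "auto_update": True,               # patches apply without manual effort
}

# Hypothetical patch level expressed as a YYYYMMDD integer: anything older
# than this is treated as missing critical updates.
MIN_PATCH_LEVEL = 20170515


@dataclass
class Host:
    name: str
    patch_level: int     # YYYYMMDD of the newest applied update (constructed)
    settings: dict       # what the host actually reports about itself


@dataclass
class Finding:
    host: str
    issue: str


def check_host(host, baseline=BASELINE, min_patch=MIN_PATCH_LEVEL):
    """Return the list of findings for one host.

    A host is flagged when it is behind the required patch level, when a
    baseline setting differs from what it reports, or when it does not report
    a baseline setting at all (a visibility gap is itself a finding).
    """
    findings = []
    if host.patch_level < min_patch:
        findings.append(Finding(
            host.name,
            f"patch level {host.patch_level} is older than required {min_patch}"))
    for key, expected in baseline.items():
        actual = host.settings.get(key)
        if actual is None:
            findings.append(Finding(
                host.name, f"setting {key!r} not reported (no visibility)"))
        elif actual != expected:
            findings.append(Finding(
                host.name,
                f"setting {key!r} is {actual!r}, baseline requires {expected!r}"))
    return findings


def audit(hosts, baseline=BASELINE, min_patch=MIN_PATCH_LEVEL):
    """Audit every host in the inventory and return all findings."""
    return [f for h in hosts for f in check_host(h, baseline, min_patch)]


def findings_by_host(findings):
    """Count findings per host so the worst hosts can be prioritised."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed inventory: one current host, one drifted host, and one legacy
# host that is both unpatched and only partially visible.
SAMPLE_HOSTS = [
    Host("web-01", 20170601, {"smb_v1_enabled": False,
                              "rdp_exposed_to_internet": False,
                              "auto_update": True}),
    Host("file-02", 20161101, {"smb_v1_enabled": True,
                               "rdp_exposed_to_internet": False,
                               "auto_update": False}),
    Host("legacy-03", 20150301, {"smb_v1_enabled": True}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS):
        print(f"{finding.host}: {finding.issue}")
    print(findings_by_host(audit(SAMPLE_HOSTS)))
```

Running the audit on the sample inventory produces no findings for `web-01`, three for `file-02` (stale patch level, SMBv1 on, auto-update off) and four for `legacy-03` (stale patch level, SMBv1 on, and two settings it never reports). The point of treating an unreported setting as a finding rather than ignoring it is the article's own: a host you cannot see is one you cannot claim to have secured.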
By: Mike Baukes
Source: Forbes.com — JUN 6, 2017