At the convergence of digital transformation, an industry-wide focus on SASE, and the effects of the continuing COVID-19 pandemic, there are key forces that security practitioners need to be aware of and operate within. This is the second blog in a series of three detailing these forces and how security leaders and practitioners can adapt to them in a digitally transforming, SASE-enabled world. This blog covers the forces of Organizational Culture and Adversaries and Threats.
Force 3: Organizational Culture
Organizational culture can have a significant impact on the security program. A shift in executive leadership or board often changes the organization’s risk appetite and priority of the security program. Most boards are now requiring a minimum report to the full board and quarterly report to the audit subcommittee of the board.
Impact of the Pandemic
The most significant change we have seen in changing organizational cultures is the rise of the remote worker amid the COVID-19 pandemic. Whilst traditional organizations prefer to see people in the office and collaborate face-to-face, the goal for most employees is to be flexible in their working environment. Pandemic planning aside, most workers will choose their employer and ask questions at the interview stage on this flexibility to ensure they have the best work-life balance. In addition, the next-generation workforce will demand this level of flexibility. With concerns over health, rising house prices, the increasing cost of affordable housing near workplaces, and the costs of travel assessed against salary, most workers will need this flexibility. As organizations reimagine their strategies, understanding their mobilization of the workforce will be critical. The mentality of work from anywhere, at any time, from any device, access any application, and share any information, is supportive of this cultural change. This shift away from the traditional office is evident in most industry sectors today.
Organizations Risk Appetite
With a flexible and innovative workforce, there also comes a shift in an organization’s risk appetite. So, how is that changing? Risk management was traditionally used to block high-risk activities and maintain alignment with company and security policy. It was a simple binary approach that most employees understood. However, as organizations become more complex in the offering of their goods and services through digital transformation that involves complex supply chains, these simple approaches no longer scale. New risks need to be identified based on behavior specifically on the most critical asset an organization has: its data. As more risk management programs become data-centric, so must their measurements on the likelihood and impact of these risks. Organizations today have become more open and willing to take new risks that, when managed appropriately, can increase their revenues.
Changes in Financial Policy
Chief Financial Officers are looking closely at the savings they can realize moving away from capital investments and moving to subscription-based contracts. Investment in technology is no longer a barrier with cloud services on a pay-as-you-innovate model. However, some industries such as critical national infrastructure (CNI) may still have a risk-averse culture and a more restrictive security strategy that is appropriate. Generally, this is where today’s CISO must be able to adjust to new technologies, new controls, more open policies that allow for a more open and collaborative culture to excel.
Force 4: Adversaries and Threats
The threat landscape is a baseline measurement of the current threats observed by most organizations. However, the threat landscape is only accurate if we identify and measure against all threats. One example is that phishing is still talked about at every organization as one of their primary concerns. This is obvious as phishing produces a visual identifier in the form of a phishing email that can be traced to the start of an incident.
Now, let’s talk about other common threats that are not always visible. Both cloud and web-based attacks continue to grow in numbers and according to ENISA (the European Agency for Cybersecurity), are a top-three threat, yet many organizations may not have a true visibility of this threat. For many, encrypted traffic to and from the organization is not always analyzed for threats. Even worse, traffic to and from cloud applications is often overlooked. More than 50% of internet traffic related to SaaS and cloud apps contains business essential information, therefore we should assume that this traffic should be analyzed for threats from not only an external threat actor perspective but also from an insider or accidental threat perspective.
As we broaden our visibility into this traffic we also must ensure we understand that data is no longer on a computer we own or control. The movement from on-premise applications to third-party developed applications provides a new threat kill chain to be considered. New models and updates to existing threat kill chains should also be acknowledged and considered for remote workers when the attack surface is multiplied. Similarly, they should also address how CISOs are required to manage and apply security controls to both remote staff and third-parties that threat actors may use to gain trusted access to the real target.
From an adversarial and threat perspective, an important strategy, control, and measurement should always be to reduce attack surface and dwell time. Dwell time can be measured as the duration a threat actor has undetected access to a network, system, application, device, etc. until access is identified and removed. Measurements for dwell time MUST extend to cloud applications and web services to further protect these environments from a confidentiality and data integrity perspective. Not identifying a threat actor with access to an organization’s IaaS platform or data lake will cause a significant impact to the organization.
The “insider threat” has been one of the greatest threats since the beginning of IT and over the years, the insider threat still remains dominant. Some of the biggest security breaches are due to an insider being focused on a business process and did not result in a public disclosure of regulated data. These types of breaches go vastly unreported due to the brand damage they bring to the company and, without a requirement, executive teams will often decide to not prosecute the case. Breach notification statistics recognize the number is only a small portion of the actual breaches that occur.
Complex business systems and access requirements have enabled a different insider. One that is looking to do their job just not the way you intended. These insiders, power users, and untrained users shoot the gaps in our systems and processes to be more efficient. They do so in the name of the customer and the business, many times in the heat of the moment. Often doing all the wrong things for all the right reasons. This insider, while well-defined, is evolving. As users move to cloud, SaaS, and web applications they have more access to more and more data and systems. The trends suggest that targets for common attacks, such as phishing, whaling, spear phishing, and business systems compromise, are going to intensify using SaaS applications as the threat vector, with email being the primary means for attackers to target their prey.
The Evolving Insider Threat
Looking forward to 2025, the insider threat is going to continue and will only grow in frequency and difficulty to detect due to the mobilization of the workforce. The movement of systems from on-premise to cloud applications makes it more difficult to detect an insider or threat agent posing as an insider. The data is not in the applications or organizations hosted, does not ride on the networks we built, and no longer resides in systems we own or control.
An insider can now be at our company or at the application providers company. With the paradigm shift in the consumption and delivery of business systems and data, one would think the programs would need to have rapid change as well. While there is rapid change in the technology there is no rapid change needed in the program and approach.
Insiders are largely triggered by emotional events. While these events are not ones that a company can easily support, the identification, education, and systems to support a strong insider threat program cannot be any easier to deploy. First, strong background checks, general awareness, and targeted education to high-value employees is key in turning an insider from a malicious one to a benign one. The systems most of us have can let users know while we don’t always see them, our systems, processes, and culture does. Alerts, daily action reports, and notices to users on their behavior will make them think twice about their actions. It also can be leveraged to coach an unknowing or untrained user to do the right action like leverage a secure file transfer system provisioned by the company over email or other systems. This awareness will also help users identify if they have been targeted as they know their actions better than we do.
Analytics for Insider Threat
Another control we all can leverage, and historically have not been able to use, is analytics. Systems using strong statistical analysis are a huge game-changer. These systems are only becoming smarter as they are supercharged with AI and ML analytics and engines which can learn what is and isn’t normal. While these technologies and approaches are at your fingertips the trick is executing the pivot your program must take to get the visibility, control, and ability to notify the users of their actions. Start by taking a look at your systems and adjust your strategy for insider threat management to include the growing evolution of the threat from “Cloud First” or “Cloud Only” IT strategies and how this impacts your security strategy. Next evaluate your ability to do deep analysis on the traffic understanding the user, the data, the actions, the source, and the destination. These are your context for baseline in your analytic systems but also the baseline for education and awareness. Lastly make sure you have inline support to stop and, in some cases, get justification for the users’ actions. Many times this simple step will stop the user from proceeding, but it also will break many automated scripts that are trying to exfiltrate data to cloud systems.
Want to learn more about the remaining forces? You can read my first post here, and keep an eye out for my next blog post discussing the last two forces.
While it is true that 2020 has changed the landscape of cloud security, Netskope was purpose-built for SASE. Let us show you why during our SASE Week! Click here for more information!