Threat actors will always win. Let that sink in for a second, accept it, hate it, disagree, it is proven time and again that a concerted actor will gain access to your systems and assets if the reward is high enough or the order is given.
I don’t say this as a method of inciting fear, rather, in the hopes that I can convince you this is just like any other business risk. Car manufacturers are suffering from a chip shortage and it costs X amount of dollars. So too do cyber security losses have loss in X amount of dollars. Loss of production, loss of consumer confidence, loss of privacy data in an increasingly risky space, Loss of intellectual property, etc.
I say this to bring a concept I have preached for years “Live Compromised”. It is a nebulous concept I agree but what I mean is take the time to think about where your Data is, Who Owns it, and How much it is worth. Think of ways to implement Principles of least privilege, and ask the questions “Should this user have access to this data”, and “Do they need access to this data to perform their job functions?” If you are borrowing a consumers private data, its cost is increasing state by state and eventually nationally. Nascent privacy laws in California, New York, and Colorado really have the ability to put companies who treat privacy data non-fiduciarily out of business. If you try to Live Compromised, you will start to rank data, set increasing barriers to whom should have access. Additionally, as the data value grows, the authenticated user should be under under ever escalating constraints as to which devices the authenticated user should be allowed to touch that data from. Some of those factors will be Device Health, Known device?, Device Encryption Status, Device security toolset functionality assessment, Device Compliance with baselines, and many more creative ways to reduce risk.
Everyone thinks security is this anti-virus, or that SIEM, but it is not. Security is about data. The CIA Triad is our code. Confidentiality, Integrity, and Availability. Our industry is still in the flashy tools phase of our birth, much like I imagine the foundation of modern medicine must have felt. Medicine went from “Oh, this new syringe thing helps deliver medicine”, and “now we have respirators”, and “now we have antibiotics”, in a very short time frame. Over prescription of Antibiotics today is still a devastating problem in modern medicine; creating “superbugs” like MRSA that is so resistant to antibiotics there are only a few left that can treat it. So too is the over prescription of modern Security tools. To clarify, Security tools prescribed without any understanding of where the data is, what it is worth, who owns it, etc, are like doctors prescribing antibiotics that only affect bacterial infections, when the patient is suffering from a non bacterial issue creating the aforementioned issue of antibiotic resistance. In our world, “More SIEM, SOC, EDR, XDR, SOAR, Intelligent AV, AI, will save us” is being screamed without educating practitioners that the tools do nothing without intent, operationalization, and contextual data awareness. We need to educate about more focus on data, controls to protect it, decisions of whether it should even be stored, and iterative processes.
We should use these controls so that when a threat actor eventually compromises an identity, the value of the data can be known, and limited. How many companies still have an “S” Drive or one huge SharePoint site with all users having access permissions? These practices mean that if compromised, you are totally compromised. If you use POLP and RBAC practices, you can significantly reduce from “Full compromised” to a much more limited subset of your choosing, and a very defensible one if done correctly against meeting due care and the reasonable person rule.
Thanks! Please feel free to reach out to discuss!
Matt
