With ransomware gangs raiding network after network and nation states consciously turning a blind eye to it, today’s chief information security officers are caught in a “perfect storm,” says Cybereason CSO Sam Curry.
“There’s this marriage right now of financially motivated cybercrime that can have a critical infrastructure and economic impact,” Curry said during a CISO roundtable hosted by his endpoint security shop. “And there are some nation states that do what we call state-ignored sanctioning,” he continued, using Russia-based REvil and Conti ransomware groups as examples of criminal operations that benefit from their home governments looking the other way.
“You get the umbrella of sovereignty, and you get the free license to be a privateer in essence,” Curry said. “It’s not just an economic threat. It’s not just a geopolitical threat. It’s a perfect storm.”
It’s probably not a huge surprise to anyone that destructive cyberattacks keep CISOs awake at night. But as chief information security officers across industries — in addition to Curry, the four others on the roundtable spanned retail, biopharmaceuticals, electronics manufacturing, and a cruise line — have watched threats evolve and criminal gangs mature, it has become a battle to see who can innovate faster: the attackers or the defenders.
“This is as old as any criminal activity in history,” said Marc Varner, VP and CISO at retailer Lowe’s. “One of the values that we [CISOs] give an organization is to start thinking about what is that next level? What are they going to pivot to next?”
For some industries, vulnerability exploitation and system intrusions have crossed from the cyber-realm and become matters of life and death.
Bristol Myers Squibb CISO: Availability is top concern
When it comes to preparing for and dealing with any kind of cyberattack, medication “availability is something that we’re incredibly concerned about,” said Sydney Klein, chief information security and data officer at pharma-giant Bristol Myers Squibb. “We want to make sure that we can reach our patients.”
This means thinking about the security posture of not just your own org, but also that of your suppliers, and making business continuity plans that account for supply-chain attacks, she said. “As a pharmaceutical, we’re concerned about every mile that needs to be driven to take our medicines to patients,” Klein added. “Well, what if there’s only one delivery driver company in the whole country that you’re working with? And that delivery driver system is hit by a ransomware attack?”
While big-game hunting may provide criminals with more lucrative payouts, it also requires more advance planning and technical prowess. Smaller businesses remain the low-hanging fruit, and the cyber-skill shortage makes them easier targets. Ransomware and data-wiping malware can drive these smaller orgs out of business, and that affects global stability, according to Devon Bryan, global CISO for mega cruise line Carnival.
“Small business is really the engine that drives the US economy,” Bryan said. “Certainly what we’ve seen in the uptick in ransomware, destructive malware, is the adverse impacts that those attacks have on such a key part of our financial and economic sector.”
But before we spiral into too deep of a dark, hopeless pit, there is some sliver of hope in that organizations are learning from their own — and others’ — mistakes. Corporations are looking at what they can do to minimize the effects that a destructive cyberattack can have on their business operations, Bryan added.
“Stuff like making sure you have good, verifiable backups,” he said. “Making sure that you are implementing appropriate segmentation throughout your enterprise. Knowing that prevention will fail, so how quickly can you detect, how quickly can you contain, how quickly can you respond?”
The weakest link
While cyber resiliency plays a key role in recovering from an attack, securing corporate IP and other data inside the organization isn’t always enough to keep a business up and running. Third-party suppliers and developers highlight organizations’ interconnectedness, and “you’re only as strong as the weakest point,” Motorola Mobility CISO Richard Rushing said. “It can take a simple third-party logistic organization to shut down your entire organization at the same time.”
There’s also the sheer amount of data companies generate and then stand to lose in the case of a ransomware or wiper attack. Case in point: the Lapsus$ gang in February stole a terabyte of data from Nvidia, including blueprints and employee credentials, and then days later compromised Samsung and leaked 200GB of data including source code.
Cyber criminals “are in it for the money, and however they can squeeze money out of the turnip or rock or anything else, they’re going to try,” Rushing said. “If it’s not you, it’s your partners. And if it’s not your partners, it’s the partners of their partners … The bad day is going to be on your doorstep at some point.”
And this puts security operations teams in a bind. Threats are becoming increasingly destructive. Meanwhile IT environments are expanding, generating massive amounts of security telemetry and pushing the need for detection and response across networks and clouds. Who will man the security operations center?
The answer may be hybrid — some combination of automated processes, a small team on site to secure the crown jewels, and then managed security services that have the ability to scale and can provide round-the-clock threat hunting and response.
“The benefit that you get in hybrid is that you have some internal experts who really understand the company and the business and what you’re doing, but by leveraging outside resources, you are tackling some of the challenges that we all face when it comes to finding the right talent and bringing them into the organization,” Klein said, adding that Bristol Myers Squibb uses a hybrid SecOps model.
“The benefit that comes to people like us in a hybrid situation is that then you’re not just seeing what your company’s seeing,” Klein explained. “You’re seeing what all of their clients are seeing, and that’s really priceless.” ®