As defenders, we keep raising our ability to defend against the latest threats. At the same time, adversaries keep raising their ability to succeed.
A bit of cat and mouse!
When we analyze many of the breaches that have taken place, there is a common theme we can use to elevate our defensive game. Most organizations now have the basic tenets of security in place: endpoint detection and response, email security, multi-factor authentication, next-generation firewalls, content inspection, even some level of macro- or zone-based segmentation, and more.
This tends to be fragmented, but we do the best we can with what we currently have in place. We essentially become the system integrator, which leads to design limitations and operational challenges. We spend a lot of time here that could be better spent, but that is not the focus of this discussion. Maybe a future article.
The thing to consider is many of the organizations that have been breached have followed a very similar defensive path that you are currently following or about to follow.
This includes following frameworks such as NIST, operationalizing best-of-breed technologies, building sophisticated teams, and tightening up and maturing incident response processes. The bottom line is that compromise still happens and the impact is significant.
So, what's the secret defensive opportunity? Lateral movement (MITRE ATT&CK tactic TA0008) is reported in as many as 70% of cyber breaches. Wow! That screams opportunity.
Even with layers, we are never going to provide 100% security effectiveness 100% of the time. We need to go where the adversary is going to go. Assuming breach gives us better defensive outcomes.
Let's take away the adversary's greatest opportunity once an initial compromise happens. It is time to build our defensive armor with strong, prescriptive controls throughout the ecosystem.
Today, technology exists to drive surgical network, workload, and application-based segmentation without the complexity of hand-building policies across a heterogeneous set of controls. This must include the ability to introduce these controls safely, for example by first observing what a policy would block before enforcing it, so that production is not disrupted.
Again, no defensive capability will ever provide 100% efficacy 100% of the time but restricting this tactic significantly improves our chances.
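To make the segmentation idea above concrete, here is an added example that is not code from the original post or from any Cisco product: a default-deny, zone-based allow-list evaluated over a handful of constructed east-west flow records. The policy has a monitor mode, which only flags flows that would be denied, and an enforce mode, which blocks them; running monitor mode against real traffic first is the "introduce safely" step. The zone names, IP ranges, allow rules and flow records are all assumptions made for this example.

```python
"""Zone-based segmentation policy with monitor and enforce modes.

Added example, not from the original post. All zones, rules and
flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layout (constructed for the example).
ZONES = {
    "user-workstations": ip_network("10.10.0.0/16"),
    "app-servers": ip_network("10.20.0.0/24"),
    "db-servers": ip_network("10.30.0.0/24"),
    "mgmt-jump": ip_network("10.99.0.0/28"),
}

# Allow-list of (src zone, dst zone, dst port). Anything not listed,
# including traffic between peers in the same zone, is denied.
ALLOW = {
    ("user-workstations", "app-servers", 443),
    ("app-servers", "db-servers", 5432),
    ("mgmt-jump", "app-servers", 22),
    ("mgmt-jump", "db-servers", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow, mode: str) -> str:
    """Return 'allow', 'flag' (monitor mode) or 'block' (enforce mode)."""
    if mode not in ("monitor", "enforce"):
        raise ValueError(f"unknown mode: {mode}")
    key = (zone_of(flow.src), zone_of(flow.dst), flow.dport)
    if key in ALLOW:
        return "allow"
    return "flag" if mode == "monitor" else "block"


def summarize(flows, mode: str):
    """Evaluate every flow; return verdict counts and the denied flows."""
    counts = {"allow": 0, "flag": 0, "block": 0}
    denied = []
    for flow in flows:
        verdict = evaluate(flow, mode)
        counts[verdict] += 1
        if verdict != "allow":
            denied.append(flow)
    return counts, denied


# Constructed sample of east-west flows (not real telemetry). The last
# three are the shape lateral movement usually takes: SMB, RDP and WinRM
# between hosts that have no business talking to each other.
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "10.20.0.15", 443),   # user -> app, legitimate
    Flow("10.20.0.15", "10.30.0.7", 5432),   # app -> db, legitimate
    Flow("10.99.0.3", "10.20.0.15", 22),     # jump host -> app, legitimate
    Flow("10.10.4.21", "10.10.4.88", 445),   # workstation -> workstation SMB
    Flow("10.10.4.21", "10.30.0.7", 3389),   # workstation -> db RDP
    Flow("10.20.0.15", "10.20.0.16", 5985),  # app -> app WinRM
]

if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        counts, denied = summarize(SAMPLE_FLOWS, mode)
        print(f"[{mode}] {counts}")
        for f in denied:
            print(f"  {evaluate(f, mode):5} {zone_of(f.src)} -> "
                  f"{zone_of(f.dst)}:{f.dport} ({f.src} -> {f.dst})")
```

Running it shows the same three flows flagged in monitor mode and blocked in enforce mode, while the three legitimate paths pass in both. The review of the monitor-mode output is where a real rollout earns its keep: any flagged flow that turns out to be a legitimate dependency becomes a new allow rule before the switch to enforce, rather than an outage after it.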
I am challenging organizations to invest time in solving the lateral movement risk that exists today. Defenders need to take away the very thing adversaries leverage to cause the greatest impact.
More on how in Part 2.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.