Sure, conducting a penetration test can find a weakness. But to truly identify key areas of risk, organizations must start to think more creatively, just like today's hackers.
You’d be hard-pressed to find a business or IT leader today who would deny the importance of cybersecurity. But awareness is different from having the resources and strategy to combat them. In trying to keep pace with end users’ expectations for fast roll-outs of the latest technology, the fight to ward off cyber threats has become more strenuous and stressful.
Fewer than half of information security professionals feel their organizations’ security is completely up to par, according to CompTIA’s 2016 study Practices of Security Professionals . The daily drumbeat of news about successful cyberattacks serves as validation of the beliefs of these security professionals.
Many businesses have thrown money at the issue. Enterprise security spending surpassed $75 billion in 2015, on its way to the $100-billion plateau by 2019, according to estimates from research concern Gartner. Much of this money has been spent on hardware and software solutions. But investing in infrastructure and security solution providers is only one element of survival in today’s constantly mutating landscape.
At best, these solutions represent only table stakes when it comes to securing companies effectively. At worst, they lead to a false sense of security. Recent attacks on leading cloud and mobile device providers suggest that another approach is necessary.
Beyond implementing tactical changes, IT leaders have to initiate a mindset shift throughout their teams, focusing on their ability to evaluate complex issues and create innovative security solutions.
Pivoting to a Data-driven Offense
The repeated mantra has been to “think like a hacker to stop a hacker.” Yet attacks continue to grow in spite of the increasing numbers of white hat and ethical hackers that have entered the workforce. A new approach is necessary.
The key is to properly analyze today’s networks to see where traditional security measures fail. This approach does more than simply devise an attack to see where security falls through the cracks. Merely conducting a penetration test may find a weakness. But conducting a creative analysis of the network and carefully analyzing the results will truly identify key areas of risk. Security professionals who can sniff out abnormalities in their IT network and applications can foil intruders’ plans before they escalate. This is a far different approach than simply finding a single weakness and then declaring “mission accomplished.”
Along with this mental adjustment comes another transition, one that few businesses have mastered. This approach involves both building up an IT department’s detection and analytics capabilities, along with proactively testing an organization’s IT environment to identify any potential vulnerabilities or security gaps.
In addition to focusing on the right hardware and software, it’s vital to focus on the “wetware:” the minds of people who are securing today’s networks. It’s time to focus on an essential shift in how today’s cybersecurity minds approach today’s IT infrastructure. By encouraging security professionals to figure out what makes their organization an attractive target in the first place and hunt down any points of exposure (the same steps hackers take), IT leaders can accelerate this paradigm shift and get ahead of future incidents.
It is often said that attackers are always figuring out new ways to get into systems. They don’t change their tactics and strategies often simply because they are attracted to new techniques or attractive, shiny new cyber objects. Malicious attackers change their tactics because they have very carefully analyzed the victim’s network and have come up with a creative solution. The answer, then, is for today’s cybersecurity professional to be equally as creative.
We’ve seen organizations conduct traditional “red team” and “blue team” competitions, designed to teach penetration testing and defense techniques. Over the past few years, a third team has been added to these competitions: a “white team” responsible for analyzing the tactics and strategies of the other two teams. These developments demonstrate that the traditional “anti-hacker” mind set has morphed and grown to embrace complex analytical skills. Sometimes, even big data approaches are used to help identify network weaknesses.
The traditional anti-hacker approach just can’t discover these issues in a timely way. But a data-driven approach can help. Tackling cybersecurity from a new, data-driven viewpoint will help organizations start to think creatively, just like today’s hackers.
