For many, cybersecurity evokes images of security engineers battling to prevent cybercriminals from gaining access to their systems and data. It’s seen as a high-octane, technical endeavour. Yet the reality of cybersecurity is far more nuanced and complex. While cyberattacks are a significant threat and technical controls are vital, organisational culture and operating models have an equally important role to play.
This blog addresses cybersecurity from the holistic perspective of ecosystem enablement. For a deeper exploration of risks and technical controls check out these blogs on protecting personal data in serverless cloud, personally identifiable information in regulated organisations and getting cloud security off to a strong start in Amazon Web Services.
A Branched Approach to Cybersecurity
Cybersecurity in the enterprise encompasses environmental and technical factors. Considering them as two branches simplifies and streamlines approaches across teams, processes, and technology disciplines, providing structural enablement for broad-based cybersecurity practice.
Environmental – this branch correlates with the messier human-centric origins of vulnerabilities and threats. These include the external operating environment, corporate culture, and societal factors that influence business operations. Security products, engineering controls or technical activities which can mitigate enterprise cybersecurity risk exposure are not the central point of focus here. It’s about understanding, responding to, and shaping the human element as part of a functioning, holistic cybersecurity plan. So, the threat environment, human behaviour and the security culture of the enterprise are central. Additional considerations might relate to the industry sector, regulatory requirements, the sensitivity of data and the potential impact of data breaches on wider business objectives.
Technical – this branch covers internal policy measures, processes, and technical controls which address issues related to the environmental branch. It’s about ensuring cybersecurity risks are maintained at a tolerable level through strong governance-establishing policies. These policies dictate standards which inform the objectives that controls seek to address. Governance is central to everything. It must be strong enough to enable accountability, responsibility, defence in depth, and ongoing processes which ensure controls remain holistic and fit for purpose.
The Environmental Branch
Within the environmental branch are five key interconnecting factors. These range from human and cultural elements to technical sprawl and threat intelligence.
Social Factors and Human Behaviour
It’s important for risk, security, and technology teams to understand how human behaviour can compromise processes, systems, or people. Identity fraud, social engineering or even blackmail can be used to gain access to information and credentials. These threat vectors are complex and may be challenging to detect, but a strong understanding of them drives effective policy and controls. Measures such as regular training to educate staff on security and social behaviours that may indicate underlying issues help mitigate this risk or reduce its impact.
Technology Environment Complexity and Sprawl
On-demand cloud services and DevOps practices are increasingly used to enable the adoption of self-organising teams. While this brings many advantages, enterprises also need to be mindful of associated risks. Such ease and speed of technology use can lead to sprawl and potentially uncontrolled attack surfaces. An enterprise’s risk culture, compliance policies and associated controls need to be implemented to scale with teams using these progressive methods. Guardrails can be very effective here, allowing teams to develop rapidly without stepping outside the boundaries of a secure environment.
External Threats and Threat Intelligence
Many malicious threats originate outside the organisation, including state and non-state actors (organised crime). Recent media reports have shone a light on this issue. Understanding the patterns of tactics, techniques, and procedures used by relevant threat actors plays a central role in defence strategies. It enables the implementation of preventative and detective controls that target those patterns. Many of these threats can be mitigated via third-party services and partners, especially if they’re known to intelligence sources. Leveraging an external view into the operating environment is a vital component of cybersecurity strategy.
Cyber Security Talent
The ability to plan and execute a broad, scalable cybersecurity strategy is contingent on access to relevant talent and partners. Without dedicated expertise, enterprises cannot plan or design controls for ‘unknown unknowns’ due to experience shortcomings or cognitive biases.
Organisations must plan how they will budget for and accommodate cyber roles, including:
- Threat intelligence SMEs
- Cyber policy analysts
- App Security and Cloud DevSecOps personnel
- Cyber Security Incident Response Team (CSIRT) members.
Corporate Security and Risk Culture
An all-encompassing cybersecurity strategy begins with effective corporate risk culture, training, consistency, alertness to threats and mindfulness of policy compliance. Together, these factors represent the cornerstone of effective security posture for any enterprise seeking to control cyber risk exposure.
Compliance with security policy directives must become inherent to organisational culture, underpinning all decision-making processes and technical enablement endeavours. Recent high-profile corporate cybersecurity compromises may have been rooted in technical expediency. Delivering a business solution without due consideration of ongoing security needs can lead to subsequent data breaches. It is often flaws in the organisational risk culture that can lead to these exposures.
The Technical Branch
Items within the technical branch are generally driven by the enterprise’s cybersecurity policies, standards, and guidelines. They must also be grounded in an understanding of data criticality and sensitivity as well as environmental threats and vulnerabilities.
Control Ownership and Traceability
Isolated controls offer insufficient protection against an evolving threat landscape. Clear and accountable ownership is needed, as well as plans to maintain controls’ ongoing currency and effectiveness. A clearly defined mechanism for control tracking and accountability can avoid a ‘tragedy of the commons’ scenario whereby confusion leads to neglect and cybersecurity breaches. Such breaches are not the result of a lack of effort to understand or prevent issues. They indicate deficiencies that prevent the approach working at scale, resulting in risky assumptions and misunderstandings that undermine control effectiveness.
Risk Traceability and Accountability
Enterprise CEOs and boards must be constantly aware of ongoing risks to their operations, especially in regulated industries. Before the era of DevOps, cloud, and software as a service, annual audits provided adequate understanding of corporate risk exposure. There were physical limitations to the speed at which a technology estate could grow and be reconfigured. However, modern ways of working render annual audits of risk posture obsolete because the rate of change in the estate is now so high. Risk, audit, and reconciliation against policy objectives must become a real-time, data-driven practice. This is the only way to balance the need for business agility and velocity with awareness of risk posture.
Risk tracking should offer a live view of risk exposure. It achieves this by combining logging data from technology posture with policy opinions (both organisational and industry common practices) to provide risk triage dashboards. Control ownership and responsibility are discussed in the preceding section; ideally, any real-time enterprise risk observability solution should also reconcile the owners of assets or controls that breach risk appetite, to drive visibility and accountability.
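As an added illustration of that reconciliation step (this is example code written for this post, not a product or the author’s own tooling), the script below joins constructed posture findings against a constructed policy catalogue and asset-owner inventory, drops anything within risk appetite, and produces triage rows keyed by the accountable owner. Assets with no registered owner surface as UNOWNED, which is exactly the ‘tragedy of the commons’ gap a dashboard should expose. All control ids, scores, asset names and owners are assumptions.

```python
"""Real-time risk reconciliation: posture findings + policy opinions -> owner-keyed triage.

Added example, not from the original post. Every identifier below is constructed.
"""
from dataclasses import dataclass

# Constructed policy opinions: control id -> (severity score, description).
POLICY = {
    "ENC-001": (8, "Data store must be encrypted at rest"),
    "IAM-002": (9, "Privileged accounts must have MFA enabled"),
    "NET-003": (7, "Storage must not be publicly readable"),
    "LOG-004": (4, "Audit logging must be enabled"),
}

# Constructed risk appetite: a failed control scoring above this breaches appetite.
RISK_APPETITE = 6

# Constructed asset inventory: asset id -> accountable owning team.
ASSET_OWNERS = {
    "db-customer-prod": "payments-platform",
    "bucket-exports": "data-engineering",
    "svc-admin-console": "core-it",
}

# Constructed posture findings as a scanner might emit them.
FINDINGS = [
    {"asset": "db-customer-prod", "control": "ENC-001", "status": "fail"},
    {"asset": "db-customer-prod", "control": "LOG-004", "status": "fail"},
    {"asset": "bucket-exports", "control": "NET-003", "status": "fail"},
    {"asset": "svc-admin-console", "control": "IAM-002", "status": "fail"},
    {"asset": "svc-admin-console", "control": "ENC-001", "status": "pass"},
    {"asset": "unknown-vm-17", "control": "ENC-001", "status": "fail"},  # no owner on record
]


@dataclass
class TriageRow:
    owner: str
    asset: str
    control: str
    score: int
    description: str


def reconcile(findings, owners, policy, appetite):
    """Return only appetite-breaching failures, each attributed to an owner.

    Rows are ordered highest severity first, then by owner, so the dashboard's
    top line is the most urgent accountable party.
    """
    rows = []
    for f in findings:
        if f["status"] != "fail":
            continue
        score, description = policy[f["control"]]
        if score <= appetite:
            continue  # within appetite: tracked, but not a triage item
        owner = owners.get(f["asset"], "UNOWNED")
        rows.append(TriageRow(owner, f["asset"], f["control"], score, description))
    rows.sort(key=lambda r: (-r.score, r.owner))
    return rows


def by_owner(rows):
    """Group triage rows by owner; the dashboard view an accountable team would see."""
    grouped = {}
    for r in rows:
        grouped.setdefault(r.owner, []).append(r)
    return grouped


if __name__ == "__main__":
    for owner, items in by_owner(reconcile(FINDINGS, ASSET_OWNERS, POLICY, RISK_APPETITE)).items():
        print(owner)
        for r in items:
            print(f"  [{r.score}] {r.asset}: {r.control} {r.description}")
```

In a live deployment the three inputs would be streams rather than literals (scanner output, a CMDB or tagging export, and the policy catalogue), but the join is the same: finding, policy opinion, then owner, with the unowned remainder reported rather than silently dropped.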
Control Design and Layered Defence
Layering is an important aspect of technical control implementation within an enterprise’s technology ecosystem. It should be both horizontal and vertical to avoid single points of failure which can lead to catastrophic breaches.
- Horizontal Layering involves stacking controls at the same level of the technology stack. For example, Identity and Access Management layers would include:
- Preventative control (implementation of least privilege access structures).
- Detective control (detection of a user assuming an elevated role on a resource).
- Corrective control (invocation of response procedures).
- Vertical Layering sees the insertion of controls at different levels of the technology architecture and operating model. If one layer is breached, the threat is contained and can’t traverse to other areas of the service or operations, rather like flood compartments in a ship.
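The horizontal layering example above (preventative, detective and corrective controls stacked on the identity layer) is shown below as working code. This is an added example, not from the original post or any vendor: the allow-list, principals, role names and audit-event field names are constructed, loosely modelled on cloud role-assumption logs. The detective control deliberately re-checks the preventative allow-list against what the platform actually recorded, so that drift or a bypass in the preventative layer is caught by the next layer rather than going unnoticed.

```python
"""Horizontal layering on the IAM layer: preventative, detective, corrective.

Added example, not from the original post. All names and event fields are constructed.
"""

# Preventative control: least-privilege allow-list of who may assume which role.
ROLE_ALLOW = {
    "ops-breakglass": {"alice"},            # constructed: only alice holds break-glass
    "ci-deployer": {"ci-bot"},
    "read-only-analyst": {"bob", "alice"},
}

# Roles whose assumption is privileged enough to warrant detection and response.
PRIVILEGED_ROLES = {"ops-breakglass"}

# Constructed audit events: what the platform recorded, whether or not it should have.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "principal": "alice", "role": "read-only-analyst", "result": "success"},
    {"ts": "2024-03-01T09:05:00", "principal": "bob", "role": "ops-breakglass", "result": "success"},
    {"ts": "2024-03-01T09:06:00", "principal": "ci-bot", "role": "ci-deployer", "result": "success"},
    {"ts": "2024-03-01T09:07:00", "principal": "mallory", "role": "ops-breakglass", "result": "failure"},
]


def authorize_assume(principal, role):
    """Preventative control: deny by default, allow only explicit principal/role pairs."""
    return principal in ROLE_ALLOW.get(role, set())


def detect(events):
    """Detective control: flag every *successful* privileged assumption that the
    preventative allow-list would not have authorised (drift, misconfiguration or bypass)."""
    alerts = []
    for e in events:
        if e["result"] != "success" or e["role"] not in PRIVILEGED_ROLES:
            continue
        if not authorize_assume(e["principal"], e["role"]):
            alerts.append({"principal": e["principal"], "role": e["role"], "ts": e["ts"]})
    return alerts


def respond(alert):
    """Corrective control: the ordered actions a response playbook would invoke.
    Returned as data so a runbook can record, approve and execute them."""
    return [
        f"revoke-sessions:{alert['principal']}",
        f"disable-role:{alert['role']}",
        f"notify:csirt principal={alert['principal']} role={alert['role']} at={alert['ts']}",
    ]


def run(events):
    """Chain the layers: detective output feeds corrective actions."""
    return [(alert, respond(alert)) for alert in detect(events)]


if __name__ == "__main__":
    for alert, actions in run(EVENTS):
        print(alert)
        for action in actions:
            print("  ->", action)
```

The point of the stack is that each layer assumes the one before it can fail: the failed attempt by an unauthorised principal is what the preventative layer should produce, the successful one by a principal outside the allow-list is what the detective layer exists to catch, and the corrective layer turns that into a recorded, auditable response rather than an ad hoc one.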
So, at a high-level, protecting a web-facing app with vertical layering might involve:
- Security event observability and triage for the entire stack.
- Network intrusion detection and triage for the entire stack.
- Identity and Access Management, encryption controls, key and secret management, and backups for the database.
- Encryption and authentication controls, and API authentication, for the business logic layer.
- Encryption, authentication, volumetric, and WAF controls for the web layer.
- Encryption and Identity and Access Controls for code repos.
- Role-based access controls and peer-review approval chains for orchestration media such as CI/CD pipelines.
For a deeper dive into controls and layered defence for consuming cloud services, check out this whitepaper.
Controls Assurance and Red/Blue Teaming
Any technical branch requires a layer of assurance to confirm that controls behave as intended. This is about ‘checking the checkers’. It’s a safety measure, ensuring controls have not been misconfigured or subject to ‘drift’ between their efficacy and the nature of the threat.
In a progressive DevOps environment, the pace of release is rapid and driven by cross-functional self-organising teams. One way to ensure controls remain effective is to adopt red/blue game days along with security tools that perform automated assurance. In this model, red team members act as security SMEs or DevSecOps engineers. Their role is to develop the frameworks, tools, and exercises run against the blue (release) team. This tests blue processes, code configuration, control layers and security response plans, ensuring they are strong and meet compliance objectives.
Data Analytics and Event Correlation
To detect and respond to cybersecurity events, enterprises must be situationally aware of their technology assets and what is happening across them. This involves making sense of large volumes of real-time security logs and metadata so possible cybersecurity events can be triaged effectively. Failure to apply security opinions to this data risks overwhelming security response teams with false-positive and false-negative security events. Fortunately, security in the cloud is a shared responsibility between cloud provider and customer. Combining platform security with third-party security SaaS tools enables enterprise security teams to understand and respond to security posture in real time. They can also customise rules and opinions for triage and response activity across the business.
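The paragraph above describes correlating logs from several sources and applying ‘opinions’ so that responders see triaged events rather than raw volume. The script below is an added example of that idea, not code from the original post or any SIEM product: it parses constructed log lines from three constructed sources (an IDS, an SSH auth log and a WAF; the formats are invented for this example), groups them by source address, and applies two opinions, a correlation rule (an IDS alert followed within a short window by a successful login from the same address is rated high) and a suppression rule (an approved scanner address is recorded but not escalated). The scanner allow-list, time window and verdict labels are all assumptions.

```python
"""Cross-source event correlation with triage opinions.

Added example, not from the original post. Log formats, addresses and rules are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines from three sources, each carrying a source address.
LOG_LINES = [
    "2024-03-01T10:00:01 ids alert sig=ssh-bruteforce src=203.0.113.5 dst=10.0.1.10",
    "2024-03-01T10:00:05 auth sshd failed user=root src=203.0.113.5",
    "2024-03-01T10:00:09 auth sshd failed user=admin src=203.0.113.5",
    "2024-03-01T10:00:40 auth sshd accepted user=deploy src=203.0.113.5",
    "2024-03-01T10:01:00 ids alert sig=ssh-bruteforce src=198.51.100.9 dst=10.0.1.10",
    "2024-03-01T10:01:03 auth sshd failed user=root src=198.51.100.9",
    "2024-03-01T11:30:00 waf block rule=sqli src=192.0.2.77 path=/login",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>ids|auth|waf) (?P<body>.*)$")

# Triage opinions (constructed): an approved internal scanner, and the correlation window.
APPROVED_SCANNERS = {"198.51.100.9"}
WINDOW = timedelta(minutes=5)
VERDICT_ORDER = ["high", "medium", "low", "suppressed-approved-scanner"]


def parse(line):
    """Parse one constructed log line into a dict; returns None for unrecognised lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    tokens = body.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    fields["kind"] = " ".join(t for t in tokens if "=" not in t)   # e.g. "sshd failed"
    return {"ts": datetime.fromisoformat(m.group("ts")), "source": m.group("source"), **fields}


def correlate(lines):
    """Group events by source address and assign each group one triage verdict."""
    events = [e for e in (parse(line) for line in lines) if e and "src" in e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        sources = {e["source"] for e in evs}
        span = evs[-1]["ts"] - evs[0]["ts"]
        failed = sum(1 for e in evs if e["source"] == "auth" and "failed" in e["kind"])
        accepted = any(e["source"] == "auth" and "accepted" in e["kind"] for e in evs)

        if src in APPROVED_SCANNERS:
            verdict = "suppressed-approved-scanner"   # opinion: known noise, keep but do not page
        elif "ids" in sources and accepted and span <= WINDOW:
            verdict = "high"                          # IDS alert then a successful login, same source
        elif len(sources) > 1 or failed >= 3:
            verdict = "medium"
        else:
            verdict = "low"

        incidents.append({
            "src": src,
            "sources": sorted(sources),
            "failed_logins": failed,
            "login_success": accepted,
            "verdict": verdict,
        })

    incidents.sort(key=lambda i: VERDICT_ORDER.index(i["verdict"]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(LOG_LINES):
        print(inc["verdict"], inc["src"], inc["sources"], f"failed={inc['failed_logins']}")
```

Two things are worth noting for a real deployment. Suppression should be recorded, not discarded, so that an approved scanner address being abused is still visible in hindsight; and the correlation window and thresholds are the ‘opinions’ the paragraph refers to, which is why they sit in named constants that a security team can tune rather than being buried in the logic.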
Predefined Response Plans and Forensic Capability
An observation from recent events is that when cybersecurity breaches happen, enterprises can find themselves caught on the back foot. It’s not always immediately clear to them what has happened or which services and/or stakeholders have been affected.
Businesses with less mature cybersecurity enablement may lack a pre-baked response for major breaches. This challenge is likely compounded by underinvestment in data analytics and forensic tools which quickly determine an event’s impact to enable rapid and concise delivery of stakeholder communications. Structured, well-rehearsed responses to cybersecurity events feed into the public’s perception, giving confidence that the organisation can manage the impact.
Guiding principles for effective response planning include:
- Clarity of roles and functions: who does what when a cybersecurity event is detected by analytics tools and processes.
- A rehearsed plan: steps to be implemented when a cybersecurity event or data breach occurs.
- Readiness to conduct forensics: tooling, skills, and some rehearsed standard operating procedures should be in place. (The effectiveness and speed of forensics-driven event clarity will be affected by the sophistication of the breach itself, but having these mechanisms in place means that response teams are not reacting on the fly in the aftermath of a cyber event.)
- Predefined steps and playbooks: think about the cadence of stakeholder communications, i.e., shareholders, media, government etc.
Square up to Evolving Cybersecurity Risks
Organised cybersecurity threats are increasing across all industry sectors. Geopolitical actors, organised crime, and opportunistic lone wolves create a constantly contested, at-risk cyberspace. Nevertheless, the nature of some recent compromises indicates they may have been possible because the affected parties lacked holistic cybersecurity or had suffered critical control failures.
Reputational damage, financial loss and regulatory scrutiny will continue to mount for organisations with a piecemeal approach to cybersecurity. However, protection can be found in policy mechanisms, threat analysis thought leadership, technical controls engineering and management lifecycles. Reinforcing this with controls assurance further enhances the defence. Organisations that invest effort and capital implementing and refining these measures will be best placed to withstand evolving security risks.
Our Cloud Security Assessment will help you identify where improvements are needed. Find out more here.
Matt Coombe has over 17 years of experience in the technology sector, specialising in the financial services industry and regulatory ecosystem across Australia, New Zealand and North America. Matt has led the planning, execution and operation of the hybrid cloud transformations on Microsoft Azure, Google and AWS platforms for some of the largest and most security-conscious banks globally.