As security practitioners are painfully aware, it is not a matter of if but when their organization will come under cyberattack. Given this year’s geopolitical events, the likelihood of falling victim to an attack has exponentially increased. And while the cybersecurity landscape will continue to evolve; many organizations seem to be holding on to the belief that deploying more preventive security tools will result in greater protection against these threats.
According to Gartner, organizations are expected to spend $172.58 billion on IT security and risk management technologies in 2022 alone. Despite this level of investment, hardly a week goes by without a new high-profile cyberattack (e.g., Los Angeles Unified School District, Samsung, KeyBank, Okta, DoorDash, and Twilio). Reality is that we can never eliminate cyber risk entirely, but we can manage it more effectively with “Left and Right of Boom” processes and procedures, creating a winning strategy by splitting an organization’s cybersecurity investments between strategic preparedness, prevention, and incident response.
The term “Left of Boom” originates from the military, whereby forces engaged in operations in Iraq and Afghanistan were tasked to research on how to detect Improvised Explosive Devices (IEDs) and detonate them harmlessly, or to infiltrate and disrupt bomb manufacturing to minimize the amount of casualties and damage to military personnel and material. About 15 years ago, the idiom began to be applied to cybersecurity, where the risk management continuum values the investment in protection to mitigate the negative consequences of a cyber incident. The primary job of an organization’s security team is to exercise continuous diligence in reducing risk, within the risk appetite and risk tolerance of the company, so that the likelihood of a boom is low, and the corresponding magnitude of harm is limited.
Essential “Left of Boom” Processes
Getting started on such a path can be intimidating, especially for smaller organizations with limited resources, but in a recent discussion (see video below), a group of industry-leading cybersecurity practitioners called out some of the critical steps to be considered on the path to “Left of Boom”:
• Understand hardware and software inventory to have the necessary visibility to create meaningful metrics and assess security efficacy.
• Move to the cloud to leverage the major providers’ inherent security measures and subsequently reduce the attack surface.
• Implement multi-factor authentication (MFA) and least privilege to minimize the risk of lateral movement.
• Make the endpoint resilient, as in a work-from-anywhere era all devices constitute the new enterprise perimeter.
• Apply network segmentation to minimize the risk of lateral movement.
• Run anti-malware and make sure the software is not only installed but functioning as intended.
• Establish Zero Trust principles by adopting a “never trust, always verify” mentality for cybersecurity and risk management.
Unfortunately, there is no such thing as 100 percent protection. Therefore, we cannot solely focus on “Left of Boom” processes, but also have to talk about the “Right of Boom”.
Fortunately, some “Right of Boom” processes and procedures can inform some “Left of Boom” activities, providing a valuable feedback loop. In fact, it can almost be argued that “Left of Boom” exists as an idiom because “Right of Boom” has happened too often. Many industry-standards and government regulations mandate some form of “Right of Boom” processes (e.g., disaster recovery and business continuity planning). However, these processes are too often managed as a paper exercise and don’t consider the need for cyber resiliency when it comes to an organization’s recovery efforts.
Create Your Go-Bag for “Right of Boom”
Most businesses lack what really matters for a complete recovery — pro-active resilience or the ability to bounce back when struck down and come back as strong as ever. Like people who live in an earthquake zone, businesses need to have a cybersecurity “go-bag” that they can grab as soon as disaster strikes.
Historically, IT and security professionals’ top priority regarding cyber resiliency has been securing and restoring critical infrastructure, such as servers and key business systems. Yet, in today’s “work-from-anywhere” world, the threat of cyberattacks is greatly exacerbated by the geographic distribution of endpoints. This new model has expanded the potential attack surface, lowered barriers to entry, and reduced IT teams’ visibility into devices. In fact, “The Value of Zero Trust in a WFA World” report (PDF) found that 97% of surveyed IT experts believed that remote workers are exposed to at least some added risk, with roughly 47% believing the risk was either high or extremely high.
Gone are the days when workers could simply walk over to the IT department to address their security problems. Therefore, organizations need the right tooling and technology to secure their endpoints remotely, at scale, so they can effectively remove malware and restore their critical applications after a crippling attack.
To ensure the highest level of cyber resilience and enable endpoint reconnection after compromise, businesses must have persistent defense technology with firmware-embedded capabilities. This is because any form of defense that lives on an endpoint can only be effective if it remains operational and functions as intended. In doing so, organizations can measure the health and compliance of endpoint security controls and promptly identify when applications are disabled, misconfigured, or otherwise exploited. And they can empower those mission-critical applications to self-heal and recover automatically without user intervention, even when starting from ground zero after a complete wipe. Considering the associated benefits, it’s not surprising that the National Institute of Standards and Technology (NIST) is propagating the use of these survivable, trustworthy secure systems as part of a balanced “Left and Right of Boom” strategy.
Ultimately, finding the right balance between strategic preparedness, prevention, and incident response has become essential in determining an organization’s ability to anticipate, withstand, recover from, and adapt to attacks, or compromises on cyber resources.