Advanced Persistent Threats (APTs) have forced organizations to reevaluate their approach to security. But the adaptive nature of APTs requires much more than a shiny new security box and some spackle to protect your corporate network. The people in your organization need to adapt too, and that is true from end users and security practitioners all the way up to executive leadership. Security in the era of APTs is everyone’s problem, and to truly adapt means each team in an enterprise has to push itself out of its traditional comfort zone. Let’s look at some of these challenges.
End-users are the front-line targets of APTs and cyberattacks, and for good reason. In general, there are a lot of these users, they need to communicate and click on things during the course of their days, and security is usually not the first thing on their minds. What that means to an attacker is a range of soft targets susceptible to persistent attacks. To deal with this challenge, end-users need security training, and to be held accountable when their individual behaviors lead to security events.
This doesn’t mean you should hand out draconian punishments to someone who gets compromised. Even the most security-conscious person can make a mistake or simply be fooled by a sophisticated phishing or watering-hole attack. However, end-users do need to understand that they play a very active role in the security of the enterprise and the places they go on the Internet, the applications they use, and the links they click on make a big difference. They need to be held accountable; if users don’t feel a personal responsibility when it comes to cybersecurity, all the training in the world won’t change their behavior.
While end-users are the initial targets of an attack, it is up to IT practitioners to directly defend the organization from attacks, and APTs obviously present unique technical challenges. Advanced threats are known for using customized, obfuscated, or evasive techniques in order to slip past the layers of enterprise security. This means that IT security teams have to go beyond automated blocking and the review of security logs. Additionally, they need to be thinking about what sorts of threats they might have missed.
This could mean adding new layers of security such as behavioral analysis to identify new or unknown exploits or malware. But the challenge goes far beyond simply deploying new security technologies – they need to creatively engage in security analysis. What anomalies have been seen that could indicate the presence of an APT? What servers, applications, or users have shown changes from their norms that could indicate an infection? This type of monitoring is easier said than done, and requires time, creativity, and focus. Time is obviously in short supply in most IT organizations, so it is critical that these teams get the resources they need from their managers and executives.
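The "changes from their norms" question above is easiest to make concrete with a baseline: count an event per host per day over a quiet week, then flag any later day that sits far outside that host's own history. The following Python is an added example written for this edit, not code from the original article; the host names, day labels, connection counts and the `<day> <host> <event> <detail>` log format are all constructed assumptions, and the z-score threshold and minimum delta are illustrative tuning knobs.

```python
"""Baseline-deviation check: flag hosts whose daily outbound-connection count
breaks away from their own baseline week. Constructed sample data throughout."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed per-day outbound-connection counts for a baseline week (d01..d07)
# and the day under review (d08). Made-up numbers, not real telemetry.
CONSTRUCTED_COUNTS = {
    "web01":        {"d01": 3, "d02": 5, "d03": 4, "d04": 4, "d05": 3, "d06": 5, "d07": 4, "d08": 5},
    "fileserver01": {"d01": 2, "d02": 2, "d03": 3, "d04": 1, "d05": 2, "d06": 3, "d07": 1, "d08": 20},
    "hr-laptop07":  {"d08": 7},   # host with no history at all in the baseline week
}
BASELINE_DAYS = ["d01", "d02", "d03", "d04", "d05", "d06", "d07"]


def constructed_log():
    """Expand the counts above into raw log lines of the assumed format
    '<day> <host> <event> <detail>', with an unrelated event mixed in."""
    lines = []
    for host, per_day in CONSTRUCTED_COUNTS.items():
        for day, n in per_day.items():
            for i in range(n):
                lines.append(f"{day} {host} outbound_conn 203.0.113.{i % 20 + 1}:443")
            lines.append(f"{day} {host} login svc_backup")  # ignored by the event filter
    return lines


def parse_line(line):
    """Split one log line into (day, host, event); the detail field is dropped."""
    day, host, event, _detail = line.split(maxsplit=3)
    return day, host, event


def daily_counts(lines, event="outbound_conn"):
    """host -> Counter(day -> number of matching events)."""
    counts = defaultdict(Counter)
    for line in lines:
        day, host, ev = parse_line(line)
        if ev == event:
            counts[host][day] += 1
    return counts


def find_deviations(counts, baseline_days, threshold=3.0, min_delta=5):
    """For each host, build mean/stdev from the baseline days and report any
    non-baseline day that is >= threshold standard deviations above the mean
    AND at least min_delta events above it (min_delta suppresses noise on hosts
    whose baseline is tiny or flat). A host with a flat (zero-variance) baseline
    is reported on the delta alone, with z-score None, so brand-new hosts show up.
    Returns (host, day, count, baseline_mean, zscore_or_None) tuples."""
    baseline = set(baseline_days)
    findings = []
    for host, per_day in sorted(counts.items()):
        base = [per_day.get(d, 0) for d in baseline_days]  # missing days count as 0
        mu = float(mean(base))
        sigma = pstdev(base)
        for day in sorted(per_day):
            if day in baseline:
                continue
            n = per_day[day]
            if n - mu < min_delta:
                continue
            if sigma == 0:
                findings.append((host, day, n, round(mu, 1), None))
            else:
                score = (n - mu) / sigma
                if score >= threshold:
                    findings.append((host, day, n, round(mu, 1), round(score, 1)))
    return findings


def review(lines=None):
    """Run the check over the constructed log (or any lines in the same format)."""
    lines = constructed_log() if lines is None else lines
    return find_deviations(daily_counts(lines), BASELINE_DAYS)


if __name__ == "__main__":
    for host, day, n, mu, z in review():
        z_text = f"z={z}" if z is not None else "no usable baseline"
        print(f"{host} on {day}: {n} outbound connections vs baseline mean {mu} ({z_text})")
```

Run as written, it reports fileserver01 (20 connections against a baseline mean of 2) and hr-laptop07 (traffic from a host with no baseline at all), while web01's 5-versus-4 stays quiet. The two conditions matter: the z-score alone would flag a one-connection change on a host whose baseline never varies, and the delta alone would miss a gradual drift on a busy host, which is why a practitioner keeps both and tunes them per asset class.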
In addition to empowering their teams, IT managers are being forced to tear down some long-standing walls that usually keep IT groups apart. In a traditional management structure, the network team is strictly segmented from the security team, and likewise end-point security teams are also often separate. Each team has its own priorities, needs and budgets. But while those silos have organizational benefits in the office, APTs don’t respect the boundaries. An advanced attack leverages the network and end-points in a variety of ways over time, and never presents so convenient a solution as “deal with it in xyz end points.” A coordinated attack demands coordinated defenses, and if teams are in silos, their political fiefdoms play right into the hands of the attackers. The long and short of it? Work together or you’re robbing the greater team of valuable context to find and stop an APT.
While much of the APT conversation focuses on the technical aspects of threats, it’s important to remember that the ultimate goal of an APT is to steal or destroy an enterprise’s most critical assets. This could be intellectual property, trade secrets, customer information, or access to business partners. These are the very items that ultimately define an enterprise and can often make or ruin its reputation overnight. That’s precisely why a strategic discussion of APTs has to reach the C-level. CFOs, for example, need to model the financial impact of important assets being compromised so that they can properly assess the potential risk and ultimately understand the true value of security. You can adapt the to-do for any other C-level viewpoint – CEO, CIO and CISO especially – but the takeaway must be that security is a strategic topic for the organization from top to bottom.
The good news is most organizations are not starting this process entirely from scratch. IT security teams are more often than not actively engaged, if still divided, when it comes to threat assessment. Even C-level executives who don’t “speak security” have seen enough headlines to make internal inquiries about how well protected their companies are – no one wants to be another Heartland or Hannaford and talk to shareholders, customers and the press about what mistakes were made.
So let that interest be the basis of a deeper discussion. Behavioral change management is an uncomfortable thing at most organizations, but an APT is cause for a new discussion. Whatever your level, get out of your comfort zone and be the change agent your department, your division or your management team needs.