It used to be the case that when you thought of Sony, you thought of movies, entertainment and high end electronics.
If you’re in IT, or if you are a business executive, Sony will probably bring to mind security problems, which shows that the challenges of maintaining cyber security are now part of the mainstream public consciousness. The business and technical situation regarding security is definitely different than it was even just a year ago.
Why have times changed? And importantly, what do those changes compel us to do differently?
How times are different
First, the direct cost of any breach can now be astronomically higher for any firm that is compromised. A judge has recently ruled that a company can be held liable by its partners. In the case of a retailer, for example this means that banks can now sue merchants to recoup the losses that they suffer in a data breach. In one case, just the cost of replacing the stolen credit cards was roughly $400M. In other industries, similar liabilities – and costs – will apply. This shows that all firms must proactively secure their systems to the highest possible level or be subject to potentially devastating expenditures.
Second, the velocity of attacks is much higher than it has ever been. In other words, there are thousands of highly active and extremely motivated attackers that will use any means necessary to compromise the systems of their targets. Because important vulnerabilities are highly publicized, they are exploited more quickly than ever before. This means that all organizations are under threat more quickly than ever before, and so all organizations must be more vigilant in protecting themselves against attacks. Further, when any vulnerability is publicized, firms must act quickly to correct their internal systems because the threat is more likely to be exploited.
Finally, “perimeter defense” is not as effective as it used to be. Previously, organizations could rely on setting an effective defense around their network, and mostly assume that within their firewall, the systems would be safe from attack. No longer. Security and Risk professionals must now adopt a “Zero Trust” model where all internal systems are secured. Because systems are so highly interdependent and interconnected – the massive data breach at Target started through access granted to one of its HVAC vendors – all systems within your organization must be catalogued and protected.
How to respond
Because of these three reasons – the dramatic increase in the direct cost of a breach, the growth in the velocity of attacks, and the declining effectiveness of perimeter security – business and technical professionals must respond in two key areas.
First, organizations must respond more quickly to known vulnerabilities. One key friction point that inhibits companies from updating systems in a timely manner is the separation between the security team, which is responsible for identifying vulnerabilities, and the operations team, which is responsible for maintaining performance and availability of operational systems as well as for updating those systems to correct vulnerabilities. This SecOps gap is gaining recognition by analysts and companies as one of the key problem area to address to reduce the time that a company is vulnerable to any given security issue.
Secondly, companies must secure all internal systems, not only the most vulnerable. One highly publicized breach came initially through a third party that had access to only peripheral systems. At Sony, the breach started on a single compromised server and spread from there. Of course, some systems are more critical to secure than others. However, it is now clear that even seemingly innocuous systems can be the gateway to a massive security incident.
For information on how hundreds of firms use BMC Software to respond to the new requirements of security and compliance, see www.bmc.com/compliance.
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.
See an error or have a suggestion? Please let us know by emailing firstname.lastname@example.org.