Well-funded, organized attacks require strategic counter-defense strategies
Enterprise CIOs and CISOs in government and the private sector are still assessing the full impact of the advanced supply chain attacks uncovered in recent months.
“A high-profile supply chain attack was bound to happen. But as an industry, we did not invest enough in mitigations,” says Yassir Abousselham, chief information security officer at Splunk, in a new CyberScoop podcast. Attacks like the supply chain attack via a SolarWinds application, initially revealed in December, and the Hafnium attack revealed in March, underscore the gravity of lateral threats.
“The fact of the matter here is that cyber is where the new wars are being fought and supply chain attacks are a winning playbook for the state-sponsored attackers,” he stresses.
The adversary is well funded, persistent, and highly technical; therefore, it is important for security leaders to accept that there’s no one vendor or technology that can defend against supply chain attacks.
In this podcast, underwritten by Splunk, Abousselham says CIOs and CISOs need a broad security strategy that includes a combination of doubling down on security hygiene and instituting more advanced initiatives, such as zero trust and security operations center (SOC) modernization.
Key capabilities for a successful zero-trust strategy
“Attackers rarely compromise the system containing the most sensitive information from the get-go,” he says. “They rely on lateral movement to get to high-value targets.”
The zero-trust security philosophy can be invaluable to organizations as they try to mitigate cyber risks, or at least slow down an attack, because lateral movement typically relies on credential harvesting or privilege escalation.
Abousselham describes several components of a strong zero-trust strategy to guide IT leaders on the security capabilities they should focus on, including:
- Continuous strong authentication, so that an attacker who achieves an initial compromise would have to successfully authenticate multiple times, which is either not possible or would trigger alerts.
- Machine identity, to restrict access from endpoints.
- Security requirements based on least privilege access, to limit users or machine accounts from accessing the rest of the system.
- Trust boundaries, for example around high-value assets, that combine roadblocks with detections that trigger whenever users attempt to cross those boundaries.
Modernizing the SOC to prevent threats
“Effective security measures are typically multi-layered and achieve a balance between prevention and detection. The fact of the matter is that we cannot predict every single tactic that the attacker may use,” says Abousselham.
That is where aggressive detection becomes a key part of mitigating advanced attacks spreading through the environment.
Abousselham suggests that SOC modernization should focus on increasing analyst efficiency, improving the ability to detect high-risk events, and reducing dwell time, the time between when a compromise first occurs and when it is detected.
He discusses how technologies like risk-based alerting and automation take mundane and repetitive tasks away from security analysts and let them focus on high-value work.
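To make the risk-based alerting idea concrete, here is an added example (not Splunk's implementation and not from the podcast): constructed low-fidelity risk events for two users are aggregated per entity inside a sliding window, a single alert fires only when the summed score crosses a threshold across several distinct rules, and dwell time is measured from the first contributing event to that alert. The threshold, rule names and window are assumed tuning values for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events: (timestamp, entity, risk rule, score). Each is
# weak evidence on its own; together they trace one lateral-movement path.
RISK_EVENTS = [
    ("2021-03-01T09:00:00", "user:alice", "vpn_login_new_country", 20),
    ("2021-03-01T09:12:00", "user:alice", "repeated_mfa_prompts", 30),
    ("2021-03-01T09:40:00", "user:alice", "directory_enumeration", 25),
    ("2021-03-01T10:05:00", "user:alice", "admin_share_access", 30),
    ("2021-03-02T14:00:00", "user:bob", "repeated_mfa_prompts", 30),
    ("2021-03-01T09:30:00", "user:bob", "vpn_login_new_country", 20),
]

# Assumed tuning values for this example, not vendor defaults.
THRESHOLD_SCORE = 80        # aggregated score worth an analyst's time
MIN_DISTINCT_RULES = 3      # require several independent signals, not one noisy rule
WINDOW = timedelta(hours=24)

def risk_based_alerts(events, threshold=THRESHOLD_SCORE,
                      min_rules=MIN_DISTINCT_RULES, window=WINDOW):
    """One alert per entity whose windowed risk crosses the threshold across
    enough distinct rules; dwell_minutes runs from the first contributing event."""
    by_entity = defaultdict(list)
    for ts, entity, rule, score in events:
        by_entity[entity].append((datetime.fromisoformat(ts), rule, score))
    alerts = []
    for entity, evs in by_entity.items():
        evs.sort()  # evaluate in time order, as a streaming pipeline would
        for i, (now, _, _) in enumerate(evs):
            recent = [e for e in evs[: i + 1] if e[0] >= now - window]
            total = sum(s for _, _, s in recent)
            rules = sorted({r for _, r, _ in recent})
            if total >= threshold and len(rules) >= min_rules:
                first_seen = recent[0][0]
                alerts.append({
                    "entity": entity, "alert_time": now, "total_score": total,
                    "rules": rules,
                    "dwell_minutes": int((now - first_seen).total_seconds() // 60),
                })
                break  # one notable per entity carrying the whole chain
    return alerts

if __name__ == "__main__":
    found = risk_based_alerts(RISK_EVENTS)
    print(f"{len(RISK_EVENTS)} low-fidelity events -> {len(found)} alert(s)")
    for a in found:
        print(a)
```

Six raw events would otherwise mean six tickets; here alice's chain becomes one alert with a 65-minute dwell time, while bob's two signals, too few and too far apart, never page anyone.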
“The fact of the matter is that security talent is scarce and will continue to be scarce and the attack surface will be expanding. There’s pretty much no way back,” he says. “It is extremely important that we weave security into everything that we do as an industry. But also that we aggressively go after and deploy these more advanced techniques to have a chance defending against these types of advanced attacks.”
Learn more about how Splunk brings data to every mission so that your organization can better defend itself from the next attack.
Listen to the podcast for the full conversation on using zero trust and SOC modernization to respond to the changing threat landscape. You can hear more coverage of “IT Security Modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn. This podcast was produced by CyberScoop and underwritten by Splunk.
Yassir Abousselham oversees security at Splunk in addition to supporting Splunk’s customers with their data-driven security practices. Prior to Splunk, Yassir held various CISO and security leadership roles at Okta, SoFi, Google and EY. He is an active member of the cybersecurity industry and holds two U.S. patents in trusted network communication.