Cyber Awareness Month: When is Ignorance of Attacks Acceptable?

Written by Paul Kurtz, Co-Founder & CEO @TruSTAR Technology

October is Cybersecurity Awareness Month. This has been true for the last 14 years. As each year passes we seem to be made aware of more severe security problems rather than learning how to better protect ourselves. This month we have seen a steady stream of information about very serious hacks involving Equifax, Yahoo, and NSA — and we are not yet even halfway through the month.

Statistics from Cisco’s 2017 Security Report show that it takes an average of 200 days for a company to uncover a hack. Once a company knows, it hires a forensic firm, retains counsel, and might call the FBI. A company typically doesn’t disclose what it knows until forced to do so under a myriad of state data breach notification laws or until news of the hack leaks. This extends the amount of time adversaries can continue hacking — using the same techniques — until the problem becomes public and defensive measures are deployed. Sigh.

There is some good news to report though. Tens of Fortune 500 companies have recognized that it is critical to close the gap and have a real-time understanding of cyber events underway around them. For example, by having access to data about active hacks exploiting Apache Struts vulnerabilities, participants were able to see attacks underway against companies in real-time as soon as US-CERT released the Common Vulnerabilities and Exposures (CVE) on Apache Struts in March. This vulnerability, as readers may know, was exploited at Equifax.

How were companies able to see these attacks? Because companies in organizations like the Cloud Security Alliance elected to report events to each other in real-time without attribution through a common technology exchange and correlation platform. These events are typically not “breaches,” but data on suspicious activities identified by security systems and operators. When company data streams are correlated with others, the findings are astounding. Their knowledge is enriched. Not only can companies understand attacks underway against others, but they can also see how data from other providers — including the Department of Homeland Security — corroborates their own reporting. Trending malware against known vulnerabilities is available and easily consumable by others involved in the exchange. This allows “tip-off” of problems, saving time and resources and accelerating mitigation while reducing risks to the company.

This leaves the question of when remaining ignorant of attacks underway is acceptable. The answer lies with the risk tolerance of CEOs and their boards of directors — not the company’s security team.

While NIST’s Security Framework encourages participation in information exchanges, there is no requirement for companies to be cognizant of events underway around them. This has seemed like a bridge too far because of legal and technical challenges. Legal fears have been eased by the Cybersecurity Act of 2015, which identifies the types of data that can be exchanged without liability risks. Technical challenges have been overcome through technology that removes attributable data such as personally identifiable information (PII) on the fly, and through permission-based enclaves that let a company preview correlations with other events before its data is shared with others. Enriched data is now available on a real-time basis. This insight comes from CEOs with a commitment to engage and a realization that contributing to a common understanding of attacks underway is critical to managing growing risks to their companies.

A transformation is underway. The question for other CEOs is: when is not knowing acceptable to you? Ask Equifax’s former CEO.

Sign up for an Enclave on TruSTAR today.

Storm Ventures is an investor at TruSTAR, with Storm Managing Partner Tae Hea Nahm serving as a current board member and Arun Penmetsa serving as board observer.
