Prevent cyber attacks, don’t just react to them

Cybersecurity often becomes a top concern for CEOs only when a breach occurs and they are contacted by regulators or during discussions on the security and privacy implications of a new initiative or a future strategy. In fact, many Indian CEOs self-identify as being “reactive” when it comes to implementing cybersecurity measures that treat the symptom but not the disease. These band-aid measures only offer an illusion of security. 

With the number of cyber-attacks increasing, It’s clear that existing security measures are not sufficient, requiring a shift in the way we approach cybersecurity. This translates to having both preventative and proactive security controls that complement reactive controls. 

Most organisations today focus on reactive security solutions. Reactive controls take on an event-based approach. They look at events, logs, and traces that show activities that have already taken place. These controls cannot prevent attacks but most often serve the purpose of incident response.  

Preventative controls, on the other hand, focus on the existing state of security on a given asset and assess where attack vectors exist. A good analogy to differentiate these two is this - reactive strategies are like your neighbour telling you that a van showed up and the driver robbed your house and drove off with all your things an hour ago.  

Additionally, when organisations adopt and focus on preventative security strategies, not only can they address more potential risk before it causes damage, but their existing reactive controls can be more effective and efficient by dealing with a smaller number of breach events and security incidents. It lays a strong cybersecurity foundation allowing for better overall risk mitigation.  

Let’s consider reactive controls like endpoint security for instance. Without the right context, security teams would have no idea if existing attack vectors have been closed.  

So, the number of events each reactive control has to respond to will be massive leading security teams to struggle to identify when these controls fail and whether attacks have successfully gotten through. By proactively preventing more attacks from happening in the first place, the endpoint security tool will have fewer events to respond to, increasing the chance of stopping a malicious event as it’s happening and generating fewer false positives. 

Another drawback is that these point solutions generate so much data that much-needed context is lost in a sea of spreadsheets, leaving organisations blind to understanding whether they have effectively reduced cyber risk. It’s evident that investments into purely reactive controls are simply not sufficient for today’s modern attack surface. On the other hand, when preventative measures like exposure management are adopted, organisations will have the added context of the possible attack pathways and assets that are most vulnerable. 

With the right blend of proactive and reactive strategies, organisations will not just have a line of defence to protect their assets from successful attacks that make their way into the environment, but they also provide a bit of time for defenders to remediate the exposures identified by preventative controls. 

So how do organisations go about adopting preventative security strategies? The first step is identifying and assessing risk for all assets. This means gaining visibility into not just servers and workstations but also the security state for web applications, cloud infrastructure, code repositories, containers and other virtualization platforms, public-facing assets, and especially credentials and operational technology devices. In today’s interconnected world, any of these assets could be used to stage an attack against the rest, and if left unsecured, it results in massive blind spots in the attack surface. Without a comprehensive view of all the assets in the environment, it’s essentially impossible to make realistic decisions on mitigating risks in a meaningful way. 

Once organisations have full visibility, the next step is prioritising risk. Often organisations use Common Vulnerability Scoring System as a qualitative measure and while it helps with basic vulnerability management, it does not accurately reflect the real-world exploitability or attention that threat actors place on these vulnerabilities.  

What organisations need are unified solutions that can help identify misconfigurations, code flaws and other types of exposures, and understand the technical risk between different assets. Better prioritisation means using methods like threat intelligence, real-world exploitability context, business criticality and business impact context. And all of this is possible with exposure management. 

Also, once security teams have a clear picture of what risks to prioritise first, remediation becomes much easier. But, executing the prioritisation plan is not just about patching vulnerabilities. It must include policy changes, system configuration hardening, code fixes, workflow and process changes that address exposures in a relevant way — from a cost, process and feasibility perspective. 

Nathan Wenzler

---

Nathan Wenzler is the Chief Security Strategist at Tenable.