“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
That was the conclusion of Paul Furtado, VP analyst at Gartner, speaking at MES IT Security in Indianapolis this week.
There are some persistent security challenges – the skills gap, shadow IT, hybrid work – but Furtado focused on the newest threats facing security teams in 2023, along with an action plan to address each one.
While attacks are evolving, one of the biggest threats today is the expanding perimeter/attack surface.
Furtado pointed out that security regulations “don’t differentiate between cloud, on-prem or SaaS – they just care about the data.”
* Perform attack surface gap analysis – “A regulator’s not going to give you a free pass because you say, ‘I didn’t know we were using that application.’”
* Evaluate attack surface management technologies to visualize your external digital footprint.
* Consider pen testing, breach simulation, etc. to provide regular assessments.
* Test your response.
While most people – including Furtado, later in his presentation – recommend bringing business and IT together, he advised keeping conversations about responses to a security incident separate.
“As soon as you start talking tech you’ve lost the board, and once you start talking about cyber insurance and marketing you’ve lost your tech team.
“It’s the same scenario but two different people.”
Identity Threat Detection And Response
“Identity is the new perimeter,” said Furtado. “[It] is the crux of your network, the core of your network, and you need to have very strong identity discipline in your environments.”
Weak identity discipline leads directly to things like credential compromise, which is still one of the main reasons companies are breached.
* Prioritize the security of identity infrastructure with tools to monitor, protect, detect and remediate.
* Use the MITRE ATT&CK framework (or similar) to correlate ITDR techniques with common attack scenarios.
* Invest in foundational IAM security best practices like least privilege.
* Modernize IAM infrastructure using current and emerging standards.
“We’re seeing more and more organizations struggling simply from the fact that they don’t do a good job with fundamentals. They don’t do necessarily a good job of adapting their current models to be leveraged across their entire environment.”
Digital Supply Chain Risks
Businesses have become increasingly dependent on their digital supply chain, to the extent that if a critical vendor like Salesforce, Microsoft or Amazon were to crash, some firms would have no recourse.
“Does your organization really understand the risks associated with your vendors?” Furtado asked.
More to the point, do your teams understand the risks they expose your business to by bringing new tools into the organization?
* Develop a joint governance model with business stakeholders, who need to understand the risk of making some decisions.
* Classify major digital supply chain partners by their importance to the business.
* Require regulated or high-risk partners to provide evidence of security best practices. Anyone can say they’re ISO 27001 certified or have a SOC 2, but sometimes those are exaggerations at best. Look at their security reports.
* Build detection and resilience capabilities for mission-critical supply chain partners, e.g. Salesforce.
“If a vendor tells you they’ll inform you of any security risk in your environment, you say ‘No – tell me of any risk in your environment.’”