Prevention is Not the (Only) Cure
Risk management is the strongest cybersecurity tactic, outweighing the roles of prevention and detection.
Our clients often indicate they’re looking for a solution that detects and blocks threats, while preventing infection.
This may seem perfectly natural upon first glance. After all, what’s the point of detecting malware once your network is infected? An ounce of prevention is worth a pound of cure, as they say.
However, this approach overlooks the role of risk management in cybersecurity.
The Unrealistic Risk Management Task: Attack Prevention
Preventing attacks is impractical and a massive drag on resources.
There is always some sort of trade-off between security and usability. Want to detect and prevent a passenger boarding a plane with a shoe-bomb? Request that all passengers takes their shoes off before passing through the security checkpoint.
When it comes to cybersecurity preventative measures, the trade-offs are usually pretty painful. These measures typically delay a user from completing an objective.
Attack Prevention: A Case Example
For instance: a user must wait an inordinately long time to load a web page so that the anti-malware tool can scan the site. Chances are, the user will abandon their effort and visit another site that loads faster. Alternatively, imagine a salesperson in the midst of making a pitch to a prospective client. A critical email for the event is trapped in a testing sandbox for analysis, causing that salesperson to lose a sale.
Preventive measures tend to focus on high-confidence indications that something is malicious. (We explore reduced sensitivity to these indications in my previous post). These measures let stuff through by design.
Managing High-Impact Risk
It might not make sense to try to prevent all risk. Looking at risk matrixes, we can see that a very rare risk carries unacceptable residual risk if the impact is high enough.
There is usually a large number of these high-impact/low-probability scenarios. The law of diminishing returns makes it difficult to justify layers upon layers of security without breaking the bank.
Let’s say you’re worried about the availability of machines in your data center. You should probably not be trying to prevent disruptions caused by floods… and fires… and earthquakes… and armed conflicts… and meteor impacts… and so on.
If prevention is not the solution, what then? There are other risk mitigation strategies that can be used.
Step 1: Accept the Risk
First, organizations must accept the existence of risk.
However, many organizations look at the cost of prevention and balk. If deemed too expensive, the organization may choose to proceed without protection, and live with the consequences if breached.
Accepting risk is not a tactic unto itself. For organizations that value risk management, acceptance of risk is the first step in a more in-depth process.
Step 2: Transfer the Risk
Second, organizations can transfer their risk.
Operational insurance ensures the cost of a breach is covered (in part or in full). For a monthly payment, a mere fraction of what it would cost if a breach occurred, insurance companies will provide peace of mind that your operation will survive if risk occurs.
Before investing in cyber insurance, there are a number of things to consider:
Check your coverage: Each cyber insurance policy is unique. The risks and costs the policy covers might differ greatly from the anticipated risks and costs. Review prospective policies very closely before signing on the dotted line.
A ransomware policy may cover the cost to hire a firm to restore systems after an attack but may not cover the lost revenue from missed deliveries. Data breach coverage might cover the cost of stamps to send notifications to clients, but not the damage to your reputation.
Reduce your risk: Insurance companies do not like risk. If your organization’s risks are deemed too significant, your organization might not be eligible for insurance. In some instances, the cost of insurance would be too prohibitive. The best practice is to reduce risk within your organization.
Cyber Insurance Does Not Replace Cybersecurity
In that light, cyber insurance is not a replacement for cybersecurity. Only cybersecurity reduces organizational risk.
Don’t rely on insurance money: Cyber attacks are often correlated. A new vulnerability may generate a wave of attacks, and can be problematic if layered defenses aren’t in place. There are a number of instances where insurance companies declined to pay due to risk management practices. Organizations may sue their insurer to get a payout, but if the cost of a lawsuit on top of the cyber damage might be the organization’s downfall.
Insurance payouts may assist in recovery but will not guarantee survival.
Even with a cyber insurance policy in place, an organization must have some tolerance for risk. That requires the adoption of a risk mitigation approach.
Step 3: Mitigate the Impact
Risk has two components:
Risk = Probability x Impact
Instead of focusing on attack prevention, what if we reduced the impact of cyber attacks instead?
A wide range of countermeasures become available to us. They come in two broad categories: Spatial and Temporal.
Spatial measures limit what attackers may access if a breach is successful. Spatial measures typically force the attackers to launch additional attacks to achieve their goal. These attacks can be prevented or detected using countermeasures, including a “least privileged adoption” or increasing network segmentation.
Temporal measures limit the attackers’ access to the compromised system to a finite amount of time. This restrictive access forces attackers to attempt to compromise a system multiple times to achieve their goals. Typical examples of countermeasures in this category include implementing mandatory password reset lifetimes and security monitoring.
Temporal impact mitigation is near and dear to our hearts at CYDEF; our SMART-Monitor service falls into this category. With this tactic, attackers may only access an organization’s network for a few minutes or hours. Spatial measures, on the other hand, allow attackers to reside in a network for days or months. The damage that can be done over a longer time frame is profound. An attacker, left undetected for long enough, can compromise a laptop, infect the host domain and launch a full-fledged “human-operated ransomware” attack or an industrial espionage attack.
Risk Management Support: How SMART-Monitor Can Help
Focusing exclusively on prevention is an all-or-nothing strategy. The attacker is either blocked, or they access the network and take as much time as they want to do their work. Transferring the risk only promises some financial respite from the storm caused by an attack. Impact mitigation is key to surviving a cyber attack.
Services like SMART-Monitor can be a game changer in risk mitigation and management. By reducing the dwell time and putting more obstacles in front of an attacker, SMART-Monitor detects attackers as they jump through hoops to infect a domain.