Assuming a Breach Mentality
Due to the constantly evolving threat landscape, our approach to cybersecurity breaches, like ransomware, must develop alongside it. IT professionals often tell their clients and line managers to think that “it’s not if we suffer an attack, it’s when”.
However, security prevention measures and technologies implemented by adopting this mindset are not enough to guarantee safety from an attack. Therefore, I am suggesting a new mindset; already assume your business has been breached.
Assuming a breach mentality brings its own challenges, but it will reshape how we think about detection and response strategies and push business infrastructure to the very limit of the people, process and technology methodology. We call this new mindset the “assume breach” approach.
Using only technologies like anti-virus (intrusion detection systems), it is difficult to fully capture or mitigate the depth and breadth of today’s breaches.
While network edge controls might keep some perpetrators out, more resourceful and skilled cybercriminals will often find a way to get in. The result is that businesses are unprepared when faced with the harsh reality of the size and scale of an attack or breach.
Whilst some experts point out that assuming a breach mindset can have its flaws as a primary strategy, I would point out that “assume breach” is a mindset, not a framework.
The zero-trust model is a framework that is very much the way forward and has “assume breach” as one of its guiding principles. Interestingly, the US government has enforced that all Federal agencies have until 2024 to adopt a zero-trust strategy.
The Assume Breach mentality should help guide decision-makers when discussing investments in security technologies, operational best practices, and secure architecture designs. It aims to limit the trust placed in networks, applications, services, and devices (both IT and OT) and treats them as though they are insecure and compromised.
“Assume breach” changes the security focus by highlighting gaps in
- Detection of attack and penetration
- Response to attack and penetration
- Recovery from data leakage or integrity of compromised data
- Prevention of future attacks and penetration
It seeks to verify that protection, detection and response playbooks are properly implemented, with the aim of reducing potential threats from would-be knowledgeable attackers.
How to Implement an “Assume Breach” Mentality
People
Employees are both our biggest asset and our weakest link. Unfortunately, research shows that up to 90% of data breaches happen due to human error. For example, an employee unknowingly clicks on a phishing link.
Operating with the “assume breach” mindset reduces the chances of data breaches occurring by driving continuous education, awareness and caution. Under the “assume breach” paradigm, everyone learns to treat applications, services, identities and networks as though they are already compromised, limiting trust in them.
Instilling this approach requires using a good cyber security awareness training platform to educate all personnel on how to spot the signs of a cyberattack attempt, like phishing. Operate a ‘think before you click’ approach when sending and receiving emails, especially those with attachments or links. Keeping a log of user activity is highly recommended; what data was accessed, by whom and from where. This is even more applicable where data is of a sensitive nature.
Processes
Education arms employees with the tools to recognise the signs of a breach, and how best to avoid one. Education enforces new processes and formalises the application of these lessons. These might include an information security policy, an acceptable usage policy, and a bring-your-own-device (BYOD) policy. These form the “rules” that businesses must implement to help employees carry out their roles and responsibilities in protecting against and identifying breaches.
Restricting access to sensitive data reduces the potential for data compromise. Operating a policy of “least privilege first” is one method of enforcing this. Users only get access based on their specified privilege limits or by means of a signed approval process before being granted access. This multi-layered threat restriction approach makes the “assume breach” mentality very effective in trying to prevent supply chain attacks.
Creating an Incident Response Plan (IRP) is another vital component of the “assume breach” mindset. An IRP is a step-by-step approach to follow in the event of a breach. It includes who to contact, how to handle communications and how to identify lessons learned to prevent future attacks.
Technology
Implementation of technology solutions should focus its support efforts on two areas:
- Keeping threats out of the system: When it comes to keeping threats out, the best approach to be applied to security systems is to implement layered security or defence in depth. It entails assuming one layer will fail and setting up another protective layer to stop the breach from penetrating your systems.
- Remediating threats within the system: When a threat breaks through all defences, it must be isolated, confined and remediated ASAP. This is the stage that an IRP will prove its value and, together with a Zero Trust framework, will help keep the breach or attack isolated. You should review your IRP at least annually to keep it up to date and still effective.
This blog post was contributed by Jason Scanlon, Virtual Chief Technology Officer, Numata Business IT.