Sizing up your cybersecurity strategies
10 Jan
As cyber threats increase, regional enterprises must overhaul their cybersecurity strategies and remediation procedures or face the consequences, warns Hadi Jaafarawi, Managing Director for the Middle East at Qualys.
The region has its collective eye on a sustainable future — a laudable goal to which everyone should aspire. But not all do. According to the 2023 edition of IBM’s Cost of a Data Breach report, the Middle East average cost of a data breach stands at US$7.97 million. The top three targets were the financial sector, at an average cost of US$9.4 million, the energy industry, at US$9 million, and healthcare, at US$8.7 million. These are crippling figures with the potential to weigh down organisations that are trying to create value for the economy.
To counter the onslaught, enterprises have had to rethink their security strategies. For many years now, we have been living with harsh truths like, “it’s a matter of ‘when’, not ‘if’”, “attackers don’t hack in; they log in”, and “it’s impossible to define the perimeter anymore”. The era of zero trust is one not of prevention but of remediation. However, despite this realisation, the Qualys annual Top 20 Security Vulnerabilities study shows a top five that includes legacy issues such as a 2017 remote code execution (RCE) flaw in WordPad and another in Microsoft Windows Common Controls from 2012. These old problems are still causing havoc and contributing to staggering breach costs across the region.
Sometimes, applying a fix is not straightforward. The patch may have a knock-on effect on some core functionality. Another may require unacceptable downtime. Some fixes may call for multiple patches and reconfigurations. Nonetheless, given the proven consequences, we must improve our success rates around remediation.
Take a fresh look at the system images and templates you use to simplify IT management. They may make the deployment of new endpoints or cloud servers easy. They may even be critical to your development pipeline for new container applications. But vulnerabilities in these images accumulate over time, so they must be reviewed and updated where appropriate so that development teams do not blindly replicate those vulnerabilities in their software. Preconfigured golden images and software container libraries must be habitually and regularly combed for potential vulnerabilities to prevent issues from cropping up in a live environment.
Triage in remediation has always been a tricky proposition. Security and IT teams must weigh factors such as the age of the vulnerability, its ease of exploitation, ease of remediation, criticality, and more, to determine what should be patched and when. Each of these considerations has its own complexities. For example, within ease of remediation, we see many of the issues mentioned earlier, such as downtime and performance degradation. Technical teams must come up with ways to rank the issues by a risk-reward trade-off. And why not, in the age of advanced AI, let automation take over?
Automated triage not only reduces the burden on your people but also improves accuracy. Human analysts can concentrate on the most critical systems, and updates are neither delayed nor missed.
Always, always, always keep track of what the security team is doing. This may seem obvious, but there are real-world examples of high-performing security teams that suffered dips in morale because they did not see their vulnerability list shrinking. Upon review, it was discovered that these teams had merely forgotten to update the list. This was an easily fixable problem, but it is worth noting that morale is a powerful factor in any team. Simply by showing accomplishments accurately and transparently, companies can prevent team erosion in a region that suffers from skills gaps. The reasons behind poor recordkeeping are many. A virtualised desktop environment that reboots each time a user begins a session may not have the latest updates deployed. Decommissioned assets may still be counted in the vulnerability tally. The SOC must account for such scenarios to ensure that progress is measured accurately. Progress encourages more progress. Those who are waiting for the victory bell to sound will lose confidence if they hear nothing.
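The two preceding passages describe a ranking problem (age, ease of exploitation, ease of remediation, criticality) and a recordkeeping problem (non-persistent virtual desktops and decommissioned assets distorting the tally). The script below is an added illustration of both, written for this article; it is not Qualys' scoring model or any product's output. The assets, vulnerability identifiers (VULN-A and so on), CVSS values and downtime figures are all constructed, and the weighting formula is an assumption chosen to make the ordering visible.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data: no real hosts, CVEs or scores appear here.
CURRENT_YEAR = 2024  # fixed so the ranking is reproducible


@dataclass
class Asset:
    name: str
    status: str                    # "active" or "decommissioned"
    non_persistent: bool = False   # VDI session reset on every login
    image: str = ""                # golden image the asset was built from


@dataclass
class Finding:
    asset: str
    vuln_id: str           # placeholder identifier, not a real CVE
    disclosed_year: int    # age of the vulnerability
    cvss: float            # criticality, 0-10
    exploit_public: bool   # ease of exploitation
    downtime_hours: float  # ease of remediation: maintenance window needed
    fixed: bool = False


ASSETS: Dict[str, Asset] = {
    "web-01": Asset("web-01", "active"),
    "db-01": Asset("db-01", "active"),
    "old-fileserver": Asset("old-fileserver", "decommissioned"),
    "vdi-101": Asset("vdi-101", "active", non_persistent=True, image="win11-golden-2023Q4"),
    "vdi-102": Asset("vdi-102", "active", non_persistent=True, image="win11-golden-2023Q4"),
}

FINDINGS: List[Finding] = [
    Finding("web-01", "VULN-A", 2017, 9.8, True, 0.0),          # old RCE, public exploit, no downtime
    Finding("db-01", "VULN-B", 2023, 8.1, False, 6.0),          # critical, but the database must reboot
    Finding("old-fileserver", "VULN-A", 2017, 9.8, True, 0.0),  # decommissioned host: must not count
    Finding("vdi-101", "VULN-C", 2012, 7.5, True, 1.0),         # non-persistent VDI: fix belongs to the image
    Finding("vdi-102", "VULN-C", 2012, 7.5, True, 1.0),
    Finding("web-01", "VULN-D", 2024, 5.3, False, 0.5, fixed=True),
]


def risk_score(f: Finding) -> float:
    """Criticality, amplified by a public exploit and by how long the flaw has been known."""
    age = max(0, CURRENT_YEAR - f.disclosed_year)
    age_factor = 1.0 + min(age, 10) * 0.1      # assumption: +10% per year, capped at 2x
    exploit_factor = 2.0 if f.exploit_public else 1.0
    return round(f.cvss * exploit_factor * age_factor, 2)


def priority(f: Finding) -> float:
    """Risk retired per hour of downtime; a 0.5h floor keeps zero-downtime fixes finite but on top."""
    return risk_score(f) / max(f.downtime_hours, 0.5)


def remediation_target(f: Finding, assets: Dict[str, Asset]) -> str:
    """A non-persistent desktop loses its patch at logoff, so the golden image is the real target."""
    a = assets[f.asset]
    return a.image if a.non_persistent and a.image else f.asset


def remediation_queue(findings: List[Finding], assets: Dict[str, Asset]) -> List[dict]:
    """Open findings on live assets, collapsed onto their remediation target and ranked by priority."""
    queue: Dict[tuple, dict] = {}
    for f in findings:
        a = assets.get(f.asset)
        if a is None or a.status == "decommissioned" or f.fixed:
            continue
        target = remediation_target(f, assets)
        key = (target, f.vuln_id)
        if key not in queue:
            queue[key] = {"target": target, "vuln_id": f.vuln_id, "risk": risk_score(f),
                          "downtime_hours": f.downtime_hours,
                          "priority": round(priority(f), 2), "hosts": []}
        queue[key]["hosts"].append(f.asset)
    return sorted(queue.values(), key=lambda r: (-r["priority"], -r["risk"]))


def progress(findings: List[Finding], assets: Dict[str, Asset]) -> Dict[str, int]:
    """Progress metric that excludes decommissioned assets so the list visibly shrinks."""
    live = [f for f in findings if f.asset in assets and assets[f.asset].status == "active"]
    fixed = sum(1 for f in live if f.fixed)
    return {"tracked": len(live), "fixed": fixed, "open": len(live) - fixed,
            "excluded_decommissioned": len(findings) - len(live)}


if __name__ == "__main__":
    for row in remediation_queue(FINDINGS, ASSETS):
        print(f"{row['priority']:>7}  {row['vuln_id']}  {row['target']}  hosts={row['hosts']}")
    print(progress(FINDINGS, ASSETS))
```

Run as written, the 2017 flaw with a public exploit and no downtime ranks first, the 2012 VDI issue is reported once against the golden image rather than twice against sessions that will reset anyway, and the high-CVSS database finding drops down the list because of its six-hour window; the decommissioned file server appears in neither the queue nor the progress denominator. The weights are the part a team would tune to its own environment.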
The review (Part 2)
Now we look at deployed software. This runs parallel to the check for vulnerabilities in images and templates. Some applications are no longer relevant to daily operations and are not used. But they can still be exploited. Uninstalling them is a quick fix to an obvious risk. One company was running multiple out-of-date browser versions on servers that had no use for the software. Removal brought several benefits. Not only were the intrinsic risks of the legacy tools no longer an issue on those machines, but the assets themselves required less maintenance. Another organisation discovered multiple versions of Java installed on a range of endpoints. In that case, the organisation’s overall risk score was cut by half just by removing the unused versions.
Patching can be an involved operation, often more so than an update. Reboots and offline systems are frequently necessary and will impact any business that has an availability pledge associated with its brand. A tug-of-war will ensue between security and other business functions. Leaders on both sides must find ways through the stand-off if the organisation is to engender a security-conscious culture. The CISO must present a risk-based narrative that uses some of the regional cost figures we have seen. Line-of-business executives will likely respond more positively to the patch when they are confronted with the potential operational downtime that results from the average cyber incident. When the fix is presented by the security lead, its downtime is a known quantity and should be discussed openly and contrasted with the potential downtime of a breach, which is unknown.
All patched up
Stick to these basics and watch your risk metrics fall. Patching and remediation need not be chaotic. A measured approach, supplemented by strategic automation and the raising of cyber awareness among non-technical colleagues, can future-proof the business against the worst-case scenario.