Vaughan Shanks, Cydarm: “to achieve a strong cybersecurity posture, it’s important to get the basics right”
More users are beginning to familiarize themselves with cybersecurity, especially as threat actors tend to lurk inside a system for days or even weeks before taking action.
A successfully executed attack might have devastating consequences, but discovering a threat that’s been in your system for a while is just as – if not more – alarming. But what can an organization do to avoid such threats?
Vaughan Shanks, the CEO and Co-Founder of Cydarm, a company that helps with case management for cybersecurity operations, told Cybernews more about the best approaches for dealing with and preventing future cyberattacks.
How has Cydarm evolved since its launch in 2017?
When the company was founded, we assumed it would always be a traditional on-premise enterprise application due to data sensitivity, but soon our customers told us we were wrong! Many modern organizations now have a cloud-first strategy and are willing to store their data on a SaaS platform as long as they are confident about the security. So we built a SaaS offering inside a secure enclave, giving new customers a convenient choice when their policy allows.
Can you tell us a bit about your platform?
The Cydarm platform achieves cyber resilience by enabling cybersecurity operations teams to perform better and faster. What sets us apart from other solutions in this field is that we believe that collaboration and preservation of human agency are critical success factors for cybersecurity operations. Due to these critical success factors, the platform is based around the idea of case management as a core capability.
We implement best practices in incident response based on sources such as NIST, and have embraced open standards wherever possible, such as STIX, to ensure our platform is interoperable in best-of-breed Security Operations Centers (SOCs). The user-friendly platform allows cybersecurity analysts to collaborate across different levels of experience and trust by providing integrated playbooks and a powerful and fine-grained access control system.
What does incident response entail? Can everything go “back to normal” after an attack?
Incident response, as defined by NIST best practice, is a cycle, phases of which typically include Preparation, Detection, Analysis, Containment, Eradication, Recovery, and Lessons Learned. Cybersecurity experts agree that the speed of the response is critical, especially during Detection, Analysis, and Containment. However, an effective Lessons Learned phase is often not achieved due to resource constraints.
In a cyber resilient organization, the Lessons Learned phase feeds back into Preparation, so rather than things going “back to normal” after an attack, they evolve to an improved state. This process of constant improvement is similar to the concepts of antifragility and hormesis. Our platform assists cybersecurity operations teams in preparing feedback from Lessons Learned to inform Preparation.
Do you think the current global events will influence the way cyberattacks are carried out?
Without a doubt, current world events are causing short-term disruptions to the operation of ransomware gangs. The increased threat of kinetic warfare has caught many nations by surprise, and there is no doubt about an increased appetite to gather information about the capabilities and intentions of potential adversaries, and to prepare the battlespace in case conflict should spread. To avoid retaliation, rational actors will avoid open confrontation as long as possible, so we can expect “gray zone” activities, such as cyber espionage, to increase.
What security measures should every user implement to combat these emerging threats?
Organizations and individuals need to accept the reality, which is that everyone is potentially a target. Even if you are not interested in information warfare and cybercrime, information warfare and cybercrime are interested in you. To achieve a strong cybersecurity posture, it’s important to get the basics right. Strong and constant authentication, including multi-factor authentication, is essential. Application of the principle of least privilege should be the norm. Systems need to be cataloged in an asset register, then kept up to date with patches and constantly monitored – every IT asset is also a security liability that needs to be accounted for. Presenting a small attack surface is also important, including minimizing points of ingress but also egress, as we learned in the recent Log4Shell incident.
What are the most common vulnerabilities that, if overlooked, can lead to severe problems for a business?
Email is a very common attack vector that relies on human vulnerability by fooling people into visiting malicious websites or opening malicious attachments in the absence of controls to prevent the execution of untrusted code. Unpatched and Internet-facing systems are a common vulnerability, including web sites, firewalls, and connectivity solutions such as remote desktop services and file transfer platforms.
In your opinion, what do cybercriminals typically look for when choosing their next target?
If we consider ransomware operators, there will be qualification criteria. For best return on effort, they will be looking for victims who are willing and able to pay a ransom. They will also be looking for targets with weak perimeter defenses, such as vulnerable Internet-facing applications that allow remote access and subsequent lateral movement. Unpatched systems are much easier to compromise because there are known vulnerabilities with automated attack tools to exploit them.
Setting up a security system might seem like a lengthy and complicated process. What are the first steps a company should take?
The first step in setting up a security system is to determine what valuable assets a company has, the value of the assets to the company and to a potential attacker, who has access to them, where they are located, and what protection they have. Based on this information, a threat model can be developed, and a risk assessment conducted. The work of building a security system is never entirely complete, but a risk assessment can help prioritize the most impactful security controls and processes.
Would you like to share what’s next for Cydarm?
The team is currently working on a new feature to implement hybrid orchestration and easier sharing of incident response tradecraft between organizations. We are also constantly building new integrations to make cybersecurity operations faster and more interoperable. And we are hiring!