October is Cybersecurity Awareness Month, as it has been for the last 14 years. As each year passes, rather than becoming more aware of how to better protect ourselves, we seem to be made aware of more severe security problems. This month alone we have seen a steady stream of information about hacks involving Equifax, Yahoo, and the NSA—and we are not yet even halfway through the month.
Statistics from Cisco’s 2017 Security Report show that it takes a company an average of 200 days to uncover a hack. Once a company knows, it hires a forensic firm and retains counsel. It typically does not disclose what it knows until forced to do so under a myriad of state data breach notification laws, or until news of the hack leaks. This extends the window in which adversaries can keep hacking before the problem becomes public and defensive measures are deployed. Sigh.
There is some good news to report, though. Tens of Fortune 500 companies have recognized that it is critical to have a real-time understanding of the cyber events underway around them. For example, with access to data about active hacks exploiting Apache Struts vulnerabilities, participants have been able to map attacks underway against companies in real time ever since US-CERT released the CVE on Apache Struts in March.
How were we able to see these attacks? Because participating companies from organizations like the Cloud Security Alliance elected to report events to each other in real time, without attribution, through a common technology exchange and correlation platform. These events are typically not “breaches,” but data about suspicious activity identified by security systems and operators. When individual company data streams are correlated against those of other organizations, the findings are astounding and each participant’s knowledge is enriched. Not only can companies understand attacks underway against others, they can also see how data from other sources—including the Department of Homeland Security—corroborates their own. Data on trending malware targeting known CVEs is available and easily exportable to other companies in the exchange. This “tip-off” of emerging problems saves time, assists with resource allocation, and reduces risk to the company.
This leaves the question of when it is acceptable not to know about attacks that are underway. The answer lies with the risk tolerance of CEOs and their boards of directors—not with the company’s security team.
While NIST’s security framework encourages participation in information exchanges, there is no requirement for companies to be cognizant of attacks underway against other companies. That once seemed like a bridge too far. However, we now know such data is available in real time. It comes from CEOs with a commitment to engage and a realization that contributing to a common understanding of attacks underway is critical to managing the growing risks to their companies.
A transformation is underway. The question for other CEOs is: when is not knowing acceptable to you? Ask Equifax’s former CEO.