Security Challenges for 2023
Welcome to taking your first steps into The Cyber Forest. This first publication is about how we can navigate the cyber threat landscape going into the new year. As we approach the end of the year, this is the time when many teams look back and reflect on lessons learned from cyber-attacks and internal initiatives, and decide how to strategize and prioritize for 2023. As we enter the new year, security teams will face problems like those our industry faced in 2022, although there are outstanding challenges for which many organizations have yet to account. For myself, these are the top three security issues I foresee many organizations having to face in 2023.
Container Runtime Defense
Ah, Kubernetes, the technology that is going to change the world. Don't get me wrong, I think Docker and Kubernetes are of great benefit to many organizations when architected and implemented correctly. The issue is that security has not caught up with the curve in successfully identifying active threats within containers at runtime. While we are focusing on shifting left and doing our best to prevent attacks early, we are leaving the running containers neglected. Comparing the security posture of Linux containers to Windows containers will make some security professionals burst out in outrage or curl up in a fetal position.
The shift to containerd crippled many security teams' detection and monitoring strategies, because we still lack a solid solution that provides feature parity and enables efficient security operations. This is due in no small part to the differences between the Linux and Windows kernels and to how much low-level access each operating system supports. Especially now, with Windows 2022 images being released, security becomes even more challenging: we are asked to solve new problems on top of problems that were never solved in the first place. Linux, on the other hand, is not as bad, but still has its niche problems. Visibility aside, containers pose unique challenges for container detections and prompt response plans. Many security organizations struggle with how to actively detect runtime threats, but as we know, it is not entirely impossible.
By using open-source frameworks like Sigma, security teams can build many custom runtime detections. These can be expanded to identify the specific techniques adversaries leverage when exploiting a container. When it comes to container security and runtime defense, we are still only scratching the surface.
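To make the Sigma point concrete, here is an added example (not code from the article, and not the Sigma project's own tooling) that takes a rule written in Sigma's shape and evaluates it over a handful of constructed container process events. The event field names (container_id, image, process, parent_process, user) are assumed; a real sensor such as auditd, Falco or an eBPF tracer would need a Sigma field mapping onto its own schema, which is exactly the kind of parity gap the section describes.

```python
"""Sigma-style runtime detection run over constructed container process events.

Added example, not code from the article. The event schema (container_id, image,
process, parent_process, user) is assumed; a real sensor would need a Sigma
field mapping onto its own field names.
"""

# Constructed rule in Sigma's shape: an interactive shell spawned inside a
# container, minus a filter for an image that is expected to host shells.
RULE = {
    "title": "Interactive shell spawned in container",
    "logsource": {"category": "process_creation", "product": "linux"},
    "detection": {
        "selection": {"process|endswith": ["/sh", "/bash", "/dash"]},
        "filter": {"image|startswith": "debug-tools"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Constructed sample events, already scoped to containers by the sensor.
EVENTS = [
    {"ts": "2022-12-15T10:02:11", "container_id": "3f9a1c", "image": "api-gateway:1.4",
     "process": "/bin/sh", "parent_process": "/usr/bin/python3", "user": "app"},
    {"ts": "2022-12-15T10:05:40", "container_id": "7b20ee", "image": "debug-tools:latest",
     "process": "/bin/bash", "parent_process": "/usr/bin/kubectl", "user": "root"},
    {"ts": "2022-12-15T10:07:03", "container_id": "3f9a1c", "image": "api-gateway:1.4",
     "process": "/usr/bin/python3", "parent_process": "/sbin/tini", "user": "app"},
]


def _field_matches(event, key, expected):
    """Apply one Sigma field/modifier pair; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value)
    for cand in expected if isinstance(expected, list) else [expected]:
        cand = str(cand)
        if modifier == "" and value == cand:
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
    return False


def selection_matches(event, selection):
    """All fields inside one selection block must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def eval_condition(condition, truth):
    """Evaluate a Sigma condition over named selections; precedence not > and > or."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = parse_and() or result   # right side parsed first, so never skipped
        return result

    def parse_and():
        nonlocal pos
        result = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = parse_not() and result
        return result

    def parse_not():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            inner = parse_or()
            pos += 1  # consume ')'
            return inner
        return truth[tok]

    return parse_or()


def rule_matches(rule, event):
    """True when the rule's condition holds for this event."""
    det = rule["detection"]
    truth = {name: selection_matches(event, sel)
             for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], truth)


def run_detection(rule, events):
    """Return the events that trigger the rule, tagged with its title and level."""
    return [dict(event, rule=rule["title"], level=rule["level"])
            for event in events if rule_matches(rule, event)]


if __name__ == "__main__":
    for hit in run_detection(RULE, EVENTS):
        print(f"[{hit['level']}] {hit['rule']}: {hit['process']} in "
              f"{hit['image']} ({hit['container_id']})")
```

Only the shell in the api-gateway container fires; the shell in the debug-tools image is excluded by the filter block, which is the usual way to keep a runtime rule from drowning analysts in expected administrative activity.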
Insider Threat
Insider threats are still, in my opinion, among the top 5 organizational risk factors when talking about data breaches or exposure of confidential or sensitive information. With everything else going across the wire, how can we actively monitor for and prevent insider threats?
Like any successful function in the business, it starts with people, process, and technology. First and foremost, it starts with the process. Enabling cross-organizational collaboration between Legal, HR, and Security teams is critical to a successful insider threat program. Establishing these relationships gives all teams transparency, thoughtful feedback, and prompt action when defending against insider threats. From a technology standpoint, there are low-level alerts security teams can implement to track activity, and that logic can then be expanded into watchlists for prioritized individuals who are entering or exiting the organization. Finally, for people, it is about having the right hires, or training existing staff, so that you have specialists who hone in on insider threats. Ultimately, what will truly elevate an insider threat program is user and entity behavior analytics (UEBA).
At its core, UEBA monitors the behavior of employees using machine learning against a defined threshold of what is "normal". Today we see many compromised passwords on the dark web exposing organizations, which makes them susceptible to account takeovers that can lead to a data breach. It is much harder, though, for a hacker to mimic a user's day-to-day behaviors and patterns. This is why UEBA is important: it digs deeper to uncover anomalies in logins based on time and location, in which files are accessed, and in which devices are used, along with many more use cases. All of these can feed successful detections of insider threats. Leveraging this technology is critical to enhancing and maturing insider threat programs and to mitigating additional threats before it is too late.
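The "normal" threshold idea above is easier to see in code. The following is an added example, not the article's and not any vendor's UEBA engine: it builds a per-user profile of login hours, countries and devices from a constructed history window, then scores new logins by how many profile dimensions they violate. The event fields, the +/-1 hour tolerance and the alert threshold of two deviations are assumptions chosen for the example.

```python
"""Toy UEBA-style login baseline and anomaly scoring over constructed events.

Added example, not code from the article. Real UEBA products use learned models
rather than the fixed tolerances assumed here.
"""
from collections import Counter, defaultdict
from datetime import datetime

ALERT_THRESHOLD = 2   # one oddity (say, a new laptop) is routine; two or more deserve a look


def _make_history():
    """Constructed history: 20 working days of routine logins for two users."""
    events = []
    for day in range(1, 21):
        for hh, mm in ((8, 30), (12, 5), (17, 10)):
            events.append({"user": "alice", "ts": f"2022-11-{day:02d}T{hh:02d}:{mm:02d}:00",
                           "country": "US", "device": "laptop-01", "outcome": "success"})
        events.append({"user": "bob", "ts": f"2022-11-{day:02d}T09:15:00",
                       "country": "DE", "device": "laptop-07", "outcome": "success"})
    return events


HISTORY = _make_history()


def build_baseline(events):
    """Per-user profile (hours seen, countries, devices) from successful logins only."""
    profiles = defaultdict(lambda: {"hours": Counter(), "countries": set(), "devices": set()})
    for ev in events:
        if ev["outcome"] != "success":
            continue
        prof = profiles[ev["user"]]
        prof["hours"][datetime.fromisoformat(ev["ts"]).hour] += 1
        prof["countries"].add(ev["country"])
        prof["devices"].add(ev["device"])
    return dict(profiles)


def _hour_is_usual(prof, hour):
    """Assumed tolerance: an hour counts as usual if it or a neighbour was seen."""
    return any(prof["hours"][(hour + d) % 24] for d in (-1, 0, 1))


def score_login(baseline, event):
    """Return (score, reasons); a higher score is further from the user's norm."""
    prof = baseline.get(event["user"])
    if prof is None:
        return 3, ["no baseline for this user"]
    reasons = []
    hour = datetime.fromisoformat(event["ts"]).hour
    if not _hour_is_usual(prof, hour):
        reasons.append(f"login hour {hour:02d} outside usual pattern")
    if event["country"] not in prof["countries"]:
        reasons.append(f"new country {event['country']}")
    if event["device"] not in prof["devices"]:
        reasons.append(f"new device {event['device']}")
    return len(reasons), reasons


def triage(baseline, events):
    """Logins at or above the threshold, as alerts an analyst would review."""
    alerts = []
    for ev in events:
        score, reasons = score_login(baseline, ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed candidate logins: a routine one, one that looks like an account
# takeover, and a new laptop for bob that should not page anyone on its own.
CANDIDATES = [
    {"user": "alice", "ts": "2022-12-01T12:40:00", "country": "US",
     "device": "laptop-01", "outcome": "success"},
    {"user": "alice", "ts": "2022-12-02T03:12:00", "country": "RU",
     "device": "unknown-android", "outcome": "success"},
    {"user": "bob", "ts": "2022-12-02T09:30:00", "country": "DE",
     "device": "laptop-09", "outcome": "success"},
]

if __name__ == "__main__":
    for alert in triage(build_baseline(HISTORY), CANDIDATES):
        print(alert)
```

Only alice's 03:12 login from a new country and a new device crosses the threshold; bob's new laptop scores one and stays in the noise, which is the point of scoring across several dimensions rather than alerting on any single change.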
Data Classification
Most organizations don't know where their sensitive data resides. This poses a huge risk to the business for many reasons, several of which surface as essential questions security teams must face when dealing with a critical security incident: what data was lost, what type of data was exfiltrated, and what files were accessed.
All three of those questions stem from a data breach, an insider threat, or simply the need to monitor sensitive information within the organization. Yes, there are data loss prevention (DLP) solutions, but for many security teams that isn't enough. Understanding where the company's "crown jewels" are ensures security teams can answer those questions promptly and efficiently, especially when they are up against the clock. Data classification assists not only security teams but also compliance. Having this information enables compliance teams to provide accurate risk assessments for the business and to complete many compliance framework requirements. It also gives an understanding of how much of that data is considered sensitive or confidential, which protects the reputation of the organization. In all, a successful data classification initiative will enable transparency, promote awareness, and harmonize operations across security and compliance teams.
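As an added illustration of what a first data classification pass looks like (this is not the article's code and not any DLP product), the block below scans a constructed in-memory corpus for a few common sensitive-data patterns, validates card-number candidates with the Luhn formula so that test fixtures are not mislabelled, and gives every file the highest label it earns. The label names, patterns and sample documents are assumptions for the example; a real programme would add the organization's own classifiers and run over file shares and object stores.

```python
"""Constructed data classification scan: find and label sensitive data by pattern.

Added example, not the article's code. Labels, patterns and the corpus are assumed.
"""
import re

# Labels ordered from least to most sensitive; a file takes the highest it earns.
LABELS = ["Public", "Internal", "Confidential", "Restricted"]

PATTERNS = {
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "Internal"),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Confidential"),
    "marker": (re.compile(r"\bCONFIDENTIAL\b"), "Confidential"),
    "pan": (re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), "Restricted"),
}

# Constructed corpus standing in for a file share or object store listing.
CORPUS = {
    "docs/handbook.md": "Welcome to the team! Office hours are 9-5 and the kitchen is on floor 2.",
    "hr/payroll_2022.csv": "name,ssn,salary\nJane Doe,123-45-6789,85000\n",
    "finance/refunds.txt": "Refund issued to card 4111 1111 1111 1111 for order 8812.",
    "finance/test_data.txt": "Test card 4111 1111 1111 1112 fails Luhn and is safe to use in fixtures.",
    "sales/leads.txt": "Contact alice@example.com about the renewal next quarter.",
    "legal/merger_memo.txt": "CONFIDENTIAL - project Juniper term sheet, do not distribute.",
}


def luhn_valid(digits):
    """Luhn check-digit validation, used to drop card-like numbers that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return {pattern_name: hit_count} for the patterns present in text."""
    findings = {}
    for name, (regex, _label) in PATTERNS.items():
        hits = []
        for m in regex.finditer(text):
            if name == "pan":
                digits = re.sub(r"\D", "", m.group())
                if not (13 <= len(digits) <= 16 and luhn_valid(digits)):
                    continue   # looks like a card number but is not one
            hits.append(m.group())
        if hits:
            findings[name] = len(hits)
    return findings


def classify(text):
    """Highest label earned by any finding; Public when nothing matched."""
    findings = find_sensitive(text)
    label = "Public"
    for name in findings:
        candidate = PATTERNS[name][1]
        if LABELS.index(candidate) > LABELS.index(label):
            label = candidate
    return label, findings


def inventory(corpus):
    """Map every path to its label and findings: the 'where are the crown jewels' answer."""
    return {path: classify(text) for path, text in corpus.items()}


if __name__ == "__main__":
    for path, (label, findings) in sorted(inventory(CORPUS).items()):
        print(f"{label:<13} {path}  {findings or ''}")
```

The inventory it produces is the artifact the incident questions above need: when a share or bucket is involved in an incident, the responder can read off which files carried Restricted or Confidential data instead of discovering it after the fact.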
Conclusion
The cyber threat landscape is always changing. By the time we wrap up Q1 these priorities may change, but after looking back at this year, this is what I believe is trending to elevate the security posture of many organizations. While these three topics may not align with your organizational priorities, I hope you all found this insightful and can think about it when framing your strategy for 2023.
VP Strategic/Partner Sales at Precisely
1y · Great article Kyle, very insightful!
Connecting people is my superpower
1y · Really cool initiative … also love the name.