More than six months since Log4j made the headlines, the threat of zero-day exploits, or previously unknown vulnerabilities, looms large over the heads of business leaders and cybersecurity teams. For financial services organizations, the stakes are even higher: they deal directly with people’s livelihoods and are among the most targeted industries, and breaches can have far-reaching financial, reputational, and regulatory implications.

Unfortunately, zero-days are inevitable. The increasing complexity of software code, as well as the intrinsic nature of how software is developed, means that vulnerabilities are bound to occur, some surfacing long after an application is deployed. We are a lot further along the path to identifying and managing them, but the risk is never truly gone.

That doesn’t mean that nothing can be done or that hope is lost. While malware is continuously morphing, there are practices every organization can start doing today, with the resources it already has available, to make it through the next zero-day threat unscathed.

There’s No Silver Bullet

When it comes to zero-days, there is no “silver bullet” technology, such as installing a firewall, that will address the issue in one swoop and prevent all future attacks. Instead, businesses should be taking an approach more akin to building and training a muscle. This involves more than just technology: people and processes should be accounted for as well.

Take Log4j, for example: when the vulnerability was discovered, CISOs and security teams around the world worked tirelessly over the course of several days to ensure their systems were patched and adequately protected. While necessary, this all-hands-on-deck response is not sustainable or scalable, for several reasons.

For one, not everyone has the resources to quickly address vulnerabilities. Smaller banks and credit unions often face the same threats as larger financial institutions, but where the large institutions have sizeable security teams, a smaller one may have only one or two people on its security team.

Patching often comes up as another “quick fix” approach, but that too requires balance. Patching too quickly comes with its own operational risks, including sometimes unforeseen defects within the patches themselves that may lead to more problems down the line.

Finally, trying to manually patch every vulnerability like this regularly is a recipe for burnout for stretched-thin teams. In an already strained and competitive cybersecurity hiring landscape, people should be priority number one.

Working the Muscle

So, how can organizations “work out” the muscle of their cybersecurity practice to prepare for the next zero-day? These are just a few steps organizations can start planning and implementing today, tailoring them for their specific needs and stakeholders.

1. Practice Cyber Hygiene: I’m sure you’ve heard this phrase before, but it’s for a good reason: hygiene and operational rigor are key for priming organizational response mechanisms to act quickly and efficiently. For example, something as seemingly simple as keeping regular inventories, with assigned owners, and making that information available in a readily accessible, automated manner can make a world of difference. It’s not the flashiest or most exciting activity, but it can be one of the most important.

2. Introduce Appropriate Baselining: Baselining, through proper instrumentation and detection, alerts your teams to a variety of different activities. At a very simple level, this starts with identifying what is considered “normal” within your environment. Then, leveraging the tools appropriate for your organization’s size and needs (such as machine learning), you can better analyze your environment and identify potentially anomalous behavior. For example, this may look like two servers that don’t typically communicate suddenly communicating with each other, or a user interfacing with a system in an irregular way. However it manifests within your organization, baselining takes time to implement, but the end result is well worth it.
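The baseline-then-compare idea above, reduced to its simplest working form as an added example (this is illustration code, not from the FS-ISAC post): a set of "normal" server-to-server and user-to-system pairs is learned from a constructed window of flow and login records, and later records are flagged when their pair was never observed during that window. Host and user names are constructed sample values.

```python
# Added example: learn a communication baseline, then flag unseen pairs.
# Records are constructed samples of the form (kind, actor, target), where
# kind is "flow" (source host -> destination host) or "login" (user -> host).
from collections import defaultdict

# Constructed baseline window: what "normal" looked like over the learning period.
BASELINE_LOGS = [
    ("flow", "web-01", "db-01"),
    ("flow", "web-02", "db-01"),
    ("flow", "app-01", "db-01"),
    ("flow", "web-01", "app-01"),
    ("login", "alice", "web-01"),
    ("login", "bob", "app-01"),
]

# Constructed records from a later window to compare against the baseline.
NEW_LOGS = [
    ("flow", "web-01", "db-01"),   # seen during baseline: normal
    ("flow", "db-01", "web-02"),   # database host initiating to a web host: never seen
    ("login", "alice", "db-01"),   # alice has never logged into the database host
]


def build_baseline(records):
    """Return {kind: {actor: set(targets)}} observed in the baseline window."""
    baseline = defaultdict(lambda: defaultdict(set))
    for kind, actor, target in records:
        baseline[kind][actor].add(target)
    return baseline


def find_anomalies(baseline, records):
    """Return the records whose (kind, actor, target) pair is absent from the baseline.

    Direction matters: web-01 -> db-01 being normal says nothing about db-01 -> web-02.
    """
    return [
        (kind, actor, target)
        for kind, actor, target in records
        if target not in baseline[kind].get(actor, set())
    ]


if __name__ == "__main__":
    for record in find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print("review:", record)
```

In practice the baseline window should be long enough to cover periodic jobs (backups, month-end batches), and new pairs are leads for review rather than verdicts.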

3. Set Up Blocks to Contain the Blast Radius: When an attacker does successfully breach one of your systems, one of the best things you can have in place is a series of blocking mechanisms to stop them from gaining an inch. Having central control points, internal or external, to rapidly enforce controls is critical. An example of this is microsegmentation, which allows you to stop lateral movement at an incredibly granular level, so the effects of a potential attack are significantly mitigated.

4. Don’t Rely on Non-Scalable “Heroics”: As previously mentioned, relying on security and operational teams to quickly spin up their efforts for every zero-day vulnerability is not only unsustainable and likely to burn your team out; it is simply not scalable. Implement tooling and capabilities over an extended period of time so you don’t have to be caught in the whirlwind of the next zero-day.

On a practical level, these steps will look different based on the size and scale of your organization. Some of these processes may need to be internally managed rather than automated or managed by a third party. Some organizations have a complex external footprint while others are simpler.

But, for all these steps and for all organizations, two components are key: time and process. Like going to the gym, you likely won’t see results in a day. But, with in-depth instrumentation set to a consistent process over the long-term, the resulting security posture will leave your organization more ready than ever to face the next zero-day.

The Insight

Zero-day vulnerabilities are, unfortunately, inevitable. Instead of expecting cybersecurity teams to leap to the rescue if one impacts your systems, an incremental approach that includes robust cyber hygiene, baselining what “normal” looks like, and setting up a series of blocks to contain the damage can help your team be prepared and build the muscle to respond the next time one occurs.

© 2022 FS-ISAC, Inc. All rights reserved.
