More than six months since Log4j made the headlines, the threat of zero-day exploits, or previously unknown vulnerabilities, looms large over the heads of business leaders and cybersecurity teams. For financial services organizations, the stakes are even higher because they deal directly with people’s livelihoods and are amongst the most targeted industries– and breaches can have far-reaching financial, reputational, and regulatory implications.
When it comes to zero-days, there is no “silver bullet” technology that will address the issue in one swoop and prevent all future attacks, such as installing a firewall. Instead, businesses should be taking an approach more akin to building and training a muscle. This involves more than just technology – people and processes should be accounted for as well.
Take Log4j, for example: when the vulnerability was discovered, CISOs and security teams around the world worked tirelessly over the course of several days to ensure their systems were patched and adequately protected. While necessary, this all-hands on deck response is not sustainable or scalable for several reasons.
For one, not everyone has the resources to quickly address vulnerabilities. Smaller banks and credit unions often face the same threats as larger financial institutions with much larger security teams, but may only have teams of one or two people on their security teams.
Patching often comes up as another “quick fix” approach, but that too requires balance. Patching too quickly comes with its own operational risks, including sometimes unforeseen vulnerabilities within the patches themselves that may lead to more problems down the line.
Finally, trying to manually patch every vulnerability like this regularly is a recipe for burnout for stretched-thin teams. In an already strained and competitive cybersecurity hiring landscape, people should be priority number one.
So, how can organizations “work out” the muscle of their cybersecurity practice to prepare for the next zero-day? These are just a few steps organizations can start planning and implementing today, tailoring them for their specific needs and stakeholders.
1. Practice Cyber Hygiene: I’m sure you’ve heard this phrase before, but it’s for a good reason – hygiene and operational rigor are key for priming organizational response mechanisms to act quickly and efficiently. For example, something as seemingly simple as keeping regular inventories and making information available in a readily accessible, automated manner with assigned owners can make a world of difference. It’s not the flashiest or most exciting activity, but it can be one of the most important.
2. Introduce Appropriate Baselining: Baselining, through proper instrumentation and detection, alerts your teams on a variety of different activities. At a very simple level, this starts with identifying what is considered “normal” within your environment. Then, leveraging the tools appropriate for your organization’s size and needs (such as machine learning), you can better analyze your environment and identify potentially anomalous behavior. For example, this may look like two servers that don’t typically communicate suddenly communicating with each other, or a user interfacing with a system in an irregular way. However it manifests within your organization, the baselining takes time to implement, but the end result is incredibly worth it.
3. Set Up Blocks to Contain the Blast Radius: When an attacker does successfully breach one of your systems, one of the best things you can have in place is a series of blocking mechanisms to stop them from gaining an inch. Having central control points, internal or external, to rapidly enforce controls is critical. An example of this is microsegmentation, which allows you to stop lateral movement at an incredibly granular level, so the effects of a potential attack are significantly mitigated.
4. Don’t Rely on Non-Scalable “Heroics”: As previously mentioned, relying on security and operational teams to quickly spin-up their efforts for every zero-day vulnerability is not only unsustainable and will burn your team out, but it’s simply not scalable. Implement tooling and capabilities over an extended period of time so you don’t have to be caught in the whirlwind of the next zero-day.
On a practical level, these steps will look different based on the size and scale of your organization. Some of these processes may need to be internally managed rather than automated or managed by a third party. Some organizations have a complex external footprint while others are simpler.
But, for all these steps and for all organizations, two components are key: time and process. Like going to the gym, you likely won’t see results in a day. But, with in-depth instrumentation set to a consistent process over the long-term, the resulting security posture will leave your organization more ready than ever to face the next zero-day.
Zero-day vulnerabilities are, unfortunately, inevitable. Instead of expecting cybersecurity teams to leap to the rescue if one impacts your systems, an incremental approach that includes robust cyber hygiene, baselining what “normal” looks like, and setting up a series of blocks to contain the damage can help your team be prepared and build the muscle to respond the next time one occurs.
© 2022 FS-ISAC, Inc. All rights reserved.
Boaz Gelbord is Senior Vice President and Chief Security Officer of Akamai Technologies. He leads the company’s Information Security organization and is responsible for overseeing cybersecurity, information security compliance, and the protection...Read More
of Akamai’s systems, data, employees, and the world’s leading intelligent edge platform across more than 4,000 locations in 135 countries around the world. Dr. Gelbord joined Akamai in 2021 as an accomplished CISO with 15 years of experience in building and leading information security teams in the U.S. and Europe. Prior to Akamai, he was Chief Information Security Officer at Dun & Bradstreet, where he led its global cybersecurity program and was responsible for securing the world’s largest business credit rating agency and protecting data associated with 330 million global businesses. Before that, he was CISO at Bloomberg, LP, after serving as CISO at Amplify (formerly the Education Division of News Corporation). Previously, he held information security positions at the New School University, in New York, and at the European Network and Information Security Agency (ENISA) and KPN Royal Dutch Telecom/TNO. He is active in Internet policy and governance circles and served on the President's National Security Telecommunications Advisory Committee (NSTAC) as part of the cybersecurity "moonshot" subcommittee, advising the U.S. government on threat risk and prevention. Dr. Gelbord graduated from the University of Calgary (Canada) with a Bachelor of Science degree in Mathematics and earned a Master of Science degree in Mathematics from the University of Toronto (Canada) and a PhD in Mathematics from Technion, Israel Institute of Technology (Israel). In addition to his native English, he is fluent in Dutch and Hebrew and proficient in French and Spanish.