Over the past decade, cyberattacks on businesses have gone from being an often unusual, standalone incident to a sadly inevitable part of daily life. Developments in the tactics, techniques and procedures of the bad guys combined with an ever broadening attack surface now means that the question of a cyberattack is no longer if, but when.
This is something that many decision makers are struggling to understand, as often the complexity of the threats facing businesses requires equally complex language to communicate and understand the risks.
This is where it is vital for the discussion around data security to focus not on preventing the unpreventable, but to focus on reframing, resilience, and recovery.
“This is the future of cybersecurity”
The traditional approach to data security when Bipul Sinha was an engineer building database kernel in the early 2000s was to primarily protect against human error and natural disasters. However, as cyber criminal motivations shifted from disruption to financial gain, businesses were often left without the capability or architecture to protect themselves. This void in cybersecurity was also where Bipul saw a gap in the market, and founded Rubrik.
“If you look at the cybersecurity industry the last thirty years, this industry is focused on stopping attacks and it sells you 60-80 different tools to stop attacks," he tells TechRadar Pro. "But if you look at all the news that is around us, they have not been able to stop attacks. You can’t prevent the unpreventable.”
Sinha believes that businesses are focusing too heavily on protection, rather than what he calls cyber resilience, wherein businesses should also focus on recovering from attacks. Businesses should have a recovery strategy that lays out the next steps following a breach so that the business can continue to operate alongside their data recovery operations.
“That's the vision we are driving in the marketplace. We have been drumming this beat for almost five or six years now - that cyber security needs a new vision and a new direction - and this is where we are taking the market. Ultimately resilience comes from data because that's the most critical asset. This is the future of cybersecurity.”
Protecting data in the age of ransomware
Businesses of all sizes have faced more ransomware threats in the past 3 years than ever before. Large cyber gangs are selling access to businesses they have successfully penetrated in a relatively new phenomenon known as ransomware-as-a-service (RaaS). As a result many victims are seeing multiple breaches within 48 hours, increasing the cost of data recovery while also increasing the possibility of double extortion.
The International Counter Ransomware Initiative recently agreed to unify its members in a new policy surrounding the non-payment of cyber ransoms by member states. By paying ransoms, cyber criminals are incentivised to continue their attacks and are able to snowball the breadth and depth of their attacks. By removing the financial incentive it is hoped that ransomware attacks will deter.
“At Rubrik’s Zero Lab research, we still see that a lot of people are paying ransoms," Sinha notes. "The issue is that once you are in a situation where the business is down and your data is not available, you have no option in many cases. Some people have insurance, so insurance is paying for it. Otherwise they are paying for it- but the fundamental question is why are we here?
“Why is it that an industry that earns $200 billion a year is not able to protect itself? The issue is that the framing of the discussion is wrong, and ransomware and cyber attacks are the biggest threat to our economy, the biggest threat to our digital life, the biggest threat to our digital products and services.”
Sinha draws particular focus to how businesses should respond in the immediate aftermath of a ransomware breach. Humans are often the weakest link in the cyber defense of a business, and more often than not a successful intrusion is as a result of compromised access authentication. Sinha highlights that critical data should only be accessed when absolutely necessary and only by those whose work involves said data. Therefore, in the event of a breach, Rubrik can intercept any attempted exfiltration of data by monitoring the traffic going in and out of the businesses network.
“The ideal recovery strategy for a business is, first of all, they need to have cyber resilient data protection. This is where Rubrik has introduced zero-trust data security, which means that you assume all else has already been compromised and only work with or interact with fully authenticated entities. Which means that if someone can get into the data infrastructure they still don't have access. So that is number one.
“Number two is they need to have technology that can observe actual business data. If you look at the cybersecurity industry, when they talk about data, they are analyzing logs - access logs, machine logs - to infer what could be happening to the data. That's not good enough. You need to understand in the data itself when the attack happened; how far it went; what was the sensitivity of the data that got compromised; how to do threat hunting and monitoring of malware in the data so that when you recover it, you don't get reinfected.
“So a robust strategy around data resilience, a robust strategy around actual business data observability and remediation, and the ability to pinpoint the point of infection and the scope of infection, data threat hunting and monitoring, quarantining of malware and the ability to orchestrate recovery at any level of granularity.”
“This is the asymmetric nature of this game”
A significant hurdle in the fight against cyber threats as a whole is in legislation and prosecution. The most capable cyber criminal enterprises are often state-sponsored groups harbored within nations that share their sympathies. While it is possible to seize their cyber assets and disrupt their operations, it is near impossible to prosecute a criminal who is working on behalf of a hostile government.
Sinha states that not enough is being done at both the business and governmental levels to create frameworks for information sharing. This means that when one business faces a successful attack, it can be studied to understand the methods of intrusion, how the data was encrypted or extracted, and what could have been done at each stage of the attack to minimize the damage. Not only does this allow businesses to improve their data security and recovery strategies, but also provides attack playbooks that can be used to identify the groups responsible and their cyber infrastructure.
However, there is an air of hesitation among many businesses as many would prefer to pay a ransom rather than reveal that their organization was successfully breached, which could cause potential reputational and economic losses. But Sinha believes that in these cases, businesses should have a secure method of communicating the details of their breach without the potential risks associated with disclosure.
“If we reframe the discussion for consumers, for businesses, for everybody in the ecosystem so that you are measured on your response, so that you have the right technology, process, and procedure to recover. If you frame it that way, then there is less pressure to share information.”
Ultimately, this communication works to the defenders advantage and greatly increases their resilience. As Sinha points out, “This is the asymmetric nature of this game, you have to be right as a defender 100% of the time. And as an attacker, you have to be right only one time and that one time does tremendous damage.”
Cooperation also needs to be established between the public and private sectors, Sinha notes. A significant issue for public organizations, such as the UK’s NHS, is that they don’t have the ability to offer the competitive compensation necessary to draw in the greatest talent and as a result their cyber infrastructure is in many cases outdated.
Innovations in combining cybersecurity products with AI show some promise in bridging the cybersecurity skills gap as their capability to automatically recognize unusual network traffic or potential intrusions increase. As the attack surfaces of organizations widens, so do the volume, velocity, availability and scope of potential intrusions. This in turn requires more brain power to defend, so having cybersecurity products with AI capabilities reduces the workload of security departments.
“Things like that would help attain that goal, but it's not an easy problem to solve. I’ve been talking about this, ‘protect the unprotected,’ because a lot of our industry focuses on the most sophisticated and advanced users, but the attacks are happening to the areas that are behind the curve.”
The human impact of cyber attacks
Cybersecurity professionals are currently under a tremendous amount of pressure. Studies have shown that the importance of their work significantly impacts mental wellbeing, and part of the problem is the attribution of fault if a cyber attack happens. CIOs are hesitant to accept promotions due to the increased responsibility and their own personal liability in the event of a breach. In fact, a recent Rubrik Zero Labs study into the impacts of cyber attacks found that 36% of organizations surveyed reported that their leadership was forced to change as a result of an attack.
Sinha remarks that the current understanding of executives is that cybersecurity is only successful if an organization never suffers an attack, and that if even one attack is successful then those responsible have failed. But the evidence shows that no matter the size, budget, or capability of an organization, attacks still happen.
“The discussion has to be reframed. It has to be said that successful defense is the right strategy, not prevention. So, ‘can we continue to operate, and do we have a strategy to continue operating the business even when the attack has happened?’ And if you reframe that discussion, and cyber teams express their strategy in a way that is about resilience, not just about stopping, then the executive team can understand the framing.
“Because if you are asking for yet another tool to prevent yet another vector of attack, then they see this as a never ending game.”
More from TechRadar Pro
