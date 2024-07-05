By Elisha Riedlinger

I’ve never met anyone who enjoys standing in the rain. Using an umbrella is useful to help keep you dry, and being indoors during a storm is even better. But if I sold umbrellas as a way to keep people dry, would there be an expectation that using one can prevent you from getting wet at all? What does an umbrella promise exactly?

You’ve probably never asked yourself that. Why would you? It’s an umbrella, after all. This raises a question: Why do most companies treat cybersecurity the same way they treat umbrellas?

THE UMBRELLA OF CYBERSECURITY

If we translate the umbrella analogy to cybersecurity, “recovery” is the umbrella. During a proof of concept (POC), you stand under it, say “Yep, it’s keeping me dry,” close it, and you’re done. It “works,” but it was never tested against the scenarios it will actually face: gusts of wind, a torrential downpour, a storm that lasts for days.

Consider the Change Healthcare breach that occurred in early February. It was a catastrophic event. Not only did it rain, it poured. Change Healthcare, which is owned by UnitedHealth Group, is at the time of writing still not fully up and running, and the company paid $22 million in Bitcoin. Talk about “no easy way out.” They got breached, they paid, and they are still not operational. Someone did not put the umbrella through all the scenarios, and this keeps happening to one organization after another. Why does it happen over and over again? Einstein is often credited with saying, “Insanity is doing the same thing over and over again and expecting different results.” Meanwhile, we hear the same refrain: “We have EDR, we have endpoint protection, we have a firewall.” If those solutions were sufficient on their own, the same breaches would not keep happening.

I think this is where companies fail, or perhaps where they are misled by the vendors selling them solutions. Let’s explore this a bit more.

A BETTER WAY

If you’ve ever been to the RSA Conference, it’s mind-boggling. Every company (and there are hundreds, if not thousands) appears to say the same thing: “With our solution, you are protected.” But are you really? Apparently not, given the ongoing success of ransomware gangs and their breach campaigns.

Imagine if there were a regulatory body that required companies to disclose what their solutions don’t cover. There are groups like MITRE and NIST that try to assist with this, but how many actually follow the blueprint? Probably not too many, as ransomware breaches and payments continue to occur. Once upon a time, there was no Apple or Google. These behemoth companies started in a garage. At what point did people start trusting these small companies? Was it a sales metric? Perhaps it was the lemming effect—one person jumping off a cliff and everyone else simply following. In cybersecurity, if everyone has EDR, they all think they’re protected. But at what point does one person say, “I’m not going to jump; I’d rather take a smarter approach to get to my final destination.” The purpose of this article is to suggest that there has to be a better way—a better recovery, a better way to prevent failure, and a better way to protect yourself from cyber threats, breaches, and payments.

Here are three things you can do to prevent a catastrophic breach scenario.

1. ENSURE YOUR RECOVERY WORKS

Ask the following questions:

Does your recovery really work, end to end, and not just in a POC?

How fast is it? What is the measured time to restore, not the figure on the datasheet?

Does it factor in recovering all nodes at the same time?

Does it account for the recovery of user environment variables?

Does it cover operational databases post-recovery?

Does it factor in bandwidth and people costs?

If the answers to these questions are unsatisfactory, there are companies that specialize in rapid recovery. Poor answers translate directly into downtime and financial loss.

2. LOCK DOWN YOUR ENVIRONMENT

How is your detection accomplished? If it depends on recognizing the threat itself, you might as well give up now: threats are harder to detect than ever. Instead, find a detection approach that monitors your data as the common denominator.
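
As an added illustration of what data-centric monitoring looks like in practice (this is example code written for this page, not code from the article or from any vendor’s product), the following Python script runs a simple rule over a constructed audit log: it watches a short list of crown-jewel paths and raises an alert whenever the principal touching one of them is not on the allow list for that asset, whether or not the attempt succeeded. The log line format, the paths, the user names and the allow list are all assumptions made for the example.

```python
"""Data-centric access monitoring: alert on any touch of a crown-jewel asset
by a principal that is not allowed to touch it.

Added example for illustration; not code from the article or any product.
The log format, paths, principals and allow list below are assumptions.
"""
import re
from collections import Counter
from fnmatch import fnmatch

# Assumed allow list: crown-jewel path patterns and the principals permitted
# to touch them. In practice this comes from your data classification.
CROWN_JEWELS = {
    "/data/claims/*": {"svc-claims", "dba-ops"},
    "/data/pii/*": {"svc-hr"},
    "/backups/*": {"svc-backup"},
}

# Assumed audit-log line format (hypothetical, chosen for this example):
#   <timestamp> host=<h> user=<u> op=<read|write|copy|delete> path=<p> result=<ok|denied>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: two legitimate service accesses, an employee copying
# two PII files, an unrelated home-directory read, a legitimate backup read,
# a denied attempt to delete a backup, and one line the parser cannot read.
SAMPLE_LOG = """\
2024-07-01T02:10:01Z host=db01 user=svc-claims op=read path=/data/claims/2024-06.parquet result=ok
2024-07-01T02:10:05Z host=db01 user=dba-ops op=write path=/data/claims/2024-06.parquet result=ok
2024-07-01T02:11:40Z host=ws17 user=jdoe op=copy path=/data/pii/employees.csv result=ok
2024-07-01T02:11:41Z host=ws17 user=jdoe op=copy path=/data/pii/payroll.csv result=ok
2024-07-01T02:12:00Z host=ws17 user=jdoe op=read path=/home/jdoe/notes.txt result=ok
2024-07-01T02:15:22Z host=bk01 user=svc-backup op=read path=/backups/full-2024-06-30.tar result=ok
2024-07-01T02:16:03Z host=ws22 user=admin op=delete path=/backups/full-2024-06-30.tar result=denied
garbage line that does not parse
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def jewel_for(path):
    """Return the crown-jewel pattern covering path, or None if it is not a jewel."""
    for pattern in CROWN_JEWELS:
        if fnmatch(path, pattern):
            return pattern
    return None


def classify(event):
    """Return an alert dict for an unauthorized touch on a crown jewel, else None.

    Denied attempts still produce alerts: the attempt itself is the signal.
    """
    pattern = jewel_for(event["path"])
    if pattern is None or event["user"] in CROWN_JEWELS[pattern]:
        return None
    return {
        "ts": event["ts"],
        "host": event["host"],
        "user": event["user"],
        "op": event["op"],
        "path": event["path"],
        "asset": pattern,
        "succeeded": event["result"] == "ok",
    }


def scan(log_text):
    """Run every line through the rule. Returns (alerts, unparsed_line_count)."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed += 1  # count, never silently drop: a parser gap is a blind spot
            continue
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts, unparsed


def offenders(alerts):
    """Principals ranked by number of unauthorized crown-jewel touches."""
    return Counter(alert["user"] for alert in alerts)


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for a in found:
        state = "succeeded" if a["succeeded"] else "denied"
        print(f"ALERT {a['ts']} {a['user']}@{a['host']} {a['op']} {a['path']} ({state})")
    print(f"{len(found)} alerts, {skipped} unparsed line(s), offenders: {dict(offenders(found))}")
```

The point of the rule is the pivot it makes: it knows nothing about attacker tooling or signatures, only which data matters and who is supposed to touch it, so a brand-new tool and a living-off-the-land copy command trip the same alert. In a real deployment the allow list would come from your data classification and the events from file server, database, or cloud storage audit logs rather than a constructed string; the unparsed-line counter is there because a log format change that silently empties the feed is itself a failure you need to see.
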

Instead of trying to profile the threat actor, focus on your crown jewels. If you see unauthorized access attempts against them, you know you have a problem, and there are solutions that can lock down your environment in response.

3. INVESTIGATE “EXFILTRATION” CAPABILITIES

Imagine a car accident. Now imagine being hit by three cars at once. What are the odds? In cyber, we accept exactly that scenario: systems encrypted, a ransom paid, and customer data still exposed. It’s time to stop. If you pay the ransom (which we certainly do not recommend), why are you still down? Why is your customer data still at risk?

We suggest investigating “exfiltration” capabilities. Some solutions aim to keep your data out of a threat actor’s reach even after they are inside your environment. If you don’t have this, roll up your sleeves, take it back to the drawing board, and get going. There is much more that can be done to protect your organization, your data, and your customers’ data.

FINAL THOUGHTS

To end on a motivational note, I’ll leave you with this famous quote from JFK: “Ask not what your country can do for you—ask what you can do for your country.” Each of us in cybersecurity has a responsibility, no different from locking your doors at night or chaining up your bicycle to prevent theft. The only difference is that here we are talking about millions or even billions of dollars in damage.