Tag: cyber attacks

Believe In Zero Trust – How a Familiar Yet Uncelebrated Model Can Protect Your Organization from Cyber Attacks | Blog

Given the meteoric rise in ransomware attacks during the pandemic and persistent cybersecurity challenges, the need for effective measures to protect sensitive data and IT environments from rising assaults is greater than ever. While zero-trust security architecture offers many potential benefits, adoption of this long-talked-about framework has been slow for various reasons. But with even the White House hitting the gas on zero trust, the timing could be right for more widespread implementation. Read on to learn about how your enterprise can overcome the hurdles and move to zero trust.

Zero trust, a framework for the design and implementation of IT security systems, has been in the market for quite some time now. First coined by Forrester, it gained popularity when Google announced the implementation of the zero-trust network through BeyondCorp after a series of cyber-attacks in 2009. Ever since the National Institute of Standards and Technology (NIST) formalized the approach in late 2020, the computer security approach has become mainstream.

But despite the entire industry being widely familiar with the terminology and underlying principles and architecture, why has enterprise-level adoption lagged when the benefits outweigh the investment? Before we dive deep into the reasons behind this reluctance in the market, let’s explore the core tenets of a zero-trust security approach.

The guiding principle of zero trust is “never trust, always verify”, and the approach is built upon the following assertions:

  • Every part of the network is potentially hostile
  • Both external and internal threats always exist on the network
  • Every device, user, and network flow must be authenticated and authorized and should not be trusted by default
  • Limiting excessive user privileges should be the fundamental motto
  • Micro perimeters/micro segmentation should be created around critical data, applications, and services

The key tenets of zero-trust security can be summarized as follows:

[Figure: summary of the key tenets of zero-trust security]

Why hasn’t zero trust been fully embraced?

Even though security leaders across product vendors as well as analyst firms have been preaching the benefits of a zero-trust security approach across enterprise cybersecurity, adoption hasn’t picked up. Among the key enterprise challenges and the apprehensions by security leaders surrounding its wide-scale adoption are:

  • Misconception of zero trust as another technology solution: The most common problem we have seen in enterprise cybersecurity teams is the belief that any new challenge is best solved by implementing a new technology or solution. The appeal of a new solution is so strong that enterprise leaders often forget that zero trust is a concept with no single product behind it. Enterprises are often lured by product vendors’ marketing claims that a solution delivers some aspect of zero-trust security, and as a result the benefits promised by the zero-trust approach are diminished or never materialize
  • Challenges of network micro segmentation: A key aspect of zero-trust security is protecting the network by breaking the erstwhile monolithic perimeter into micro perimeters, so that security controls and access decisions can be applied at a granular level. Given the large number of applications, their dependencies, services, and the users involved, implementing and maintaining micro perimeters is challenging. Enterprises with disparate security controls and network products are consequently unable to achieve end-to-end visibility
  • Complexity in brownfield implementations: Zero trust is undoubtedly easiest to adopt in greenfield security projects, because existing IT landscapes are so vast and complex that a single change, if implemented incorrectly, can cause great havoc and ripple across enterprise systems. Although enterprises are expected to take a step-by-step approach rather than rip and replace, many organizations that started this journey were left devastated after attempting to rebuild the network in a massive one-shot effort. A further challenge lies in integrating existing capabilities with new solutions so that zero trust can be extended across enterprise IT
  • Myth that zero trust is for on-premises: Enterprises have been grappling with a long-running myth that zero-trust security is centered on the building blocks of enterprise IT located within enterprise distributed control systems (DCS), because most of the existing research talks about not trusting anything within the corporate network. Also, some enterprises still do not think of cloud security as a shared responsibility model with the hyperscalers and hence do not plan to extend the zero-trust security approach to the cloud, leaving their assets on cloud and multi-cloud architectures at risk

Six Key Considerations for Enterprises Moving Ahead in the Zero Trust Journey

Zero trust can offer many benefits beyond improved data protection and greater compliance, including greater visibility across the enterprise, security for the growing remote workforce post-pandemic, and an improved end-user experience.

Here are some recommendations for moving ahead:

  1. Take a step-by-step approach for a long journey: While zero trust adoption can lead to a significant business transformation, framework adoption does not necessarily translate into a radical overhaul of existing cyber capabilities. Enterprises must understand that zero trust needs to be thought of as a journey to implement the strategic changes
  2. Establish the current baseline: As with other security implementations, understanding what needs protecting and why is of the utmost importance to realize the benefits of this path. Start by identifying the crown jewels – data and workloads – and create a security policy and control framework. The idea is to give attackers no opening to start an attack
  3. Leverage the existing cybersecurity stack: Reuse the existing investments in threat detection, identity and access management, network, endpoint, and data security by integrating them with the zero-trust security approach. Focus on preventing cloud misconfigurations and on establishing end-to-end visibility of data, policy, and communication between apps, infrastructure, network, and other components in the environment
  4. Understand that trust is never guaranteed: Enterprises must understand that trust is not guaranteed by any solution but needs to be verified at policy enforcement points before access is provided
  5. Combine zero trust with the broader digital transformation umbrella: Enterprises can combine zero trust transformation along with their IT digital transformation initiatives (including cloud and data center migration) to extract significant synergies and remove the hurdles of adopting zero trust in brownfield implementations
  6. Embrace the change: The entire journey will only be successful if all the stakeholders in the organization are ready to embrace the new ways of working in a dynamic and adaptive cyber organization with close collaboration between business and technology stakeholders
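The assertions listed earlier (every network segment is hostile, every device, user and flow is verified, least privilege, micro perimeters) and recommendation 4 (trust is verified at a policy enforcement point before access is granted) can be made concrete with a small policy decision point. The following is an added example written for this page, not code from the blog or from any vendor product; the resources, roles and device attributes are constructed. It shows the defender's view: each request is judged on identity, role and device posture, the source network never earns trust, and the default outcome is deny.

```python
"""Added example: a tiny zero-trust policy decision point (PDP).

Illustrative code, not from the blog or any vendor product. Resources,
roles and device attributes below are constructed for the example.
Every request is evaluated on its own merits; nothing is trusted because
of where it comes from, and the default outcome is deny.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    mfa_verified: bool      # identity strongly verified for this session
    roles: frozenset        # e.g. frozenset({"sales"})


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in enterprise device management
    disk_encrypted: bool
    patched: bool           # compliant with the current patch baseline


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    resource: str           # the micro-segment the request targets
    action: str             # "read" or "write"
    source_network: str     # "corp" or "internet"; never used to grant trust


# Constructed policy: each resource is its own micro perimeter with the
# minimal role set per action (least privilege) and a sensitivity flag that
# additionally gates on device posture.
POLICY = {
    "crm/customers": {
        "allow": {"read": {"sales", "support"}, "write": {"sales"}},
        "sensitive": True,
    },
    "wiki/handbook": {
        "allow": {"read": {"employee", "sales", "support"}, "write": {"employee"}},
        "sensitive": False,
    },
}


def evaluate(req: Request, policy=POLICY):
    """Return ("allow" | "deny", [reasons]). Every check must pass."""
    reasons = []
    entry = policy.get(req.resource)
    if entry is None:
        # An asset missing from policy is never implicitly reachable.
        return "deny", [f"no policy for resource '{req.resource}'"]
    if not req.principal.mfa_verified:
        reasons.append("identity not strongly verified (no MFA)")
    permitted_roles = entry["allow"].get(req.action, set())
    if not (req.principal.roles & permitted_roles):
        reasons.append(f"no role permits '{req.action}' on '{req.resource}'")
    if entry["sensitive"]:
        # Device posture is part of the decision, not only identity.
        if not req.device.managed:
            reasons.append("device not managed")
        if not req.device.disk_encrypted:
            reasons.append("device disk not encrypted")
        if not req.device.patched:
            reasons.append("device not at patch baseline")
    # Deliberately no branch on req.source_network: the internal network is
    # treated as potentially hostile, so "corp" earns no extra trust.
    if reasons:
        return "deny", reasons
    return "allow", ["identity, role and device posture verified"]


# Constructed sample principals, devices and requests.
ALICE = Principal("alice", mfa_verified=True, roles=frozenset({"sales"}))
BOB = Principal("bob", mfa_verified=False, roles=frozenset({"sales"}))
MANAGED = Device("lap-001", managed=True, disk_encrypted=True, patched=True)
BYOD = Device("phone-xyz", managed=False, disk_encrypted=True, patched=False)

SAMPLE_REQUESTS = {
    "alice_crm_read_managed": Request(ALICE, MANAGED, "crm/customers", "read", "internet"),
    "alice_crm_read_byod": Request(ALICE, BYOD, "crm/customers", "read", "corp"),
    "bob_crm_read_managed": Request(BOB, MANAGED, "crm/customers", "read", "corp"),
    "alice_crm_write_managed": Request(ALICE, MANAGED, "crm/customers", "write", "internet"),
    "alice_wiki_write": Request(ALICE, MANAGED, "wiki/handbook", "write", "corp"),
    "alice_unknown_resource": Request(ALICE, MANAGED, "erp/payroll", "read", "corp"),
}


def decide_all(requests=SAMPLE_REQUESTS):
    """Evaluate every sample request; returns {name: decision}."""
    return {name: evaluate(req)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, reasons = evaluate(req)
        print(f"{name:26s} -> {decision:5s} ({'; '.join(reasons)})")
```

Note that the request from the internet on a managed device is allowed while the request from the corporate network on an unmanaged device is denied: location plays no part in the decision, which is the point of treating the internal network as hostile. A real enforcement point would also re-evaluate on each access rather than once per session, and log every denial with its reasons for detection and audit.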

If the right cybersecurity measures are not implemented, attacks will only become more frequent and successful. Enterprises should put faith in zero trust as a security model that can provide greater protection in today’s high-risk environment.

Follow this space for our continued coverage of cybersecurity. To share your experiences and ask questions, please reach out to [email protected] or [email protected] or [email protected].

IT Supply Chain Attacks Are Rising – What Steps Can You Take To Protect Your Interconnected Enterprise Systems | Blog

As enterprises have worked harder to protect their IT systems throughout COVID-19, saboteurs have gotten more aggressive in their attacks, going after a trusted piece of hardware or software and hijacking an entire supply chain. What steps can you take to prevent these full enterprise cyber assaults? Read on to learn more about why IT supply chain attacks are on the rise and how to take action.

The COVID-19 pandemic opened enterprises’ eyes to the need to secure their IT systems from malicious threat actors, cyberattacks, and ransomware. With a renewed vision on hardening security controls and perimeters, applying least privilege access controls, and transitioning to improved threat detection tools and technologies, the usual entry points for bad actors have become non-existent.

But threat actors haven’t gone away. With the easier routes shut down, they are now targeting entry points such as third-party software and hardware that are beyond most enterprises’ scope and control.

If enterprises only needed to think about thwarting attacks by looking at the firewalls, endpoint security solutions, and Identity Access Management (IAM), the task would be much easier. But since enterprise systems are interconnected, the extended enterprise needs to be considered – and defended.

Understanding the supply chain attack ecosystem

A supply chain attack occurs when an attacker infiltrates a system through an outside partner or provider that has access to critical data and systems.

The key supply chain attacks can be classified across these six broad categories based on the nature of their origination in the software/hardware supply chain shown below:

[Figure: six categories of supply chain attacks, by point of origin in the software/hardware supply chain]

Why are supply chain attacks becoming lucrative?

While supply chain attacks have been prevalent for some time, they have been gaining tremendous traction, especially post-pandemic when vendors lost control and a view of key critical vulnerabilities in their existing products.

Among the key reasons for the prevalence of attacks are:

  • Economies of scale: A supply chain attack is not directly targeted at a particular organization. The goal is to compromise source code and legitimate apps/firmware so that entry into one supplier potentially yields access to every enterprise using its product. With a single well-placed intrusion, cybercriminals create a springboard into the networks of the supplier’s customers. For attackers it is rewarding to gain continuous access to new targets without investing in new tooling until the threat is revealed
  • Enterprise trust: Improvements in enterprise security mechanisms have contributed to the increase in supply chain attacks. Enterprises have put strong defense mechanisms in place that cut off the easy routes to infection, pushing attackers to find different ways to infiltrate soft targets. Limited security awareness and non-implementation of security best practices have led enterprises to blindly trust their vendors, third-party applications, and open-source code. Attackers leverage this blind trust to make their way inside enterprises, as it offers a path of least resistance
  • Hard to detect: Most of the supply chain attacks we have heard of involve adding a backdoor to a legitimate, certified software or firmware update that is nearly impossible to detect with existing tools and methodologies. Detection at the vendor’s end is also difficult, as vendors do not anticipate that their code could be targeted during the development stage. By the time the vendor detects an attack at the end of the cycle and quietly fixes it in the next update, the damage is already done

Best practices to mitigate supply chain attacks

As with other cybersecurity attacks, the old saying still holds: the question is no longer whether the organization will get hacked but when. Because supply chain attacks do not infiltrate the enterprise environment directly, detecting them brings many challenges, especially for smaller enterprises with limited awareness and investment.

Here are best practices enterprises can adopt that can potentially mitigate some of these attacks:

  • Understand the enterprise IT supply chain – The first step for any successful attack mitigation strategy should start with a comprehensive and holistic understanding of the supply chain. It should provide a view of the vendors, open-source projects, IT and cloud services, inventory of all third-party tools and services, and software dependencies hiding inside an organization and their security and licensing issues
  • Trust no one – Similar to the zero trust principle that urges enterprises not to trust but to verify, enterprises should stop blindly trusting their third-party vendors. Enterprises need to understand that the severity and diversity of threats challenging them apply equally to their vendors. Any small error on the vendor’s part can be devastating for the enterprise, not only as a financial drain but also in the reputation and trust of stakeholders
  • Limit access to sensitive data – Enterprises must have a properly detailed mapping of data being shared with third-party systems, the privileged users, uses of the data, and key security controls. Limiting access to privileged resources, including access to core data, reduces the chances of the impact from attacks originating at the vendor’s end
  • Ensure vendor assessment and controls – When choosing vendors, enterprises need to conduct a detailed evaluation and due diligence of the vendor’s existing cybersecurity framework and adjust accordingly what data needs to be shared, with whom, and through which communication mechanism. Apart from rigorous assessments, enterprises should implement strong perimeter controls for vendor access, such as multi-factor authentication and network segmentation, and ensure that access to data and systems is granted only for as long as it is required
  • Focus on development pipeline risks – Developer workstations with rights to create, modify, and commit code have been key targets for attackers. Enterprises need to think about shifting security left, securing their continuous integration and continuous delivery pipelines, and using Endpoint Detection and Response (EDR) to detect endpoint anomalies. By bringing security into the development lifecycle earlier, developers can detect and fix vulnerabilities, ensuring that security is baked into the product rather than bolted on
  • Protect from insider threats – Shadow IT has been a key concern for most enterprises. Not only do enterprises lack a view of the unauthorized software and tools in use within the organization, but they also lack proper control mechanisms to check that usage. Employees also represent a significant insider threat, and targeted phishing and social engineering campaigns have accordingly become widespread. Thus, enterprises need to put appropriate controls in place to mitigate the risk from insider threats
  • Plan your incident response – Taking initiatives to prevent supply chain attacks does not eliminate the possibility of them occurring. Threat actors can permeate enterprise systems through paths and backdoors that often go unnoticed and undetected, so enterprises must also focus on response and remediation. By planning for the worst, enterprises can understand what is happening during a breach, how to engage with suppliers, and how to work together to mitigate the damage faster
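Two of the practices above, understanding the IT supply chain (an inventory of third-party tools and their dependencies) and trusting no one (verify rather than trust the vendor), translate directly into a check that runs before anything from a supplier is deployed; it also addresses the “hard to detect” problem of a tampered but apparently legitimate update described earlier. The following is an added example written for this page, not code from the blog or from any vendor; the inventory, artifact names, versions and contents are constructed. It pins each approved (name, version) pair to a SHA-256 digest and refuses anything unknown, unapproved or altered. Production pipelines would add signature verification (e.g. against the vendor’s signing key) and an SBOM, but the decision logic is the same.

```python
"""Added example: verifying third-party artifacts against a pinned inventory.

Illustrative code, not from the blog or any vendor. The inventory, artifact
names, versions and contents are constructed for the example. An artifact
is trusted only if its name and version were approved and its content
matches the digest recorded at approval time, never because of its source.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed "golden" contents of the approved releases. In practice the
# digests are recorded when a release is reviewed, not recomputed from
# content at deployment time; they are derived here only so the example
# is self-contained.
_APPROVED_CONTENT = {
    ("acme-agent", "2.3.1"): b"acme-agent release 2.3.1 (constructed)",
    ("log-shipper", "1.8.0"): b"log-shipper release 1.8.0 (constructed)",
}

# Inventory: approved (name, version) -> expected SHA-256 of the artifact.
APPROVED = {key: sha256_hex(content) for key, content in _APPROVED_CONTENT.items()}


def verify_artifact(name, version, data, approved=APPROVED):
    """Classify one downloaded artifact against the approved inventory."""
    known_versions = {v for (n, v) in approved if n == name}
    if not known_versions:
        return "unknown_artifact"     # not in inventory: shadow IT or inventory gap
    if version not in known_versions:
        return "unapproved_version"   # vendor update that has not been reviewed
    if sha256_hex(data) != approved[(name, version)]:
        return "digest_mismatch"      # content differs from what was approved
    return "ok"


def audit_manifest(manifest, approved=APPROVED):
    """manifest: list of (name, version, bytes) about to be deployed.

    Returns ({(name, version): status}, may_proceed). Deployment proceeds
    only when every artifact verifies; one bad item blocks the whole set.
    """
    statuses = {(name, version): verify_artifact(name, version, data, approved)
                for name, version, data in manifest}
    return statuses, all(s == "ok" for s in statuses.values())


# Constructed deployment manifest: one clean artifact, one altered update,
# one unreviewed newer version, and one tool nobody approved.
SAMPLE_MANIFEST = [
    ("acme-agent", "2.3.1", b"acme-agent release 2.3.1 (constructed)"),
    ("log-shipper", "1.8.0", b"log-shipper release 1.8.0 (constructed) + extra bytes"),
    ("acme-agent", "2.4.0", b"acme-agent release 2.4.0 (constructed)"),
    ("handy-util", "0.1.0", b"handy-util (constructed)"),
]


if __name__ == "__main__":
    statuses, may_proceed = audit_manifest(SAMPLE_MANIFEST)
    for (name, version), status in statuses.items():
        print(f"{name}@{version}: {status}")
    print("deploy:", "proceed" if may_proceed else "BLOCKED")
```

The four outcomes map onto the practices in the list: an unknown artifact is an inventory gap (shadow IT), an unapproved version is a vendor change that skipped due diligence, and a digest mismatch is the signal that a “legitimate” update is not the one that was reviewed. Logging each non-ok status, rather than silently dropping the artifact, gives the incident response plan something to work from.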

Follow this space for more blogs on cybersecurity. Meanwhile, please feel free to reach out to [email protected] or [email protected] to share your experiences and ask any questions.

Cyber Insurance Market Dynamics | Blog

In our previous publication, Cybersecurity Risk Management in a Post-Pandemic Era, we discussed the implications of increasing cyber-attacks on insurers and enterprises in a post-pandemic world. While insurers are actively taking measures to improve cyber risk underwriting to contain overall claims losses, enterprises are strengthening their cybersecurity capabilities by investing in the right set of technologies and talent levers.

The increasing severity of cyber-attacks, accelerated adoption of digital technologies, rise in digital touchpoints, consumerization of IT, and convergence of Information Technology and Operational Technology environments have made the traditional security services models obsolete, according to Everest Group PEAK Matrix reports.

Enterprises are seeking security strategies based on their specific business context, business maturity, geography, and other parameters. One way they are doing so is by partnering with third-party providers to align enterprise security initiatives with broader goals. They are also conducting risk assessments of critical functions and laying out cybersecurity improvement and investment plans for their organizations.

Increasing enterprise investments in cybersecurity

Enterprises are actively investing in endpoint protection, network security, cloud application security, secure web gateways, internet security, Identity and Access management tools, and other avenues to adequately shield businesses from cyberattacks. The endpoint threat detection and response market alone has been growing by more than 20% each year, primarily driven by the increasing number of devices attached to networks owing to the current remote working landscape. Additionally, the rise in the demand for mobile security solutions has further propelled the growth of endpoint threat detection systems. Cloud application security is another area that has recently observed traction from enterprises, as many move to cloud solutions to ensure business continuity in remote/work-from-home environments. In 2020, the cloud security market was estimated to have reached US$35 billion owing to this rising adoption of cloud computing services.

The response from insurers

Insurers are investing in two key areas:

  • Strengthening underwriting capabilities to accurately assess cyber risk and, in turn, to control claims losses
  • Partnering with cybersecurity providers to offer value-added services to customers while also effectively managing risk

Insurers are heavily investing in Artificial Intelligence/Machine Learning (AI/ML) and scanning tools to automate their cyber risk underwriting, resulting in dynamic policy rate scenarios. Many insurers have invested in cyber scanning tools that can be tuned to the potential cyber vulnerabilities of the client. This has resulted in a market with limited consistency in pricing. Additionally, insurers are moving towards API integration to update pricing, coverage limits, and policy terms instantly based on the insurer’s underwriting and claims experience. This has resulted in the imposition of sub-limits for certain coverage options such as social engineering or ransomware attacks.

Insurers are partnering with cyber risk analytics firms to improve underwriting capabilities and better understand portfolio risk exposure. For instance, leading insurers such as Chubb, Munich Re, and Hiscox have partnered with risk analytics firms to better understand the systemic risks in their cyber portfolios. Insurers also are using these cyber risk analytics platforms to analyze client cyber exposure, thus providing for detailed underwriting of cyber risks.

The cyber insurance industry also is garnering attention from regulatory authorities. Regulatory authorities are calling on insurers to strengthen underwriting processes, as cyber-attacks pose significant levels of aggregate risk for the industry. Most recently, the New York Department of Financial Services has asked insurers to take stringent measures in underwriting cyber risks.

Insurance innovation

Apart from implementing underwriting discipline, the broader insurance market is headed towards product innovation. Insurers are bundling standalone insurance offerings with risk management services as they reposition from an insurer to a risk guardian, Everest Group analysis has found. They are increasingly offering tailored risk solutions and value-added services that enable customers to reduce risk exposure. Insurers are partnering with cybersecurity providers to offer business protection services to customers to bolster their cybersecurity. For example, Swiss-based Zurich Insurance Group has partnered with Israeli cyber firm CYE to offer Zurich cybersecurity services along with its standalone cyber policy. The new product addresses cyber risks by helping businesses define and implement effective cyber risk management programs.

Effective management of cyber insurance claims losses is critical for both insurers and enterprises. Without it, it is expected the market will witness decreasing margins and a decline in risk capacity. Going forward:

  • Enterprises must implement firmwide cybersecurity policies that are engrained in governance to ensure a robust defensive strategy
  • Insurers must work with third-party data providers and develop a solid ecosystem that includes internal and external experts to bring forward the best solutions

In our upcoming third and final edition of this article series, “The Future of Cybersecurity and Cyber Insurance,” we will explore what the future holds for cyber insurance for enterprises and insurers; emerging ways of underwriting cyber risk; and the role insurers and enterprises will play in battling the cybersecurity challenges over the coming few years.

If you’d like to share your observations or questions on the evolving cybersecurity and cyber insurance landscape, please reach out to Barbara Beller ([email protected]), Supratim Nandi ([email protected]), or Mehul Khera ([email protected]).
