Changes aren’t permanent, but change is’: Adaptability is crucial to keep up with the evolving world of information security

By Erik Johnson, Director of Reliability Analysis, ReliabilityFirst

In the world of information security, we have talked about the increasing pace of change for the last 25 years. And rightfully so – even the landscape of threat actors has seen a significant transformation over time. Initially, cyber-attacks were primarily the domain of nation-states, used as a digital weapon to further their geopolitical interests. Then, a new breed of cyber attackers emerged – “hacktivists.” These individuals or groups leveraged cyber-attacks as a form of protest or to advocate for a cause. Recently, we’ve seen a convergence of these two distinct domains. State-sponsored hacktivists have begun to appear, blurring the lines between government-led and citizen-led attacks. This evolution has added another layer of complexity to the cybersecurity landscape, making it more challenging to attribute attacks and defend against them. We have adapted quickly in some areas and not at all in others.

This ever-changing threat landscape brings to mind the lyric “changes aren’t permanent, but change is,” from the Rush song “Tom Sawyer.” In the rapidly evolving world of information security, keeping pace with change is not just an option, but a necessity. Traditional security programs, often characterized by set patterns and predictable responses, are increasingly proving inadequate in the face of sophisticated and ever-changing cyber threats. To meet this challenge, we must think differently about approaches we have become comfortable with to catch up with the pace of change. Removing unintended patterns and adopting a more dynamic, adaptive approach can enhance the effectiveness of your information security program.  

The dynamic nature of today’s cyber threats necessitates a shift from traditional, pattern-based security programs to a more adaptive, risk-based approach.

Patching is one area where our approach may be out of date. Just like bell bottom jeans or mainframes, some things go out of style. Typically, we wait for a patch to be published before considering action and even judge our key performance indicators by how successfully we have met the required patch date. The problem is that we are at the mercy of the patch source, and the vulnerability often existed long before patch publication. So, what can be done? Most security standards, regardless of origin (NERC, NIST, PCI-DSS, COBIT, ISO, etc.), allow the end user to define a comprehensive approach. A comprehensive policy should define items, such as mitigating controls, depending on the variable risk level to which a company is exposed. Think DefCon 5, 4, 3, 2, 1. Consider assigning variably more robust security controls, such as a predetermined firewall rule set based on the DefCon example above, more rigorous security information and event management (SIEM) rules, and/or redefining trust boundaries and multi-layer validation for external data, based on the current risk level.

Let’s move the discussion higher up to change control in general. If I asked you what your standard change control window was, you’d probably know it because it has not changed in years. This is another area where we are comfortable in the pattern we have set up, but those trying to get into your systems know it, too, because of that pattern. Adjusting your change control window to throw off attackers looking for the pattern could be done at whatever interval your organization deems appropriate. This adjustment could also be done differently for different systems based on criticality or a predetermined risk level. Obviously, the latter approach would require significantly more communication to implement. Instituting variable controls such as these creates the adaptive environment that is required today.    

Let’s be clear – I am not suggesting that if you implement these ideas in your environment, you will be set. They are just examples to point out that we often get comfortable in our patterns and don’t see that while they address some risks now, they also bring in other risks as the environment around them evolves. Our adversaries can be aware of our patterns and leverage them against us, putting us in react mode.

By reviewing your existing environment for unintended patterns, you can enhance the benefits of the layered security you have already implemented. This can include improved security by introducing unpredictability into the system, making it harder for malicious actors to anticipate the system’s responses. This unpredictability can deter potential attacks, as it increases the complexity and risk for attackers. Additionally, it encourages a more proactive and dynamic approach to security instead of a static one based on predictable patterns. This can lead to the early detection and mitigation of threats, improving the system’s overall resilience. Finally, removing patterns can promote continuous learning and adaptation within the security program, ensuring it stays effective despite evolving threats.

The dynamic nature of today’s cyber threats necessitates a shift from traditional, pattern-based security programs to a more adaptive, risk-based approach. By identifying and changing predictable patterns in your security program, you can introduce an element of unpredictability that can deter potential attacks and enhance your system’s resilience. Remember, in the ever-evolving landscape of cyber threats, adaptability is key. So, take the first step today – identify those patterns and embrace change. Your security program will be all the better for it.