What the Past Can Teach CISOs About the Future
As savvy business and tech leaders try to get ahead of threats in 2022, the need for risk assessment is urgent.
With cyber threats and return-to-work chaos set to intensify in 2022, the prize will go to organizations that are supremely prepared.
A prime example is Sallie Mae, the lender best known for student loans. Return-to-office plans got scrambled back in October when the organization’s target return date was deferred because of the COVID-19 spike, says Steve Lodin, senior director of cybersecurity operations. Fortunately, the company had moved to a distributed architecture several years ago after spinning off its former loan services business (Navient) in 2014. After transitioning its data center to managed services, Sallie Mae moved its server infrastructure to Amazon Web Services in 2018.
To facilitate a smooth transition, Sallie Mae had to assure regulators that it was addressing the potential security risks of the cloud, Lodin says. “We did things early on that would now be called zero trust,” he says, including both creating a software-defined perimeter (SDP) for user access and moving network management protocol systems to the cloud.
As a result, Sallie Mae had a relatively easy transition to remote work in 2020.
“We had a little bit of a challenge on the call center side, where we used physical presence to enforce restrictions on what our call center employees could do around sensitive data,” Lodin says.
For example, the security team used endpoint security software to limit information that could be printed from a call center employee’s computer. It was a relatively simple but effective defense strategy.
Thanks to a focus on identity management and microsegmentation of its network, Sallie Mae has a strong record of fending off threats, Lodin says. Occasionally, a malicious link or email attachment evades the company’s filters, and in response that user’s computer has to be reimaged. “We have a couple of those happen a year, but it’s not a significant amount,” he says. Last year, they had only one documented account compromise.
Unfortunately, Sallie Mae is the exception to the rule when it comes to the regular fire drills that many organizations have experienced during the pandemic.
“Most companies had to hurriedly shift to the cloud just to operate—and because of their lack of experience, or maybe lack of time, or lack of thought on how they set up their cloud, they’re still paying the price with a lot of vulnerabilities,” says Shafayet Imam, founder and CEO at BrillianSe Group, a consulting firm that focuses on systems architecture and cybersecurity.
In 2021, organizations had time to assess the need for a more systematic approach—something they will need to execute in 2022, he says.
Fending off ransomware attacks
Ask cybersecurity leaders about 2021, and the ongoing hangover from the work-at-home explosion is inevitably part of the conversation. That shows no signs of stopping in 2022. Repeated delays in return-to-office plans have left many leaders believing that the pre-pandemic workplace is long gone.
Last year was also a banner year for hacking exploits. The ransomware threat grew too large to be ignored, with gasoline suppliers, manufacturers, hospitals, schools, and hundreds of other organizations profoundly affected.
This year, many cybersecurity professionals are looking ahead, turning “temporary” arrangements into long-term plans for hardening their perimeterless environments against the inevitable ransomware attacks that accompany a remote and hybrid workforce.
“I think the bad guys made a mistake,” says Jeffrey Wheat, CISO at Blue Team Alpha, a consulting firm that provides ransomware response and remediation services. “When they attacked the infrastructure, that’s like an act of war. I’ve had grown men crying on the phone because they were at risk of losing Grandpa’s company to a ransomware attack.”
These are often hands-on leaders who are comfortable spending a couple of million dollars on a new machine press but have trouble understanding the need to spend a few thousand dollars on “something they can’t see and touch,” he says.
Public-sector organizations face a similar challenge in securing money for cybersecurity from taxpayers. When the Broward County Public Schools in Florida refused a $40 million ransomware demand after being hacked in March 2021, the attackers published nearly 26,000 stolen files, many of them sensitive financial and accounting records. Fortunately, the school district could use uncorrupted backups to restore systems to working order, says Vincent Vinueza, the acting CIO for the school district who was in charge of infrastructure at the time of the attack. “If not for those backup and recovery strategies, the attack could have been a lot worse and caused greater outages affecting the delivery of education.”
The breach convinced the school district to invest in upgrading endpoint security and hiring more digital security professionals, Vinueza says. However, even with new jobs posted, it will be difficult for Broward to compete for workers who have cybersecurity training in the currently tight market for talent.
Meanwhile, training technicians who work in individual schools remains important, Vinueza says. “We want them to tell us if something doesn’t look right.” Ultimately, he hopes artificial intelligence will be able to do a much better job of spotting anomalies that could indicate a hack. As he acknowledges, “Humans are much slower to respond.”
Plans for 2022 and beyond
No one expects a single tool to save them, but if there is one category of technology that leaders hope to see prove out, it would be AI.
“We don’t have a data problem, we have a data overload problem,” says Wheat of Blue Team Alpha. “Everyone’s going to have to lean more into artificial intelligence, because there’s just too much information for humans to understand.”
AI technologies already provide security teams with an assist, but there’s always more data to analyze. Sallie Mae now generates 2.5 billion log entries a day from Amazon Web Services and endpoint monitoring systems, which feed into a data lake for further analysis. “Then the question is: What do you do with that?” Lodin asks. AI technologies help identify entries of potential concern, but those that get flagged still require manual review with the help of an outsourced team, he says.
Sallie Mae has had success using security validation software to prove that systems are performing correctly and gathering the data they are supposed to be collecting, Lodin says. As a next step, he wants to focus on improving the prioritization of security responses. For example, he says the team responsible for implementing patches is drowning in alerts about new vulnerabilities and needs better analytical tools to determine which ones to address first. That’s easier said than done, because the problem is connected to having a good inventory of systems and their connection to important business processes.
“It costs money, and you still have to have people to understand and deliver the right data,” Lodin says. “Do the systems contain sensitive data? Are they on the internet? That type of criticality rating is hard to get out of the teams.” Only then can you know what to patch right away and what can wait, he says.
As we’ve seen, the need for that kind of visibility and risk assessment is urgent. Cybersecurity challenges aren’t going away in 2022. In fact, they will grow bigger and more complex. But organizations that make the right moves will be positioned for substantially better outcomes than those that bury their heads in the sand.