But as the recent server attacks have shown, even getting the basics right won't always mean we can protect critical systems. Simply putting your faith in fundamentals such as patch management, endpoint protection, network access controls and so on might not be enough to defend against these newer threats.
Taking a layered approach
These recent attacks on third-party systems demonstrate the increasing sophistication of threat actors. They also highlight the pressing need for a new security mindset.
At Trustwave we've found the best way to defend against these new threats – and the ones we think might be coming next – is with a layered strategy.
This works from the assumption that any given layer is likely to fail, but ensures that when it does, there is another defensive layer behind it, and another behind that.
This approach assumes that attackers are dedicated to achieving their goal and won't give up simply because the first line of attack falls short. However, they may be more likely to give up the chase if their second line of attack falters, and much more so again when their third effort fails.
This approach eliminates the chances of attackers finding a single point of failure they can exploit and creates a much more robust target which is less appealing for attackers to pursue.
The benefit of this approach can be clearly seen in light of recent attacks. While for years we have believed that aggressive patch management is critical to cyber security strategy, in this instance it was specifically those organisations that had implemented the latest patches that had made themselves vulnerable.
And while some organisations may have gotten lucky due to their own negligence, this should in no way be seen as advocating for lax patch management. But it clearly shows that simply doing one right thing is not enough.
Cyber as a business unit
These attacks again highlight the need to run cybersecurity as a business unit that is deserving of investment, rather than being an add-on to a business or a necessary evil. Cybersecurity is just as fundamental to an organisation's ability to operate as its finance function or operations team, for the very simple reason that no organisation will be able to function for long without it. Having weak and inadequate security can be more detrimental to an organisation's bottom line or reputation than a poor go-to-market or marketing strategy.
The sad truth is that all organisations should consider themselves to be under attack at all times and equip their cyber functions appropriately. It is no longer good enough to simply wait for attacks to happen, as by then the damage has already been done.
This is also a highly prudent perspective to take when you consider that the volume of attacks that organisations face is only ever going to increase, with a much greater chance of organisations becoming collateral damage in supply chain attacks such as that which hit SolarWinds.
Raising the status of cybersecurity to business unit level also means organisations need to be backing their CISOs with the tools, talent, and resources they need to do security right for their organisation. That means giving CISOs the authority needed to ensure that new projects are secure by design, such as by ensuring that devops processes are really devsecops processes.
The end goal here should be a cyber security business unit that is constantly monitoring and proactive in its processes, and when a response is needed, able to implement that response in real time.
That means being able to detect and respond to aberrations in network behaviours even before they have been classified as threats.
We often talk about living in the era of zero trust, but what we really need is to respond with zero tolerance.
This approach is embodied in programs such as Trustwave's Managed Detection and Response (MDR), which combines technology and human expertise and intuition to focus on advanced threat detection and mitigation on an ongoing basis. By constantly applying new information to historical data, it is possible to improve correlations and build a deeper understanding of an environment as a whole.
Because when it comes to modern business, the freedom to operate really does come at the price of eternal vigilance, and that means treating everything that could be a threat as an actual threat.
Because while there are often few rewards for swatting away the disasters that could have been, that is still much better than picking up the pieces when those lines of defence fail.