Above Zero: Melting the Cyber-Threat Iceberg by Moving beyond Zero Trust

By Bill Mew

The threat landscape is like an iceberg. Only the most obvious threats or attacks are visible. Most are not. Organisations are unlikely ever to be able to eliminate cyber risk, but there are measures that they can take to mitigate it.

A good start is adopting a Zero Trust approach where no one is assumed to be trustworthy: no user, no application and no device. In an era of multi cloud and hybrid cloud complexity anything less than a Zero Trust approach would be reckless, but simply adopting Zero Trust alone is not enough. 

At temperatures far below zero an iceberg will continually increase in size, but while salt water doesn’t freeze at zero degrees iceberg’s don’t melt either. You need to raise the temperature as far above zero as you can to actually shrink the iceberg.

Cyber risk mitigation works in much the same way. Zero Trust is an essential foundation, but real risk mitigation requires much more than this. Deciding how much further you want to go will require an understanding of your risk appetite. This will then define how much budget you want to allocate to cybersecurity and how sophisticated your security strategy needs to be.

Common mistakes are:

1. Assuming that Zero Trust and cyber essentials are enough
Focusing on the basics offers limited protection. You need to adopt the AAA Security Framework (Authentication, Authorization, and Accounting) as well as the full National Institute of Standards and Technology (NIST) Cybersecurity Framework (Identify, Protect, Detect, Respond And Recover)

2. Falling for gimmicks and point solutions
It can be tempting to go for point solutions that offer an array of impressive functions, but you need to consider how many of these you are actually going to need and how difficult it will be to integrate and manage a significant number of such point solutions. There are also cyber insurance brokers that offer to provide a quote within an hour. You need to question how robust their risk pricing is if they can do this, and avoid policies with so many exclusions that they are almost worthless. Similarly you also need to be sckeptical of vendors offering supposedly free ransomware recovery warranties that aren’t exactly free at all (a purchase is required) and that are also dependent on conditions, checks and a range of other sometimes costly strings that they attach to such policies.

3. Failing to be incident ready
Even if you do have cyber insurance, this is only ever supplementary to cybersecurity and incident response, and never a substitute for either of them. Indeed under GDPR it is mandatory to have a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures. This means not only having both effective backups and a cyber incident response plan, but also regularly testing each of them. Preferably these should be air-gapped backups, as ransomware attacks now frequently target your backups, and fully immersive scenario simulations that properly prepare your team and ensure that they are really crisis prepared.

Staying vigilant on Cyberthreat Iceberg Watch

Like any lookout, vigilance is essential. In addition to having effective backups and a cyber incident response plan (and testing both regularly) a security health assessment can give you a picture of your cyber risk position. This can be done in real time using the latest dashboards to provide insights and recommendations for improvements. 

Going ‘Above Zero’ with a multi-layer strategy

The full NIST Cybersecurity Framework outlines a multi-layer approach for data security in which recovery readiness is seen as critical. You need to protect mission-critical data from targeted attacks that are designed to destroy primary as well as backup copies of your data.

Point solutions often lack the breadth and depth that you need to reach valuable data wherever it resides. Your backup policy should extend beyond central servers and organization-wide applications to cover laptops as well as files in a wide range of media formats, and also function-specific applications.

The extent to which you invest in measures to go ‘Above Zero’ will depend on your risk appetite and budget, but common considerations would be:

  • Protecting backup data volumes from ransomware by making them immutable to any administrator account. 
  • Securing passwords, policies, and data with encryption and multi-factor authentication, with granular role-based access lock-down to capabilities and systems.
  • Countering the rogue administrator threat by limiting access with granular role-based lock-down, to ensure that every access and change is logged, with any critical changes triggering alerts.
  • Automated anomaly detection for early and accurate identification of unusual behavior as well as rapid response to contain and remediate attacks
  • Eliminating mistakes or accidental deletion by applying the same controls that keep out a threat actor to rogue or careless administrators as well.
  • Protecting critical data by employing write once, read many (WORM) copies in multiple locations (typically both on-premises or in the cloud), and implement air gap isolation strategies.
  • Ensure compliance with security policies and regulations by applying controls and preserving logs for extended periods. Log files from servers, endpoints, and network devices can be preserved independently from the regular backup retention policy.

CISOs can sometimes feel that they have a particularly cold and lonely role. While most other lines of business are focused on ROI factors like revenue and profit, the CISO is almost alone in focusing on ROR (Return on Risk). Something that I call ‘CISOlation’. And while there may well be no way of eliminating the cyber threat iceberg, or even being able to see threats that are hidden below the waterline, an ‘Above Zero’ approach can at least shrink the iceberg as much as possible.

To find out more about Zero Trust check out this on demand Tech Talk here https://www.commvault.com/webinars/zero-trust-isnt-about-a-bad-relationship