How do you prove that your business is truly secure?
Date: 30 August 2022
Is it possible to be sure and show proof of the fact that your business is really secure?
Are you relying mostly on hope and wishing that you’re not the next victim of a ravaging cyber-attack or a really expensive ransomware attack? Or do you have a mechanism in place that lets you see your cybersecurity vulnerabilities, prioritise patching up of these vulnerabilities and be confident to a great degree that your business is indeed quite secure?
These were some of the questions that Greg Baylis of Cymulate addressed in his keynote address at the recent Wisdom of Crowds event.
Wisdom of Crowds is a flagship event by Cyber Management Alliance. It brings together the who’s who of the cybersecurity industry and offers practitioners and vendors alike the unique opportunity to rub shoulders, exchange ideas and discuss solutions to the latest cybersecurity challenges.
The Wisdom of Crowds events are unlike any other cybersecurity event as they are facilitated by a practising CISO and global Cybersecurity expert, Amar Singh (the CEO & Co-Founder of Cyber Management Alliance).
The theme for the first post-pandemic Wisdom of Crowds event held in London recently was “Cybersecurity Strategies for 2022”. The event sponsors were CyCognito, Cymulate, Juniper Networks, E2E Assure and Link11.
True to the theme, Cymulate’s address focussed on bolstering cyber defences by achieving true assurance of security. Greg Baylis aptly titled his address: “How to prove you’re secure, instead of just relying on hope.”
He began his keynote address by quickly summing up the toughest challenges for Cymulate’s existing and new customers. These include:
- Financial Penalties from Regulatory Compliance
- Rationalising cybersecurity spend
- Communicating cybersecurity effectiveness to the management
- Efficacy of Incident Response plans and policies
- Lack of sufficient resources
The harder technical challenges, though, as per Greg, are the following:
- Prioritising vulnerability patching. This requires an understanding of the fact that just because your vulnerability manager tells you that something is a high severity vulnerability, it doesn't mean it necessarily is high severity for your organisation.
- Ensuring protection against ransomware attacks and new threats. How do you know that you’ll be able to protect yourself against these emerging threats?
- It’s also difficult to feel assured when retiring a product. How do you know that you can safely replace a tool without leaving any gaps in security?
- Mapping everything to the MITRE framework.
Greg then moved on to talk about quantifying cybersecurity risks. Manual Security Assessments, Incident Response Planning, Increased Penetration Testing and Regular Patching and Updates were some of the quantified risks he discussed.
But then the question that arises is that if you’ve quantified the cyber risks, how do you track them? Interestingly, Greg shared some of the challenges with each of the options.
Governance Risks and Compliance Tools and Scorecards, for example, are clearly only as good as the data that you’re putting into them. The challenges with spreadsheets really need no introduction. Everyone knows how time consuming manual entry can be. Security Consoles can be disparate and prevent you from having holistic visibility. It also requires a lot of manual management to put all that information together.
So then what is the answer or a viable solution to all of the challenges discussed above. Greg shared how Cymulate put all these concerns together and created a solution with its 5-Pillar Security Posture Management Programme. The salient features or 5 pillars of the Programme essentially address the challenges of visibility and assurance that we discussed above.
Cymulate’s solutions can plug the nagging cybersecurity challenges by helping you:
- Know how you will respond before you are attacked.
- Use empirical evidence to better quantify risk.
- Prioritise vulnerability patching based on attack paths.
- Know that your Incident Response Plans and Policies are effective.
- Protect your organisation from attacks before they happen.
- Understand the impact of change in your environment.
- Monitor for security regression and prevent security posture drift.
- Know that your security controls are effective.
The defining value that Cymulate brings to the table is that it allows the organisation to KNOW it’s secure instead of just hoping for security. It lets IT and Incident Response teams and the executive board feel assured that the business is protected against the latest ransomware, that their customer data is safe and that they have full knowledge of the gaps and how to remediate those gaps.
How does Cymulate achieve this? Through Simulation, Evaluation and Remediation. Greg gave a quick snapshot of how exactly they conduct each of these steps.
The really interesting bit that caught the attention of the audience was how Cymulate actually achieves this level of assurance. He explained this with a pretty simple example.
Let’s say you have an employee named Bob in your Accounts Department. How does Cymulate ensure that malicious emails can’t go through to Bob’s email account? Cymulate uses a similar device like the one Bob is using and creates a similar mailbox and uses that as the target. The programme would then send 17,000 malicious emails to the new mailbox and monitor what gets delivered.
In one case, it was discovered that out of the 17,000 emails, 9000 get delivered to the new mailbox. That’s not great but there is some good news. The Cymulate agent is already blocking about 8,000 of them.
The next step is to evaluate which files are being allowed through (ARJ, BAT, CAB, CMD, COM etc.) and there is absolutely no justification/business reason to allow them to go through. So those file types can now be blocked at the email gateway by simply altering the policy. The platform then re-runs this assessment and in the rerun none of those malicious files were able to go through.
This exercise gives the business the assurance that now Bob can click on any of the emails he receives as there will most likely be nothing malicious there. And this change in policy and enhanced protection is obviously not limited to just one user (in this case, Bob). It applies to every user who sits behind the same email gateway.
Greg concluded his keynote address with some of the most common use cases of the Cymulate platform:
- The Bake-Off: Cymulate helps businesses evaluate and assess what’s the best platform for their security environment.
- Lateral Movement: It helps you identify what the damage would be if one device gets compromised. Is it limited to that employee’s department, subnet etc. or will it have a larger impact? This will also show you the exact Spreading Methods you’re susceptible to and the Attack methods you’re susceptible to.
- Continuous Security Validation: The platform allows you to assess your control efficacy and protect against immediate threats.
- SOC and SIEM Validation: It enables you to make sure your SOC, Incident Response Teams and Processes are effective.
- Understanding your Attack Surface: It shows you if your digital assets are exposed and what you need to do about it.
- Vulnerability Prioritisation: It helps you make a more efficient vulnerability management process.
- Network Segmentation: It helps you understand if an adversary can move between devices and network segments.
- Identity and Access: It helps you see if your security practices are robust enough.
- Cloud Security: It can enable you to answer questions around the safety of your cloud environment and if it can be breached.
- Mergers and Acquisitions: It is capable of showing you what risks you’ll be exposing yourself to when you acquire a new organisation.
- Cybersecurity Insurance: Significantly, the platform can give evidence to your cyber insurance provider that you are secure and your insurance premium should be reduced.
Greg’s address wasn’t just an opportunity to share what Cymulate’s products do. It was also an eye-opener for many attendees as they gathered an understanding of how their business may not be fully secure yet and what they can do about it. The address was followed by insightful Q&A sessions and discussions around the challenges Greg spoke of and how they can be resolved with greater security assurance.
That, in essence, is the USP of Wisdom of Crowds - the collaborative learning, knowledge sharing and of course the chance to understand the headway that is being made by the industry to thwart the advanced attacker.
Know more about our Wisdom of Crowds events.