Since publishing the ESG Research Report, U.S. Advanced Persistent Threat Analysis, I’ve been asked one question over and over: How can large organizations protect themselves against APTs?
Good question, but I find that most people who ask me this are expecting a simple answer. This attitude may have historical roots: Want to get rid of pesky spam emails? Buy a spam filter. Unfortunately, there is no magic bullet here, so don’t believe any vendor who tells you otherwise.
The difficult thing about APTs is that they exploit employee knowledge gaps, process weaknesses, and technology vulnerabilities in random combinations. Patient, well-resourced, and highly skilled adversaries take their time to figure out where we are most vulnerable and then use this knowledge as a weapon against us. You could do 99 things right; the bad guys will find and leverage the 1 thing you do wrong.
So this leads me back to the original question: How can large organizations protect themselves against APTs? One way to answer this is by looking at the segmentation model that ESG developed as part of its APT research. ESG developed a scoring system that segmented the APT survey respondents into three types of organizations: most prepared for APTs (21% of the total survey population), somewhat prepared for APTs (43% of the total survey population), and poorly prepared for APTs (36% of the total survey population). Using this segmentation model, ESG then looked at some of the characteristics of the 21% classified as most prepared for APTs.
Think of these attributes as best practices. In order to protect themselves, organizations most prepared for APTs have:
1. A strong culture of security awareness as part of IT and business processes. In other words, security is “baked-in” rather than “layered-on.” They also do a lot of proactive security training.
2. Deep knowledge about the threat landscape. These organizations keep on top of current attack methods and vectors.
3. A commitment to risk management. These firms understand risks as they relate to specific high-value IT assets and the business processes supported by these IT assets. As a result, they harden IT assets as standard procedure.
4. Knowledge about their sensitive data. They generally know where it is, who has access to it, and what they do with it. Admittedly, this is very difficult to maintain.
5. Strong security controls, from the network to the application layer. These firms are also very good at limiting user access to what users actually need and at monitoring user behavior.
6. Continuous improvement for incident response. Organizations most prepared for APTs know that even the best controls won’t prevent an accidental or malicious security breach. They therefore invest in people, process, and technology for incident response and regularly measure their performance here.
7. Strong security oversight. CISOs want to know the organization’s security posture at all times so they are big on central analysis and reporting. They tend to use a lot of metrics as well.
One other thing to note: organizations most prepared for APTs are also the most paranoid. They actively look for things they missed or hire third parties to do so. Under these conditions, it is probably not surprising that these firms are also increasing their cybersecurity budgets on a regular basis.
I realize this is a high-level summary – I could write volumes on each one of these 7 areas myself. Nevertheless, these best practices provide a model so that less prepared organizations have some type of guidance on which areas of their own security they should assess. I hope it is useful and I am happy to shed more light on any or all areas.