This article originally appeared in Forbes and is reprinted by permission.
DXC manages mission-critical systems for thousands of large organizations worldwide, giving the company a large lens for understanding cyberattacks and how they occur. Quite often, the biggest enemy is the enemy within: highly complex, poorly implemented or poorly maintained IT environments. In this article, DXC’s Security President Mark Hughes notes that IT environments become less secure as services and connectivity ramp up.
1. Understand your IT environment
Cybercriminals are opportunistic. They typically use known malware and look for known vulnerabilities within your environment. Yet many organizations defending against ransomware and other critical threats are not aware of the external exposure they face.
Most organizations assume they have good security control frameworks in place, but they trip up by failing to patch known vulnerabilities or to make required changes to configurations. First and foremost, you’ve got to get the security basics right.
2. Focus on who can access your systems
An attack always begins with an initial ingress point, and quite often it starts with one of your own employees or even a contractor clicking on a phishing email. Spear-phishing — the targeting of users with an email from a known or trusted sender — is more common these days and can be very effective in skirting access controls. Attackers may begin with low-level access, but once they gain a foothold, they can harvest more credentials and use those to move laterally within your environment.
In large enterprises, security teams are often far removed from provisioning decisions about which employees, contractors and subcontractors need access to systems. This can lead to unforeseen access control issues. Unfortunately, many organizations don’t necessarily understand who has access to what — or what has access to what. The good news is that provisioning access to your environment is entirely within your own control, and tools such as multifactor authentication can help prevent unauthorized access.
3. Assess the risk posed by third-party software
Just as outside contractors pose threats, third-party software also can introduce vulnerabilities. From a threat actor’s point of view, if you can exploit a vulnerability inside a piece of software that is ubiquitously used across many organizations, then that one-to-many approach becomes an efficient way to gain numerous footholds. This type of threat is surfacing with increasing frequency in all types of software — from core ERP systems to ancillary open-source products.
Given the pervasive nature of third-party software and SaaS in enterprises, this is an area that will continue to add complexity and put an ever-greater onus on organizations to understand what they are running and the risks associated with it. Be very deliberate about knowing the risks that third-party software may be introducing to your environment and how well the software is maintained. This is why reliable threat intelligence is so crucial to the success of security programs.
4. Embed security into business transformation
Most organizations today are going through massive transformational change, whether by moving on-premises assets to cloud, supporting virtual-first workplaces or adopting new business models around digital services. In many cases, these changes are creating more complex hybrid IT environments that are harder to defend. There’s nothing wrong with well-designed cloud and hybrid IT environments, but the problem I see is that many organizations are trying to operate the same way as before, with the security team far removed from key decisions.
Security obviously offers an important check and balance on IT, but security professionals are in separate organizations and often lack the context of who really needs access to new systems or how outsourcing partners are operating within the environment. By embedding security into transformation initiatives, security teams can apply controls in a more seamless and collaborative way and, importantly, better understand the context of the signals their security tools are sending back.
5. Simplify your tool set for a more secure future
Over the years, enterprises have become inundated with security tools: endpoint protection, monitoring, network firewalls, data-loss prevention, cloud security, vulnerability management and anti-malware — to name a few. Not only do large organizations have more complex IT environments, they also have security tool sets that are growing in complexity. While the best-of-breed approach may make sense, the big questions are: Do your tools operate with each other? Do they help you focus on what’s important, or are they just creating more noise? Can you act on what they are telling you?
Looking ahead, the best answer for many organizations may be to simplify security tools. Cloud providers such as Microsoft, AWS and others have made great strides in platform-native security controls. Microsoft is investing $20 billion in its integrated security tools over the next five years. In fact, a single Microsoft license can replace up to 26 siloed security tools. This trend toward simplification will help organizations avoid the friction of deploying tools, optimize investments and overcome the enemy within.