We sat down with Michael Orozco, Managing Director and Advisory Services Leader at MorganFranklin Consulting, to discuss cybersecurity best practices for defending against nation-state threats, reducing cyber risk, implementing effective incident response, and more.

How can organizations better protect themselves from evolving threats, such as nation-state attacks? What should they do first or keep in mind?

Nation-state attacks consist of a combination of unlimited resources, technology, ambition, and craftsmanship combined with committed determination to succeed. Plainly stated, if a nation-state is attacking your firm, they will get in and will be successful. Your best strategy is to eliminate the most common attack surface vectors, correct the most common security mistakes, and employ well known tactics to harden your cyber defense. The success of a nation-state attack, like any other attack, often depends upon the notion that common sense is not common practice.

Attackers have a target-rich environment to choose their victims from and can count on common sense not always being a common practice when it comes to cyber defense and hygiene practices. The human element is sure to provide the best and easiest attack surface vector for an exploit. Organizations are most often breached through spear phishing, social engineering, or seeking out common cyber hygiene faults.

Despite the prevalence of potential attackers, expanded vulnerabilities and the continuous need for a secure enterprise, several key factors continue to play a role in determining if an enterprise will be secure and how resilient it will be to an attack.

These best practices include, but are not limited to:

  • The implementation of a Zero Trust approach to provisioning identity and access management, roles and responsibilities, segregation of duties, and privileged access cannot be understated.

    • In contrast to the perimeter-centric threat model, Zero Trust Architecture focuses on data and its inherent qualities. When your data can be anywhere at any time, zonal trust becomes an outdated concept. As such, the focus of your security needs to shift from the perimeter.

    • Micro-segmentation, a key tenet of Zero Trust, implements a more granular level of control within each segment by restricting which resources and services can travel across each segment dynamically. This means that Zero Trust implementations must enhance factors such as user identity, patch status, time of day, application bandwidth, or external event triggers that impact what you are allowed to do and when.

  • The proper use of artificial intelligence (AI) and Machine Learning (ML) based tools and SOAR (Security Orchestration, Automation and Response) run books has a strong impact on improved cybersecurity posture through better threat detection and decreased human error.

    • SOAR enables organizations to employ predefined automated responses and analysis from diverse sources of data and aggregated in vast amounts. This helps to build automated processes to respond to low-level security events and standardize threat detection and remediation procedures resulting in a force multiplier effect in your cyber defense.

  • Security awareness training courses, programs, and campaigns help educate users and empower them to consistently detect and avoid common cyber threats. Bolstering the human-centric impacts to cybersecurity helps to diminish the most prevalent attack risk, human behavior.

    • Training should be completed periodically and continually by all employees. Each member should understand the various real-life examples of behavior that could lead to significant security exposures and vulnerabilities.

    • For example, tabletop exercises can test policies and procedures to ensure that the workflows are up to date, all participants understand their roles and what is expected of them. By emulating these attacks, employees are better equipped in the event of an incident.

  • Improving digital literacy enterprise-wide. All users must understand the possible cyber impacts of their actions. This goes a long way toward constructing security awareness training programs that proactively work to change specific user behaviors. By understanding its needs through baseline testing and planning, organizations can dimmish many of the human risks in cybersecurity.

  • Continuous factor analysis to quantify the risks and resilience of an organization. By implementing factor analysis, organizations will have a practical understanding and measuring of risks to ultimately enable well-informed decision making.

Recent attacks, like the Uber breach, show how employees remain the most accessible path into a company to steal personal data. What are your recommendations to bolster cyber risk posture and reduce employee risk?

I recommend a shift from the strategy of “trust but verify” to “never trust, always verify.”

Zero Trust is a network security model based on a philosophy that no person or device inside or outside of an organization’s network should be granted access to connect to IT systems or services until authenticated and continuously verified.

In the Zero Trust model, users and devices are not trusted to access a resource until their login credentials and access are validated. This process applies to those devices and users that are normally inside a private network, like an employee on a company computer working remotely from home or on a mobile device. It also applies to every person or device outside of that network including those that have third- or fourth-party access to applications or data services.

This model also combines analytics, filtering, and logging to verify behavior and to continually watch for signals of compromise. If a user or device shows signs of acting differently than before, it is taken note of and monitored as a possible threat.

This basic shift in approach defeats many common security threats. Attackers can no longer spend time taking advantage of weaknesses in the perimeter, and then exploiting sensitive data and applications because they made it inside the moat. Now there is no moat. There are just applications and users, each of which must mutually authenticate, and verify authorization before access can occur.

What do organizations need to know to create effective incident response plans?

To be effective, incident response plans depend heavily upon planning and preparation. The question of if an organization will experience an attack but rather when, should be central to preparation of an effective incident response plan.

The following are key policies and procedures for organizations:

  • Employ a program for continuous monitoring and due diligence against attacks that includes actively hunting for indicators of attacks and compromises.

  • Have trained skills, tools, and craftsmanship to be able to stop a breach and then perform forensic analysis to identify weaknesses and exposures.

  • Implement policies and procedures to execute crisis management. These should be rehearsed and tested periodically via tabletop exercises.

  • Identify ongoing and past attacker activity in the environment, while improving the ability to respond effectively to future threats.

  • Retain a qualified objective third-party to assess the ability to effectively detect and respond to evolving cyber-attacks and business-impacting malware, such as ransomware.

What are three best practices for a comprehensive incident response plan? Why is having one so critical?

A well-rehearsed and effective incident response plan can minimize the impact of a breach, reduce regulatory fines, decrease the impact on your clients, and help to restore and get back to business quickly.

Absent an incident response plan, employees must scramble determine next steps, what they are authorized to do, and that’s when big and regrettable mistakes happen.

Three best practices for a comprehensive and effective incident response plan include:

  • Create a playbook for common security incidents and keep it clear and simple to understand.

  • Analyze and learn from security incidents while keeping situational awareness of threat intelligence of what is happening globally.

  • Establish a communication procedure and plan that is known to all participants in the incident response plan, crisis team, leadership, customer service, and legal.

Bonus tip: rehearse, drill, and use third-party professionals to help you test your effectiveness.