Applying an offensive approach to cybersecurity

Stay a step ahead of digital ne’er-do-wells with an aggressive attitude toward cyber risks.

“These days, bad guys can get paid just because they have an ID. Another expert could just work on data exfiltration, another can figure out the extortion angle,” says Sam Rehman, CISO at EPAM. “Now we are working against an ecosystem, not just one or two hobbyists.” (Credit: Brocreative/Stock.adobe.com)

Old-school cybersecurity relied primarily on fencing in data, a tactic akin to building a wall around sensitive information and systems and making sure the wall has a strong gate. This perimeter-first model still works to a degree, but as more processes go digital and systems become more interconnected, it is increasingly insufficient on its own.

On top of this, as systems become more integrated, a single successful attack becomes easier for cybercriminals to monetize, according to Sam Rehman, chief information security officer at EPAM.

Noting digital compromises are on a completely different scale today, Rehman tells PropertyCasualty360.com: “In the old days, you would only have three or four gateways into a system. With everything dynamic today, the attack surface is not only huge but constantly changing.”

Further, attackers used to have to be an expert at every step of a cyberattack, from stealing an identity or login, to exfiltrating the data, to negotiating and processing ransoms.

“These days, bad guys can get paid just because they have an ID. Another expert could just work on data exfiltration; another can figure out the extortion,” he says. “Now we are working against an ecosystem, not just one or two hobbyists.”

Taken as a whole, the situation calls for an offensive approach, according to Rehman, who explains that offensive thinking is required to validate and continually strengthen security measures. However, he says a balanced approach with a strong defensive stance is also critical. A third piece of the puzzle is understanding what impact a potential breach could have on the organization; that understanding is what determines which security controls a company should invest in.

Red team, blue team

First, and perhaps most vital, is to set up a red team, or strike team, that will attempt to breach the system, Rehman says, noting that this offensive exercise gives a clearer view of the company's actual security posture than a paper review of its controls.

The next step is to counter the red team with a blue team, or defensive security experts, to monitor the systems, thwart any breaches and uncover gaps in protection.

Finally, both should be aligned with a risk assessment, which should pinpoint the assets that are most important to protect.

“I always start with the digital assets the company cares about the most. That is where you want to put your defense,” he says. “List them all so you can map out what the business impact would be and then build a program around that.”

Both teams should be connected so that any issues the red team uncovers are actually corrected by the blue team. However, Rehman stresses they should not be focused simply on “solving tickets” but rather on having discussions that surface further opportunities to strengthen security controls.
