The call to action to strengthen the security architecture and accelerate transformation across organizations in all sectors has never been more pressing.
From the remote work culture spurred by COVID-19 to the specter of broad cyber warfare that could potentially arise from the current conflict in Ukraine, global events are radically changing how both security professionals and corporate leadership view security risk. Add to this the daily challenges security professionals face, including repeated ransomware attacks and easy-to-exploit vulnerabilities in the Apache Log4j open source library used by tens of thousands of software applications. It’s now vital for security professionals to forge stronger partnerships with C-level executives and board members to ensure they are fully informed about how cyber risk impacts the business.
On Wednesday, February 24, 2022, we hosted The Zscaler Virtual CXO Summit: Zero-Day Vulnerabilities and Board Communications. It brought together industry thought leaders to discuss the risks of zero-day exploits and the importance of increased engagement with the C-suite and board of directors in response to accelerating risks threatening enterprises today. Panelists included Zscaler CISO Deepen Desai, Zscaler CISO Americas Sean Cordero, Board Member Andy Brown, and NOV CIO Alex Philips.
Companies are the new front lines
Philips underscored a key point guiding the discussion: cyberspace is the “fifth domain,” joining land, sea, air, and space as the newest theater of warfare. In cyberwarfare, nation-states, criminal organizations, and terrorist groups attack military targets, business assets, and infrastructure. In response, corporate boards must understand the threat and plan accordingly. “In this war,” said Philips, “all our companies are on the front lines—whether we like it or not—because it’s a digital world and there are no boundaries. It is the new reality we have to live with.”
Cordero pointed out that, on February 22, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) released a “Shields Up” post warning all companies, regardless of size, to adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. Cordero paraphrased the post, saying, “Senior management should empower CISOs by including them in the process for managing risk to the company and ensuring that the entire organization understands that security investments are a top priority in the immediate term. Right now, what we’re seeing is an escalation in cyberattacks that place many organizations directly in the sights of attackers. It’s important that we increase our diligence and buttress our organizations for what is very likely to come.”
This is a call to action
“The best thing you can do for your organization is to expose the reality that the way we have done it for the last 25 years is a failure, and it never worked. If it had, we wouldn’t be having this conversation,” Cordero said about the need to shift away from specific technical controls like traditional and even next-generation firewalls that have been in place for years but have proven ineffective. With zero-day vulnerabilities such as Log4j, where bad actors hide their malicious activity inside the Java process and nothing is written to disk, adopting a secure zero trust architecture is now paramount.
Brown noted that 46% of corporate networks incurred intrusion attempts related to Log4j once the vulnerability was made public, and three million attempts to exploit the vulnerability occurred before Christmas of 2021. “It’s time to find solutions to provide us the time and space needed to effectively address and ultimately break free of this very vicious cycle,” affirmed Cordero. “We are seeing that Log4j and similar vulnerabilities have been a catalyst for transforming to zero trust architecture and initiating conversations with the board on the importance of cyber risk and broader investment in cyber security.”
Zero trust is the new cyber insurance
“Cyber insurance used to be the answer,” said Philips. “And insurance is one thing that non-technical people in the boardroom understand.” But, as Brown added, it’s crucial now that the board focuses on ways to avoid ever having to use the insurance. “Mitigation is smarter,” he said—especially now that cyber security insurance policy costs are skyrocketing and insurers are excluding state-sponsored attacks from their coverage.
According to a report that came out last year from HP, state-sponsored attacks doubled in just three years between 2017 and 2020, with businesses being the most common targets.
The financial risks have skyrocketed, which means business leaders, including board members, can no longer rely on insurance to mitigate them. Insurance companies and claimant organizations are in the courts, as more claims are made on policies in the face of increasing attacks. Exclusion clauses for state-sponsored attacks are the norm. Lloyd’s of London issued four model clauses for exclusions from cyber insurance policies.
What’s the answer? Organizations must build their own “insurance” and, therefore, resilience by shifting to a zero trust approach. As Brown suggested, “When I think about what could I do to build insurance with technology so that I don’t have to pull the trigger on cyber insurance or defend against state-sponsored attacks, I would actually use zero trust. Because by reducing the risk surface area, my probability of being attacked is reduced—and that is insurance.”
Four tenets of zero trust
Desai laid out four key objectives for defending against zero-day attacks using a zero trust approach.
- Minimize your external attack surface by reducing the number of assets that connect to the internet. Focus on protecting your business-critical applications, your “crown jewels.” Make it a priority to phase out VPN and other legacy technologies and put all critical assets behind a zero trust infrastructure.
- Prevent compromise by having security controls in place. Adopt a cloud-native, proxy-based architecture with full inspection of SSL-encrypted traffic. With a cloud-native proxy, you can extract payloads from the connection and scan them to block attacks—even if they are delivered over an encrypted channel.
- Prevent lateral threat movement. This can make the difference between a single incident confined to one asset and a company-wide breach. If one asset is compromised, security controls should limit the compromise to that initially targeted asset. Zero trust must rely on user-to-app and app-to-app network micro-segmentation to stop an attack from spreading laterally.
- Prevent data exfiltration by consistently inspecting everything that leaves all your endpoints, as most attacks are after your data. By using full inline proxy-based architecture, nothing valuable should be able to leak out from your environment.
This may sound overwhelming, but it’s a journey that every enterprise must embark upon. If you have a strong architecture in place, you’ll be able to respond effectively and swiftly.
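The first and third tenets above are easiest to see as a policy question: which assets face the internet, and which flows a default-deny policy allows between assets. The following Python is an added illustration written for this post, not Zscaler code and not a product feature; the asset names, the "flat network" policy and the segmented grants are all constructed. It computes the external attack surface from an inventory and the blast radius of a single compromised asset under a flat, VPN-style network versus an explicit user-to-app and app-to-app micro-segmentation policy.

```python
from collections import deque

# Constructed sample inventory (hypothetical asset names). "internet_exposed"
# marks assets that accept connections directly from the internet.
ASSETS = {
    "vpn-gw":     {"internet_exposed": True},
    "web-portal": {"internet_exposed": True},
    "hr-app":     {"internet_exposed": False},
    "erp-db":     {"internet_exposed": False},
    "file-share": {"internet_exposed": False},
    "laptop-a":   {"internet_exposed": False},
}

# Flat, VPN-style network: once on the network, any asset can reach any other.
FLAT_POLICY = {src: {dst for dst in ASSETS if dst != src} for src in ASSETS}

# Micro-segmented zero trust policy (constructed): only the listed
# user-to-app and app-to-app grants exist; every other flow is denied.
SEGMENTED_POLICY = {
    "laptop-a":   {"hr-app", "web-portal"},   # user-to-app grants
    "web-portal": {"erp-db"},                 # app-to-app grant
    "hr-app":     {"erp-db"},                 # app-to-app grant
    "vpn-gw":     set(),
    "erp-db":     set(),
    "file-share": set(),
}


def is_allowed(policy, src, dst):
    """Default-deny: a flow is allowed only if the policy lists it explicitly."""
    return dst in policy.get(src, set())


def blast_radius(policy, compromised):
    """Assets an attacker controlling `compromised` could reach by chaining
    allowed flows (breadth-first search over the policy graph). The starting
    asset itself is excluded from the result."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in policy.get(current, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen


def external_attack_surface(assets):
    """Sorted names of assets that are directly reachable from the internet."""
    return sorted(name for name, attrs in assets.items() if attrs["internet_exposed"])


def remove_exposure(assets, name):
    """Return a copy of the inventory with `name` no longer internet-exposed,
    e.g. after retiring a VPN gateway in favour of a zero trust access path."""
    updated = {k: dict(v) for k, v in assets.items()}
    updated[name]["internet_exposed"] = False
    return updated


if __name__ == "__main__":
    print("exposed now:        ", external_attack_surface(ASSETS))
    print("exposed without VPN:", external_attack_surface(remove_exposure(ASSETS, "vpn-gw")))
    for victim in ("hr-app", "laptop-a", "file-share"):
        print(f"{victim} compromised -> flat: {sorted(blast_radius(FLAT_POLICY, victim))}, "
              f"segmented: {sorted(blast_radius(SEGMENTED_POLICY, victim))}")
```

Under the flat policy a compromised HR application reaches every other asset; under the segmented policy it reaches only the database it was granted, and a compromised file share reaches nothing at all. The same reachability check can be run against a real policy export to show a board, in plain numbers, how much a segmentation change shrinks the worst case.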
What the board expects from you
Log4j has been a significant catalyst for getting organizations to transform to zero trust. Cyber security professionals can initiate this journey by leveraging and communicating what is occurring on the world stage as justification to obtain the resources and support they need to build out this resilient architecture. Convincing proof points continue to stack up to make the case to corporate leadership: Log4j and similar vulnerabilities; the “Shields Up” post from CISA; Biden’s executive order that directly recommends zero trust; the skyrocketing costs of cyber insurance in the last six months; and the statistics on the increasing number of cyberattacks worldwide.
It’s time to forge partnerships. Philips advised, “If you don’t have access today, start. The end goal is that you’re updating on risk. Start with your boss, and see how far up the chain you can go. Enable and empower your executive management team by helping them understand the risk. As the board of directors asks executives the tough questions, they will understand that you’re the expert to present this information to the board.”
Cordero recommended taking a cue from professional marketers: “You want to be front and center as much as possible. Put forth the positives and accomplishments being achieved by a security program while balancing this with the realities of what you are dealing with on a day-to-day basis.”
He also stressed the importance of establishing consistent and frequent communication so that stakeholders know that you and your security team are on top of things. It should be a continuous engagement, not just when there is a crisis. Desai noted that “having a risk committee is extremely important” in that effort and helps establish a vital link between the board and security professionals.
Another tip from Cordero is to adapt your communication to the audience's technical level. “If they don’t understand what we’re saying, it is not their problem, it is our problem,” he asserted. “We must own that and learn better ways to dialogue with them in language that makes sense.”
Brown added that many board members might need an analogy to understand the advantages of zero trust and how legacy architecture is lacking in many areas. Desai laid out a useful one for explaining zero trust in simple terms to non-technical members of the board: “When you have a visitor coming to your office who is trying to attend a meeting in a specific room, you usually authenticate him in the lobby by checking his badge or ID, and he is free to wander around anywhere. With zero trust authentication, the user in the lobby can only be taken to a very specific room where they have business. In the digital world, the user should only be able to use the authorized applications that they have access to and nothing else.”
Desai also highlighted the importance of a detailed crisis management plan for the first 24 hours after an attack. “You need to start somewhere,” he explained. “Having a proper, detailed crisis management plan, touching on operational resiliency, disaster recovery, security incident, and response. At Zscaler, when we see something that has potentially adverse effects on us internally or externally—that could impact our reputation, for example—we trigger the crisis plan and notify everyone, including the board.”
Cordero capped off the event by pointing out that boards can no longer afford to ignore the damage cyber security incidents can potentially inflict on the organizations over which they have fiduciary oversight. He observed that “Cybersecurity incidents have eroded valuations on companies, impacted on P&L, and resulted in the even more damaging loss of customer trust. All these are getting boards to pay more attention to security.”
Ultimately, it is the responsibility of cyber security professionals to ensure that their boards are fully aware of the risks the organization faces so they can be properly supported with the resources needed to operate effectively in these times of cyber warfare. And a zero trust architecture is an indispensable part of any organization’s defense strategy.
NACD Boardtalk: Challenge Everything, Trust Nothing: What Boards Should Know About Zero Trust
The CISO's Gambit podcast: Stopping Log4j with guest Deepen Desai, Zscaler CISO