Leo Taddeo, a former FBI Special Agent in Charge of the Special Operations/Cyber Division at the New York Office and current Chief Information Security Officer for Cyxtera, argues that the approach to cybersecurity needs to change:
“Organizations must deal with the fact that adversaries are always one step ahead. Attackers only need to be successful once; defenders must stop them every time. The scales are overwhelming tipped in favor of the bad guys. To change the dynamics, we must take a fresh look at our defensive and offensive security posture.
Enterprises have spent a lot of time and money building protective walls around their networks but with ever-diminishing results. Today’s IT infrastructure is everywhere: on-premise, private clouds, and public clouds. Instead of defending the network perimeter, we must shift focus to securing user access to resources.
This can be accomplished using a modern security approach like that offered by a Software-Defined Perimeter (SDP) solution. SDP dynamically creates a one-to-one connection between the user and the network resources they are entitled to see. Policies are applied in real-time based on the security context presented when the user is requesting access. By limiting access, the attack surface is significantly reduced.
Along with a robust defense like that offered by SDP, security teams must gain offensive insights into how far an attacker can run with a vulnerability. Most organizations don’t have the internal resources to go the extra mile here. An alternative is to engage with an offensive-oriented cybersecurity firm that offers specialized attack and assessment services, including penetration testing, application assessments, vulnerability analysis, reverse engineering, and a review of architecture and source code. Remember, an attacker only needs to be successful once; defenders must stop them every time.
Adopting the mindset of the adversary is essential. Only then can you gain a realistic picture of your organization’s exposure, which enables you to effectively mitigate risk. The last piece of advice is this: Don’t be afraid of what you find. Uncovering vulnerabilities is not an indictment on the security program, rather, it’s an opportunity to change the trajectory of the attackers’ first advantage.”