Flip the Script: Let the Attackers "Win"

No offense, but we think virtually everyone is doing it wrong… information security that is, and specifically data security.

Or rather, we think the way most organizations go about prioritizing their limited financial and human resources — and more importantly, their limited time and attention — is backwards.

Permit me to explain.

Many organizations are stuck in a futile “threat-vulnerability-attack-risk-countermeasure” cycle. As an industry, we’ve literally transposed the phrase “cyber security” over “information security” — and assumed (at best) that the two were equally important, and at worst, that Internet-borne bad actors and attacks deserved the lion’s share of our attention.

They are not equally important.

After almost 17 years helping organizations mature their data risk management initiatives, we remain more convinced than ever that there are only two asset classes worth your strategic focus: 1) data and 2) people. And, that all other assets fall somewhere on a continuum of “not worth protecting” to “reasonable best effort protection” (after prioritizing data and people, that is).

Everything else is an operational detail, a piece of blurry background scenery in a movie scene where data and people are in sharp focus.

Resilience is the New Black

What does a sustainable data- and people-centric focus look like in 2022? Resilience.

In this more enlightened worldview, we have a clear, prescriptive, and mature posture, where attack prevention isn’t as important (or urgent) because the objects of those attacks are known, understood, classified, backed up, secured/protected, recoverable, and restorable. And, in the case of people, trained.

And those other assets, like applications, networks, devices, endpoints, cloud workloads, structured data facilities, perimeters, etc.? We can down-prioritize them, as operationally critical assets — but not STRATEGICALLY critical assets — and alter their protection schemes accordingly.

I said to a customer once: “In the castle, we don’t protect the crown jewels or the Queen’s life like we protect the pots-and-pans in the kitchen. Not to say cooking dinner isn’t important, but it’s not an existential dilemma if we skip it.”

Why are we trying to protect every operational system, device, and application as though it were life-and-death? Some assets are worth leaning into, getting to know in a meaningful and sustainable way.

The other stuff? It may show up on an asset report, but if you’ve prioritized data and implemented controls correctly, its individual (or collective) compromise shouldn’t impact your organization.

In other words, let the attackers have them — you don’t need them.

The Scourge of Ransomware

An example I give to healthcare clients concerns the ransomware attacks that brought multiple hospitals and providers to their knees in 2020 and 2021. These attacks typically started with attackers securing a network foothold (often via phishing), then reaching laterally across the network to cripple the availability of clinical, registration, or other systems by encrypting the primary application data stores (as opposed to the application stack or infrastructure layer itself).

Once “locked up”, these hospitals had a choice that wasn’t really a choice at all: pay to have their data back, or go through the laborious, costly, and slow process of rolling back to a previously known good state. If they could figure out what that was.

All roads lead back to this “good version” of data for healthcare organizations, and a simple question:

Is our data healthy, and can our people access it?

Flip the Script

The issue is that many, if not all, of these healthcare organizations hadn’t done the upfront data risk assessment and preparation work needed to make rapid response decisions in the moment. They spent precious hours and days figuring out what had happened, to which systems, and who had been affected… and only once all that information was collected did they finally discuss the important questions:

  • How should we react to this?
  • How difficult will it be to roll back?
  • What do we do in the meantime?
  • Should we pay the ransom?

Meanwhile, their operations either ground to a complete halt, or reverted to some pre-Computing Age version of themselves. Costs piled up, reputations suffered, but most importantly: patients were not able to receive the level and quality of care they needed and deserved.

Instead, they could have been executing a series of pre-defined actions.

Frame the Work

You need to frame out this work to have a reasonable chance of success. However, most existing frameworks are cyber-, infrastructure-, or network security focused.

Our DataRAMP (née Data Risk Management Framework) sets up an organization to make deeply informed, thoroughly considered, comprehensive, prescriptive, ongoing, program-centric governance and risk management decisions about data risk: what data they MUST have, along with the why, when, how, for whom, and during-what-sorts-of-situations considerations.

DataRAMP evaluations are used to build out decisioning into roles and responsibilities, a tech stack, data protection controls, correct configurations, operational playbooks, and disaster recovery “break-the-glass” procedures, among other support scaffolding.

And then we practice it, as though it were an order to “battle stations” on a ship at sea. Because that is what it is: wartime preparedness training guided by a clear strategic vision and consensus approval from executive stakeholders.

After adopting this model, this mindset, and employing DataRAMP correctly, when organizations are next caught up in a ransomware attack – which we all know they will be, perhaps many times in the future – the process of restoring data, and access, will be orders of magnitude faster and less painful than it was before.

They can get back to that “last known good state” in record time.

Ultimately, it makes avoiding attacks less important (which is good, because we can’t win that battle no matter how hard we try) and focuses efforts where they can have the greatest effect.

Sean Steele is a co-founder and managing partner at Infolock.
