Cybersecurity and IT Security are NOT the same thing
Cybersecurity isn’t about one threat or one firewall issue on one computer. It’s about getting a bigger perspective on what’s going on in an IT environment.
To keep your company safe from attackers you must look at more than the technical issue of having the right defensive technologies in place. That is practicing IT security, which is still needed but doesn’t address what happens after the attackers infiltrate your organization, and trust me, they will, despite your best efforts to keep them out.
Security teams, business executives and corporate boards need to realize that IT security will not help them once attackers are inside the network. Once this happens, cybersecurity is required.
In cybersecurity, the defenders know that motivated and creative adversaries are launching sophisticated attacks. There’s also the knowledge that when software is used as a weapon, building stronger defenses may not necessarily keep the bad guys out. To the attackers, each additional defensive measure is one more piece of software to probe for weak spots and a potential way into a network. In some cases, the more sophisticated things are, the more prone they are to primitive attacks.
This goes against the fundamental principle in IT security of erecting multiple defensive layers around what you’re trying to protect. By separating what you’re trying to protect from the outside world, you are, in theory, keeping it safe. While this works in physical security, it doesn’t work when you’re facing enemies who need to be successful just once to carry out their mission, whereas defenders need to catch every attack, every time. This statement is not a knock against antivirus software, firewalls and other defensive technologies; they’re still needed in conjunction with cybersecurity.
IT security and cybersecurity also differ on what action to take after an attacker breaks through your defenses. In IT security, when a problem is detected on one computer, it’s considered an isolated incident and the impact is limited to that machine.
Here’s how that scenario typically plays out: malware is discovered on the controller’s computer, for example. An IT administrator, or maybe a junior security analyst, removes the machine from the network and perhaps re-images it. Maybe there’s an investigation into how the computer was infected, and a misconfigured firewall is identified as the culprit. So the firewall configuration is changed, the threat is neutralized, the problem is solved, and a ticket is closed. In IT security, where the quick resolution of an incident is required, this equals success.
Now, here’s how that same incident would be handled from a cybersecurity perspective. The team looking into the incident wouldn’t assume the malware infection is limited to one computer. And they wouldn’t be so quick to wipe the machine clean. They may let the malware run for a bit to see where it phones home and how it acts.
Most important, the incident wouldn’t be seen as a random, one-off event. When you apply a cybersecurity lens to incidents, the belief is that every incident is part of a larger, complex attack with a far more ambitious goal than infecting machines with malware. If you close a ticket without asking how this incident is linked to others (remember, attacks have many components and adversaries commonly carry out lateral movement) or where else attackers could have gained a foothold, you’re not doing your job.
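The pivot described above, from one infected machine to the hosts it is linked with, can be made mechanical. The following is an added example, not code from the original article: it scopes an incident over a constructed, hypothetical set of DNS and remote-logon events by finding other hosts that resolved the same domains as the seed machine (a possible shared command-and-control channel) and following remote logons out of the seed machine to see where the attacker may have moved laterally. All host names, domains and the `KNOWN_GOOD` allowlist are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events, not real data. Tuple: (timestamp, host, event_type, detail)
# event_type "dns"  -> detail is the domain the host resolved
# event_type "logon"-> detail is the remote host that was logged on to from this host
EVENTS = [
    ("2024-05-01T09:01", "FIN-CTRL-01", "dns",   "update-check.example-bad.test"),
    ("2024-05-01T09:02", "FIN-CTRL-01", "dns",   "www.example.com"),
    ("2024-05-01T09:05", "HR-WS-07",    "dns",   "update-check.example-bad.test"),
    ("2024-05-01T09:20", "FIN-CTRL-01", "logon", "FILE-SRV-02"),  # remote logon from seed box
    ("2024-05-01T09:25", "FILE-SRV-02", "logon", "DC-01"),        # and onward from there
    ("2024-05-01T10:00", "ENG-WS-03",   "dns",   "www.example.com"),
]
SEED_HOST = "FIN-CTRL-01"                       # machine where the malware was found
KNOWN_GOOD = frozenset({"www.example.com"})     # hypothetical allowlist of benign domains

def domains_for(events, host):
    """All domains a given host resolved."""
    return {d for _, h, t, d in events if h == host and t == "dns"}

def peers_via_domain(events, seed_host, ignore):
    """Map domain -> other hosts that resolved the same domains as the seed host."""
    seed_domains = domains_for(events, seed_host) - set(ignore)
    peers = defaultdict(set)
    for _, h, t, d in events:
        if t == "dns" and h != seed_host and d in seed_domains:
            peers[d].add(h)
    return dict(peers)

def lateral_chain(events, seed_host):
    """Hosts reachable from the seed host by following remote logons transitively."""
    edges = defaultdict(set)
    for _, src, t, dst in events:
        if t == "logon":
            edges[src].add(dst)
    seen, stack = set(), [seed_host]
    while stack:                                # depth-first walk over the logon graph
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def scope_incident(events, seed_host, known_good=KNOWN_GOOD):
    """Widen a single-host finding to every host linked by shared domains or logons."""
    shared = peers_via_domain(events, seed_host, known_good)
    moved = lateral_chain(events, seed_host)
    affected = {seed_host} | moved | {h for hosts in shared.values() for h in hosts}
    return {"shared_domains": shared, "lateral_movement": moved, "affected_hosts": affected}
```

Re-imaging only `FIN-CTRL-01` would leave `HR-WS-07`, `FILE-SRV-02` and `DC-01` untouched; without the allowlist the shared-domain check would also pull in `ENG-WS-03` through the benign domain, which is why the allowlist is passed in rather than hard-coded into the matching.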
Practicing cybersecurity begins with security teams changing their mindset around how they handle threats. They need to be encouraged to spend time looking for a full-blown attack in their environment. They also need to understand that cybersecurity isn’t about one threat or one firewall issue on one computer.
This approach is a departure from how most organizations handle security. It also can’t be learned in classrooms or professional development courses; when it comes to figuring out cybersecurity, experience is the best teacher. You must start by asking questions about the incident: Why was this attack vector used? Are there any strange activities occurring elsewhere in the IT environment? Why would attackers target our organization?
It’s this big picture thinking that separates cybersecurity from IT security. And it is big picture thinking that will help companies detect and stop adversaries after they make their way into an organization.
If you would like to discuss this topic further, or see how DNV can help with cybersecurity issues in your organization, please contact Craig Reeds at craig.reeds@dnvgl.com or 480-524-4840.