Ransomware attacks are on the rise and as adversaries mount more sophisticated attacks, government and private institutions need to advance their cyber strategies as well in order to not become easy targets.
That was one of the main takeaways from private and public sector cybersecurity experts at MeriTalk’s Curbing the Flow of Ransomware: Real or Pipe Dream event on August 12. Experts agreed institutions need to have new and more sophisticated approaches to cybersecurity amid rising ransomware attacks – whether that be through exploring new security solutions, increasing private and public sector collaboration, or shifting the culture within organizations to embrace cybersecurity more tightly.
“A new era of ransomware is upon us, and the problem isn’t that the institutions have changed. The problem is the institutions haven’t changed,” Mark Bowling, vice president of security response services at ExtraHop said during the event. “They have not evolved in the same way that the threat actors have evolved, so the threat actors have evolved in scope and sophistication.”
“Targets are only as easy as they allow themselves to be,” he added. “Being an easy target is what I call the negligent choice, being an attractive target is the consequence of being successful, and all of the businesses out there want to be successful.”
But how does an organization become more successful in mitigating ransomware attacks? The answer is complicated, as there are many ways to get to that goal. Bob Tafoya, global practice lead for critical infrastructure and industrial IoT at Juniper Networks, said institutions need a sophisticated approach that “goes beyond fortifying perimeters and patching systems like we used to do.”
“I think there’s value to be gained in exploration, at a minimum, of automation-forward solutions,” Tafoya suggested. “Things like software-defined controllers that maintain real-time inventories of network resources, standards-based service models to define and create communication templates, and powerful workflow engines that automate and instantiate communications, without deploying human resources into the field for assessment and implementation.”
Tafoya said institutions need to “lock-in long term troubleshooting” in order to reduce “human error and inconsistency.” However, Tafoya also acknowledged that agencies need to be ever-changing in their approach, and that these solutions will need to adapt as cyberattacks grow in sophistication.
“You can’t be static, those days are long gone, you have to be ever-changing ever-adapting, and certainly, the adversaries are,” Bryan Rosensteel, Federal solutions architect at Ping Identity, said, agreeing with Tafoya. “You have to make sure you’re ever-adapting, ever-changing, ever having a strategy – that you’re not complacent.”
Jennifer Pedersen, senior technical advisor for the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center, leads strategic risk reduction activities in the critical infrastructure space and said the United States has entered “a new inning” of ransomware attacks, one that “needs a new approach.”
According to Pedersen, CISA is currently working in collaboration with the National Institute of Standards and Technology (NIST) to develop cross-sector performance goals for control systems as part of the White House’s National Security Memorandum released on July 28.
Pedersen said this is “such an exciting project to work on” because it will allow for more consistency in cybersecurity requirements across both the private and public sectors. What’s more, these goals will be available by the end of September, Pedersen said.
“We’re going to have these cross-cutting control systems performance goals by the end of September, which is a really quick turn, but then for each sector, we’re going to have sector-specific cybersecurity goals,” she said. “It’s going to force us to get together with the sector partners, or the private sector partners, and talk about what good really looks like in each of these environments – in a way that’s actionable and can really drive change.”
In addition to increased collaboration, Pedersen also stressed that organizations need to undergo a culture shift to get every employee informed of the threat environment, and to feel an urgency to “contribute to the cybersecurity” of their organization.
“Every single person in each organization is going to feel that it’s their duty to their job, to the organization, and to their nation, to be a part in stamping out this and doing whatever they can,” she said. “When we get that culture shift, I think is where we can see real change.”