On almost a monthly basis, the US Cybersecurity & Infrastructure Security Agency (CISA) publishes advisories about the latest cybersecurity risks, attacks and vulnerabilities to help organizations defend and protect themselves against sophisticated cyber actors. Despite this, on a nearly equal cadence, there’s news of another major cyber breach.
Earlier this year, Change Healthcare, a subsidiary of United Health Group, suffered a ransomware attack that shut down operations, causing nearly $874 million in financial losses and significant disruptions in patient care. As healthcare is a key part of the nation’s critical national infrastructure (CNI), the US federal government, led by HHS, launched an investigation to ensure continuity of operations, protect consumer data, and assist the FBI in identifying the culprits behind the attack.
In the case of Change Healthcare, it transpired that multifactor authentication (MFA) was not required to access a server that contained medical information on up to a third of the American population. This highlights the importance of ensuring that critical systems that contain sensitive data are correctly secured and are prioritized for risk assessments.
Whilst this incident was another blow to a commercial CNI company, the US Department of Defense (DoD) has taken a step towards mitigating such breaches by focusing its cybersecurity efforts on the systems that are both mission critical and most at risk of attack. This reflects a mindset shift from tick-box compliance to operational resilience assessments, represented by the launch of the Cyber Operational Readiness Assessment (CORA) program.
CORA gives the DoD a risk-focused path to operational readiness: it prioritizes reducing the attack surface of the Department's cyber terrain and strengthening security measures where they matter most, so that operations can continue. It is not just about reacting to threats but about anticipating and neutralizing risk before operations are disrupted.
Whether in the DoD or commercially run CNI, one of the most effective ways to enhance the resilience of network infrastructure is to view software vulnerabilities and misconfigurations through the lens of MITRE ATT&CK's Tactics, Techniques, and Procedures (TTPs) and use that view to prioritize remediation workflows. This approach systematically targets and addresses the most exploitable vulnerabilities first, which are often the first points of entry for attackers. But ad hoc risk-focused assessments in and of themselves are not sufficient.
The Importance of Proactive Security
A recent report, Emerging Best Practice in the Use of Proactive Security Solutions, highlights a significant shift in how organizations approach cybersecurity. Over 70% of businesses have increased their investment in proactive cyber defense, outpacing spending on both preventative and reactive strategies. In particular, security-mature organizations are deploying these solutions to improve attack surface management and optimize security controls.
The CORA program aligns with these best practices and is crucial for validating the current, future, and emerging technologies that let organizations continuously monitor their terrain and assess and mitigate their risk. By integrating proactive security solutions that leverage frameworks like MITRE ATT&CK into their tech stacks, organizations can gain real-time visibility into their security posture and stay ahead of potential threats.
Best Practices for Implementing Proactive Security
To effectively implement proactive security, organizations should focus on:
- Prioritizing vulnerability and configuration management. Proactive vulnerability and configuration management (VM/CM) solutions are essential for minimizing attack surfaces. Every device on the network should be assessed regularly, particularly if it’s in a critical segment of the network or protecting Important Business Systems (IBS). However, the research shows many organizations fall short, often only assessing devices monthly or only evaluating a sample of devices. Best practices call for more frequent, automated assessments to identify and mitigate risks in near real-time. Addressing visibility gaps for certain device types, like those exposed by the China-backed Volt Typhoon incident, is also crucial for strengthening critical infrastructure.
- Enhancing continuous monitoring. Continuously monitoring for configuration drift is central to any proactive security strategy. In practice, if it is not automated effectively, continuous monitoring can bury analysts in repetitive data. Enhancing continuous monitoring with proactive assessment capabilities means that changes, which may be indicators of compromise, are assessed in near real time, between scheduled audits, to determine whether they have introduced unintended network risk.
- Integrating exposure monitoring. Automation is key to scaling proactive security efforts and ensuring the organization is working with up-to-the-minute exposure intelligence. High-maturity organizations increasingly use proactive security solutions that overlay misconfiguration data onto attack frameworks like MITRE ATT&CK. This allows for more comprehensive incident discovery and incident response, essential for maintaining an effective security posture.
- Prioritizing remediation with risk-based metrics. CORA emphasizes using risk-based metrics to guide assessments and remediation. Organizations should automate similar practices, using metrics that dynamically analyze exposure to TTPs and prioritize remediation accordingly. This approach ensures the vulnerabilities at greatest risk of exploit are addressed first, reducing overall exposure.
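The four practices above describe one pipeline: detect configuration drift against a baseline, map each misconfiguration to the ATT&CK techniques it exposes, and rank remediation by exposure-weighted risk. The script below is an added illustration of that pipeline and is not Titania's code or any CORA tooling. The baseline and current device snapshots are constructed sample data, the severity weights and exposure multipliers are assumptions made for this example, and only the ATT&CK technique IDs (T1078, T1040, T1021, T1021.004, T1602.001, T1110) are real identifiers.

```python
"""Config-drift detection with ATT&CK-informed remediation ranking.

Added example, not code from the original article. The device snapshots,
severity weights and exposure multipliers are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed golden baseline for a perimeter router (illustrative values).
BASELINE = {
    "mgmt_mfa": "required",
    "telnet": "disabled",
    "ssh_version": "2",
    "snmp_community": "custom",
    "login_attempts_lockout": "5",
}

# Constructed snapshot captured after a change window; three settings drifted.
CURRENT = {
    "mgmt_mfa": "optional",
    "telnet": "enabled",
    "ssh_version": "2",
    "snmp_community": "public",
    "login_attempts_lockout": "5",
}

# Mapping of each setting to the ATT&CK technique IDs it exposes and an
# assumed severity weight (1-10). IDs are real ATT&CK identifiers; the
# weights are this example's assumption, not an official scheme.
TTP_MAP = {
    "mgmt_mfa": (["T1078"], 9),               # Valid Accounts (no MFA)
    "telnet": (["T1040", "T1021"], 8),        # Network Sniffing, Remote Services
    "ssh_version": (["T1021.004"], 6),        # Remote Services: SSH
    "snmp_community": (["T1602.001"], 7),     # Data from Config Repository: SNMP
    "login_attempts_lockout": (["T1110"], 5), # Brute Force
}
DEFAULT_ENTRY = ([], 3)  # unmapped settings still get a low baseline weight


@dataclass
class Finding:
    setting: str
    expected: str
    actual: str
    techniques: list
    score: float


def detect_drift(baseline, current):
    """Return (setting, expected, actual) for every value that left the baseline."""
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key, "<missing>")  # a removed setting is also drift
        if actual != expected:
            drift.append((key, expected, actual))
    return drift


def risk_score(setting, device):
    """Severity weight scaled by the device's exposure (assumed multipliers)."""
    _, severity = TTP_MAP.get(setting, DEFAULT_ENTRY)
    multiplier = 1.0
    if device.get("internet_facing"):
        multiplier *= 2.0   # reachable from outside the perimeter
    if device.get("critical_segment"):
        multiplier *= 1.5   # protects an Important Business System
    return severity * multiplier


def prioritize(baseline, current, device):
    """Drift findings ordered so the highest-risk misconfiguration is fixed first."""
    findings = []
    for setting, expected, actual in detect_drift(baseline, current):
        techniques, _ = TTP_MAP.get(setting, DEFAULT_ENTRY)
        findings.append(Finding(setting, expected, actual, techniques,
                                risk_score(setting, device)))
    findings.sort(key=lambda f: (-f.score, f.setting))
    return findings


if __name__ == "__main__":
    device = {"name": "edge-rtr-01", "internet_facing": True, "critical_segment": True}
    for f in prioritize(BASELINE, CURRENT, device):
        print(f"{f.score:5.1f}  {f.setting:24} {f.expected!r} -> {f.actual!r}  "
              f"ATT&CK: {', '.join(f.techniques)}")
```

Run between scheduled audits against each fresh snapshot, the report changes only when a setting actually drifts, which is what keeps continuous monitoring from flooding analysts with repeat data; the exposure multipliers are where a device's place in the network (internet-facing, critical segment) feeds the ordering, so the same misconfiguration ranks higher on an edge router than on a lab switch.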
Moving Towards a Proactive Security Culture
The shift to proactive security isn't just about technology: it's a strategic overhaul requiring continuous improvement. As organizations adopt these best practices, they must also foster a culture of security awareness and accountability. Employees should understand the importance of proactive measures and be equipped to anticipate and mitigate threats. Research shows that reducing the opportunity for threats (47%) and shortening the time to remediate known vulnerabilities (41%) are top priorities for organizations. These priorities must be brought to action.
Coupling risk-prioritized assessments, as outlined through CORA, with proactive security measures represents a significant evolution in cybersecurity. By investing in security solutions and adhering to best practices, organizations can enhance the operational resilience and readiness of their critical infrastructure. As threats evolve, staying several steps ahead will be crucial to safeguarding operations and ensuring long-term success.
The future of cybersecurity lies in risk-focused, proactive measures that go far beyond prevention and reaction. By continuously improving exposure visibility, leveraging proactive assessment automation, and prioritizing a risk-based approach to remediation, organizations can build and maintain a security posture that addresses current threats and anticipates future risks. A journey towards operational resilience is relentless and ever-changing, but those committed to this security path will be best positioned to thrive in an increasingly challenging cyber landscape.
About the Author
Matt Malarkey is VP, Strategic Alliances at Titania. Matt identifies strategic opportunities and manages relationships with key partners, particularly within regulated industries and the U.S. government.
Prior to joining Titania, he spent six years at the British embassy in Washington, D.C., where he acted as a liaison between the UK government and key stakeholders in the U.S. defense community. Malarkey has also advised U.S. policymakers on national security issues in Russia and the former Soviet Union.
Matt can be reached online at our company website titania.com