Unlocking Security Success: The Power of an Adversary-Focused Approach for Organizations

CXOToday has engaged in an exclusive interview with Geoff Swaine, Vice President, APJ, CrowdStrike

1. Why is adopting an adversary-focused approach to security important, and what are the benefits it offers to organizations?

In today’s rapidly evolving threat landscape, security teams are grappling with a number of challenges impacting their ability to protect the business:

  • Teams are overworked and under-resourced while in the midst of a skills shortage.
  • Many have gone through an acceleration of digital transformation, resulting in an expansion of the attack surface adversaries are targeting; this is a particular challenge in cloud environments.
  • They’re trying to protect the business through a complex, multi-layered and disconnected security stack that impacts visibility of threats across the network, while also trying to navigate the silos that typically exist between the IT, DevOps and Security teams.

As a result, security teams are actively looking for approaches to overcome these challenges in order to enhance their effectiveness in combating cybercrime.

One way they can help alleviate some of the pressure on security teams is by shifting from a reactive to a proactive approach to security through the use of intelligence to understand the threat landscape so they can identify how to protect the business from potential threats.

This adversary-focused approach to security offers value in the following five key use cases.

  • Understanding the adversaries that are most likely to target a business allows security teams to fill forensics gaps and improve remediation. By identifying indicators of compromise (IoCs) associated with specific threat actors, analysts and incident response teams can better eradicate threat activity during an attack, even in cases where the forensic evidence may be incomplete.
  • An adversary-focused approach enhances detection and hunting capabilities. Standard security analytic tools can be bypassed by sophisticated threat actors. By knowing individual actor behaviors and attack techniques, security engineering teams can set up more targeted detection rules and effectively conduct threat hunting practices.
  • Prioritizing vulnerability remediation also becomes more effective when considering the actors relevant to an organization. By shortlisting threat actors and understanding which vulnerabilities they leverage, risk teams can better prioritize their efforts and focus on the most critical areas, saving time and preemptively reducing threat risks.
  • An adversary-focused approach helps organizations plan their security strategy. Understanding the motives and tactics of adversaries allows security teams to define their true risk posture and make informed decisions on implementing new controls, training needs, and conducting targeted red and blue team exercises.
  • Breaking down silos within security organizations is facilitated by an adversary-focused approach. Instead of focusing on specific tools or small-team objectives, the entire security organization can align their actions and communication around specific adversaries. This common language and orientation enhances the effectiveness of security efforts, enabling proactive and reactive defenders to work together more efficiently.

2. With the growing complexity of security approaches in organizations, how can consolidation of security tools simplify their overall security posture?

Cybersecurity is a huge challenge for organizations today. As cyberattacks become increasingly sophisticated, they have begun to bypass traditional malware detection measures, rendering signature-based technologies obsolete in the face of new threats. The attack surface for cyber-criminals to target has expanded as cloud integration continues to increase across business environments.

Compounding this challenge are new attack vectors exploiting the interconnectedness of digital systems. Cyber-attacks driven by the ALPHV/Blackcat Ransomware-as-a-Service model and the MOVEit transfer exploit as well as recent supply chain attacks have underscored the urgent need for consolidation to mitigate adversaries’ exploitation of organizational vulnerabilities. Adversaries are getting quicker at moving laterally within a system; in 2022, the average breakout time was just 84 minutes, down from 98 minutes in 2021.

The need for simplifying cybersecurity and key considerations for a successful consolidation

One of the biggest challenges that organizations face when it comes to cybersecurity is complexity. Having multiple layers of security within organizations and isolated security data and systems can often lead to blind spots. We’re seeing many different layers of security being deployed by enterprises today meaning that organizations rely on multiple sources of data for their security operations. This can lead to several challenges, including blind spots in the environment, difficulty managing security operations, and slower detection and response times. Clearly, more solutions do not translate into better protection.

To address these challenges, it is important to simplify security in an organization’s environment and take more of a platform approach. This means focusing on the smaller details that help to make security more manageable. When undergoing a consolidation, the key objective businesses should strive for is complete visibility; ensuring data can flow easily between security domains is critical to tracking adversary paths.

For example, having a comprehensive XDR platform that can ingest data, sustain it, and maintain it is one way to lower the burden on security teams, reduce operational costs, and provide greater visibility across the network. This allows security teams to respond faster and more effectively to attacks.

By taking a holistic approach, adopting a single platform and considering the broader implications and costs associated with security solutions, organizations can make more informed and cost-effective decisions to align with their overall goals and resources. Modern cybercrime requires a modern defense, and a “less is more” approach is the key to mitigating an attack before it is too late.

3. What proactive measures can organizations take to defend against adversaries and stay ahead of evolving threats?

Adversaries, such as cybercriminals, hackers, and nation-state actors, are becoming more sophisticated, persistent, and organized in their efforts to breach the security defenses of companies and government entities. CrowdStrike Intelligence observed a significant increase in access broker activity throughout 2022, with over 2,500 identified advertisements – a 112% jump from 2021. According to CrowdStrike’s 2023 Global Threat Report, 71% of all attacks are malware-free, up from 62% in 2021.

This escalating threat environment necessitates robust cloud-native security solutions that enable comprehensive visibility and protection across different environments, including on-premises and cloud infrastructure, effectively detecting, mitigating, and responding to these adversaries quickly. With timely intervention and clear visibility across the threat landscape, organizations can effectively defend against adversaries. To do this, businesses in India should adopt an integrated, comprehensive approach to protect endpoints, identities and cloud environments by investing in advanced cybersecurity solutions.

Understanding the motivations, techniques, and tactics of threat actors is also essential for building effective defense strategies. Therefore, investing in threat intelligence programs as well as human threat hunting can provide insights into the evolving threat landscape, enabling informed decision-making, prioritization of security investments, and overall improvement in cybersecurity posture. In addition, employee training and awareness programs should be put in place to ensure that employees understand the importance of cybersecurity. With social engineering, phishing techniques and credential harvesting key parts of the adversary armory, having an employee-wide focus on how to protect identities is critical. In fact, CrowdStrike reported 80% of cyberattacks now leverage stolen or compromised credentials.

4. How does CrowdStrike’s adversary-focused platform provide organizations with full visibility into attack paths, enabling effective defense strategies?

With 25% of attacks originating from unmanaged hosts like contractor laptops, rogue systems, legacy applications/protocols or parts of the supply chain where organizations have no visibility or control, adversaries are able to find easy wins against traditional security solutions.

The inability to detect the adversary combined with rapid breakout time leads to higher success rates for ransomware, data exfiltration and cyber-attacks. All of this points to a significant issue for businesses: the likelihood of a business getting attacked is much higher than it ever has been. As organizations become more complex and their attack surface grows, the risks to the business increase. Unified endpoint, cloud and identity protection is therefore a key security strategy to adopt.

To be proactive against modern attacks, you need an adversary-focused security solution that unifies world-class endpoint and real-time identity protection to cover all aspects of an adversary’s toolkit – from exploitation, malware delivery and fileless attacks, all the way through to stolen credentials or compromised identities.

The CrowdStrike Falcon® platform delivers complete protection and comprehensive visibility across the most critical areas of enterprise risk: endpoints, workloads, data, and identity. By unifying industry-leading endpoint security with native identity protection, delivered through a single lightweight agent, CrowdStrike’s Falcon platform helps stop the full attack lifecycle – whether an adversary is attempting to use exploits, malware, fileless attacks or stolen credentials.

For the third consecutive time, IDC has recently ranked CrowdStrike #1 in worldwide modern endpoint security market share. Customers leverage the CrowdStrike Falcon platform to consolidate their security stack and save on operational costs. They want to easily and cost-effectively protect the broader attack surface, benefiting from a solution that adapts and continuously evolves to its environment with AI and ML processing beginning on the sensor and dynamic communication with the CrowdStrike Security Cloud.

5. What are the business benefits of selecting the right cybersecurity solutions and what factors should organizations consider when choosing such solutions?

Selecting the right cybersecurity solutions can provide several key business benefits and help organizations effectively protect their assets in the face of evolving threats. Below are some business benefits and factors that organizations should consider when choosing cybersecurity solutions.

  • Security efficacy: The primary benefit of selecting the right cybersecurity solutions is improved security efficacy. A robust and comprehensive cybersecurity solution is designed to effectively detect, prevent, and respond to a wide range of cyber threats. By implementing a solution that “just works,” organizations can significantly enhance their ability to identify and mitigate risks, minimizing the likelihood of successful attacks.
  • Operational efficiency: Choosing the right cybersecurity solutions can streamline security operations and optimize resource allocation. By consolidating multiple security tools into a unified platform or selecting integrated solutions, organizations can simplify management and reduce complexity. This shift allows security teams to focus on higher-value tasks, such as proactive threat hunting and incident response, rather than spending time managing disparate tools and processes.
  • Cost benefits: Investing in the right cybersecurity solutions can lead to cost savings in several ways. By effectively mitigating security risks, organizations can avoid the financial fallout of potential data breaches, regulatory penalties, and business disruptions. Additionally, optimized security operations and reduced tool sprawl can result in operational cost savings and increased staff efficiency. By protecting their reputation and maintaining customer trust, organizations can avoid the long-term financial damage associated with the fallout of a successful cyberattack.

When selecting cybersecurity solutions, organizations should consider several factors such as threat coverage, scalability and flexibility of the solution, usability, ease of deployment, user interface, vendor experience, reputation and compliance requirements to ensure comprehensive protection against modern threats and long-term resilience in the face of evolving cyber risks.

6. Why is continuous monitoring and threat intelligence crucial for organizations to proactively mitigate evolving security risks? What are some of the best practices of threat intel?

The effect of cyberattacks, including ransomware incidents, can be severe and can have a devastating impact on organizations, their customers, and critical infrastructure or supply chains. Organizations face financial losses, reputational damage, disruption of operations, compromised customer data, and even potential risks to public safety. To effectively mitigate these risks, they must leverage threat intelligence to proactively identify and assess emerging threats. Threat intelligence plays a crucial role in mapping current and potential cyber threats, identifying bad actors, and understanding their tactics. Armed with this knowledge, organizations can enhance their defensive measures and respond effectively to cyberattacks.

Understanding threat intelligence

Threat intelligence focuses on the collection and analysis of information about current and potential cyberattacks that threaten the safety of an organization or its assets. It is designed to help people better understand what a threat is, what kind of attacks are taking place and what the threat landscape looks like.

Threat intelligence is a proactive security measure that prevents data breaches thus protecting the organization from financial, productivity or reputational damage. Its purpose is to give companies an in-depth understanding of the threats that pose the greatest risk to their infrastructure and tell them what they can do to protect their business.

Threat Intelligence is a key component of CrowdStrike’s effective approach. Organizations must have consumable intelligence so that they can understand the adversary, learn from attacks and take action on indicators to improve their overall defenses.

Some of the best practices of threat intelligence are:

  • Continuous monitoring of threat activities: Organizations need to collect threat intelligence continuously so that the IT and security teams stay up to date on potential threats and can adopt a more proactive approach.
  • Gradual implementation: The best practice is taking the threat intelligence program slowly and making sure that you are only consuming intelligence at the speed at which your organization is capable of consuming it. Don’t go too fast; otherwise, it is going to potentially cause unnecessary disruptions.
  • Create an incident response plan: After successful identification of a threat and based on intelligence, organizations need to build an incident response plan, and it should be included in the threat intelligence program to clearly define the next steps to be taken to mitigate threats.
  • Automation of threat intelligence implementation: Automating threat intelligence allows data to be scrutinized efficiently and accurately, which helps the IT and security teams focus on higher-priority tasks and determine the most appropriate response to the intelligence information that is gathered.