Assume Compromise: It's time to change your security mentality

January 20, 2022
Tim Wade
Deputy Chief Technology Officer

With ransomware attacks continuing to dominate media headlines, it’s clear that a security approach centered on prevention no longer suffices. A shift towards an ‘assume compromise’ security approach prepares your business to deal with the intensity and frequency of today’s ransomware attacks. To that end, advanced detection and response capabilities play a crucial role. In this blog, you will also learn why a large British multinational insurance company chose Vectra, Wipro’s Venture Partner, to meet its security needs.

Why preventative controls can be challenging for your business

The proliferation of high-profile cyberattacks in 2021 demonstrates the inherent weakness of a prevention-only mindset to security. In the Colonial Pipeline attack, all it took was a stolen set of credentials for a VPN account to compromise the network. No matter how many preventative controls you have in place, a single point of failure is enough to render those controls ineffective.

Good security hygiene remains vitally important, and preventative controls aren’t obsolete. The point is that it's easy to miss something within the context of a complex IT environment. When an organization lacks any alternative to prevention-focused security, network infiltrations typically result in data breaches or ransomware installations. It’s prudent to strive for a good balance of prevention with detection and response capabilities.

Not only do preventative security controls regularly fail, but relying heavily on them also affects business operations. As organizations deploy more point solutions to prevent different security threats, striking a balance between security and business enablement becomes more challenging. The more disparate, poorly integrated security tools you have in your environment, the harder it is to facilitate regular business operations and user productivity.

Decoding the Assume Compromise approach - the shift from reactive to proactive

‘Assume compromise’ is a security mindset shift that recognizes the limitations of existing security measures in light of modern cyber threats. The approach starts with the assumption that an adversary will manage to find a way into your network environment.

Traditionally, organizations opted for a preventative-based approach to keep intruders out of their networks. Unfortunately, given sufficient motivation, time, and resources, malicious threat actors can circumvent these preventative controls, and they often do so silently.

The change in mindset to assume compromise alters how organizations think about their security challenges. Instead of focusing on preventative controls to keep threat actors out, the focus is on establishing sufficient visibility inside the environment and incorporating advanced detection and response capabilities to mitigate threats that have already bypassed existing controls.

A more modern approach means preparing for when things go wrong and ensuring your organization can do something about it.

Upping your security game with Zero Trust

Zero Trust plays a vital role in an ‘assume compromise’ approach. There are countless examples of ransomware attacks in which bypassing a company’s initial perimeter controls resulted in adversaries getting unrestricted access to corporate resources. As a result, being inside the corporate network is no longer a reason to trust a user or device.

Because it never trusts any user or device by default, the zero trust model continuously verifies user and device identities on the network regardless of their physical locations. Requiring authentication each time a user or device requests access to a different resource mitigates the problem of placing implicit trust in users or devices. The result is that when an attacker inevitably finds a weakness in a preventative control, the lack of default trust limits the scope of what that attacker can do on your network.

An ‘assume compromise’ mentality poses some challenges in educating security practitioners about the realities of a compromise. If security teams start assuming they will get hacked, then a solid grounding in at least the fundamentals of offensive security can go a long way toward helping them internalize this mindset shift.

Securing digital transformation and cloud adoption

Digital transformation and cloud adoption further accelerated due to the Covid-19 pandemic. Small businesses began selling more products and services from websites, and enterprises started to shift more workloads to the cloud to facilitate remote workers and innovate. Ultimately, digital transformation and cloud strategies provide businesses with productivity, cost-efficiency, innovation, and growth. Security practitioners need to enable these transformations more securely.

While seizing these opportunities is undoubtedly a net positive for businesses of all sizes, digital transformation projects are conducive to misconfigurations and carry new (cloud) security monitoring challenges. An ‘assume compromise’ mentality readies security teams for the inevitable changes and risks arising from transforming business processes.

From a security operations perspective, digital transformation strategies call for answering some critical questions, such as:

  • Do you need to move your existing security tools to the cloud?
  • Are your existing security tools sufficient to protect cloud, AI, IoT, and other digital transformation technologies?
  • Can security practices evolve in line with the business to automate and digitize, leading to greater agility and visibility in IT environments from on-premise to the cloud?

Towards a more secure future with advanced detection and response

Today, ransomware operations focus on data exfiltration before encrypting sensitive files and essential systems. Initial compromise followed by lateral movement and privilege escalation through the network defines these threat actors' operations. When it comes to technologies and processes, it’s clear that preventative controls are in place for most businesses, but they’re not enough.

Greater visibility from advanced detection and response capabilities helps achieve proper alignment with an ‘assume compromise’ mentality and stop today’s most dangerous ransomware attacks in their tracks. Cloud infrastructure presents opportunities to scale and automate security processes.

Royal Sun Alliance (RSA) Insurance Group did just that. The general insurance company, headquartered in London, looked at a portfolio of vendors to mature its detection and response capabilities and equip security practitioners to fight back against modern ransomware attacks.

RSA chose Vectra for the following reasons, among others:

  • Ease of deployment — it took just a couple of weeks to deploy Vectra within RSA’s complex multi-location IT environment.
  • Immediate increase in visibility — overnight, RSA’s visibility into what was happening on the network exponentially increased.
  • Intuitive interface — Vectra presents information to security analysts in an intuitive, easy-to-digest way that doesn’t overwhelm security teams in the way that many other monitoring tools do.
  • Security efficiency — Vectra is an intuitive-to-understand and intelligent AI-driven platform. The ease of use enables less experienced analysts to effectively handle many less technical security tasks, while more experienced analysts can dedicate resources to investigating and responding to higher risk or more complex security incidents.

If you are interested in watching the discussion between Nuno Andrade, CISO RSA, John Hermans, Head of Europe Cybersecurity & Risk Services Wipro, Tim Wade, Office of CTO, Technical Director Vectra, and Sacha Rehmat, Director of Global Service Providers & Systems Integrators Vectra AI, you can listen here.