Need to look beyond security controls to avoid large costly breaches

Security controls alone, even when well managed, are not enough to protect a company from cyber criminals. Seeing the threat from the cyber attacker’s point of view is key to bolstering risk prevention efforts before the large breach. It’s no different than how we approach sports matches.

 

Multi-factor authentication not enough

 

Multi-factor authentication (MFA) is one of the security controls that help keep a company safe from cyber attackers, but the recent Cisco Talos Incident Response Report found that MFA circumvention was an issue in around 50% of all security incidents Cisco Talos dealt with in Q1 of 2024.

 

The report comes on the heels of the breach of cloud-based data warehouse vendor Snowflake earlier this year, which has reportedly led to additional breaches of corporate information at around 100 of its customers through credential theft and MFA circumvention.

 

More and more, attackers are circumventing controls, including MFA, with cyber security consultants Mandiant reporting “an increase in compromises against cloud-based identities configured with multi-factor authentication”.

 

As the use of MFA becomes more common, attackers are learning how to get round the system, including by using web proxy or adversary-in-the-middle (AiTM) phishing pages to steal sensitive login session tokens.

 

The cyber insurance market has rightly pointed to improving security controls as a necessary step towards better cyber protection and strengthened resilience in the face of attacks. Underwriters say requiring insureds to adopt MFA is one reason loss ratios have improved in the past couple of years. It’s no doubt essential, as the Change Healthcare breach proved when ransomware criminals used compromised credentials to access a Change Healthcare portal, setting off a chain of events that disrupted the entire US healthcare system.

 

The need for security control validation

 

Global cyber experts are calling for an additional layer of nuance in the discussion of controls, including MFA. This is especially pertinent to the mid-to-large cap companies that often face tens of thousands of attacks a day.

 

The cybersecurity industry, especially security teams at larger organizations and the cyber companies they work with, such as Mandiant, Cisco, Palo Alto, and CrowdStrike, knows that from a defender’s (the company’s) perspective, security effectiveness is not measured by controls alone, but by the correct configuration and implementation of controls.

 

As defenders adopt new tools and approaches to better protect their networks, attackers adapt, which is why security controls validation has grown in importance in recent years. Controls are only as effective as the configuration and implementation carried out on an ongoing basis. For example, MFA can be circumvented for many reasons, including a single point of failure, insecure delivery methods, outdated systems, poor patching, and weak configuration policies.

 

Seeing the whole risk

 

Chief information security officers (CISOs) ask: “What tools will help us avoid a large breach, and are we doing all we can to avoid one?” But the chief risk officer is asking: “Do we have an accurate picture of our likelihood of a large breach, and do we know how much risk to retain?”

 

As we can see in these recent loss events and the Cisco and Mandiant findings, controls alone, even when validated and well managed, are not enough to protect a company from cyber criminals.

 

It’s why Intangic is focused on helping Chief Risk Officers, Heads of Risk, CISOs, and security teams to not only approach security from a defender’s perspective (including the focus on controls), but also to look at cyber risk from the attacker’s point of view. This will help them have a more comprehensive view of threats, not just what the defender can see from inside their fortress. It also provides an accurate answer to the CRO’s question, “how much risk should we retain?”

 

Turn the cyber program from loss recovery to loss prevention

 

By turning the cyber program from a loss recovery tool to a loss prevention tool, we help the Head of Risk work with the CISO and security team to position the organisation one step ahead of attackers by:

 

– Looking at their defences from the external attacker’s perspective.

– Understanding if and how their network is being targeted relative to their peers.

– Taking preventative action before the breach occurs.

 

Our approach is no different from tactics used in a sports match. The value of seeing the whole risk, including from your opponent’s (the attacker’s) perspective, as well as the defender’s, is the difference between having a large, exploitable blind spot and turning a potential weakness into a strength. This can be the difference between winning and losing the match.