Businesses have to foster an aggressive security culture that begins in the C-suite and permeates throughout the organization to anyone that draws a breath and is issued a login ID and password.

Senior management and corporate boards have a lot of homework to do when it comes to cybersecurity. It is not just a technology issue and something to simply leave on the desk of the CIO or CTO; this is an issue that strikes right at the heart of a company’s DNA and poses a significant risk. Losses in the cyber realm can undermine the entire enterprise in no time, shaking investor confidence, rattling customers, and staining reputations for a lifetime.

Too many companies still don’t have a full appreciation of the cybersecurity risk. I’ve had CEO’s say to me, “We’re just a manufacturing company, we don’t have anything of value.” I always answer their question with a question: “Have you told your shareholders you don’t have anything of value?”

Businesses have to gain an appreciation for what adversaries are really interested in and get sensitized to what the real threats are. Assessing cyber risk should be no different than assessing any other kind of business risk, like putting a new factory in Latin America for the first time.

But all this should not have to happen in a vacuum: the government needs to take a critical look at its own processes and find a way to get more involved in partnering with the private sector in the fight against cybercrime.

It’s time corporations stop hiding behind defensive cybersecurity strategies and get proactive.

Time to Go Hunting

It is time corporations stop hiding behind defensive cybersecurity strategies and get proactive about hunting for adversaries roaming their networks. Don’t believe you have a problem there? Think again, because the perimeter is gone.

For two decades the prevailing cybersecurity philosophy has been to defend the perimeter. Install a firewall, intruder detection system, implement dual factor authentication, etc. All are critical components of a defense; however, a proactive stance that takes security one step beyond has not been fully appreciated yet, and that has to be done in today’s environment.

Depending solely on defending the perimeter is a false strategy.  While you must defend the perimeter, you have to go much further, to what I call “hunting in the environment,” inside the network.

Organizations should assume the most sophisticated adversaries are going to breach the perimeter because it is so large. Although maintaining a secure border has to be the goal, there needs to be an acceptance that it is never going to be completely secure and that means regularly looking inside the network for the indicators that an adversary is there or is preparing for an attack. This requires granular visibility, using technology to monitor all the processes occurring on each computer on the network.

Adversaries must accomplish specific goals to breach a network and successfully exfiltrate data. They have to execute malicious code to gain a foothold; they must maintain persistence on the computers they breach; they often must move laterally through the network; and they must establish external connections to command and control servers.

Legacy security practices do not allow network defenders to “see” this activity with the fidelity required to identify malicious behavior, and most organizations aren’t even looking for it. By knowing what the indicators are and actively “hunting” for them, organizations can identify the breach quickly and take steps to mitigate it. Allowing an adversary on the network, undetected for weeks or months, will almost always result in significant damage to the enterprise.

Using Intelligence to Gain the Advantage

Gathering intelligence on adversaries begins with knowing who they are, understanding why an organization is being targeted, and understanding the tactics those adversaries are using. Once those things are understood, that intelligence can be translated into action on the network, allowing security personnel to proactively look for threats.

You cannot defend against something if you do not know who the adversaries are. People have said to me, “I don’t care who it is, I just want to block everybody,” but that is not feasible. Priorities have to be set, with limited resources focused on the highest threats. This allows for a smarter, more strategic and proactive response to any incident.

For example, knowing that the Chinese government is targeting your company because of a certain technology you have developed enables your network defenders to look for specific tactics these government sponsored groups use. I recently worked with a company’s security officials and shared intelligence about a group in China that coveted the company’s intellectual property. They used that intelligence to scour their network, actively looking across their enterprise for indicators that an adversary group was present. Within a few days they detected that group inside their network and determined they had been active there for months. A successful remediation followed.

Let’s look at a physical world example. We live in an open and free country and all the attendant risk that comes with that. At this very moment there are terrorists aiming to harm the U.S. living and working inside our borders. And yet, since 9/11 we haven’t had a single significant terrorist incident on that scale because we’ve been able to leverage the use of intelligence.

There have been dozens and dozens of attacks that have been thwarted because they have been identified, detected and disrupted in advance of something bad happening. I was in charge of the FBI field office in Washington DC in 2010, and we had two plots that we were able to disrupt. It wasn’t because we were secure and we kept all those looking to do us harm out of the country; rather, we knew how terrorists operate, we knew the indicators that would alert us to their schemes, we had good intelligence that allowed us to identify the adversaries before they could execute their plan, and our personnel were able to disrupt those attacks before they could wreak havoc.

These tactics, applied in the network environment, will have similar success. Organizations that use intelligence to know what indicators to look for will identify when attackers are in their enterprise, and can initiate protocols to remove them.

Government Can Lend More of Helping Hand

The government could be a tremendous partner in this fight against cybercrime but there are many challenges. And it is not for lack of effort or interest. I have worked with some amazing men and women in government over the years that have sacrificed much in this fight. The disconnect comes from the policies and processes within the government, which need to be changed to adapt to the current threat.

The government has the kind of valuable intelligence I have noted here that the private sector needs. The government is not able to share it expeditiously because of outdated policies implemented decades ago to protect sources and methods. I think the government has the ability to share much of this intelligence, because most of it does not have to be classified. I understand and agree that some of it must remain classified and cannot be shared broadly, but I also believe that the government can declassify or—more appropriately—collect data in unclassified ways so it can be shared immediately with the private sector. That is not happening right now on a wide scale and it is not happening in a timely fashion.

This is a long-term problem with no short-term solution. Companies must be innovative and creative, and must insist the government become a full partner. Anything less is likely to fail miserably, and the results will be disastrous.