How Zero-Day Impacts CISOs and What They Can Do About It
Updated: Jun 1
I had the really good fortune to be quoted with 17 Forbes Technology Council cybersecurity experts on the consequences and complications of zero-day vulnerabilities and what organizations can do to better protect themselves.
You can find the full article here: https://www.forbes.com/sites/forbestechcouncil/2023/05/26/zero-day-vulnerabilities-17-consequences-and-complications
For Chief Information Security Officers (CISOs), it's been a busy few years. Across all industries, the total cost of cybercrime will exceed $8 trillion by the end of 2023. This poses a clear and present danger to pharmaceutical organizations, which have already lost $14b through intellectual property cyber theft. A recent survey found that 84% of all companies worldwide believe software supply chain attacks represent the biggest cyber threat within the next 24 months.
When working with these leaders, I've started to notice some patterns. Below are the observations that have come out of my regular interactions with customers and partners.
Zero-day has been top of mind. It is crucial to address the long-term consequences of zero-day vulnerabilities on the cybersecurity landscape. Zero-day vulnerabilities are flaws in software or systems that the vendor does not yet know about, so no patch exists when they are first exploited and organizations are left exposed. In this blog post, we will explore the potential impacts of zero-day vulnerabilities and discuss effective strategies for businesses and individuals to protect themselves against this persistent threat.
What are Zero-Day Vulnerabilities
Zero-day vulnerabilities are flaws or weaknesses in software or an operating system that the creator or vendor isn't aware of. Sometimes attackers discover these vulnerabilities first, giving developers and vendors "zero days" to create and release a patch before exploitation begins. Unsurprisingly, zero-day vulnerabilities can cause not only immediate headaches for developers and vendors, but also long-term impacts on the health of a business, consumer trust and even national security.
My Quote in the Article
They Necessitate A Layered Defense Strategy
Zero-day attacks come from both state-sponsored actors and individual hackers, making it challenging to protect businesses because of the limited ability to detect and prevent them. Companies must adopt a layered defense strategy that includes an awareness campaign, obsolescence strategy, zero-day assessments, segmentation, detection and prevention, and proactive vulnerability research and reverse engineering.
Another way of putting it could be how Edward Snowden describes zero-day threats, "A zero-day exploit is a method of hacking a system. It’s sort of a vulnerability that has an exploit written for it, sort of a key and a lock that go together to a given software package. It could be an internet web server. It could be Microsoft Office. It could be Adobe Reader or it could be Facebook.”
Where Do They Come From?
Zero-day attacks come from various sources: criminal organizations, state-sponsored actors, and individual hackers. In some cases, these vulnerabilities are sold in underground markets to the highest bidder, making it even more challenging to protect businesses. Because the vulnerability is unknown to the vendor, there is typically no patch available and no signature to match against, which makes zero-day attacks difficult to detect and prevent. To protect against these sophisticated methods, companies should adopt a layered defense strategy that includes regular vulnerability assessments, network segmentation, intrusion detection and prevention systems, and user awareness training.
Steps to Mitigate
Here are some specific actions you can take to protect against zero-day attacks:
Zero Trust Strategy is Required. I'm not talking about adding a line item to the security strategy but implementing Zero Trust as a core approach to your security posture. Because Zero Trust architecture is designed to limit an attacker's ability to move laterally after an initial foothold, a Zero Trust strategy is extremely helpful in prioritizing and addressing prevention-focused investments.
Regular Patch Management. Keep tech obsolescence to a minimum by ensuring software and hardware are up-to-date with the latest patches and security updates. Patching cannot close a flaw for which no fix exists yet, but it removes the known vulnerabilities attackers chain together with a zero-day and shortens your exposure window once a fix ships.
Network Segmentation. Implement segmentation to limit the impact of successful attacks, isolating critical systems and data from potential breaches.
Robust Endpoint Protection. Use advanced endpoint protection solutions that employ behavior-based detection and threat intelligence to identify and prevent zero-day exploits, since signature-based detection by definition has nothing to match against.
Security Awareness Training. Make protecting the company everyone's responsibility. The only way to do that is to educate employees on safe computing practices, recognizing phishing attempts, and avoiding suspicious links or downloads.
Vulnerability Assessments. Conduct regular assessments to identify and remediate vulnerabilities, including zero-day risks, through techniques such as fuzz testing and dynamic analysis.
Intrusion Detection and Prevention Systems. Deploy robust network security solutions that monitor and identify suspicious activities, helping detect and block zero-day attacks.
Incident Response Planning. Develop a comprehensive incident response plan to minimize the impact of a zero-day attack and ensure swift recovery.
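As an added example (not code from the original post or the Forbes article), the harness below shows what the fuzz testing mentioned under Vulnerability Assessments looks like in practice. The TLV parser, its bug and the seed message are constructed for illustration. The technique is the real point: mutate a known-good input, run the target, and separate inputs the target rejects on purpose from inputs that make it fail in a way nobody anticipated. That distinction is what lets a researcher find a flaw before the vendor knows it exists.

```python
"""Mutation-based fuzzing harness (added example; the target, its bug and the
seed message are constructed for illustration, not taken from the original post)."""
import random

# Constructed seed: two well-formed records of the form [type:1][len:1][value:len].
SEED_INPUT = bytes([0x01, 0x03, 0x61, 0x62, 0x63, 0x02, 0x01, 0xFF])


def parse_tlv(data: bytes) -> list:
    """Constructed toy TLV parser with a realistic flaw: it trusts the declared
    length field, so a truncated record makes it index past the end of the value."""
    records = []
    i = 0
    while i < len(data):
        rtype = data[i]
        length = data[i + 1]                  # IndexError if the header is truncated
        if length == 0:
            raise ValueError("empty record")  # intended rejection of malformed input
        value = data[i + 2:i + 2 + length]
        checksum = value[length - 1] ^ rtype  # IndexError when value is shorter than length
        records.append((rtype, value, checksum))
        i += 2 + length
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random byte-level mutation: overwrite, delete or insert a byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def classify(target, data: bytes):
    """Run the target once. Returns None for a clean parse, 'rejected' when the
    target refused the input on purpose, or the exception name for a crash."""
    try:
        target(data)
    except ValueError:
        return "rejected"
    except Exception as exc:  # anything else is an unhandled failure worth triaging
        return type(exc).__name__
    return None


def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1):
    """Mutate inputs derived from seed_input until the target crashes.
    Returns a dict describing the first crash, or None if none was found."""
    rng = random.Random(seed)          # fixed seed so a run is reproducible
    corpus = [seed_input]              # inputs the parser accepted; used as parents
    for n in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        result = classify(target, candidate)
        if result is None:
            corpus.append(candidate)   # parsed cleanly: worth mutating further
        elif result != "rejected":
            return {"iteration": n, "input": candidate, "error": result}
    return None


if __name__ == "__main__":
    crash = fuzz(parse_tlv, SEED_INPUT)
    if crash:
        print(f"crash after {crash['iteration']} iterations: "
              f"{crash['error']} on input {crash['input'].hex()}")
        print("reproduces:", classify(parse_tlv, crash["input"]) == crash["error"])
    else:
        print("no crash found")
```

Two design choices carry over to real targets. First, the harness treats a deliberate rejection (here `ValueError`) as expected and only stops on failures the target did not plan for; without that split a fuzzer drowns in noise. Second, every crashing input is saved and re-run, because a crash that cannot be reproduced cannot be reported to a vendor or turned into a detection.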
A Path Forward for CISOs
While I could provide a high-level outline of an action plan for CISOs, it often requires a workshop to help accelerate security program modernization with reference strategies built using Zero Trust principles.
One of these workshops is aimed directly at the CISO and covers the rationalization of business needs and risk tolerance levels, along with all aspects of a comprehensive security program including strategic initiatives, roles and responsibilities, success metrics, and maturity models.
As mentioned, the workshop is comprehensive and provides guidance on how to align security to continuously changing business priorities, technology platforms, threat landscape, and security tools.
The workshop includes reference strategies and plans, lessons learned, and antipatterns/gotchas based on real world projects.
The workshop videos (about 4 hours total) and slides are organized into these discussions:
Introduction and Overview of the CISO Workshop
Trends impacting security from the threat environment, technology, and business transformations
Evolution of security roles and responsibilities, including key best practices and trends to monitor
Recommended strategy and strategic initiatives to improve your program: the role of Zero Trust in strategy, the (low) cost for attackers to buy tools and passwords, learnings on getting reliable information, and a business analysis of ransomware attacks.
Engaging business leaders on security – guidance to have a conversation in the language of leaders to explain security, key metrics to measure success of a program, and how to get support for security goals.
Risk Insights – discusses the dual mission of security to reduce risk to the organization and enable business goals, shares tips on aligning security goals with business risk, and shares insights on the types of attacker motivations organizations face.
Security Integration – guidance for successfully integrating security teams together and integrating security into IT and business processes, including an in-depth discussion of how to build a posture management program: an operational team focused on preventive controls, which complements the security operations (SecOps/SOC) team focused on detection, response, and recovery.
Business Resilience – discusses how business resilience is the north star of the security program across all the security disciplines, which requires balancing security investments (before, during, and after an incident) and creating a strong feedback loop. This section also includes discussion of the impact of unbalanced strategies (a common antipattern).
Maturity models describing real world journeys for Risk Insights, Security Integration, and Business Resilience – including specific concrete actions to help you move up to the next level
Access Control - discusses how the Zero Trust approach is transforming access control, including identity and network access converging into a single coherent approach, and the emergence of the Known-Trusted-Allowed model (which updates the classic authenticated/authorized approach).
Security Operations – discusses key leadership aspects of a security operations capability, often called SecOps or a Security Operations Center (SOC) including critical success metrics, key touchpoints with business leaders and functions, and the most important cultural elements.
Asset Protection – discusses two key imperatives for teams that manage and secure assets (often IT Operations or Workload operations in DevOps). These teams must prioritize security work based on business criticality and must strive to efficiently scale security across the large, growing, and continuously evolving set of assets in the technical estate.
Security Governance – discusses the role of Security Governance as a bridge between the world of business goals and technology and how this role is changing with the advent of cloud, digital and zero trust transformations. This section also covers key components of security governance including risk, compliance, security architecture, posture management, (strategic) threat intelligence, and more.
Innovation Security - discussion of how application security evolves into a modern approach (including DevSecOps) and key focus areas to drive success of this capability.
Security Governance Maturity models describing real world journeys for Security Architecture, Posture Management, and IT Security Maintenance – including specific concrete actions to help you move up to the next level
Next Steps/Closing – wraps up the workshop with key quick wins and next steps
Hopefully I've been able to articulate how the existence of zero-day vulnerabilities poses significant long-term consequences for the cybersecurity landscape, leading to increased attacks and potential harm to businesses and individuals. However, by adopting a multi-layered defense strategy, which includes proactive security measures, regular assessments, employee education, and advanced threat detection technologies, organizations can significantly reduce their exposure to these risks. It is essential to stay vigilant, adapt to evolving threats, and prioritize cybersecurity to safeguard valuable assets and maintain trust in an increasingly digital world.