pandemic response
As cybersecurity experts begin to adapt to remote working, it is worth noting that there are strong parallels between a pandemic response and handling cybersecurity threats. Here, Raymond Pompon, Director of F5 Labs, explains why

In light of the current pandemic, non-essential workers all over the world have been sent home and cybercriminals know this, which is why it is vital that organisations ensure they have the right processes and procedures in place to protect their workforce.

Containment is never perfect

One of the first moves in pandemic response is to issue a quarantine to contain the spread of the virus. The concept is simple: nothing leaves, and therefore the threat is bottled up. But the reality, as we are now seeing, is that quarantines leak, and viruses often begin to spread anyway.

It’s worth examining what pandemic containment involves. First, there is the isolation of infected individuals, which is similar to how we use anti-malware and bot-detection tools to lock down specific machines. There are quarantines applied to geographic areas, which are analogous to how we use network segmentation with firewalls. There is tracking of the person-to-person contact of infected individuals, which is similar to how we log and monitor. And lastly, there are imposed travel restrictions with checkpoints, which are comparable to how we use decryption and traffic inspection to filter out threats. However, given all these controls, no one who’s worked in the cybersecurity world for any length of time would expect them to work perfectly.

Does this mean we should throw away our firewalls? The answer is no. Quarantine, especially on a large scale, isn’t expected to stop a pandemic in its tracks. Like firewalls, these containment controls are about managing and reducing the threat. Most importantly, containment can buy enough time so that we can get our other defences ready.

The value of time

Time is the most precious resource in a situation where threats are directly impacting key services and assets. Every second counts. Tools like containment give us more time, but we also need to look at other options. For example, we need intelligence on what threats are coming, what they look like, and what assets they might be coming after. We need data and thoughtful analysis to optimise our time. We need to plan, prepare, and practice in advance so that we are ready to go when the time comes.

Part of that preparation should include making sure executives are well-briefed on the potential threats and likely consequences. In a pandemic scenario, media stories can sometimes polarise individuals into either fear or denial. Neither is helpful, and the truth lies somewhere in between. The goal should always be to help those in charge make informed decisions.

In the words of the World Health Organisation this “is a time for facts, not fear”. We want people to have the appropriate level of caution regarding the threat, but it must match the level of risk.

Sometimes people aren’t worried enough, and we need to give them the right reasons to properly prepare. This is the most common issue that cybersecurity professionals must grapple with. It is vital to paint a realistic picture by quantifying damages and their likelihood as clearly as you can. It also helps to speak in terms of the business, not technology. In the end, executives may still not respond unless the risk to their objectives is high.

Cybersecurity triage

When the threat does inevitably land, businesses need to know how to respond effectively. Medicine has a concept called triage. In its most basic form, it is about making crucial decisions while being pressed for time and resources. In healthcare, this means a process of categorisation to determine who can wait for treatment, who is unlikely to respond to intervention, and who requires immediate care.

All of these are trade-offs, but the goal is to make as big an impact as possible with existing resources. A similar approach may be required with some cybersecurity incidents. For example, a good, up-to-date inventory enables us to prioritise the most important and vulnerable applications.

Ultimately, it is better to be a city planner than a firefighter. Containment should be used to put the brakes on a spread, but don’t assume it will be airtight. This is exactly why it is essential to have strategies in place to maximise the use of your most precious resource: time. Finally, be prepared to proactively make tough decisions about what can be saved and what can be sacrificed to minimise total damage. Remember, you won’t have much time to react if a crisis occurs.
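As an added example (not part of the article or of F5 Labs' own tooling), here is the triage idea above applied to a constructed asset inventory: each asset is scored from business impact, exposure and known vulnerability severity, then placed in one of the three triage classes the article describes (immediate care, can wait, cannot be saved in time). The scoring weights, thresholds and sample assets are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Asset:
    name: str
    business_impact: int   # 1 (low) .. 5 (critical to business objectives)
    exposure: int          # 1 (internal only) .. 5 (internet-facing)
    vuln_severity: int     # 0 (nothing known) .. 10 (e.g. worst CVSS base score present)
    recoverable: bool      # can it realistically be contained or patched in time?


def priority_score(asset: Asset) -> int:
    """Higher means fix first. An asset with no known vulnerability still
    counts as 1 so a critical, exposed asset is never scored at zero."""
    return asset.business_impact * asset.exposure * max(asset.vuln_severity, 1)


def triage_class(asset: Asset) -> str:
    """The three triage outcomes: 'immediate' (act now), 'wait' (can be
    deferred), 'sacrifice' (isolate and accept the loss because intervention
    will not succeed in time). Thresholds are assumed for this example."""
    if not asset.recoverable:
        return "sacrifice"
    if asset.business_impact >= 4 and asset.exposure >= 3 and asset.vuln_severity >= 7:
        return "immediate"
    return "wait"


def triage(inventory: List[Asset]) -> List[Tuple[str, str, int]]:
    """Return (name, class, score) ordered by score, i.e. the work queue."""
    ranked = sorted(inventory, key=priority_score, reverse=True)
    return [(a.name, triage_class(a), priority_score(a)) for a in ranked]


# Constructed sample inventory; these are not real systems.
SAMPLE_INVENTORY = [
    Asset("customer-portal", 5, 5, 9, True),
    Asset("hr-intranet", 3, 2, 8, True),
    Asset("legacy-fileserver", 4, 3, 9, False),
    Asset("dev-wiki", 2, 1, 0, True),
]

if __name__ == "__main__":
    for name, cls, score in triage(SAMPLE_INVENTORY):
        print(f"{score:4d}  {cls:9s}  {name}")
```

The ranked list is the work queue: the exposed, critical portal comes first, while the unrecoverable file server is isolated rather than competing for patching time.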
