In March 2021, the cargo ship Ever Given blocked the Suez Canal for nearly a week, causing a huge impact on the container infrastructure. This resulted in a worldwide disruption of cargo deliveries as 10% of the world economy passes this canal. In the entire delivery infrastructure chain, being unable to pass through the Suez Canal might seem like a small interruption but in fact, this one bottleneck held up to $10 billion dollars of cargo per day1.
You may be wondering how this relates to cybersecurity and critical infrastructure. Just like in a delivery chain, cybersecurity for critical infrastructure is only as strong as its weakest link. We hear this cliché all the time, but have you ever considered that you could be the weakest link in a critical infrastructure chain?
It may not be natural to think of your organization as part of critical infrastructure. However, chances are that you are a supplier and part of a large chain connected to critical infrastructure. It may be even harder to see yourself as the weakest link in the supply chain, but you can be sure that attackers are making that analysis. Targets with high visibility are generally more difficult to attack because their cyber maturity tends to be very high. Therefore, attackers will look for other routes to reach the high-visibility targets, and your organization may be in between.
What steps can you take to ensure that your organization is not the weakest link in the chain of critical infrastructure?
In practice, we have observed that many organizations are heavily reliant on their IT and OT systems, but are uncertain whether they are monitoring the correct indicators of an attack. Consequently, they are unaware if they can detect an actual attack and – even worse – they may not realize that they have already been compromised. As a result, the initial response within security teams is to seek 'MORE': more tools, more monitoring, more information and more personnel. However, this approach often leads to greater confusion, more noise and staff burnout. Clearly, there is a need for more cost-effective decision-making on tooling combined with existing capabilities.
At KPMG, we understand these challenges organizations face with existing capabilities and future cyber objectives. That is why we developed our Effective Security Observability (ESO) approach to help you identify vulnerabilities, augment defenses and enhance your security posture – by solving your security operations puzzle through optimization of your security landscape. To learn more about how ESO can benefit your organization and gain deeper insight into your cybersecurity, download our whitepaper and speak with one of our specialists.
Some of these specialists also presented Vectra AI and KPMG co-hosted a webinar on March 8th to raise awareness about the ongoing cyberattacks threatening critical infrastructure. The discussion explored the risks that cyber threats pose to organizations and critical infrastructure, and presented how our ESO approach, powered by Vectra AI, can benefit these organizations. The webinar also provided an opportunity to learn about how the audience perceives the threat landscape and their security posture, and to identify their common pain points. In this article, we share the outcomes of the webinar and discuss the implications of the findings.
The rise of cyber threats targeting critical infrastructure – what are the biggest concerns?
Our first objective was to determine which type of attack is of most concern to the audience. The least concerning threats are phishing attacks and insider threats, which is interesting because these attacks are often interconnected and not easily detected by security tools on their own. For example, phishing can be used as an initial access method, potentially leading to an Advanced Persistent Threat (APT) that installs ransomware. It is important to note that APTs and insider threats represent categories of threat actors, while phishing and ransomware are more attack-related techniques. Nevertheless, ransomware and APTs are the attacks of most concern: half of the attendees mentioned these.
Another fascinating point is that these attacks are related to each other but perceived differently. For instance, APTs may use phishing attacks or even insider threats to gain initial access and may continue with the installation of ransomware as an end-goal. However, APTs and ransomware may be perceived as more threatening to organizations due to their greater impact. Moreover, they are constantly evolving and can easily go unnoticed without the right visibility and tools. This is why ESO is leveraging Vectra AI's Attack Signal IntelligenceTM, which focuses on attack behavior: detecting unknown attacks propagating through the environment, and hence being able to detect such threats and ease concerns. At the same time, the AI-driven triage and prioritization enables less information overload and consolidation options for tools to be more efficiently used.
Continuing the theme of cyberattacks, we sought to understand whether our audience had observed an increase in the frequency of attacks over the past year. The conclusion was apparent: many individuals working in critical infrastructure have noticed a surge in cyber threats targeting their environment. While being aware of the evolving threat landscape is essential, it is not enough. Organizations also need to be prepared to actually face these challenges, a topic we will cover in more detail later in this blog.
Digitalization, people and security posture – where do organizations stand?
Looking at both the purpose and motive of cyberattacks, one of the most prevalent objectives, often fueled by economic incentives, is to disrupt the continuity of an organization. The organizations most vulnerable to these attacks tend to rely heavily on digitalized processes. As such, we wanted to gauge our audience's dependence on digitalization.
We discovered that most of our audience relies on digitalized production processes. Digitization is crucial for both critical and non-critical infrastructure, particularly in light of the ongoing surge in digital transformation. Recognizing the motives behind cyberattacks can help organizations better understand and prepare for potential threats.
At KPMG and Vectra AI, we have observed the importance of digitization within our customer installation base. This led us to investigate the extent to which the entire organization, not just the board, is involved in defining the security strategy. In today's landscape, IT and cybersecurity should be relevant to all members of an organization, from the board to individual employees, and ensure that the voices of CISOs and other security professionals are heard and considered across the organization.
Our findings reveal that the board is always involved in defining the security strategy of our attendees' organizations, but with the degree to which they are involved varies. However, in one out of three cases, the board's involvement in these decisions is limited. The involvement of the board in cybersecurity decisions becomes even more critical bearing in mind upcoming regulations and directives such as NIS2, DORA. Cybersecurity should be a top priority for both the board and security teams to ensure a robust and comprehensive approach to the organization's security posture.
Upcoming regulations and directives highlight the need for comprehensive cybersecurity strategies and policies. This can only be achieved through the active participation of the entire organization, including the board. Ensuring that the board is fully engaged in cybersecurity decisions will help create a more robust security posture and demonstrate compliance with evolving regulatory requirements.
As such, when we consider the potential consequences of a successful cyberattack, such as ransomware, it is crucial for the organization's leadership to address key questions, including: What are the next steps following an attack? Is the organization willing to pay the ransom? If so, how much, and who is authorized to negotiate? How much risk is the organization willing to accept, and where do you draw the line?
To remain on the topic of people, we also wondered how the workload of security and IT professionals has changed over the past year and whether this has affected the security posture of the organizations. The majority of respondents indicated that the workload of security and IT professionals had increased. This is troublesome, as increased workloads typically lead to security gaps and/or fatigue among staff. Only a few organizations saw that the level of workload remained roughly the same, with no impact on security posture, and none of them reported a decrease.
The focus of organizations should be on making the work of the security team more efficient and therefore decreasing the workload, which is not happening in any of these cases. Our goal with Vectra AI and ESO is to make detection processes more effective and focus on saving time and costs. It is important for organizations to know what to focus on and what changes they need to make in their processes to facilitate a better security posture – and that is exactly what we are facilitating with our ESO approach.
Facing a cyber threat – are organizations prepared?
To deliver our approach to organizations, we first need to understand their current capabilities. To assess the overall security posture of the audience, we asked about the effectiveness of the organization in responding to cyber threats with the question: Do you know how effective your organization is in responding to cyber threats?
Keeping this question in mind, we noticed that the organizations attending the webinar recognized that there may be gaps in their ability to respond to certain attacks. This is to be expected, as it is difficult to be prepared for unknown attacks due to the lack of visibility and gaps in an organization's environment. More than that, none of the respondents answered that they are not prepared, which shows that all of them are aware of cyber threats and the need to have measures in place.
However, thinking is not the same as proving it – leading to us wondering how organizations quantify the effectiveness of their security professionals in managing cyber threats.
Our survey shows that one in four organizations do not measure the effectiveness of their processes in managing cyber threats, meaning that they cannot accurately assess their security posture. This is a wearisome result as it supports our idea that thinking you are effective does not mean you can back it up with proof.
Lastly, we wanted to identify how the audience perceives the change in the threat landscape for critical infrastructure organizations over the past year. The audience shares our concerns about attacks on critical infrastructure and acknowledges that they represent a real target for cyberattacks. Implicitly, they are aware that they need to be prepared in the event of these attacks, but as previously shown, this does not mean they are.
Improve your security posture with ESO and Vectra AI
Looking at all the responses, we observe a general trend among these organizations which is in line with our expectations: while organizations are aware of the threats they may be facing, most of them recognize that there are gaps in their ability to respond to them. Also, increasing the workload of security and IT professionals seems to be a common approach, but as mentioned above, this is largely ineffective and in most cases does not lead to an improvement in the security posture. Hence, the question is: What is the best way to close these gaps?
Our approach to tackling these problems is Effective Security Observability (ESO). As a result of ESO, organizations gain the right visibility into their IT environment and make their processes more effective by knowing what to focus on. As such, the Vectra AI platform fits perfectly into the ESO objectives with its industry-leading Attack Signal IntelligenceTM (ASI), designed to detect threats that slip past traditional security solutions.
With Vectra AI's ASI, ESO enables:
1. Attack surface coverage – erasing unknown threats across four of the five attack surfaces – Cloud, SaaS, Identity, and Networks – without the need for agents.
2. Clarity with Attack Signal Intelligence – using AI-driven detection to think like an attacker, AI-driven triage to find what is malicious and AI-driven prioritization to know what is urgent.
3. Intelligent Control with AI-driven operations – optimizing your organization's investments in tools, processes and playbooks to boost SOC efficiency and effectiveness.
Delivering ESO to your organization requires five key steps:
gain insight into business requirements and define the SOC strategy.
define the ESO Target Operating Model and technology requirements.
define use cases, workflows, solution architecture and integrations.
implement the technology setup and ways of working in your organization.
realize the value of ESO, establishing a steady state and continuous improvement.
In just a matter of days, you will gain clarity on the security threats in your environment – thus making you better prepared for the attacks that threaten your environment, reducing staff workload and closing your gaps.
Interested in learning more about ESO and Vectra AI? Read the whitepaper here. If you want to know (even) more or schedule an appointment, please contact us.