by Richard Werner, Business Consultant
Once again, headlines about a spectacular attack have caught the world’s attention: A hacker had targeted the water supply system in a small town in Florida. The incident was fortunately discovered in time, but the question arises as to how such a thing is possible. The answer is as banal as it is frighteningly ordinary. The company responsible sloppily implemented the necessary IT security measures, such as the use of passwords and the operating system. Now the waterworks is being virtually pilloried for, among other things, using the discontinued Windows 7.
Well, the accusations about the security deficiencies at the waterworks are justified, but nevertheless, from a security point of view, there is no such thing as a perfectly secured company! This is simply the nature of things, because security is not a state that can be achieved, but a process that must always be driven forward. That is why there will always be areas in IT that are at least temporarily obsolete. The larger or more branched out a company is, the higher the probability of such a vulnerability and, by the way, the higher the risk that some things will simply be overlooked. Therefore, it is actually rather normal today for the IT of companies and public authorities to contain vulnerabilities that cybercriminals can exploit for their machinations.
Root cause analysis
Of course, security protocols were breached in the current case, and that should not have happened. What are the causes of systems not being updated, risks being miscalculated or ignored? It’s mainly a lack of time and, of course, bottlenecks in the budget. But that’s not all, because IT security is often divided into small task areas – the much-cited “silos” are created. This creates situations in which several departments feel responsible – or none at all.
As a result, sensible security measures are called into question and processes such as monitoring and management effort are discussed across departments. If an agreement is reached, the next step is the battle over budget issues. Who is responsible and/or benefits? Especially at the interfaces, this creates dangerous gaps. Currently, the most controversially discussed gap arises in the area of DevOps. It’s about the responsibility to develop software safely. But who is responsible for ensuring, monitoring and managing security here – the developer(s) or the company’s IT security department?
What we can learn from the automotive industry
As cars became more powerful and widespread in the middle of the last century, serious traffic accidents occurred time and again. That’s why legal regulations such as mandatory seat belts were eventually introduced. In cars, there are the active protection functions, for example the brake, as well as passive ones, such as an airbag.
In principle, the same situation prevails in IT security. IT has also become a mass phenomenon, and serious “incidents” are becoming more frequent. There are even the first legal regulations (e.g. IT Security Act). There are also active components to prevent damage (e.g. anti-malware, IPS) and passive ones to minimize it (e.g. detection & response). The big difference: In the case of automobiles, the security functions are coordinated and the passive systems are automated. Because in an emergency, you don’t have time to push an “airbag” button.
The value of passive safety systems
For IT security, introducing passive mechanisms (detection and response) means investing in a “worst case” scenario. For the importance of this technology to come to light, something has to happen first. This can be compared to the airbag. When it was invented, it was an optional component in a car. Faced with the choice of whether to have a passive safety feature, many people prefer to assume they won’t have an accident; after all, they are “in control” of their car. Even if it is mentally acknowledged that one could be hit, one rarely assumes the “worst case”. The airbag was therefore initially a commercial flop. Today, airbags are installed as standard in automobiles because manufacturers and insurance companies have a different view of the situation. And in IT security?
The bottom line – let the others do it
Users also want such an airbag from the manufacturers of IT solutions. They should simply make their systems secure, because consumers don’t want to deal with this. I fully agree with this. But who is the manufacturer that puts all the parts together, just like in a car? It’s the company’s own IT department. This is where the decision is made as to which software components are assembled into a virtual car. It is their job to build a security concept and adapt it to the times. Traffic on the information superhighway is increasing rapidly, and everyone wants to drive fast. Therefore, companies must expect to have an “accident” sooner or later.
Invest in passive safety systems to minimize the damage. Learn from the accidents of others. Because you will notice one thing again and again: Anyone who has ever had a serious security incident knows the value of passive security measures and recognizes the importance of automation. To achieve this, all components must be coordinated with each other, active as well as passive protective measures.
In IT, the concept is called XDR. It describes automated components that are tailored to each other. With Trend Micro Vision One, we go one step further and offer a central overview of all areas as well as the flexibility to expand into new areas such as cloud and DevOps at any time. In this way, we not only factor in the technology, but also integrate the driver’s behavior – pardon the company’s development – into our solution. If required, together with our partners we also provide the chauffeur service, or as it is called in IT security language… the managed service.