1 Introduction
Over the past few years the threat of cyberattacks has risen steadily, and there are no signs that this will change in the foreseeable future. The digital transformation that businesses and public institutions alike are undergoing requires a new type of IT environment: more agile approaches, and the ability to translate departmental and business requirements into new software models and offerings both efficiently and securely. As businesses become more interconnected, the traditional notion of a security perimeter gradually ceases to exist.
Organizations must defend themselves against such attacks, which is difficult for several reasons. Among them are a dynamic, ever-increasing attack surface, but also the fact that attacks remain unknown for a certain period until someone detects them. At the same time, the need to exchange information constantly increases in the hyperconnected business world of the Digital Transformation age. Protecting the sensitive resources of an increasingly distributed company with a large mobile workforce is becoming a challenge that traditional security tools can no longer address entirely.
Changing team structures, changing collaboration schemes and the use of cloud services have rendered traditional security and risk management inadequate, or at least incomplete. Agile project teams, even in larger organizations, mimic the attitude and independence of startups and deploy cloud services for collaboration, file exchange, software development, big data analytics and even the creation of new enterprise content such as code, business processes, customer and employee data or sensitive documents. Whether you call this shadow IT or not, it is happening almost everywhere: intellectual property is stored in systems outside the reach of corporate security, Identity and Access Management (IAM), governance and policy enforcement.
A weak password, a password reused from an account exposed in one of the recent mega breaches, the reluctance to activate strong authentication, insufficient access controls or simply a misconfiguration of the deployed services can put the data stored there at risk. Most organizations have therefore already implemented many layers of defense against cyberattacks, including network firewalls, intrusion prevention systems, access controls and encryption of sensitive data. Very few attacks can overcome these defenses directly, so cybercriminals look for ways to bypass them. As a result, today’s cybersecurity is undergoing substantial changes. Traditional cybersecurity typically focuses on protecting networks, systems, applications, servers and endpoints in general.
But the Digital Risk facing today’s organizations has changed entirely, and new and better solutions for cyber-defense are a must. That does not mean that traditional security controls like malware detection, firewalls or IAM are becoming obsolete. Rather, they need to be augmented by methodologies and technologies for hybrid (on-premises and multi-cloud) infrastructure architectures, combined with tools and services that protect organizations from digital risks online. These approaches are not contradictory but compatible elements of an IT security infrastructure that is better suited to protecting against the unknown. Organizations need to look at these new techniques and enhance their traditional IT infrastructure to mitigate the risk posed by cyber-attackers.
So what counts as Digital Risk in the context of Digital Risk Protection? We are looking at three main groups of risk:
- Data Loss
Obviously “data” as an umbrella term covers any type of information processed in any type of IT system. This includes data of employees or customers, including sensitive information such as credit card numbers or credentials (login data and the associated authorizations). It also covers any kind of intellectual property (e.g. construction blueprints, software code or product designs) and sensitive business information (contracts, the as yet unpublished annual report or plans for the next merger).
This data can end up in many undesirable places: dark web forums, unprotected cloud storage like publicly readable S3 buckets, publicly accessible SharePoint or SMB servers, uncontrolled and forgotten parts of one of the organization’s web servers, or popular websites and services for storing and sharing text or code, such as pastebin.com or github.com.
- Online Brand Misuse
A company is represented externally by its brand names, and only a trustworthy brand enables a lasting and successful online business. This is exactly where attackers come in who want to exploit this trust for fraudulent or other criminal activities.
Cybercriminals abuse existing brands by registering fake domains that look authentic at first sight, e.g. by exploiting typical typos of the legitimate domain name. They create social media accounts on Twitter, Facebook or Instagram to use the brand’s popularity for malicious purposes, and they may create and distribute modified or counterfeit mobile applications. If customers, consumers or even employees fall for one of these threats, e.g. a successful phishing attempt, the original business suffers in sales, customer loyalty and customer confidence.
- Insufficient Protection of a Growing Attack Surface
With a large and often diverse portfolio of deployed services, infrastructures and applications, many organizations struggle to protect, and even to understand, their total attack surface. This ranges from protecting servers and devices by identifying (and mitigating) existing issues to mapping issues and vulnerabilities in internet-facing applications.
Attackers are well aware of existing and currently exploited software and system deficiencies, so all relevant enterprise assets need to be analyzed. Exposures like open TCP or UDP ports, public FTP servers, services with default, no or weak passwords, and unpatched or unknowingly active services across the entire IT infrastructure, from legacy systems to serverless cloud platforms and containerized, scalable hybrid services, demand continuous and automated surveillance.
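The Data Loss item above names public pastes and code repositories as places where credentials end up. The core of what a monitoring service does with such a find is a secret scan: fixed-format rules for tokens with a known shape, plus a generic "credential assignment" rule whose value is rated by Shannon entropy so that random-looking keys stand out from words. The following is an added illustration, not code from the original report or from any of the vendors it names; the paste is constructed for this example (the AWS values are the placeholder keys from AWS documentation, the rest is made up), and the 3.5 bits/character threshold and the keyword list are assumptions a real tool would tune.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample paste for this example (not from the original report).
# The AWS values are the well-known placeholder keys from AWS documentation;
# the other values are made up. None of them are real credentials.
SAMPLE_PASTE = """\
# deploy settings for the staging box
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "hunter2"
api_token = "7f3a9c2e1b8d4f6a0e5c9b1d2a3f4e6c"
LOG_LEVEL=debug
-----BEGIN RSA PRIVATE KEY-----
"""

# Rules for secrets with a fixed, recognisable shape: one regex, no entropy needed.
STRUCTURED_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "secret-looking variable = value" rule. The variable name must contain
# one of the keywords (assumed list); the value is captured for an entropy check.
ASSIGNMENT_RULE = re.compile(
    r"""(?ix)
    \b[\w-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w-]*   # variable name
    \s*[=:]\s*                                                       # assignment
    ["']?([^\s"']+)                                                  # value
    """
)

# Hex has at most 4 bits/char and base64 at most 6; 3.5 is an assumed cut-off that
# separates random-looking key material from words and human-chosen passwords.
HIGH_ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str, keep: int = 4) -> str:
    """Redact a match for reporting: an alert must not re-leak the secret it found."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(text: str) -> List[Dict]:
    """Scan a paste/commit/file body line by line and return one finding per hit."""
    findings: List[Dict] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in STRUCTURED_RULES.items():
            for m in pattern.finditer(line):
                findings.append({
                    "line": line_no, "rule": rule,
                    "value": mask(m.group(0)), "entropy": None,
                })
        for m in ASSIGNMENT_RULE.finditer(line):
            value = m.group(1)
            entropy = shannon_entropy(value)
            findings.append({
                "line": line_no, "rule": "credential-assignment",
                "value": mask(value), "entropy": round(entropy, 2),
                "high_entropy": entropy >= HIGH_ENTROPY_THRESHOLD,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PASTE):
        print(finding)
```

On the sample, the structured rules catch the access key ID and the private key header, and the assignment rule catches the secret access key and the API token as high-entropy values and `db_password` as a low-entropy one; `LOG_LEVEL=debug` produces nothing. The low-entropy hit still deserves a look (a hard-coded password is a leak whether or not it is random), which is why the rule reports it and leaves the severity decision to the analyst rather than filtering it out.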
A key point for Digital Risk Protection is to understand that such risks go beyond the scope of traditional enterprise risks. Including exposure points like the open internet, but also the deep and dark web, substantially increases the types and quantity of assets to consider and covers aspects of an organization’s assets that have not been fully covered before. As most of the tools used for Digital Risk Protection are also widely available to threat actors, adequate defense in these areas has to be considered mandatory.
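The Online Brand Misuse item above describes look-alike domains that exploit typical typos. Monitoring for them works from the defender's side: enumerate the permutations of the legitimate name and match a feed of newly observed registrations against that set. The following is an added example, not code from the original report or from any vendor it names; the brand domain, the observed registrations, the homoglyph table and the TLD list are all constructed placeholders for this illustration.

```python
from typing import Dict, List, Optional, Tuple

# Assumed brand domain and a constructed feed of newly observed registrations.
# Both are placeholders for this example, not data from the original report.
BRAND_DOMAIN = "example-bank.com"
OBSERVED_REGISTRATIONS = [
    "exmaple-bank.com",         # two adjacent characters swapped
    "examp1e-bank.com",         # "l" replaced by the look-alike "1"
    "example-bank.co",          # same label, different TLD
    "examplebank.com",          # hyphen dropped
    "example-bank-login.com",   # brand label embedded with a lure keyword
    "weather-forecast.org",     # unrelated, must not be flagged
]

# Visually similar replacements that survive a quick glance at the address bar (assumed table).
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
ALTERNATE_TLDS = ["com", "co", "net", "org", "info"]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'label.tld' into its label and TLD (last dot wins)."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def generate_variants(domain: str) -> Dict[str, str]:
    """Map every generated look-alike of `domain` to the technique that produced it.
    A variant reachable by several techniques keeps the first one generated."""
    label, tld = split_domain(domain)
    variants: Dict[str, str] = {}

    def add(new_label: str, new_tld: str, technique: str) -> None:
        candidate = f"{new_label}.{new_tld}"
        if candidate != domain:              # the genuine name is never a hit
            variants.setdefault(candidate, technique)

    for i in range(len(label)):                        # drop one character
        add(label[:i] + label[i + 1:], tld, "omission")
    for i in range(len(label) - 1):                    # swap two neighbours
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], tld, "transposition")
    for i in range(len(label)):                        # double one character
        add(label[:i] + label[i] + label[i:], tld, "repetition")
    for i, ch in enumerate(label):                     # look-alike substitution
        if ch in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], tld, "homoglyph")
    for alt in ALTERNATE_TLDS:                         # same label, other TLD
        add(label, alt, "tld-swap")
    return variants


def classify(candidate: str, brand: str = BRAND_DOMAIN) -> Optional[str]:
    """Return the look-alike technique that explains `candidate`, or None if unrelated."""
    variants = generate_variants(brand)
    if candidate in variants:
        return variants[candidate]
    # Names that wrap the whole brand label in extra words ("brand-login") are
    # not permutations, so catch them with a containment check.
    brand_label, _ = split_domain(brand)
    cand_label, _ = split_domain(candidate)
    if brand_label in cand_label and cand_label != brand_label:
        return "brand-embedded"
    return None


def flag_observed(observed: List[str], brand: str = BRAND_DOMAIN) -> Dict[str, str]:
    """Filter a feed of newly seen domains down to those that imitate the brand."""
    hits: Dict[str, str] = {}
    for domain in observed:
        technique = classify(domain.lower().strip("."), brand)
        if technique:
            hits[domain] = technique
    return hits


if __name__ == "__main__":
    for domain, technique in flag_observed(OBSERVED_REGISTRATIONS).items():
        print(f"{domain:28} {technique}")
```

The matching side is the easy part; in practice the feed comes from zone-file diffs, certificate transparency logs or WHOIS, and the permutation set is much larger (insertions, keyboard-adjacent substitutions, internationalised homoglyphs). A hit is also only the start of the workflow: the domain then has to be resolved, fetched and compared against the real site before a takedown is worth requesting.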
Analyzing and monitoring all company-wide systems and all parts of the internet is a wide-ranging undertaking for an enterprise IT security team that is already burdened with a multitude of tasks. Building a team and operating the necessary infrastructure is only the first step: the information sources and analysis tools, and last but not least the identification of the necessary measures, must always be kept up to date. The race to stay at eye level with the attackers is too much for many companies, even once they have accepted this task as their own. Considering and handling the risks described in this section has by far not yet been recognized as an absolutely necessary task in every company.
This has led to the emergence of a new market segment. Specialized service providers compile this expertise on a customer-specific basis, apply targeted and highly up-to-date threat intelligence, present customized dashboards for analyzing and mitigating the respective threat situation, and enable integration into corporate security infrastructures. Examples of vendors in this market segment include Recorded Future, RiskIQ and Digital Shadows, which have gained considerable market presence in this area.