A cyberattack puts everything at risk — brand, reputation, intellectual property. As a leader of security within your organization, it's your job to combat attacks and mitigate the damage. How prepared is your team to defend your college or university? Ask yourself these four questions to determine the strength of your institution's security across every stage of a cyberattack life cycle:
- Before an attack: Does our cyber threat intelligence program help us make faster, more definitive decisions?
- During an attack: Does our security operations team diagnose critical threats in real time?
- After an attack: How quickly and effectively do our teams respond when faced with an incident?
- Preparing for future attacks: Are we developing our people to protect our institution from an attack?
Before an Attack
The ideal situation is to know about a threat before it strikes, with enough time and detail to deflect and disrupt the attacker. Would you know if your institution was being targeted? Identifying known and unknown threats early can be the difference between reacting to a breach and proactively implementing controls that reduce your exposure and risk. Technical and strategic adversary threat intelligence is necessary to understand the scope, impact, and severity of an attack. Understanding the actors and groups behind an attack, their motivations, the vulnerabilities they exploit, and the malware they use empowers your team to make faster, more definitive decisions.
During an Attack
Organizations often miss critical attack indicators because they lack skilled staff and experience and are generally unable to analyze most of the alerts their security devices generate. It's the "needle in a haystack" problem: security teams have to sift through an enormous volume of alerts, 24/7, prioritize which ones to investigate, and ultimately determine whether the institution is actually under attack. Correlating your local activity with global threat intelligence and activity beyond your perimeter helps you identify advanced attacks more quickly. And, ideally, you're not always reacting. Your teams should be able to proactively hunt for emerging threats and continuously monitor for persistence mechanisms in order to hold off repeat attacks and attack variants.
After an Attack
An incident has occurred. Now what? Does your cross-functional team (e.g., executives, organizational leaders, security and IT teams, legal, public relations) know what to do in the first minutes, hours, and days following incident detection? The time to build an incident response plan is not in the middle of an incident, but all too often organizations find themselves caught off guard and unsure how to contain and remove the threat without compromising their ability to preserve and safeguard evidence. If you handle an incident quickly and efficiently, you can mitigate the business impact to your institution and keep the incident from becoming a breach. Building and testing your response program will be critical to how you handle attacks in the future. Keep in mind that cyber insurers often consider incident response preparedness in their cybersecurity risk assessments and policies.
Preparing for Future Attacks
Hiring, training, and retaining information security professionals is challenging for all organizations, as there's a shortage of skilled cybersecurity professionals in the market. Keep your security and IT teams engaged and up-to-date on the latest attacker tools and tactics by flipping their roles and putting them in the shoes of the attacker. Hands-on learning opportunities that help them recognize and prevent attacks will make them more effective in their jobs and will inspire them to bring their A game to work every day.
Is Your Team Up for the Challenge?
This October 19–20, during National Cyber Security Awareness Month, Symantec is offering a free Higher Ed Cyber Security Challenge, a scenario-based cyber competition for higher education IT and security staff. The challenge will allow your staff to earn continuing education credits and develop their skills in a unique way by getting them to think like an adversary.
Each institution can register up to three teams of four. Points are awarded for obtaining flags and entering them into the scoring system. Using hints lowers a team's score but offers participants a learning opportunity and enables them to progress through the scenario. Winning teams will be announced at the EDUCAUSE Annual Conference in Philadelphia. All teams will receive a post-event summary that includes details of their progress and areas for improvement. Register online using the event key "highed17."
Megan Imbert is the state, local, K–12, and higher education marketing manager at Symantec Corporation.
Brandy Markey is the director of product marketing, cybersecurity services, at Symantec Corporation.
Follow @Symantec_K20 and #CyberReady for updates!
© 2017 Megan Imbert and Brandy Markey. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.