Infosec leaders are still behind on cybersecurity fundamentals, leaving their organizations unnecessarily open to attacks, says a Microsoft vice president of security.
Kelly Bissell told The Times that cyber attacks are not succeeding because they are becoming more sophisticated, at the CyberX CISO Forum Canada on Tuesday.
“Ninety-eight percent of attacks are primary,” he said, and take advantage of unpatched tools, lack of multi-factor authentication to protect logins, no privileged controls, no identity management and password vulnerabilities.
“Those things are happening every day. I think that’s why we’re getting more [successful] attacks, because this is one of those industries where crime really pays.”
Seventy-eight percent of computing devices have an unpatched vulnerability that is at least nine months old, he said. “We’re not patching our systems. We’re taking the approach of, ‘I’ll fix these systems if I can.’ But what you’d do better is patch now, even at the risk of breaking an application.
“We need to re-think our DevSecOps function to be far more flexible in patching our environments.”
The good news, he said, is that law enforcement agencies around the world have had some success against the attackers. He urged CISOs to work with police agencies if their IT environments are compromised.
He said there are several things CISOs should do to tighten their security, including:
– adopt one platform rather than best-of-breed solutions;
– receive an intelligence feed;
– move workloads to the cloud;
– invest in artificial intelligence solutions for motion analysis and response;
– make sure the data is well protected;
– “Be brilliant at the basics,” especially a well-designed Active Directory security infrastructure;
– have privileged access controls to prevent lateral movement;
– and optimize and simplify your IT architecture.
On this last point, Bissell presented proof:
“I was part of an organization a while back that had a ransomware attack on our AD domains. By the way, we had 90 domains. Thank God we had the right architecture. The ransomware was contained within a domain structure. If you didn’t have the right design, it would spread across all domains. It would be catastrophic. That’s why the structure of your security environment matters.”