Focusing on Cyber Resilience, Not Just Security

Explore insights from Theresa Lanowitz in this RSA Conference 2024 interview, discussing the LevelBlue Futures Report and strategies to enhance cyber resilience.

Video Transcript

What Is LevelBlue?
TOM FIELD: We know you as the evangelist, but now you are also an agent of LevelBlue. Please explain.
THERESA LANOWITZ: On Monday, May 6, 2024, AT&T and WillJam Ventures announced an alliance that formed LevelBlue. LevelBlue offers a strategic extension of your security team through our cybersecurity services, such as consulting, that will help you protect your business intelligence. Our managed security services will help you predict your security investments, and our LevelBlue Labs threat intelligence unit will help you mitigate risk and foster innovation. The fourth pillar is what we’re going to be talking about today: the Futures Report from LevelBlue, our thought leadership research.

The LevelBlue Futures Report
FIELD: What was the mission of this research?
LANOWITZ: This research is vendor-neutral, forward-looking in the 12- to 36-month time frame, and actionable. We did a quantitative survey of 1,050 C-suite executives and C-1 executives – those reporting directly into the C-suite in 18 different countries and seven different verticals. We wanted to find out the big picture, which is: What are your barriers to cyber resilience? We also took a look at how cybersecurity organizations are performing today, what their missions are and what impact that has on business agility in general. Then we asked: Where do we go from there? What’s next? What are the new technologies that everybody is concerned with right now?

Report Highlights
FIELD: What are some of the highlights you want to share today?
LANOWITZ: One of the biggest highlights is that the cyber resilience barriers are pretty much the same across all of the verticals that we surveyed. A lot of people conflate cyber resilience with cybersecurity. But cyber resilience looks at the entire IT estate and how it, as well as the business, can recover from a cyberattack or from man-made accidents or natural disasters, such as hurricanes, tornadoes, fires, floods and earthquakes. How does the business cope with recovering from a big catastrophic event? Cybersecurity resilience looks at the cybersecurity estate: How am I making sure that I am lowering my risk and protecting myself?

Who Owns Resilience?
FIELD: What does the report say about who owns resilience in an organization?
LANOWITZ: When we surveyed the seven different vertical markets, 72% of the governance teams said, “We don’t really know what cyber resilience is.” These are the people who are setting the rules and regulations, the way your business operates as a business. They don’t know what cyber resilience is. Likewise, executives said, “We’re not really sure what cyber resilience is and where it should be located.” And another large percentage said, “Cybersecurity and cyber resilience are the same. We’re already investing in cybersecurity, so we’re not going to invest in cyber resilience.” That’s a big disconnect, especially from the top down, about what cyber resilience is. Cybersecurity professionals can use this report as a guidepost. They can tell the C-suite executives and people higher up in the organization that it is not just about the cybersecurity controls that we’re implementing. It is about understanding what we are doing to make sure that the business is resilient and cyber resilient.


Funding Cyber Resilience
FIELD: If we don’t know where cyber resilience is located, how is it funded?
LANOWITZ: The funding for it is lacking at this point. But we have all these new regulations coming out, and a lot of them are asking for reports on information that is not easily obtained. We also talked to people about the concept of dynamic computing, this evolution of computing that says, “We’re continuing to innovate. There’s a ton of innovation going on, and we know the innovation is happening outside of the four walls of the organization.”
The network perimeter has been dissolved for a long time. People are looking at doing things such as putting sensors on everything – in rivers, for example, to watch high watermarks, or on a manufacturing floor to understand where a defect might be inserted along the production line. We see new types of innovative computing styles, led by technology such as IoT, 5G, Edge and so on. Of those surveyed, 85% said that there is so much innovation going on, but with that innovation, there’s a whole lot of new risk. But 74% said, “You know what? The innovation outweighs the risk, so we’re not going to worry so much about the risk.” That’s where it becomes a little frightening because we know there is risk out there but the innovation is just charging ahead.

Barriers to Improving Resilience
FIELD: What are the barriers to improving resilience?
LANOWITZ: One of the barriers to improving resilience is a lack of understanding about what cyber resilience really is. Sometimes it also comes down to organizations not necessarily being secure by design. Of those surveyed, 67% of cybersecurity organizations said that they are still siloed. They’re underfunded, overlooked and siloed. 
They’re coming in at the end of a project; they’re not included in the beginning. If you’re bringing your cybersecurity team in at the end, you’re causing problems because your architecture’s already set. You’re just bolting something on.
We also found out that cybersecurity is still fairly reactive. The reactive external triggers include a breach, a competitor’s breach, new regulations and compliance coming in, and understanding where you may have problems in your supply chain. We encourage people to think about the supply chain as the physical supply chain, where you may be getting your goods from to manufacture or build something, but also as the software supply chain.


The Top 3 Attack Types
FIELD: What are the top three most concerning attacks you found?
LANOWITZ: We’ve asked this question now for the past couple of years, looking at what types of attacks organizations are really concerned about. This year it is ransomware. In 2023, the top attack that people were concerned about was DDoS. And when we said that in 2023, people said, “Oh, that can’t be.” But look at all the DDoS attacks that happened over the past 12 months. This year, the ransomware attacks just keep getting bigger and bigger.
This year, ransomware was followed very closely by business email compromise. These social engineering attacks are extremely powerful right now. Yet, organizations in all seven verticals said that they feel pretty good about remediating against ransomware and business email compromise. But none of those seven verticals said that they are prepared to remediate against DDoS or nation-state attacks. They said they just can’t handle them. At first you might think, “Why can’t they handle an old-fashioned DDoS attack? We’ve known about DDoS for a long time.” But DDoS can lead the way to so many other things.

Defining Nation-State Attacks
FIELD: How do you define nation-state attacks? They can be behind ransomware, DDoS and social engineering.
LANOWITZ: We define them by who the threat actor is, but that may change. You can have a threat actor that says, “Yes, we’re from this country,” or you may have somebody acting in a mercenary position, saying, “I’m going to get paid to conduct a cyberattack on behalf of a nation-state.” And we all have access to the weapons nation-states use because our own tools that we use for good can be weaponized against us as well.

The Future of the SOC
FIELD: How do you envision the future of the SOC?
LANOWITZ: The future of the SOC is pretty exciting because of what’s happening now with dynamic computing. We now have all of these IoT- and 5G-led use cases – cashierless checkout, manufacturing floors with sensors to see when defects are inserted, kiosks, robots cleaning rooms. We have so many different types of endpoints. As the endpoints are expanding beyond the four walls and beyond typical things such as phones, tablets, laptops and desktops, the SOC will have to look at wearables, robots and autonomous drones and vehicles. Also, the idea of bringing cybersecurity in early and making cybersecurity part of the overall project speaks volumes for the idea of application security, and I’ve been an advocate for application security for a long time. And data security is a big one – understanding the whole data life cycle and what data is doing at rest and in motion. SOCs will have to start to look at more advanced things, such as: What is your attack surface? What is connected to your network? Not just the IP address, but is it a camera on a manufacturing floor, sitting in Detroit somewhere? Is it a moisture sensor on a riverbank in Mississippi somewhere? The SOC will have to be able to identify those endpoints and to protect and secure them and know exactly why they’re connected to the network. Automation and analytics will be needed to make sense of all that telemetry, and 69% of our survey participants said that they have all of these analytics, but they are not using them. Cybersecurity teams will have to take advantage of the data that they have and report out on that data and let people know what’s going on.

Get the Survey Report
FIELD: Where can folks get a copy of your report?
LANOWITZ: You can visit us at Levelblue.com and download your own copy.
