During her testimony at a Senate hearing on Wednesday, former Yahoo CEO – Marissa Mayer said that “Even robust defenses and prosecutors aren’t sufficient to protect against the state-sponsored attack, especially when they’re extremely sophisticated and persistent.” IT security experts commented below.
Jason Garbis, Vice President, Products at Cyxtera:
“Former Yahoo CEO Marissa Mayer’s testimony during the US Senate hearing raises an important issue that requires more consideration and debate. Mayer contended that robust defenses aren’t enough to protect against advanced persistent threats (APT). Certainly, APTs present an enormous cybersecurity challenge. They are particularly dangerous because attackers lay-low and go slow, with patience and resources they stalk their prey. While it’s true that no single approach can solve all issues, we must begin to rethink traditional defensive strategies to be less network-centric and more user-centric. If you can control access based on someone’s identity, and assigned privileges, you can start to turn the tide. A zero-trust model using software-defined perimeter technology, dictates that you verify first, then allow access to only what is needed and authorised. So, in the case of an APT, if a legitimate user’s password is compromised, applications are still secure because multiple thresholds would have to be met before access to resources is granted. And because users have precisely controlled access, even attackers with compromised credentials cannot see, scan, or exploit any unauthorised systems. This prevents lateral, slow movement through the network that can result in attackers going undetected for years, like in the case of Yahoo.”
Edgard Capdevielle, CEO at Nozomi Networks:
“The views expressed at the Senate hearing Wednesday highlight just how challenging the evolving threatscape is for organisations – whether its data or critical infrastructure they’re trying to protect. Governments and private industry need to expand collaboration and intelligence sharing to defend from such attacks and organizations need to deploy the most advanced defences to rapidly identify and mitigate cybersecurity threats whatever form they take, and who ever is behind them. One example is the International Electrotechnical Commission’s working group (IEC’s WG15) that brings together ICS operators, SCADA engineers, security and networking experts representing 90 organizations worldwide to introduce effective end-to-end security for power systems. This, and similar, collaborations will prove invaluable in defining best practices and frameworks that will help organizations stand stronger against increasingly devious attacks.”