If there's one thing SolarWinds showed us, it's that the world's digital supply chain was clearly not ready to protect itself from a large-scale hack. Around the globe, and here in Germany too, companies have been going about their daily business without a strong security foundation beneath them, leaving them critically vulnerable to cyber terror.
Security architecture is the process by which an organization can build that strong foundation, and prepare themselves for future hacks. So why isn't it more widespread, and how can you better secure your own network by using simple security architecture steps?
If you look at the trends in cyber crime, it's clear to see that the problem is only getting worse.
Just a few years ago, in 2017, the NotPetya attack by Russian agents on Ukraine showed the globe just how vicious a large-scale hack can be. Russian military hackers infiltrated a Ukrainian company (Linkos Group) and installed a back door into their system, allowing them to inject the NotPetya malware into the network. NotPetya was designed to dish out destruction and spread rapidly, and it did its job perfectly - soon spreading outside Ukraine, even back into Russia, and becoming so powerful it took down the world's biggest shipping company, Maersk.
Now add the modern trends. It's 2021, and last year the German Federal Office for Information Security (BSI) discovered more than 117.4 million new malware variants, an increase on the year before. Not only that, but Microsoft found that state-backed cyber terror attacks are also on the rise, targeting private sector businesses as well as public.
Read more: "Is German cyber security ready for 2021?"
Case study: SolarWinds
SolarWinds is the current example of widespread cyber terror, a hugely damaging hack that is still unfolding as we write this article.
In 2019, Russian FSB-backed cyber terrorists snuck into the SolarWinds system, testing their abilities before eventually injecting their attack malware - Sunburst - into SolarWinds' Orion product, which delivered a patch (and the malware) to more than 18,000 customers.
Since then, at the end of 2020, the world's top security firms have uncovered that the Russian agents used as many as five different strains of malware in the months-long operation, and dealt untold havoc to businesses up and down the digital supply chain. Microsoft Azure was one such victim, as was FireEye, a host of other US brands, and even Deutsche Telekom here in Germany.
It would be easy to lay all the blame on cyber terrorists, who grow increasingly sophisticated (and well funded) every year.
But the reality is that organizations must share the responsibility. Security is an often-overlooked part of the business, a box to tick. There is poor awareness of security policies up and down companies outside of the IT department and low cyber culture knowledge among staff (i.e. does your receptionist understand your security policies and their responsibilities, or the board, or sales, marketing, accounting, HR?).
Yet, staff have access to the network, and that network contains sensitive information and mission-critical applications. Anyone can make a mistake, especially if they don't know what they don't know.
Case study revisited: SolarWinds
To use some real-world examples, it's been discovered since December 2020 that SolarWinds had a number of vital flaws in its security perimeter.
Analyzing threats and developing control strategies is a key part of security architecture's Create and Implement & Manage phases.
Read more: "What is security architecture, and what do you need to know?"
The best way to look at security strategies going forwards is to assume that a breach is definitely going to happen.
That said, supply chain attacks are very often hard to defend against. No matter how hard you work to protect your organization's data, it can all be undone through a single vulnerability in your partners and vendors.
However, there are always solutions for your organization to mitigate or minimize the likelihood of those attacks having a negative impact on your business. We will discuss some of these practicalities below.
Supply Chain Management (SCM) is a common business attribute in security architecture.
Read more: "How to respond to a cyber breach"
Here we're going to learn how to:
Security architecture takes place in phases. Without going through the earlier steps, jumping ahead could mean you're flying blind - and therefore wasting time on strategies that won't work.
First we have to Define the different factors that are important to our organizational security, including our business objectives, drivers and attributes. In the next phase, Create, we start to model our threats and their potential impact and only then, after all of those steps have been completed, can we begin to build and implement (Manage) control strategies.
So, any process designed to secure your business with better security architecture must go back to those fundamental steps of the Define and Create phases.
More practical steps to follow
Security policies are written documents outlining how to protect your organization from threats, including computer security threats, as well as how to handle them when they occur.
These documents must identify all of your company's assets (physical and digital) as well as the potential threats to those assets. This is what we talked about when we introduced you to Matko's Pizzeria in our article, "Behind the scenes of security architecture". Matko's greatest asset was his kitchen, and insects posed a threat to that kitchen - so he developed control strategies (i.e. cleaning regimens) to mitigate their likelihood of attack.
Security policies are at the heart of the Logical security architecture phase (a part of the wider Create phase), but require physical procedures, component configurations and operating instructions at the Service Management layer, too.
In addition to those policies, you need well-defined procedures containing a detailed description of how the instructions in the policies should be carried out. Then, all of the above must be reviewed regularly to remain effective.
Want your organization to be as safe as possible when it comes to third-party vendors? Treat them as your own.
Compare your defined business attributes with theirs. If you don't think their policies follow the security protocols that are important to your enterprise, you may have to reconsider the agreement and look elsewhere.
You can't change their policies, but you have a choice of who to work with.
Cyber awareness is a crucial step to cyber protection. Anyone can make mistakes when they don't know, say, how to set a strong password, use two-factor authentication, check a USB drive is safe, which links are OK to click in their emails … and so on.
Your auditing process should have highlighted key gaps in staff knowledge across the business. Over time, it would be wise to fill them - but remember that not everyone is IT savvy, so training will need to be catered to a language people understand and can engage with.
This step is linked with the idea of building agility across your organization, which is part of developing an agile security architecture with the SAFe framework - which you can learn more about in the video below.
None of these steps is a silver bullet for countering cyber threats on its own, but together they can improve your security, harden your enterprise through resilience and awareness, and make it more difficult for potential hackers to access your networks.
But security architecture is a full-time discipline all of its own. Your company may not have the right expertise in house - and that's OK. That's why we're here.
You know your business. We know ours. Working together, we can help you walk through the security architecture process and tailor a unique solution to your specific business needs.
Interested in learning more? Join us for a live webinar on "Transforming Business Through Security Architecture". Or, to speak with one of our experts, book a free maturity consultation today.