
Data Protection Day 2024: As Technology and Threats Evolve, Data Protection Is Paramount

31 January 2024 at 20:13

Today’s cybersecurity landscape poses one of the most significant risks to data. This holds true for organizations of all sizes, across all industries, tasked with protecting their most essential data amid an increasingly regulated environment and faster, more innovative adversaries.

Recent years have introduced a steady drumbeat of new data privacy regulations. There are now 14 U.S. states that have passed privacy laws. In July 2023, the Securities and Exchange Commission (SEC) adopted new rules requiring organizations to disclose material cybersecurity incidents, as well as information regarding their risk management, strategy and governance. On a global level, dozens of countries have updated their guidance on data privacy.  

Organizations must now comply with an “alphabet soup” of data protection requirements including GDPR, CCPA, APPI, PDPA and LGPD. Some of these are evolving to incentivize the adoption of stronger security practices. Newly updated regulations in Brazil, for example, give breached organizations a fine reduction of up to 75% if they have state-of-the-art protection in place at the time of a cyberattack. 

The list is growing: In 2024, many organizations will face new requirements stemming from the SEC’s new rules and state privacy laws, including amendments to the CCPA, industry-specific mandates, and those imposed on critical infrastructure by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). These developments include new incident reporting obligations and requirements to implement certain security technologies, as well as demonstrate compliance through cybersecurity audits, risk assessments, public disclosures and other measures. 

These myriad legal requirements broadly raise the bar for “reasonable” security. However, adversaries typically move faster than data protection mandates can keep up. Organizations must pay close attention to how adversaries are evolving their techniques and determine whether they’re prepared to defend their data against modern threats.

Data Extortion and the Defender’s Dilemma 

The emergence of new regulations has been a game-changer for adversaries and defenders alike. Protecting against data breaches has only grown more challenging as threat actors evolve their tradecraft and quickly learn the pressure these regulations put on breached organizations.

Today’s adversaries are working smarter, not harder. This is clear in the growth of data extortion, which has emerged in recent years as an easier, less risky means for adversaries to profit. Threat actors are shifting away from noisy ransomware campaigns, which typically trigger alarm bells in security tools — instead, they are quietly stealing victims’ data and then threatening to leak it if their financial demands aren’t met. 

The rise in data extortion has corresponded with adversaries increasingly targeting identities, a critical threat vector organizations must consider as they build their data protection plans. Rather than relying on malware-laced phishing emails to breach target organizations, they can use a set of compromised credentials to simply log in. A growing number of access broker advertisements enables the sale of credentials, vulnerability exploits and other forms of illicit access: Last year, CrowdStrike reported a 147% increase in access broker ads on the dark web. Adversaries can now more stealthily infiltrate organizations, take valuable data and demand their price, putting victims in a tough position.

Data protection regulations change the calculus for organizations hit with data extortion — and adversaries know it. When threat actors steal information and tell their victims they’re in violation of HIPAA, GDPR, CCPA or other regulations, the stakes are higher. They know exactly how much an extortion attack will cost a business once it’s disclosed to regulators, and they can use this to coerce organizations into paying them instead. This may be a false choice, as many disclosure requirements apply regardless, but the coercion is real.

There are other ways adversaries use regulation consciousness to their advantage. In one 2023 case, a ransomware gang filed an SEC whistleblower complaint directed at one of its victims. The complaint, filed before the new SEC rules actually went into effect, attempted to claim that the victim was in violation of its duty to disclose a material cyber incident. 

Organizations must be incentivized to protect their data from modern threats. They should not feel stuck between the fear of reporting a breach and the pressure to meet adversaries’ ransom demands. With the right safeguards in place, businesses can protect their data from adversaries’ evolving attempts to access it. This is where CrowdStrike comes in. 

How CrowdStrike Can Help 

As we recognize Data Protection Day 2024, it is essential we consider what data protection involves and how critical cybersecurity is — not only for compliance, but for protecting privacy. Organizations must adopt best practices to protect their data in addition to achieving compliance requirements. 

Visibility is essential to maintain regulatory compliance and protect sensitive data from today’s adversaries. If you don’t have visibility into your data flows, your credentials or the sensitive data your organization holds, how can you know whether that data is at risk? 

An organization’s data is among its most valuable assets — and adversaries are after it. Protecting that data should be a top priority. CrowdStrike Falcon® Data Protection provides deep, real-time visibility into what’s happening with your sensitive data as it flows across endpoints, cloud, web browsers and SaaS applications. As the modern approach to data protection, our technology ensures compliance with minimal configuration and provides comprehensive protection against modern threats. 

It is more important than ever for organizations to understand data protection and data security are interdependent and cannot be considered in isolation. Both are critical in protecting privacy. Moreover, if personal data is stolen in a cyberattack, those affected can claim damages — but certain jurisdictions provide fine and liability mitigations where the breached organization can prove its cybersecurity protections were reasonable and state-of-the-art.

In this threat landscape and regulatory environment, Data Protection Day provides an opportunity for privacy and security teams to align on modern threats to privacy, risks of non-compliance and the best technical and organizational means to protect data.


CrowdStrike’s View on the New U.S. Policy for Artificial Intelligence

21 November 2023 at 20:37

The major news in technology policy circles is this month’s release of the long-anticipated Executive Order (E.O.) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. While E.O.s govern policy areas within the direct control of the U.S. government’s Executive Branch, they are important broadly because they inform industry best practices and can even potentially inform subsequent laws and regulations in the U.S. and abroad.

Accelerating developments in AI — particularly generative AI — over the past year or so have captured policymakers’ attention. And calls from high-profile industry figures to establish safeguards for artificial general intelligence (AGI) in particular have further heightened attention in Washington, D.C. In that context, the E.O. should be viewed as an early and significant step addressing AI policy rather than a final word.

Given CrowdStrike’s extensive experience with AI since the company’s founding in 2011, we want to highlight a few key topics that relate to innovation, public policy and cybersecurity.

The E.O. in Context

Like the technology it seeks to influence, the E.O. itself has many parameters. Its 13 sections cover a broad cross section of administrative and policy imperatives. These range from policing and biosecurity to consumer protection and the AI workforce. Appropriately, there’s significant attention to the nexus between AI and cybersecurity, which is covered at some length in Section 4.

Before diving into specific cybersecurity provisions, it is important to highlight a few observations on the document’s overall scope and approach. Fundamentally, the document strikes a reasonable balance between exercising caution regarding potential risks and enabling innovation, experimentation and adoption of potentially transformational technologies. In complex policy areas, some stakeholders will always disagree with how to achieve balance, but we’re encouraged by several attributes of the document.

First, in numerous areas of the E.O., agencies are designated as “owners” of specific next steps. This clarifies for stakeholders how to provide feedback and reduces the odds for gaps or duplicative efforts.

Second, the E.O. outlines several opportunities for stakeholder consultation and feedback. These will likely materialize through Request for Comment (RFC) opportunities issued by individual agencies. Further, there are several areas where the E.O. tasks existing — or establishes new — advisory panels to integrate structured stakeholder feedback on AI policy issues.

Third, the E.O. mandates a brisk progression for next steps. Many E.O.s require tasks to be finished in 30- or 60-day windows, which are difficult for agencies to meet at all, let alone in deliberate fashion. This document in many instances provides for 240-day deadlines, which should enable 30- and 60-day engagement periods through RFCs, as outlined above.

Finally, the E.O. states plainly that “as generative AI products become widely available and common in online platforms, agencies are discouraged from imposing broad general bans or blocks on agency use of generative AI.” This should help ensure that government agencies explore positive use cases for leveraging AI for their own mission areas. If history is any guide, it’s easy to imagine a scenario where a talented junior staffer at a given agency identifies a key way to leverage AI at some time next year, that no one could easily forecast this year. It would be unwise to foreclose that possibility, as innovation should be encouraged inside and outside of government.

AI and Cybersecurity Provisions

On cybersecurity specifically, the E.O. touches on a number of key areas. It’s good to see specific callouts to agencies like the National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA) and Office of the National Cyber Director (ONCD) that have significant applied cyber expertise.

One section of the E.O. attempts to reduce risks of synthetic content — that is, generative audio, imagery and text. It’s clear the measures cited here are exploratory in nature rather than rigidly prescriptive. As a community, we’ll need to innovate solutions to this problem set. And with U.S. elections around the corner, we hope to see rapid advancements in this space.

In many instances, the E.O.’s authors paid close attention to enumerating AI policy through established mechanisms, some of which are closely related to ongoing cybersecurity efforts. This includes the direction to align with the AI Risk Management Framework (NIST AI 100-1) and the Secure Software Development Framework. This will reduce risks associated with establishing new processes, while enabling more coherent frameworks for areas where there are only subtle distinctions or boundaries between, for example, software, security and AI.

The document also attempts to leverage sector risk management agencies (SRMAs) to drive better preparedness within critical infrastructure sectors. Specifically, it mandates:

Within 90 days of the date of this order, and at least annually thereafter … relevant SRMAs, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security for consideration of cross-sector risks, shall evaluate and provide to the Secretary of Homeland Security an assessment of potential risks related to the use of AI in critical infrastructure sectors involved, including ways in which deploying AI may make critical infrastructure systems more vulnerable to critical failures, physical attacks, and cyber attacks, and shall consider ways to mitigate these vulnerabilities.

This is important, but we also encourage these working groups to consider benefits along with risks. There are many areas where AI can drive better protection of critical assets. When done correctly, AI can rapidly surface hidden threats, accelerate the decision making of less experienced security analysts and simplify a multitude of complex tasks.

At CrowdStrike, AI has been fundamental to our approach from the beginning and has been built natively into the CrowdStrike Falcon® platform. Beyond replacing legacy AV, our platform uses analytics to help prioritize critical vulnerabilities that introduce risk and employs the power of AI to generate and validate new indicators of attack (IOAs). With Charlotte AI, CrowdStrike is harnessing the power of generative AI to make customers faster at detecting and responding to incidents, more productive by automating manual tasks, and more valuable by learning new skills with ease. This type of AI-fueled innovation is fundamental to keep pace with ever-evolving adversaries incorporating AI into their own tactics, techniques and procedures.

In Summary

This E.O. represents a key step in the evolution of U.S. AI policy. It’s also particularly timely. As we described in our recent testimony to the House Judiciary Committee, AI is key to driving better cybersecurity outcomes and is also of increasing interest to cyber threat actors. As a community, we’ll need to continue to work together to ensure defenders realize the leverage AI can provide, while mitigating whatever harms might come from threat actors’ abuse of AI systems.

This article was first published in SC Magazine: The Biden EO on AI: A stepping stone to the cybersecurity benefits of AI


Prevention Is the Best Preparation for the SEC’s New Breach Disclosure Rules

31 July 2023 at 15:24

The U.S. Securities and Exchange Commission (SEC) this week voted to adopt new rules for how companies inform investors about cybersecurity concerns. The vote comes after years of gradually increasing guidance and scrutiny over companies’ handling of cybersecurity events and follows a lengthy comment period where companies, including CrowdStrike, provided input. 

The new rules, which go into effect later this year, will require publicly listed companies to disclose material cybersecurity incidents within four business days of determining a material incident occurred. This includes stand-alone incidents as well as the cumulative impact of a series of related incidents. They also require these companies to regularly disclose how they manage cybersecurity risks, who is responsible and how these risks are reported to the board of directors.

From our view, the intent of the SEC rules is to protect investors by requiring more clarity, consistency and timeliness in how companies handle cyber-related disclosures. An ancillary effect is that companies may implement better overall cybersecurity hygiene and risk management processes to be more resilient to cyber incidents in the first place. 

While there will continue to be a debate on whether the new disclosure rules will ultimately force organizations to prematurely disclose details of an incident that may be ongoing, public companies, or any organization looking to implement more mature security controls, can use this opportunity to double down on proactive defenses that can get them ahead of a potential incident.

Contact CrowdStrike to schedule an SEC security briefing to learn more about the new SEC rules on cybersecurity and how your organization can prepare.

The Best Preparation Is Proactive Prevention

The best strategy for handling the SEC’s disclosure rules is to prevent material incidents from occurring in the first place. While a company is debating whether an incident is material, they’ve already missed the opportunity to do something about it. Proactive prevention is the best opportunity to stop an incident completely or minimize the damage during a critical period. 

When it comes to cybersecurity, speed is essential. According to the CrowdStrike 2023 Global Threat Report, the average time it takes an adversary to compromise a system and move laterally into the rest of the network is just 84 minutes. Companies need to ensure they have the tooling and teams necessary to respond to and remediate an incident with the same speed. This means augmenting existing teams with services and AI that can automate protection and accelerate investigation.

Although it’s up to a company to make its own legal determination as to whether a series of related occurrences is material, adversaries increasingly utilize public, coercive techniques to force victims to comply with demands. CrowdStrike’s 2023 Global Threat Report also found that data leak extortion campaigns are at an all-time high, and certain threat actors taunt victims with references to privacy, data protection or other compliance obligations breaches might impact. Consequently, holistic visibility into security events coupled with intelligence about the threat actors behind them can play an important role in assessing obligations.

It is not enough to work reactively after an incident has occurred. Configuration management — through endpoint and cloud hardening, Zero Trust architectures and external attack surface management — needs to be a cornerstone of a robust security posture. Proactive threat hunting to identify activity that tools missed and threat intelligence to home in on what to look for also need to be part of this mix.

Even with proactive prevention in place, companies will still need a game plan for complying with the new disclosure rules should an incident occur. This requires defining how they will assess materiality and who will ultimately sign off on what constitutes a material incident. To date, this has not been a standard component of most incident response plans, so most companies will need to develop a framework and conduct exercises to test and refine it. From a technical perspective, companies will need to ensure they have a system of record that tracks the impact of incidents so they are able to consider the cumulative impact of smaller related incidents when making their materiality assessments. 

Companies that cannot investigate incidents quickly will be seriously disadvantaged in trying to make these assessments. Not only can investments in rapid detection and remediation capabilities reduce the likelihood of material incidents, they also increase the amount and reliability of the information available when evaluating incident impact and defending the decision later.

Register for our live webinar to learn more about the new SEC rules on cybersecurity and how you can prepare.

How CrowdStrike Can Help Your Organization Prepare

The best thing public companies can do in the face of these new requirements is focus on the fundamentals of good security practices. These both reduce the likelihood that a cyber incident will be material and provide a foundation for an organization’s required annual disclosure on cyber risk management. 

The CrowdStrike Falcon® platform delivers the highest levels of visibility, simplicity and control by providing the necessary capabilities for unified prevention, detection, hunting, intelligence and remediation. With CrowdStrike, organizations are able to prepare for the new disclosure rules by embracing proactive prevention and empowering them to:

  • Understand Risk and Enforce Cyber Hygiene: Cyber resiliency starts with an assessment of where an organization is at greatest risk for a security incident. This enables an organization to proactively address the risk before an incident happens. CrowdStrike Falcon® Surface enables companies to understand their external attack surface and minimize the risk of a cyber incident stemming from an exposed asset, while CrowdStrike Falcon® Spotlight helps prioritize the vulnerabilities that threat actors are most likely to target.
  • Automate Protection and Accelerate Investigation: With CrowdStrike Falcon® Insight XDR, companies can detect incidents faster and with greater accuracy. With AI-powered automation embedded across the Falcon platform, organizations can rapidly ingest data and generate detections across domains to stop breaches earlier, reduce the materiality of an incident and speed overall response times.
  • Protect Cloud Environments: The CrowdStrike 2023 Global Threat Report highlights that cloud exploitation continues to rise. Cloud exploitation cases grew by 95% and incidents involving cloud-conscious threat actors nearly tripled from 2021. CrowdStrike Falcon® Cloud Security provides complete protection and visibility to prevent incidents and breaches of cloud environments. 
  • Stop Identity-Based Attacks: 80% of cyberattacks now leverage stolen or compromised credentials. CrowdStrike Falcon® Identity Threat Protection provides organizations with comprehensive protection against identity-based attacks. Organizations can rapidly detect an attack, stop lateral movement and prevent an incident from escalating into a material event. 
  • Leverage Managed Detection and Response (MDR): Outsourcing critical security capabilities to leading MDR services can help organizations overcome the skills gap and reduce the complexity of their security environment. CrowdStrike Falcon® Complete is widely recognized as the industry’s leading MDR, providing the 24/7 prevention, threat hunting, detection and response capabilities needed to reduce the likelihood of a material incident. CrowdStrike Falcon Complete XDR extends these powerful capabilities across all key attack surfaces to help organizations close the cybersecurity skills gap and stop attempted threats quickly, making it more feasible to issue any required disclosures within the mandated time frame.
  • Integrate Threat Intelligence into Security Strategies: A comprehensive threat intelligence program can align an organization on which threats and adversaries to focus their security efforts. CrowdStrike Falcon® Intelligence enables organizations to easily operationalize intelligence within the security operations center, gain visibility into adversary tactics and motives, and receive best-of-breed intelligence reporting and technical analysis.
  • Proactively Hunt for Threats and Incidents: Cyberattacks continue to become more sophisticated and harder to detect. Seventy-one percent of attacks are now malware-free. CrowdStrike Falcon® OverWatch provides proactive threat hunting capabilities that enable organizations to detect and disrupt hidden attacks. Identifying hands-on-keyboard activity can minimize the scope of a potential incident. 
  • Optimize Your Logging Strategies: Investigations frequently run into a lack of available logs to support them. The availability and cost of logging has long been a challenge for CIOs and CISOs, and the migration to cloud has compounded the problem. Solutions like CrowdStrike Falcon® LogScale deliver powerful logging capabilities that speed investigations and deliver full visibility while reducing overall costs. Understanding what to log, how long the log data should be retained and the capabilities of staff/responders to access this data quickly when needed should be part of the overall plan.
  • Train for the Fight: Regular exercises are a critical part of maintaining an organization’s readiness posture as well as testing out new plans and processes. CrowdStrike’s Red Team/Blue Team exercises give technical responders an opportunity to practice against hands-on-keyboard threat activity, while Tabletop Exercises test coordination across security teams, business leaders and the board. Any new frameworks for reviewing materiality and making disclosures should ideally be exercised in a simulation. 

Preparing People and Processes for Risk Management Disclosure Rules

In addition to pushing public companies to implement better cybersecurity hygiene, the SEC is also pushing to strengthen risk management processes. This will put more of an onus on executive leaders and the boards that advise them. By requiring organizations to identify which business leaders are responsible for cyber risk, as well as their level of expertise, the SEC is underscoring that security oversight cannot be a rubber stamp. 

For boards of directors, CIOs and CISOs, this means asking probing questions about the tooling, people, processes and vendors that make up your security ecosystem, and supporting change where appropriate to uplevel the ability to detect, prevent, respond, recover and report as effectively as possible. It also means challenging claims of inexpensive, “check-box” solutions and focusing on the ability to evolve the security posture as the threats to your business and the rules change.

To the extent that cyber risk assessments are not already formalized, public companies will need to ensure they have a strategy for evaluating their risk exposure. In most cases, this will involve a layered approach, including periodic holistic risk assessments, more frequent red teaming, and tooling that supports continuous risk identification and management. It’s also recommended that companies use this opportunity to strengthen their internal risk governance practices and monitoring processes, which can help expedite and inform the evaluation requirements. 

The new rules suggest that directors and officers across the board — even if they are not directly responsible — will need to expand their knowledge of cyber risk. Most are already doing this. Many of our customers’ board members have asked to participate in or observe cyber tabletop exercises focused on testing their organization’s response. Others are requesting dedicated training or more frequent briefings on the threats to the business as well as the results of tests and assessments. 

CrowdStrike will continue to engage with the SEC and other regulators to advocate for the harmonization of new and existing cybersecurity incident reporting requirements. As new rules are put forth, it will be important to ensure alignment with existing regulations so that victim organizations can comply in a timely and transparent manner while continuing to focus on the fundamentals that keep their networks secure.
