The Bangladesh Bank SWIFT heist and the Polish bank network attacks, perpetrated by the now famous Lazarus group, were without doubt a wake-up call for Chief Information Security Officers (CISOs) around the world. Those attacks combined custom malware with insider knowledge: a highly granular understanding of the banks' networks and operational processes, which was used to carry out the heists.
These attacks, and many like them, are shifting the role of the CISO in the corporate boardroom. More than ever, CISOs are accountable to the board, as cyber protection strategies and tools are elevated to a strategic priority for the enterprise. There are a few lessons CISOs can learn from the recent Lazarus attacks to help them direct this increased security investment wisely.
Lesson #1: It's not just about defending against potential threats; it's about maximum speed of detection and response
Today, security needs to be managed as a risk management capability, with a focus on increasing the speed of detection and response.
One of the core objectives of today's CISOs is not just to prevent incursions across the increasingly porous and ill-defined perimeter, but also to work with the rest of the business to make sure that risks and their impact are fully understood by everyone. CISOs should focus their efforts on reducing the duration and extent of security incidents. It is about being proactive at all stages of the cyberthreat lifecycle.
Lesson #2: Legacy detection tools aren't enough to fight sophisticated cyberthreats
While legacy Security Operations Centre (SOC) tools such as SIEMs (Security Information and Event Management tools) fuelled many conversations a few years ago, they are not equipped to detect advanced threats.
Amit Yoran, in his 2015 RSA Conference keynote address, stated that according to his own company's research only 1 percent of advanced threats can be detected with SIEMs. The research showed that these legacy toolsets are blind to 99 percent of advanced threats. It is imperative to detect advanced, rapidly evolving threats such as the ones illustrated by the Lazarus attacks as early as possible, and organise timely and tailored responses.
Whilst the obvious exercise of minimising the vulnerabilities that might be exploited is as essential as ever, CISOs should move beyond technology designed solely to identify the threats they already know, towards technology that can detect the ones they don't. In this effort, they should open the doors to big data, analytics and machine learning, which have proven their worth in other business areas.