
The rising risk of turnkey operating system platform solutions

Why organisations are reconsidering their security choices to reduce dependencies and risks.

Johannesburg, 01 Mar 2022
Milad Aslaner, Head of Technology Advisory Group, SentinelOne.

Today, all organisations rely on technology in one way or another. But when technology fails, it results in significant outages that can be catastrophic for both business and the economy. That is why organisations often rely on cyber insurance to cover the business liability from cyber threats. Ultimately, cyber security is about managing risk. As such, organisations are looking to understand their exposed attack surfaces and trying to identify ways to reduce risk as effectively as possible.

Over the years, some organisations settled for operating system-based turnkey platform security solutions that provide them with the majority of their required IT, security and compliance services. In theory, these solutions are compelling as they allow organisations to have one enterprise agreement that gives them access to the different technologies that they might require. And oftentimes the price is “free” or “included” in the broader subscription. However, today this has started to become a disadvantage, because these organisations have become overly dependent on operating system platform vendors. Security is not the core business of an operating system vendor. When a platform vendor is impacted by a system flaw, or by a cyber attack, many of its customers run the risk of not being able to operate. As such, concerns have been raised in the cyber security industry about the over-use of platform vendors and the possible impact on organisations.

“With Windows, Microsoft provides one of the world's most widely used operating systems. That is why it’s not surprising that we continue to see more vulnerabilities and exploits every year,” says Milad Aslaner, Head of Technology Advisory Group at SentinelOne, who refers to Microsoft Windows 10 as an example.

In 2021, 485 new vulnerabilities were discovered and, this year to date, security professionals have already identified 80 new threats – some of which include the ability to run malicious code and to bypass built-in security capabilities. Aslaner continues: “Some vulnerabilities, like CVE-2021-24092, allowed attackers 12 years to abuse a vulnerability in Microsoft Defender for privilege escalation.”

As organisations started to adopt cloud services widely, many falsely assumed that securing the service would be the sole responsibility of cloud solution providers like Microsoft Azure, Google Cloud Platform or Amazon Web Services. “While the operating system already offers a large attack surface, we also need to consider the acceleration of identified vulnerabilities in cloud services,” explains Aslaner.

All organisations can be targeted, and it’s not about if but when they will be attacked. “In the insurance world, it’s all about risk management – how likely is something to happen?” he says. “When an organisation is overly dependent on a single vendor, this increases their risk exponentially and that’s a big red flag that some companies have started to raise.”

This is the reason why organisations are reconsidering their operating system security vendor selection. Organisations can’t afford to be overly dependent on a single vendor. “If the organisation is using a platform vendor and that vendor experiences downtime for whatever reason, the organisation will automatically be impacted as well,” explains Aslaner.

Reducing risk starts with having a formal information security programme. There are many frameworks available, such as the Cybersecurity Framework or the National Institute of Standards and Technology (NIST). Frameworks like these can improve cyber resilience by helping organisations to construct a more robust cyber security programme. Aslaner says: “Organisations are looking for vendors that give them flexibility by integrating various best-of-breed solutions into a unified platform.” He continues: “Organisations can no longer afford good enough security that forces them into a closed ecosystem.”

Every day, new cyber attacks make it to the headlines – it doesn’t matter if you’re in the private or public sector, or how big your organisation is, everybody can be compromised.

“Taking a data-driven risk management approach is critical. As such, an organisation must understand their cyber dependencies,” adds Aslaner. “Organisations often choose between best-of-suite versus best-of-breed solutions. However, in recent years, even organisations that previously chose closed ecosystems are moving away to open platforms that are built for best-of-breed choice.

“Assume you rely on a single vendor to provide you with most of your IT and security services,” he explains. “This could be a single vendor that ends up providing you with identity and access management, e-mail, operating system, security and compliance capabilities. From a threat actor perspective, attacking that vendor is very lucrative because if they breach them successfully, they have potential access to their customer base.

“Let’s take Microsoft as a platform vendor, for example. Suppose an organisation uses Microsoft 365 for all their IT and security requirements, and a threat actor can compromise just a single security administrator identity. In that case, they could end up reconfiguring all of the security controls, and they now operate completely in the shadow.”

That is why it is not surprising that, in the cyber security industry and in discussions with cyber insurance companies, the over-utilisation of operating system platform vendors is often marked as a red flag that could even increase the organisation's premiums.

“Organisations, where the majority of their IT and security capabilities are delivered by a single vendor, are challenged because what it translates to is the fact that a single tactical cyber attack can shut them down entirely. This is not necessarily the case with a diversified portfolio of vendors.”
