Every CISO or IT leader has experienced the tough conversation of informing the C-Suite and Board of Directors that their company has been breached. I’ve been there, and it’s nothing new in the life of a CISO. Even worse is the situation where the CEO informs us that we’ve been hacked. Unfortunately, the practice of “IT or security teams discovering the breach first” no longer applies, causing much hair-pulling and sleepless nights.
I’m sure the recent Microsoft Exchange attack raised major concerns and had organizations scrambling to see if they got hit like many of our customers did. So, I asked my circle of security experts how they would approach working with C-Level management and the board when major attacks hit like this one and SolarWinds.
Jack Leidecker, CISO at Gong
I think it’s easier when you have more organizations getting hit all at once. As ridiculous as that sounds, it leads to a numbness factor, which is not what you want, because ultimately it doesn’t lead to good decision making. RiskIQ found that 69,548 Microsoft Exchange servers remain unpatched (as of 3/14/21), with nearly 17,000 servers located in North America. That’s a whole lot of major numbness and head shaking going on.
As a first step, I would talk with my board and discuss the following:
- Did we get breached or not?
- What happened? And why?
- What’s lacking in our security operations?
- What do we need to do? Any investment needs? Any resource and talent needs?
If we didn’t get breached, the discussion turns into how we avoid future attacks:
- Assess what our security risk posture is today
- Where do we want to expand?
- How do we get there?
- How do we utilize managed security services to fill in the operational gaps?
Despite initial finger-pointing, both parties will need to take joint responsibility and move forward. There’s going to be fallout, and it’s up to the IT and security leaders to respond well and build a strategic plan to ensure modern security tools are in place to protect the company’s business and brand reputation.
Sean Cordero, Founder at Cloud Watchmen
This leads to another interesting angle: organizations will compare why they were impacted while other companies were not, especially those running in cloud environments. These companies will claim their environments weren’t exploitable because Microsoft Office 365 was not impacted. This will lead other companies to rethink their entire strategy around messaging solutions and shift towards cloud or hybrid cloud solutions.
Brandon Hoffman, CISO at Netenrich
With the recent increase in remote work and rise in major attacks (SolarWinds), is this the opportune time for security professionals to push their board to invest into a more proactive mindset and digital transformation initiatives?
John Bambenek, President of Bambenek Consulting
Despite the immediate “reactive” need to fix the Exchange situation, the reality is that security professionals will not make headway in convincing their board to invest in change. Historically, as an industry we have used technology to divide the haves and have-nots. The larger companies can afford to scale and implement modern security practices with their boards’ approval. The majority of organizations are left behind, lacking budgets, resources and expertise.
The Exchange attack also shows that network security and application services remain a big target for attackers. This was hidden for a while because the web became a much richer target environment.
This leads to another important point: “Does your company need to re-evaluate what they’re doing from a security infrastructure perspective?” One of the easiest things to do, though very few companies do it well, is threat detection and exposure assessments to really understand what’s going on in their networks. I’ve been a big proponent of asking “What’s our threat model using the MITRE ATT&CK framework?”
- How are we doing on assessing risk and not just basic threat hunting?
- Can we detect some of these attacks as they’re happening?
- Are we able to constantly evolve with the emergence of new attacks?
- Are we taking a proactive risk perspective as well as proactive security measures?
Our panel also shared their “in the trenches” best practices for working with executive leaders and the board.
- Get your board to understand what the risk is; articulate it so that it makes sense, and explain how it affects business outcomes.
- Working with the board is an ongoing and evolving process. Articulate what the current risk is, share findings from threat and risk analysis, show what corrective measures are being taken, and provide real-time results.
- Focus security and risk analysis across cloud applications. Understand the company’s dependency on third-party applications and vendor partners. Investigate their ability to detect and respond to attacks.
To learn more from our panel, watch our webinar and drop us a line if you need help. See our previous blog entitled “Microsoft Exchange Attack, What You Need To Know And Do Now.”
Also read how Netenrich’s Resolution Intelligence® solutions can tackle the questions CISOs and boards face. We can help transform your digital operations to gain improved visibility and intelligence across your IT, security and cloud environments.