You don’t know what you don’t know; that seems to be the mantra for most information security programs today. Security visibility is grossly lacking in so many environments. For many, this ignorance — and the ensuing lack of security alerts — is bliss.

No Visibility Equals No Worries — Right?

I’ve seen it time and again: Management, including technology and C-suite executives, intentionally avoids acknowledging or properly addressing the information security weaknesses — or even breaches — impacting their business. On the opposite end of the spectrum, others struggle to keep up with what’s going on because of too much information, a lack of expertise or the improper use of existing security tools. Sometimes it’s all three.

I’ve yet to see an IT environment where those in charge truly understand the state of security at any given moment. I think that’s why we keep seeing the waves of data breaches come in. Regardless of where your organization falls within the spectrum of security visibility and control, the reality is that someone can be doing something bad on your network at this very moment. And odds are good that you don’t even know about it.

Then what happens? Maybe you’ll detect the breach eventually. Perhaps you’ll be lucky enough to be notified by someone else, which, according to studies such as the “Verizon Data Breach Investigations Report,” is a common scenario. It could be that you never find out and long-term damage is inflicted over time, hurting your bottom line and your brand reputation.

Working Through Security Challenges

These security challenges impact both small and large enterprises and even the federal government. It’s interesting — I’ve heard stories from security vendors who say that they will demo their product in a customer environment for proof of concept to show advanced persistent threats (APTs) and related criminal activity in the networks, yet a common response is: “Thanks, Mr. Vendor. We appreciate the insight and will put your product in our budget for next year.” So an intruder is in the house, but people will pretend like nothing bad is happening.

No matter the scenario, the fines, lawsuits, discovery requests and depositions will likely ensue, especially if personally identifiable information (PII) is breached. There are also the long-term costs associated with stolen intellectual property, impact to your brand and so on. Is this a challenge that management is willing to take on?

You don’t know what you don’t know, but that’s not a defensible approach to information security. Heads in the sand never helped anyone. If you’re going to stay out of trouble, you have to find out what’s happening on your internal network, across your mobile workforce and in the cloud. Then, when threats, vulnerabilities and risks are identified, vow to do something about them in the very near future, if not immediately. Criminals attacking your business have nothing but time. You don’t.
