{"id":14364,"date":"2025-07-01T07:06:18","date_gmt":"2025-07-01T07:06:18","guid":{"rendered":"https:\/\/newestek.com\/?p=14364"},"modified":"2025-07-01T07:06:18","modified_gmt":"2025-07-01T07:06:18","slug":"cisos-must-rethink-defense-playbooks-as-cybercriminals-move-faster-smarter","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14364","title":{"rendered":"CISOs must rethink defense playbooks as cybercriminals move faster, smarter"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Last year nation-state incidents dominated cybersecurity headlines, as Chinese Typhoon threat groups<\/a> and others made waves across several industries. But throughout the first half of 2025, most publicly known, high-profile attacks have been the work of cybercrime actors.<\/p>\n

Financially motivated attacks are on the rise, with retailers<\/a>, industrial control systems<\/a>, financial institutions<\/a>, and healthcare<\/a> among the hardest hit sectors this year.<\/p>\n

The recent surge in ransomware incidents<\/a> is taxing the capabilities of even well-prepared cybersecurity teams to detect, track, and eject cybercrime adversaries before significant damage is done. Remediation efforts have also been strained, as have security teams\u2019 ability to incorporate lessons learned into their incident response plans once an incident has been resolved. \u00a0<\/p>\n

As such, experts believe that old cyber defense playbooks no longer work, placing even greater pressure on CISOs to develop more modern and effective programs for dealing with today\u2019s intruders.<\/p>\n

\u201cAttackers are quicker, they\u2019re smarter, they\u2019re using more automated tools with AI and not legacy tools,\u201d Matt Immler<\/a>, regional CSO for Okta in the Eastern Americas, tells CSO. \u201cWhen you\u2019re looking at things that are these very static defenses, like regular passwords, perimeter firewalls, those sorts of things that have just been the classic security defense, they\u2019re just not as effective against those modern techniques.\u201d<\/p>\n

Visibility and behavior tracking: More important than ever<\/h2>\n

Accelerating attack timelines are putting greater pressure on organizations\u2019 ability to detect cybercrime activity before adversaries gain a foothold and spread laterally throughout organizational networks.<\/p>\n

\u201cIf you would ask most CISOs, what\u2019s your ability to detect something in 48 minutes or less, they would be hard pressed to give you an answer,\u201d says Tom Etheridge<\/a>, chief global professional services officer at CrowdStrike. \u201cBut we have seen the fastest recorded breakout time as low as 51 seconds. Those are the things that keep me up at night.\u201d<\/p>\n

Because the speed at which adversaries can cause problems<\/a> is accelerating, CISOs must have clear visibility across their environments. \u201cFor many organizations, security teams and structures are set up to respond to alerts they\u2019re seeing in their platform,\u201d Etheridge says. \u201cBut if the alerts are not in that platform, they may not be aware of a zero-day vulnerability and a part of their infrastructure that a threat actor is exploiting.\u201d<\/p>\n

Another step to better spotting an intruder is to establish better tracking mechanisms \u2014 especially because most attackers these days rely on abusing the identities of authenticated users<\/a>. \u201cIdentity is the front door to all these organizations and preventing intrusions within the network and looking at what an adversary [is doing] in the network\u201d is essential, Okta\u2019s Immler says.<\/p>\n

\u201cWe have this saying, \u2018Threat actors aren\u2019t hacking in anymore; they\u2019re logging in,\u2019\u201d CrowdStrike\u2019s Etheridge says. \u201cOnce they\u2019re able to gain access to privileged credentials, and then they\u2019re in that breakout, time gets accelerated. Understanding identity and the cloud is another big area that threat actors converge on; they understand the lack of visibility and controls around the cloud plane. It\u2019s a big target area for threat actors.\u201d<\/p>\n

As a result, today\u2019s security teams must employ and emphasize anomaly detection techniques<\/a> to more quickly ascertain when a seemingly authenticated user could be a threat actor operating in stealth. Anomalous behaviors are any deviations from a user\u2019s routine activity. To detect them, security organizations need to establish baseline profiles for the various user types operating within their systems and networks.<\/p>\n

\u201cBuilding a specific profile for each identity isn\u2019t always totally feasible,\u201d Immler points out. \u201cBut building profiles based on either maybe department level or function level is. If somebody is working in accounting, should they be accessing an IT resource that\u2019s not usual or vice versa?\u201d<\/p>\n

Developing these segment profiles can help security teams determine \u201cisolation points\u201d that can help them stop threat actors from gaining the entry to the systems they seek, says Pierre Cadieux<\/a>, senior manager at Cisco Talos\u2019 incident response group. Here, CISOs should ensure their behavior profile and network segmentation strategies operate in tandem.<\/p>\n

\u201cIn the event of a compromise or an incident, you can say we\u2019re dropping the shields on this specific network or these specific segments, or you have the ability of doing network isolation maybe on a building-wide, campus-wide, or regional basis depending on the kind of threat we\u2019re dealing with,\u201d Cadieux explains.<\/p>\n

Threat actor containment: Increasingly \u2018surgical\u2019 and best with a plan<\/h2>\n

Even after an intruder has been identified, today\u2019s rapid pace of adversary activity is also straining cybersecurity teams\u2019 ability to contain intruders before they can cause damage.<\/p>\n

\u201cIf I\u2019m a CISO, if I\u2019m responsible for detecting and remediating that incident before it progresses to becoming a big problem in my environment, I need to be able to move faster than the adversary,\u201d CrowdStrike\u2019s Etheridge says. \u201cAnd being able to have the confidence in your capabilities in your team to be able to stop an adversary within 48 minutes of being able to break out in your environment is a daunting activity.\u201d<\/p>\n

The trick, Etheridge says, is not to overcorrect and jam up your systems. \u201cYou need to be very, very surgical about it. There are plenty of examples where containment actions can overcorrect and create business disruption, operational, and potentially financial impact.\u201d<\/p>\n

Resiliency in the face of intrusion has become a greater emphasis today, and CISOs must consider this as part of their containment plans. Here, Okta\u2019s Immler advises employing automation to ensure a more targeted approach to triaging issues.<\/p>\n

\u201cI am always a big proponent of automation in those security systems as a first line of defense, particularly if it\u2019s not going to be an overly damaging action,\u201d Immler says. \u201cAutomations are really helpful as first lines of defense when you see something happen and you need a chance to triage it, where that can get problematic if you go overboard.\u201d<\/p>\n

He adds, \u201cI think it\u2019s good to be very nimble and selective and recognize this account just tried to do something that it should never be doing and disable that account for a little while or issue a logout for a universal logout, something like that to remove their access to what they\u2019re doing until somebody\u2019s had a chance to go, \u2018Hey, is this what you should have been doing? Or did you mean to do this? Was it an accident?\u2019\u201d<\/p>\n

Moreover, having an incident response plan<\/a> beforehand and then following it is a must when containing a threat actor, Cisco Talos\u2019 Cadieux emphasizes. \u201cIt goes back to the IR plan that they should have developed. There should be a basis for how to do containment, the options based on our people and technology, and how to execute those. And then, of course, the plan should be tested.\u201d<\/p>\n

The methods for containing and ejecting the intruders depend on the nature of the breach and response plan, \u201cbut the things that you can do technically to block them without them noticing immediately are the best,\u201d Immler says. \u201cOtherwise, if you see sensitive data going out, you have to bring down the hammer and cut them off.\u201d<\/p>\n

Incident post-mortems: Improving future responses to accelerating threats<\/h2>\n

The pace of adversarial activity is also placing greater emphasis on the importance of conducting post-mortems on any intrusion to fine-tune incident response plans for better future performance. Here, sound logging systems are essential, Immler says.<\/p>\n

\u201cThat\u2019s where having a good SIEM [security information and event management<\/a>] system in place is vital for all of your critical systems because you\u2019re going to go through your logs and say, \u2018Okay, we identified and contained the attacker. Let\u2019s look at every single system they touched,\u2019\u201d he says.<\/p>\n

\u201cOften when we deal with ransomware, for instance, we are dealing with an accelerated threat that\u2019s happening right then, which the bad thing is actually triggering right now,\u201d Cisco Talos\u2019 Cadieux adds. \u201cIf root cause analysis or initial point of entry are critical, you must consider how long you retained those logs.\u201d<\/p>\n

After that, CISOs must stay ahead of the curve by following industry trends and staying informed about the latest threat actor characteristics. \u201cYou need to look at the newer technologies and ensure that you\u2019re keeping up with them,\u201d Immler advises. \u201cSo just because something worked last year or the year before or has served you well for 20 years doesn\u2019t mean that it\u2019s going to keep up with the changing landscape.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Last year nation-state incidents dominated cybersecurity headlines, as Chinese Typhoon threat groups and others made waves across several industries. But throughout the first half of 2025, most publicly known, high-profile attacks have been the work of cybercrime actors. Financially motivated attacks are on the rise, with retailers, industrial control systems, financial institutions, and healthcare among the hardest hit sectors this year. The recent surge in… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14364","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14364"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14364\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}