Denis Makrushin, MTS RED: The state of security is unattainable, but business resilience to cyber threats can be ensured
Denis Makrushin, Technical Director of MTS RED, answered TAdviser's questions about business cyber resilience, effective protection against cyber threats and the company's products.
The massive scale and variety of cyber attacks have made ensuring information security an urgent task for Russian business and the state. Issues of protection against cyber threats are actively discussed in the public field, including at a high level. Are there any problems in this area that remain unresolved?
Denis Makrushin: We see that the number of attacks has increased many times over, and the number of solutions available for protection, on the contrary, has decreased many times over. The technologies of foreign vendors, which have been cultivated in the infrastructures of Russian companies for many years, are no longer available. Their departure left gaps that customers are forced to close with less mature counterparts. A striking example is next generation firewalls (NGFW, Next Generation Firewall).
The existing domestic solutions, as a rule, are focused on highly specialized tasks, so the defending side is forced to collect "assorted" products and services in order to cover its needs at all stages of the information security life cycle. In small companies, this does not create difficulties, but on a large-scale infrastructure, so many separate protection systems require a staff of information security specialists. And even in this case, the level of observability of events in the infrastructure often remains low, because "assorted information security products" need to be correctly operated and integrated with each other.
For this reason, companies are already looking for ways to turn this whole set of products into a well-coordinated orchestra. The lack of approaches and products for creating an information security ecosystem is the next challenge the industry will face after closing all technological gaps.
What is the situation with import substitution in general?
Denis Makrushin: For a year and a half, a lot of new domestic products have appeared, we can even say that there are too many. And this also became a problem, because with so many systems of different vendors and different levels of maturity, the need for a single connecting link, a certain integration bus, increases even more.
In addition to the technological aspect, the limited information security budgets of companies remain an important problem, which requires strict prioritization when protecting against cyber threats. What, in your opinion, should these priorities be based on?
Denis Makrushin: Unlimited budgets also require prioritization when choosing tools to protect against cyber threats. Practice shows that incidents happen even in companies with huge budgets for information security.
The fact is that the problem of cyber defense is asymmetric, because the attacker is always in a better position than the defender. This can be compared to wildlife, when a predator watches its victim for a long time before attacking it, and the victim is forced to "study" the predator already in the moment of attack.
Therefore, priorities must be set based on the fact that the state of absolute security is like an asymptote of a function: one must strive for it, but it is unattainable. However, it is possible to ensure that the business is resistant to the most significant cyber threats for it.
Cyber resistance implies that an attack can occur, but it should not have a significant impact on the company's activities, on the continuity of business processes. Thus, the concept of cyber resistance changes the attitude towards information security strategy: now all scenarios for the implementation of attacks are becoming part of the company's life cycle.
We believe that in modern realities it is necessary to work with cyber threats, as with other business risks, that is, not only to take measures to reduce them, but also to know what to do if the risks have been realized. This can be compared to fire safety: of course, it is necessary to take all possible measures to ensure that the fire does not occur, but it is also important to have an evacuation plan in case it does happen.
If we turn to reliability theory, then cyber resistance can be determined by three key parameters: the criticality of the incident, the time to analyze this incident and the time to recover from the incident. And you need to work with each of these parameters.
Accordingly, the priorities in the company's information security strategy are set in accordance with the risks to business sustainability: the higher the likelihood of a threat, the more you should invest in protection in this direction and develop response scenarios.
What are the differences between the information security life cycle and cyber resistance?
Denis Makrushin: There are four stages of the life cycle of adaptive information security: protection against threats, their detection, response and forecasting. Now most Russian companies focus on protecting against and identifying cyber attacks. Cyber resilience supports this life cycle but enhances focus in the response and prediction phases. As a rule, traditional security implies that all measures must be taken to ensure that the incident does not happen. And the concept of resilience allows you to look at incidents from a different angle: "What will I do if the incident happens? What damage can it do to the business? Do I have a recovery plan?"
Will this concept be understood by the business leaders on whom the IT budgets of the divisions ultimately depend?
Denis Makrushin: A business leader primarily thinks in the categories of resources, damage, business continuity, and not cyber attacks. It may not matter to him what interrupts the business: a computer incident or a man-made disaster.
The concept of cyber resistance just shifts the focus from the task of protecting against the maximum number of cyber threats to achieving the operational goals of the company and thereby makes information security a business function. Cyber resilience aims to minimize the company's damage from cyber attacks, and protection from hackers is only one of its tools. This focus on the needs of the business helps to clearly argue the need for costs.
In addition, businesses have long known the principles of sustainable development, which are included in the strategy of any organization, as well as the concept of continuity management (Business Continuity Management) as a set of relevant practices and methodologies. And in this context, the risks of cyber resilience disruption are a subset of the risks that can negatively affect business continuity.
Let's move from considering concepts to protection tools. Companies can use a range of tools at every stage of cyber threat protection. How to choose the best?
Denis Makrushin: Here you can distinguish three steps, and the first of them is forecasting. This is a basic action in which the most significant business processes that need to be made resilient, including to cyber attacks, are highlighted. The second step is to identify technologies that can ensure the continuity of these processes and that will ensure full observability of events within the business process. And the third step is to check the resilience of business processes after the introduction of protection technologies.
Let's take the question of ensuring the observability of events in the infrastructure. How can it be provided?
Denis Makrushin: At a minimum, network security tools are needed - for example, NGFW - and Endpoint Detection & Response solutions. They must be linked by a system that provides correlation of events, giving an understanding that an incident in the network and on a workstation is part of a single attack. These three tools are considered the basis for ensuring the observability of events within the IT infrastructure.
What other tools will be needed depends on the specifics of the business. For example, if a company develops internal or external applications, a system for monitoring events during development is required - for example, platforms of the ASOC (Application Security Orchestration and Correlation) class. If you work with containers, you will need to ensure observability in the container infrastructure; this is helped by systems of the Container Security class.
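The correlation layer described in this answer (linking an NGFW alert and an EDR alert on the same asset into one incident) and the three resilience parameters named earlier in the interview (incident criticality, time to analyze, time to recover) can be made concrete with a small script. The following is an added example and not code from MTS RED or the interview; the log formats, the asset inventory and the ten-minute correlation window are constructed assumptions for illustration.

```python
"""Correlate NGFW and EDR events into incidents and compute resilience timings.

Added example: the log line formats, the asset inventory and the sample
events below are all constructed for illustration (not a vendor's format).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # "ngfw" (network sensor) or "edr" (endpoint sensor)
    host: str     # asset identity normalized to an IP address
    detail: str   # signature or alert name


@dataclass
class Incident:
    host: str
    events: list = field(default_factory=list)

    @property
    def first_seen(self) -> datetime:
        return min(e.ts for e in self.events)

    @property
    def sources(self) -> set:
        return {e.source for e in self.events}


# Constructed asset inventory: EDR reports hostnames, NGFW reports IPs, so
# both sides must be mapped onto one key before they can be correlated.
ASSETS = {"ws-017": "10.1.4.17", "ws-042": "10.1.4.42"}

# Constructed sample log lines (hypothetical key=value format).
NGFW_LINES = [
    "2024-03-11T09:14:02Z ngfw action=alert src=10.1.4.17 dst=203.0.113.9 dport=443 sig=suspicious-tls-beacon",
    "2024-03-11T09:31:40Z ngfw action=alert src=10.1.4.42 dst=198.51.100.7 dport=445 sig=smb-scan",
]
EDR_LINES = [
    "2024-03-11T09:13:55Z edr host=ws-017 alert=suspicious-macro-child-process",
    "2024-03-11T14:02:10Z edr host=ws-042 alert=lolbin-execution",
]


def parse(line: str) -> Event:
    """Parse one constructed log line into a normalized Event."""
    ts_str, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    if source == "ngfw":
        return Event(ts, "ngfw", fields["src"], fields["sig"])
    if source == "edr":
        return Event(ts, "edr", ASSETS[fields["host"]], fields["alert"])
    raise ValueError(f"unknown source in line: {line}")


def correlate(events, window: timedelta = timedelta(minutes=10)) -> list:
    """Group events seen on the same host within `window` of each other.

    Events are processed in time order; an event joins an open incident on
    the same host if it arrives within `window` of that incident's latest
    event, otherwise it opens a new incident.
    """
    incidents: list[Incident] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        for inc in incidents:
            if inc.host == e.host and e.ts - max(x.ts for x in inc.events) <= window:
                inc.events.append(e)
                break
        else:
            incidents.append(Incident(e.host, [e]))
    return incidents


def build_incidents() -> list:
    """Run the constructed NGFW and EDR lines through the correlator."""
    return correlate([parse(l) for l in NGFW_LINES + EDR_LINES])


def multi_source_hosts(incidents) -> list:
    """Hosts where network and endpoint sensors both saw the same incident."""
    return [i.host for i in incidents if {"ngfw", "edr"} <= i.sources]


def resilience_metrics(incident: Incident, analyzed_at: datetime, recovered_at: datetime) -> dict:
    """Two of the three resilience parameters, measured from the incident timeline."""
    return {
        "time_to_analyze": analyzed_at - incident.first_seen,
        "time_to_recover": recovered_at - analyzed_at,
    }


if __name__ == "__main__":
    incidents = build_incidents()
    for inc in incidents:
        print(inc.host, inc.first_seen, sorted(inc.sources), [e.detail for e in inc.events])
    print("confirmed by both sensors:", multi_source_hosts(incidents))
    print(resilience_metrics(incidents[0],
                             datetime(2024, 3, 11, 9, 40),
                             datetime(2024, 3, 11, 11, 0)))
```

On the constructed input, the EDR alert on ws-017 and the NGFW beacon alert from 10.1.4.17 seven seconds later collapse into one incident seen by both sensors, while the two events on ws-042 stay apart because they are hours apart. Criticality, the third parameter, is not derived here: it comes from the forecasting step (which business process the host supports), not from the logs.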
A person remains perhaps the most vulnerable point in any security system. How is the problem of the so-called "human factor" solved within the framework of the concept of cyber resistance?
Denis Makrushin: There are two aspects here: the human factor in the processes associated with managing information security incidents, and the malicious actions of ordinary employees, intentional or accidental.
The first problem is gradually being solved by automation technologies (so-called Security Copilots), which help analysts make decisions. Thanks to this, they can focus on more intelligent and complex tasks, such as threat forecasting.
The second, even more urgent problem of the human factor is solved only by continuous training of employees, increasing their awareness of cyber threats. How extensive it should be and how it should be carried out is decided separately in each specific case. A small company can even conduct such training on its own; a larger organization needs a centralized automated solution.
Does the concept include such a notion as "cyber security culture," which must be purposefully created?
Denis Makrushin: In management practice, there is such a figurative expression: "culture eats strategy for breakfast," therefore - yes, the formation of a culture of employee behavior in the IT space occupies a large place in ensuring the cyber stability of the business.
What services/products does MTS RED offer to meet new realities?
Denis Makrushin: It is appropriate to remind you of the key stages of information security: protection, detection, response, forecasting. Accordingly, we understand that within the framework of this concept, it is necessary to offer customers tools to implement and support all four stages. We create products and services to ensure the full life cycle of information security.
But, in addition, we are ready to help customers in building a cyber resistance strategy - not necessarily based on MTS RED solutions. And in general, ensuring business resilience to cyber attacks is largely a matter of creating or debugging the necessary processes, not only the use of specific information security technologies.
What are the development plans in this area?
Denis Makrushin: We fill our line of technologies so that as a result, the customer, regardless of his level of maturity or business specifics, can get all the necessary solutions or services from a single window. And of course, we want to proactively solve the problem with their mutual integration and a single point of control by creating a cybersecurity platform.
Are MTS RED products/services implemented on a single platform or exist separately, as specialized solutions?
Denis Makrushin: We ensure the mutual integration of our solutions. We understand that we need an integration layer, a platform into which each of the products can be built. So we are developing, firstly, specialized technologies and, secondly, a platform that can combine all these modules. It will allow mutual enrichment of data collected by different systems, unify user experience and give companies a unified cybersecurity management system.
Does this platform already exist as a commercial product?
Denis Makrushin: At this stage, it exists as a prototype. The developed components of this platform are already being integrated into our products.
Like MTS in general, we adhere to ecosystem principles. And in order to implement them in practice, it is necessary to build the possibility of mutual integration into new products and services already at the stage of creating them.
What is planned to be done in the development of the platform?
Denis Makrushin: The key area of development is automation of incident processing, which will reduce response time. Artificial intelligence technologies can help solve this problem, and today they must be integrated into any information security product. On the basis of our Security Operations Center, we study existing technological and most effective ideas in the form of technologies and products.
What do you expect from the cybersecurity market over the next few years?
Denis Makrushin: The key and quite obvious trend is the consolidation of the market around large players. In 2024, the market will complete the transition from a suite of products to platforms. This was a trend of the current year. In the next, it will strengthen and bear the first fruits. At the same time, the division into two types of platforms will remain: open, ready for integration with any product and service, and closed platforms that are built on the ecosystem of technologies of one vendor.
In addition, an increase in the number of startups and small "garage" projects in information security is expected. "Disruptive" innovative technologies will begin to appear on the market, that is, those that offer radically different ways to solve existing problems.
In 2025, artificial intelligence and machine learning will be part of each of the platforms for providing cyber defense. In 2026, monitoring and response centers will begin to transform into "next generation" SOCs, whose work will be based on the execution of response algorithms. These teams will consist of data scientists who will train these algorithms to identify, respond to and restore business processes. Security analysts will still remain part of the team, but will work with non-trivial incidents, and playbooks for simple incidents will no longer be implemented by people, but by algorithms.
And what will happen in 2027?
Denis Makrushin: In 2027, we will meet with you and conduct a retrospective analysis of my forecasts.