Lapsus$, Microsoft and Okta: Cybergeddon or cyber non-events?
Now Reading
Lapsus$, Microsoft and Okta: Cybergeddon or cyber non-events?

Lapsus$, Microsoft and Okta: Cybergeddon or cyber non-events?

The business typically seeks efficiency while those who worry about availability need redundancy

Gulf Business

Collectively, we have a tendency in the cybersecurity industry to think in binaries and extremes — good or bad, secure or insecure, disaster or non-event. Going back over a decade, big breaches caused fear and uncertainty on an unprecedented scale. When companies like RSA, Symantec, FireEye, or SolarWinds are compromised — and most recently Microsoft and Okta — the world panics. Rightly so, but we need to get past ‘cybergeddon’ reactions and, even if we don’t get to treat them as cyber non-events, we should get more resilient and be more prepared.

Right out of the gate, I will say that all the companies listed here are excellent companies with mature, complex, competent cybersecurity programmes. And while we should never complacently accept failure in the face of a concerted attack, neither should we vilify them. There are object lessons in these compromises, and those might have to do with ethics (as was the case with HP Gary), but more often they highlight for us both how to improve our own cybersecurity programmes and, most importantly, how to mitigate many more types of risk. In cyber, we deal with second-order risk. This is what Yuval Noah Harari refers to in Sapiens as ‘intelligently adaptive risk.’ It’s the same type of risk that legal departments and sales teams face, much more so than operations or IT departments normally deal with.

The lesson here is that processes and adaptations are the measures for dealing with second-order risk. In the world of first order risk, we seek to remove waste from processes and to reach the vaunted ‘five 9s’ of availability. In second-order risk, we should measure ourselves on our own adaptability and fitness, on resilience and antifragility, and on ‘efficient redundancy,’ which sounds like an oxymoron but isn’t. The business typically seeks efficiency while those who worry about availability need redundancy. This is expense vs. efficiency. And in this world, efficient redundancy could be defined as enough redundancy to mitigate risks and build antifragility but no more. It is not the profligate waste and inefficiency of traditional Defense-in-Depth, it is instead making sure that single points of failure are reduced and eliminated in a fiscally responsible way.

So back to the announcements from Microsoft and Okta with respect to Lapsus$. This isn’t the first time Microsoft has been hacked. It isn’t the first time that a universal identity trust provider has been hacked as there’s an extensive list of these (including Microsoft) going all the way back to RSA and beyond. But the people who are coping with the fog of war in both organisations should by default receive our support even as we ask them questions and seek ways to maintain services with their potential compromise. On Tuesday, March 22, Okta announced that the supposed hack wasn’t really real and on March 23 announced that approximately 2.5 per cent of their customers were affected. It’s clear that it’s hard to know what has or hasn’t happened in the hot seat. There is not, as some pundits seem to believe, a screen that is green in the CISO’s office that suddenly flips to red when bad things happen. It doesn’t work that way.

It’s high time that we take responsibility for our own antifragility. Now is the time to update plans and shake things up. Cybergeddon can be a cyber non-event.

To use one more allusion, the cheese has moved. Time to adapt. If not now, then when?

Sam Curry is the chief security officer at Cybereason

You might also like


Scroll To Top