In an era when a security breach is all but inevitable, one of the best analogies for how we need to address the situation is the way security controls are applied at an airport. Whilst customs and security (the equivalent of good old perimeter firewalls) have served a purpose historically and still do to a degree, it is more important to observe the behaviour of the traveller once they are inside the transit lounge or supposedly secured area. Are they behaving suspiciously? What are their movement patterns? Have they gone to the gate or lounge they are supposed to be in? Have they changed their appearance after a visit to the rest room? Did they depart on the flight they were meant to board, or are they sitting quietly waiting for their opportunity to act? And have these passengers been flagged as dangerous in other countries by Interpol, or do they appear on any no-fly lists?
A report by PwC found that as business size increases, so does the average cost of their most damaging breach. At the same time, whilst it is now essential to establish an even tighter grip over a complex IT estate to aid in ensuring a better security posture, it has become increasingly difficult to gain full control and transparency in this regard, since most businesses don’t grow organically over time; they grow through a series of mergers and acquisitions which each play a part in changing their IT landscape. As their infrastructure evolves, it becomes a mixture of new, established, and legacy systems from a range of different suppliers. In this complex, blurred environment, finding threats can be challenging, because there are lots of places for suspicious activity to hide.
Despite these challenges, users expect IT to be operationally seamless and secure, as well as borderless in the sense that ubiquitous access to private services or public cloud needs to be equally secure. This makes it more difficult to clearly define the lines between applications and user groups.
So, what can you do? There are six recommendations that should be considered as a start.
Recommendation one: Know the personas on your estate
Over 70% of new network cyber-attacks are no longer initiated by malware. Interestingly, the leading cause of a breach is an attacker gaining access to a network with valid logon credentials, often even those of a privileged user.
To an attacker, overly permissive accounts or being able to use a compromised device to move laterally around an organisation is very appealing. A cyber-criminal will follow a set path of attack, often referred to as the Cyber Kill Chain (Lockheed Martin®). Once inside an organisation, an attacker will look to protect their access by creating alternative covert entry paths to the organisation’s assets and elevate their privileges to make it easier to move and hide within the organisation, and then move laterally to find what they’re looking for.
As a result, our recommendation is to initiate a high-confidence audit to establish a firm understanding of the roles and users in your organisation. This, coupled with the associated reporting and alerting, will go a long way towards detecting malicious behaviour more rapidly, and will also limit the impact by ejecting an attacker earlier in their campaign.
Recommendation two: Understand your assets
If you don’t know what you have, how can you protect it? When a business lacks an understanding of their hardware and software assets, the consequence is often the creation of a few security blind spots where an attacker who has already infiltrated a business could hide.
Often, when a serious vulnerability is identified, it can be very difficult to track down the assets affected, and hard to understand their patching or version status so that you can update and defend the device. Breaking the asset lifecycle into three logical steps helps to optimise each step and makes it easier to carry out patching, should the worst happen.
1. Know what you have
Creating a high-integrity asset or configuration database of what is connected to your infrastructure helps to rapidly assess the scope of vulnerabilities. Ideally, you’ll update this whenever new devices are detected. A strong asset approach can also help in managing licenses and support costs, as well as in identifying end-of-life or legacy IT that may be hiding in your network.
2. Know what is vulnerable
Regular scanning of your asset database to identify the versions of software in use and any potential vulnerabilities can help you frame the IT risk your organisation faces and help to prioritise your remediation strategy.
3. Resolve the risks
A solid approach to patching which makes the most of your asset knowledge will mean you can close vulnerabilities faster, while minimising the impact to your business operations.
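The three steps above, as an added example that is not code from the original post: a small script that keeps an inventory, joins it against an advisory feed to find what is vulnerable, and ranks the fixes. The hosts, versions and advisories are constructed for illustration, the advisory identifiers are placeholders rather than real vulnerability references, and the scoring weights are an assumption; a real estate would feed the inventory from discovery tooling and the advisories from a vendor or vulnerability feed.

```python
"""Added example, not code from the original post: the three-step asset
lifecycle (inventory, find what is vulnerable, resolve in priority order)
as a small script. Hosts, versions and advisories are constructed, and the
advisory identifiers are placeholders, not real vulnerability references."""
import re

# Step 1: the asset/configuration database. Constructed sample entries.
ASSETS = [
    {"host": "web-01", "zone": "dmz", "internet_facing": True,
     "software": {"nginx": "1.18.0", "openssl": "1.1.1k"}},
    {"host": "db-01", "zone": "data", "internet_facing": False,
     "software": {"postgresql": "13.2"}},
    {"host": "legacy-erp", "zone": "corp", "internet_facing": False, "end_of_life": True,
     "software": {"java": "8u181"}},
    {"host": "jump-01", "zone": "mgmt", "internet_facing": True,
     "software": {"openssl": "1.1.1t", "openssh": "8.9"}},
]

# Step 2 input: a constructed advisory feed. "fixed_in" is the first safe
# version; anything older is affected. Severity is a CVSS-style 0-10 score.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "openssl", "fixed_in": "1.1.1t", "severity": 9.0},
    {"id": "ADV-PLACEHOLDER-2", "product": "nginx", "fixed_in": "1.20.1", "severity": 6.5},
    {"id": "ADV-PLACEHOLDER-3", "product": "postgresql", "fixed_in": "13.1", "severity": 7.0},
    {"id": "ADV-PLACEHOLDER-4", "product": "java", "fixed_in": "8u191", "severity": 8.0},
]


def version_key(version):
    """Split '1.1.1k' or '8u181' into a comparable tuple. Numeric runs compare
    as integers and letter runs as strings, so '1.1.1k' < '1.1.1t' and
    '1.18.0' < '1.20.1' (a plain string comparison would get the latter wrong)."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(installed, fixed_in):
    """True when the installed version is older than the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def find_vulnerable(assets, advisories):
    """Step 2: join the inventory against the advisory feed."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset["software"].get(adv["product"])
            if installed is not None and is_affected(installed, adv["fixed_in"]):
                findings.append({
                    "host": asset["host"], "advisory": adv["id"], "product": adv["product"],
                    "installed": installed, "fixed_in": adv["fixed_in"], "severity": adv["severity"],
                    "internet_facing": asset.get("internet_facing", False),
                    "end_of_life": asset.get("end_of_life", False),
                })
    return findings


def prioritise(findings):
    """Step 3: rank fixes. Severity first, with exposure (internet-facing) and
    end-of-life status pushing an item up (assumed weights). EOL assets get a
    mitigation action because there is no vendor patch to apply."""
    def score(f):
        return f["severity"] + (2.0 if f["internet_facing"] else 0.0) + (1.0 if f["end_of_life"] else 0.0)

    ranked = sorted(findings, key=score, reverse=True)
    for f in ranked:
        if f["end_of_life"]:
            f["action"] = "isolate/mitigate: end-of-life, no vendor patch"
        else:
            f["action"] = f"upgrade {f['product']} {f['installed']} -> {f['fixed_in']}"
    return ranked


if __name__ == "__main__":
    for f in prioritise(find_vulnerable(ASSETS, ADVISORIES)):
        print(f"{f['host']:<12} {f['advisory']:<18} {f['action']}")
```

The point of the version parser is the one that trips up most home-grown inventories: comparing version strings lexically would rank 1.18.0 above 1.20.1 and miss the affected host. The end-of-life branch shows why the inventory needs to carry lifecycle status, since "patch it" is not an available action for legacy IT.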
Recommendation three: Modern end-point tooling is important
Cyber-attacks continue to become more sophisticated and difficult to defend against. Incidents such as SolarWinds create a new paradigm that challenges the basis of what we thought we knew and our understanding of who we trust.
Endpoint Detection and Response (EDR) solutions tackle this issue by bringing together next-generation antivirus with threat hunting and threat intelligence on the endpoint device, constantly analysing events to identify malicious behaviour. However, the primary focus historically has been remediation on the endpoint device. Given the increasingly advanced nature of the threats we are experiencing, businesses require a more sophisticated, unified view of threats that span multiple devices and network sources.
XDR (Extended Detection and Response) provides just that. XDR collects and aggregates data from multiple sources, including EDR, network security devices, cloud services, identity, and email security solutions, and uses analytics and machine learning to detect hidden threats. Whilst EDR gives excellent visibility of adversary behaviour as it occurs, organisations often need prior understanding of that behaviour to detect and prevent it effectively. When that information isn’t available and prevention and detection fail silently, many EDR solutions still monitor and record the chain of execution on the endpoint, so that security operations centre (SOC) teams can look back retrospectively and establish where the attack happened. XDR’s AI integration has become more advanced than EDR’s, requiring less analytical effort from SOC teams during and after an attack and reducing the workload on security teams.
Recommendation four: Make it difficult to move between zones and workloads
This is where a zero-trust approach alongside a strong micro-segmentation strategy comes in. Instead of allowing every device to communicate with whatever it needs to, businesses should only allow traffic to flow between applications that have been positively verified against a stringent zero-trust policy.
Furthermore, businesses need to create boundaries between different zones of their network, using network segmentation and application micro-segmentation. This can make it considerably more difficult for an attacker to move laterally around a breached infrastructure, while enabling a business to rapidly restrict access as needed.
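An added example, not code from the original post, of what "positively verified against a stringent policy" looks like in practice: a default-deny allowlist between workload identities, with zone boundaries used to explain each denial. The workloads, zones, policy entries and flow records are all constructed; a real deployment would enforce this in a service mesh, host firewall or network policy engine and feed the denials into the SOC.

```python
"""Added example, not code from the original post: a default-deny policy
between workload identities with zone boundaries, applied to constructed
flow records. Workload names, zones, policy and flows are all made up."""

# Which zone each workload identity belongs to (constructed).
WORKLOAD_ZONE = {"web": "dmz", "app": "app", "db": "data", "jump": "mgmt", "hr-laptop": "user"}

# Positively verified flows: (source identity, destination identity, port).
# Anything not listed is denied; that is the default-deny part.
ALLOWED_FLOWS = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("jump", "app", 22),
    ("jump", "db", 22),
}


def decide(flow):
    """Return (verdict, reason) for one flow record. Identity comes first:
    a flow whose source identity has not been verified is denied before the
    allowlist is even consulted, so an address alone never earns access."""
    if not flow.get("identity_verified", False):
        return "deny", "source identity not verified"
    if (flow["src"], flow["dst"], flow["dport"]) in ALLOWED_FLOWS:
        return "allow", "explicitly allowed"
    src_zone = WORKLOAD_ZONE.get(flow["src"], "unknown")
    dst_zone = WORKLOAD_ZONE.get(flow["dst"], "unknown")
    if src_zone != dst_zone:
        return "deny", f"no policy for {src_zone}->{dst_zone} crossing"
    return "deny", f"no policy within zone {src_zone}"


def denied_flows(flows):
    """The flows a segmented estate would block; each one is also a detection
    signal, because a workload reaching across a zone it has no policy for is
    exactly how lateral movement shows up."""
    denied = []
    for flow in flows:
        verdict, reason = decide(flow)
        if verdict == "deny":
            denied.append((flow["src"], flow["dst"], flow["dport"], reason))
    return denied


# Constructed flow records, as a flow collector or mesh proxy might report them.
FLOWS = [
    {"src": "web", "dst": "app", "dport": 8443, "identity_verified": True},    # normal tier-to-tier
    {"src": "app", "dst": "db", "dport": 5432, "identity_verified": True},     # normal
    {"src": "web", "dst": "db", "dport": 5432, "identity_verified": True},     # web tier reaching data tier directly
    {"src": "hr-laptop", "dst": "db", "dport": 22, "identity_verified": True}, # user zone to data zone
    {"src": "app", "dst": "web", "dport": 22, "identity_verified": True},      # reverse direction, no policy
    {"src": "web", "dst": "app", "dport": 8443, "identity_verified": False},   # right path, unverified identity
]

if __name__ == "__main__":
    for src, dst, port, reason in denied_flows(FLOWS):
        print(f"DENY {src} -> {dst}:{port}  ({reason})")
```

On a flat network every one of the six flows would succeed; under this policy only the two verified, allowlisted tier-to-tier flows do, and the other four come back with a reason that names the boundary crossed, which is the information a SOC needs to tell a misconfiguration from an intruder.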
Recommendation five: Take a systemic approach to detecting threats
To develop operational resilience, businesses should assume they have already been breached. They should also act on the premise that a sophisticated attacker will find – if they haven’t already – a way into their infrastructure and manage to stay hidden for some time before being detected.
It is incredibly valuable to understand a hacker’s typical pattern of attack. Once they have successfully breached a network, an attacker will follow a set path of attack. This entails protecting their access by creating alternative covert entry paths to the business’s assets, then elevating their privileges to make it easier to move and hide within the network, and finally moving laterally to find what they’re looking for.
A strong XDR implementation – and a security information and event management (SIEM) option if governance and compliance is top priority – coupled with expert threat intelligence input will go a long way to making this approach a reality.
Recommendation six: Be curious
Tools and processes are great, but people are better. Encouraging your end users to be curious about how they can support your organisation’s security aims, and providing them with the skills they need to protect you, will bring significant benefits.
Consider analytics and user behaviour analysis to model normal behaviour so that you’re in a better position to detect strange behaviour and deviations. I refer you to the airport analogy mentioned earlier. Traditional examples focus on geographical or temporal anomalies but consider first-time activity and unexpected volumes of transactions as well. If you understand how business processes work, you’re better able to detect deviations from the norm, and more likely to pick up and prevent fraud and financial crime especially.
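The behaviour modelling described above, as an added example that is not code from the original post: a per-user baseline is learned from a history of events and new events are scored for the usual geographic anomaly plus the two the paragraph calls out, first-time activity (a new device or a new type of action) and unexpected volume. All events, users and thresholds are constructed; the two-times-daily-maximum volume threshold is an assumption chosen for the sample data.

```python
"""Added example, not code from the original post: a per-user behavioural
baseline that flags geographic anomalies, first-time activity and unexpected
volumes. Users, events and thresholds are constructed for illustration."""
from collections import defaultdict

# Constructed historical events: (user, day, country, device, action).
HISTORY = [
    ("alice", "2024-03-04", "GB", "lap-a1", "payment.approve"),
    ("alice", "2024-03-04", "GB", "lap-a1", "payment.approve"),
    ("alice", "2024-03-05", "GB", "lap-a1", "payment.approve"),
    ("alice", "2024-03-05", "GB", "lap-a1", "payment.approve"),
    ("alice", "2024-03-05", "GB", "lap-a1", "payment.approve"),
    ("alice", "2024-03-06", "GB", "lap-a1", "report.view"),
    ("bob",   "2024-03-04", "GB", "lap-b2", "report.view"),
    ("bob",   "2024-03-05", "GB", "lap-b2", "report.view"),
]

# Constructed new events to score against that history.
NEW_EVENTS = [
    ("alice", "2024-03-07", "GB", "lap-a1", "payment.approve"),  # normal
    ("alice", "2024-03-07", "RO", "lap-a1", "payment.approve"),  # first-time country
    ("alice", "2024-03-07", "GB", "lap-zz", "payment.approve"),  # first-time device
    ("bob",   "2024-03-07", "GB", "lap-b2", "payment.approve"),  # first-time action for bob
] + [("alice", "2024-03-08", "GB", "lap-a1", "payment.approve")] * 7  # 7 in a day vs a usual max of 3


def build_baseline(history):
    """Per user: the countries, devices and actions seen before, plus the
    highest number of actions on any single day (the volume baseline)."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(),
                                "actions": set(), "daily": defaultdict(int)})
    for user, day, country, device, action in history:
        b = base[user]
        b["countries"].add(country)
        b["devices"].add(device)
        b["actions"].add(action)
        b["daily"][day] += 1
    for b in base.values():
        b["daily_max"] = max(b["daily"].values())
    return dict(base)


def score_events(baseline, events, volume_factor=2):
    """Return (user, day, reason) tuples for anything outside the baseline.
    Per-event checks cover geography and first-time device/action; the volume
    check runs per user per day once all events are counted."""
    alerts = []
    per_day = defaultdict(int)
    for user, day, country, device, action in events:
        b = baseline.get(user)
        if b is None:
            alerts.append((user, day, "first-time user: no baseline"))
            continue
        if country not in b["countries"]:
            alerts.append((user, day, f"first-time country {country}"))
        if device not in b["devices"]:
            alerts.append((user, day, f"first-time device {device}"))
        if action not in b["actions"]:
            alerts.append((user, day, f"first-time action {action}"))
        per_day[(user, day)] += 1
    for (user, day), count in per_day.items():
        usual = baseline[user]["daily_max"]
        if count > usual * volume_factor:  # assumed threshold: twice the busiest day seen
            alerts.append((user, day, f"unexpected volume: {count} actions vs usual max {usual}"))
    return alerts


if __name__ == "__main__":
    for user, day, reason in score_events(build_baseline(HISTORY), NEW_EVENTS):
        print(f"{day} {user:<6} {reason}")
```

The first-time-action check is the one most relevant to fraud: bob has only ever viewed reports, so a single payment approval from his normal device in his normal country is still a deviation from the business process, and a purely geographic or time-of-day rule would never see it.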
The reality is that attackers and criminals will never stop trying to invent new ways of gaining a return on their efforts. But, if you can make it expensive, difficult, and time-consuming for a cybercriminal to achieve their goal, this will limit the range and motivation of attackers targeting your business. It will also serve as a foundation for cultivating operational resilience.