With phishing and other security attacks on the rise, are you confident that your network is secure?
We ask clients all the time how they would know if a cyber-attack compromised their network or users. Responses generally include:
– When someone has an issue with their computer
– If we start getting complaints that the network is slow or applications aren’t working properly
– We’ve never had one, so I’m not sure
These are all valid answers. Most of the mid-market IT community would answer similarly today. Generally, mid-sized companies have what they believe is a strong protective security posture. But there is a strong and growing group that is taking security to the next level – adopting additional strategies to identify and address threats early before they can do damage.
Current State
All of our clients have substantial defensive security strategies. These strategies are focused on keeping the bad stuff away from the network or device. These are the locks and moats we build around our critical environments to feel safe and protected.
A typical defensive cybersecurity posture includes:
- Firewall: Today, firewalls normally included traditional stateful and stateless session management, intrusion protection and prevention services and deep packet inspection.
- Endpoint Protection (EPP): Hopefully, this is more than the basic anti-malware and anti-virus solution and includes personal firewalls, file and data encryption, application control and access controls as well.
- Secure Email Gateway: Cloud-based email filtering to remove most spam and phishing attempts before delivery to your users.
- Virtual Private Networking (VPN): Secure remote access to resources for offsite users. VPNs allow authorized users a portal through the defensive measures.
This defensive security posture was the industry best practice just a few years ago, but threats have evolved and defensive measures (i.e., keeping bad things out) are no longer enough to secure your company’s critical data.
Threat Evolution
You now know from the numerous breaches of leading companies and many stories you’ve heard from your peers that malicious activity will get through even the best defensive measures.
The challenge with defensive strategies today is that to maximize your protective posture, you also keep a lot of the good stuff out. To allow the valid data to flow into and out of your organization, we tune security tools to more permissive levels. These permissive settings ultimately allow some bad stuff to filter through.
Today, more than ever: It’s a matter of when you get hacked, not if you get hacked.
Why are the risks higher today? Because the cyber-threat landscape has changed significantly in just the last two years. Hacking is no longer a random teenager on a computer having some fun by seeing what mischief they can stir up. Today, cyber-hacking is a big for-profit industry. Hackers today have a very specific goal: to extract value from their targets.
Importantly, attack profiles have changed. Ransomware, viruses, and other malware have become very sophisticated in lurking undetected in your network. They spread slowly and remain dormant so as not to draw attention. Newer strains even seek out your backups for infection. Backups have become key targets of ransomware. If the ransomware corrupts your ability to restore and not pay the ransom, you are far more likely to pay the ransom.
Unfortunately, less than 50% of ransom payments unlock all the data encrypted during an attack. Your backups are not the fail-safe we once thought they would be.
Different Strategies Required
With the understanding that a hack is inevitable, and your recovery strategies are not foolproof, we are working with clients to develop proactive or offensive measures to address current threats.
Today, IT leaders must acquire visibility into threats on their network in real-time and understand whether changes on the network are authorized or potentially malicious.
Security platforms should be able to compare signatures with known bad actor databases (Security Incident Event Management, or SIEM). Your platform should also be able to correlate and analyze information from multiple log sources and identify what might be unusual behavior (Threat Detection).
SIEMs and Threat Detection use the same data sources but operate in very different ways. SIEMs aggregate logs from across the network’s different devices. Log sources might be endpoints such as workstations or servers, network equipment like switches, and policy equipment like firewalls. Logs come in all different formats, so the logs are normalized and parsed. The SIEM evaluates the logs against a database of known malicious signatures. When there is a close enough match, the SIEM triggers an alert.
Threat Detection services use logs as their main inputs. Threat Detection platforms create large data lakes of the logs and then use artificial intelligence and machine learning to establish typical usage patterns. A pattern might be as simple as User A gets on machine 1 every weekday from LAN port XYZ between 8:00 and 8:30 am. If the network then sees Bob logging in from somewhere random, the Threat Detection system raises the alert level on that activity. The better Threat Detection platforms will run additional tests to validate the anomaly before launching an alert.
If you’ve evaluated a SIEM or a threat detection solution in the past, they have been expensive and out of reach for many businesses. However, as the threat landscape has changed, so too has the solution landscape.
Fortunately, log correlation and behavioral analysis are merging. ARG clients no longer have to purchase both platforms to level-up to full visibility. Gartner refers to these new solutions as Machine Learning Log Analysis (MLLA). Gartner cautions that MLLA is not a full replacement for a SIEM. For Gartner’s enterprise audience, we would agree. But, if for the lighter requirements of the mid-market, we do not believe you need to buy both.
The relative cost of MLLA is substantially lower than purchasing two complementary solutions (SIEM and threat detection). Additionally, MLLA solutions typically reduce the incidence of false-positive alerts.
Reducing false positives further improves the economics of the MLLA solution by reducing staff time required to work false alerts. Additionally, with fewer alerts to address, your staff avoids alert exhaustion and will be more attentive to the actionable alerts. More attentive staff working just actionable alerts will naturally raise your security level.
Take Away
The cyber threat landscape has changed dramatically in the last two years. The traditional approach of defensive measures with a strong recovery solution is no longer all that is necessary. IT leaders must have early warning systems built into their networks. Identifying and mitigating threats within a short time span is critical, or the organization risks catastrophic consequences.
If you’d like to discuss your security posture with one of ARG’s industry experts, please contact us at info@myarg.com or click on the button below.