Cybersecurity with an inward view


Central defense: cybersecurity with an inward view. Due to the threat situation, organizations are strengthening their defense against external cyber attacks. However, they often forget to look inward. New technologies help stop attackers who are already on the network.

For cyber criminals, the corona crisis and its consequences have created a gold rush mood: never before have so many companies been as vulnerable as they are today. IT security is slowly catching up in order to secure the attack surface that distributed employees have enlarged, and is raising the security walls around the company and its employees in the home office. What many organizations overlook is that the solutions in use are directed only outwards, not inwards, where the sometimes greater dangers lurk.

Cyber blackmailers are becoming more and more targeted

The encryption of data by ransomware is a good example of an outside threat. Ransomware is spread widely and indiscriminately by the attackers (the scattershot or "watering can" principle), and the criminals' success is more or less a matter of chance, depending on which employee clicks on a phishing e-mail. And even if data has been encrypted, companies can counteract it with decryption tools, recoverware or simply backups, and restore the data.

In response, many cyber blackmailers are becoming more focused. Their attacks increasingly target organizations whose data is viewed as more valuable or where the potential reputational damage is greatest, because these companies are more willing to pay a ransom, even if only to keep the data from being made public. To this end, the criminals study potential victims individually and in great detail so that they can assess precisely the chances of a successful attack; ultimately, they decide which organizations to attack based on expected profit. These new, much more targeted threats require a different response than indiscriminate ransomware attacks.

New threats require smarter responses

From the point of view of IT security operations, a large part of the challenge in defending against cyber criminals lies in detecting and investigating potential attacks using Indicators of Compromise (IOCs). These can be suspicious and/or blacklisted IP addresses, known phishing URLs and signatures of malicious files. Ideally, classic security tools based on these IOCs, such as intrusion detection, firewalls and endpoint security, prevent organizations from falling victim to a successful attack.
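The following is an added example, not code from the article or from Exabeam, of what IOC-based detection looks like in practice: a small scanner that matches blacklisted IP addresses, known phishing URLs and malicious file hashes against log lines. All IOC values and log lines are constructed for illustration (the IPs come from documentation ranges, the hash is the SHA-256 of empty input). The last sample line is an internal-only logon that no IOC will ever match, which is exactly the gap the article describes.

```python
"""Added example: matching classic Indicators of Compromise (IOCs) against log
lines. All IOC values and log lines below are constructed, not real intelligence."""
import re
from dataclasses import dataclass

# Constructed IOC set: blacklisted IPs, a known phishing URL prefix, a malicious file hash.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}                 # RFC 5737 documentation ranges
IOC_URL_PREFIXES = ("http://login-example-bank.invalid/",)  # .invalid TLD is reserved
IOC_FILE_HASHES = {
    # SHA-256 of empty input, used only as a stand-in for a real malware hash
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://\S+")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")


@dataclass
class IocHit:
    line_no: int
    ioc_type: str   # "ip", "url" or "hash"
    value: str


def scan_line(line_no, line):
    """Return every IOC hit found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(IocHit(line_no, "ip", ip))
    for url in URL_RE.findall(line):
        if url.startswith(IOC_URL_PREFIXES):
            hits.append(IocHit(line_no, "url", url))
    for digest in HASH_RE.findall(line.lower()):
        if digest in IOC_FILE_HASHES:
            hits.append(IocHit(line_no, "hash", digest))
    return hits


def scan_logs(lines):
    """Scan a sequence of log lines; line numbers start at 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample logs: firewall, proxy, EDR and an authentication event.
SAMPLE_LOGS = [
    "2024-03-01T08:01:12Z fw allow src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2024-03-01T08:02:40Z proxy user=alice url=http://login-example-bank.invalid/verify?id=42",
    "2024-03-01T08:05:03Z edr host=WS-17 file=invoice.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-03-01T08:06:11Z fw allow src=10.0.0.8 dst=192.0.2.10 dport=443",
    # Internal lateral logon: no external indicator, so IOC matching is blind to it.
    "2024-03-02T02:33:00Z auth user=alice src=WS-17 dst=SRV-DB-01 result=success",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} IOC {hit.value}")
```

The three hits (IP, URL, hash) are what firewalls, proxies and endpoint agents key on; the fifth line produces nothing, because an IOC list contains only things known to be bad on the outside.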

Classic tools for classic attacks

This approach may work for ransomware, where data is encrypted immediately after a successful attack. In a targeted attack, by contrast, the criminals first have to look around the network for a while to find the data that is worth stealing to them. Organizations can hold petabytes of data in many different locations, so reaching this valuable data costs the criminals significantly more time and effort. Outward-looking security tools cannot detect such intruders, however, because at first glance they look like completely legitimate users of the network. To detect an attack at this stage, companies need other security tools. And since the criminals can sometimes stay in the network for a long time, it is important to identify them as early as possible, before they can cause greater damage.

The time factor offers IT security an advantage


Egon Kando is Area Vice President Of Sales Central, Southern and Eastern Europe at Exabeam (Photo: Exabeam).

Sometimes the criminals spend months or even years within an infrastructure and go to great lengths to remain undetected while they work their way through the defense chain to the company's data crown jewels. However, this also offers the defense small advantages: On the one hand, compared to ransomware, they have more time to search for the intruders - and on the other hand, the criminals leave traces behind when they move around the network.

IT security can use these opportunities to prevent worse outcomes, provided it has the tools needed to look inward. IOCs are all directed outwards, which makes them useless for detecting attackers who are already in the network.

SIEM and UEBA: The effective central defense

SIEM (Security Information and Event Management) solutions collect logs from a variety of sources and analyze them for normal and suspicious behavior in the network. The latest generation of SIEMs is based on UEBA (User and Entity Behavior Analytics), which uses machine learning algorithms to continuously monitor the behavior of users and devices in the network, for example when unusual files are accessed or suspicious applications are run. This analysis of log data must be automated, because there is simply too much of it for security teams to examine manually, effectively and in real time.
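To make the idea of behavioral baselining concrete, here is an added example that is not code from the article or from Exabeam. Real UEBA products use machine learning over many signals; this stand-in learns, per user, the hosts, working hours and applications seen in twenty days of constructed history, then scores new events by how far they deviate. The weights, the threshold and all event data are assumptions made for the example.

```python
"""Added example: a minimal UEBA-style baseline. The per-user profile and the
additive scoring are simplifications standing in for a learned model."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, host, app):
    """Build one activity event from an ISO timestamp string."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "app": app}


def constructed_history():
    """Twenty working days of routine activity for two users (constructed data)."""
    start = datetime(2024, 2, 1)
    hist = []
    for day in range(20):
        d = start + timedelta(days=day)
        hist.append({"ts": d.replace(hour=9), "user": "alice", "host": "WS-17", "app": "outlook.exe"})
        hist.append({"ts": d.replace(hour=14), "user": "alice", "host": "WS-17", "app": "excel.exe"})
        hist.append({"ts": d.replace(hour=10), "user": "bob", "host": "WS-22", "app": "code.exe"})
    return hist


def build_baselines(events):
    """Per-user profile: which hosts, hours of day and applications are normal."""
    baselines = {}
    for e in events:
        b = baselines.setdefault(e["user"], {"hosts": set(), "hours": set(), "apps": set()})
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
        b["apps"].add(e["app"])
    return baselines


# Assumed weights: a never-seen application weighs more than an odd hour.
WEIGHTS = {"new_host": 3, "odd_hour": 2, "new_app": 4, "unknown_user": 5}


def score_event(baselines, e):
    """Return (score, reasons) for one event against the user's baseline."""
    b = baselines.get(e["user"])
    if b is None:
        # A user with no history at all cannot be compared; treat as noteworthy.
        return WEIGHTS["unknown_user"], ["unknown_user"]
    reasons = []
    if e["host"] not in b["hosts"]:
        reasons.append("new_host")
    if e["ts"].hour not in b["hours"]:
        reasons.append("odd_hour")
    if e["app"] not in b["apps"]:
        reasons.append("new_app")
    return sum(WEIGHTS[r] for r in reasons), reasons


def score_users(baselines, events, threshold=5):
    """Aggregate scores per user and flag those at or above the threshold."""
    totals = defaultdict(lambda: {"score": 0, "reasons": []})
    for e in events:
        s, reasons = score_event(baselines, e)
        totals[e["user"]]["score"] += s
        totals[e["user"]]["reasons"].extend(reasons)
    return {u: dict(v, flagged=v["score"] >= threshold) for u, v in totals.items()}


# Constructed new activity: one routine day for alice and bob, one night-time
# logon by alice to a database server with a tool she has never used, and a
# service account that has no baseline yet.
NEW_EVENTS = [
    ev("2024-03-01T09:15:00", "alice", "WS-17", "outlook.exe"),
    ev("2024-03-02T02:30:00", "alice", "SRV-DB-01", "psexec.exe"),
    ev("2024-03-01T10:05:00", "bob", "WS-22", "code.exe"),
    ev("2024-03-01T11:00:00", "svc-backup", "SRV-FS-02", "robocopy.exe"),
]

if __name__ == "__main__":
    results = score_users(build_baselines(constructed_history()), NEW_EVENTS)
    for user, r in results.items():
        print(user, r["score"], "FLAGGED" if r["flagged"] else "ok", r["reasons"])
```

Nothing in alice's second event is an IOC; each field on its own is ordinary. It is only the combination against her own history (new host, 02:30, unseen tool) that pushes the score over the threshold, which is the point of looking inward.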

Shorten responses to attacks

Detecting suspicious behavior, however, is only part of the task. Next it is necessary to react as quickly as possible in order to prevent impending damage or limit it as far as possible. To define the scope of the response, the incident must be fully investigated. This includes creating a timeline that shows all activities of the users and devices involved and evaluates whether each is normal or unusual. Once this is done, the response can be planned and carried out. IT security teams are supported here by SOAR solutions (Security Orchestration, Automation and Response), which automate and orchestrate the necessary defensive measures across various security products. SOAR is, so to speak, the libero of the defense, who reacts to attacks as quickly as possible once they have been detected and analyzed.

Defensive measures such as isolating a host or blocking an IP address to limit the impact can be fully automated using defined playbooks. Besides a faster response time, this reduces the mean time to recover (MTTR) in these critical scenarios where time is of the essence.
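The two preceding paragraphs describe a pipeline: merge what the involved users and hosts did into one timeline, then let a playbook turn the unusual entries into actions. The added example below (not code from the article or from Exabeam) does both with constructed events. The playbook mapping, the action handlers and the dry-run behaviour are assumptions; a real SOAR connector would call EDR, firewall and identity-provider APIs where the stand-in handlers only return a message.

```python
"""Added example: an incident timeline across log sources plus a playbook that
derives automated response actions. All events and handlers are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Event:
    ts: datetime
    source: str               # log source: "auth", "edr", "firewall"
    user: str
    host: str
    detail: str
    unusual: bool = False     # verdict from the upstream behavior analysis
    remote_ip: Optional[str] = None


def build_timeline(events):
    """Time-ordered view across all sources; the investigator reads it top to bottom."""
    return sorted(events, key=lambda e: e.ts)


# Assumed playbook: for an unusual event from a given source, act on a given field.
PLAYBOOK = {
    "auth": [("disable_account", "user")],
    "edr": [("isolate_host", "host")],
    "firewall": [("block_ip", "remote_ip"), ("isolate_host", "host")],
}


def plan_response(timeline, playbook=PLAYBOOK):
    """Collect de-duplicated (action, target) pairs for every unusual event, in timeline order."""
    actions = []
    for e in timeline:
        if not e.unusual:
            continue
        for action, field in playbook.get(e.source, []):
            target = getattr(e, field)
            if target and (action, target) not in actions:
                actions.append((action, target))
    return actions


# Stand-in handlers: each returns the message a real connector would log.
HANDLERS = {
    "isolate_host": lambda h: f"EDR: network isolation requested for host {h}",
    "block_ip": lambda ip: f"FW: outbound deny rule added for {ip}",
    "disable_account": lambda u: f"IdP: account {u} disabled pending review",
}


def execute(actions, dry_run=True):
    """Run (or, in dry-run mode, only describe) each planned action."""
    prefix = "[dry-run] " if dry_run else ""
    return [prefix + HANDLERS[action](target) for action, target in actions]


# Constructed events from three sources, deliberately out of order.
CONSTRUCTED_EVENTS = [
    Event(datetime(2024, 3, 2, 2, 35), "firewall", "alice", "SRV-DB-01",
          "outbound transfer of 45 MB to external host", True, "203.0.113.45"),
    Event(datetime(2024, 3, 1, 9, 0), "auth", "bob", "WS-22", "interactive logon"),
    Event(datetime(2024, 3, 2, 2, 31), "auth", "alice", "SRV-DB-01",
          "interactive logon outside working hours", True),
    Event(datetime(2024, 3, 2, 2, 33), "edr", "alice", "SRV-DB-01",
          "remote execution tool started", True),
]


def run(dry_run=True):
    """Investigate, plan and respond; returns all three stages for inspection."""
    timeline = build_timeline(CONSTRUCTED_EVENTS)
    actions = plan_response(timeline)
    return timeline, actions, execute(actions, dry_run=dry_run)


if __name__ == "__main__":
    timeline, actions, log = run()
    for e in timeline:
        print(e.ts.isoformat(), e.source, e.user, e.host, "UNUSUAL" if e.unusual else "normal", e.detail)
    print(*log, sep="\n")
```

Keeping `dry_run` on by default is deliberate: host isolation and IP blocking are usually safe to automate, while disabling an account is the kind of step many teams gate behind an analyst's approval before the playbook runs for real.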

Never feel safe

Even if external defense solutions such as intrusion detection, firewalls and endpoint security have not sounded the alarm, IT security in companies should always assume that cybercriminals are somewhere in the network, and should proactively try to track them down. To do this, it needs security solutions that look inward.

More on this at Exabeam.com

About Exabeam

Exabeam stands for Smarter SIEM™. Exabeam enables companies to more efficiently detect, investigate, and respond to cyberattacks so their security and insider threat teams can operate more efficiently. Security organizations no longer have to live with inflated prices, missed distributed attacks and unknown threats or manual investigations and countermeasures. With the Exabeam Security Management Platform, security analysts can collect unlimited log data, use behavioral analysis to detect attacks and automate the response to incidents, both on site and in the cloud. Exabeam Smart Timelines, sequences of user and entity behavior created through machine learning, further reduce the time and specialization required to identify attacker tactics, techniques and procedures. Exabeam is privately funded by Aspect Ventures, Cisco Investments, Icon Ventures, Lightspeed Venture Partners, Norwest Venture Partners, Sapphire Ventures and well-known security investor Shlomo Kramer. More information is available at www.exabeam.com. Follow Exabeam on Facebook, Twitter, YouTube or LinkedIn.
