Marc Kassis, Cyber Security Division Director, META, Ingram Micro on how end-users must adopt different solution thinking to combat cyber security adversaries.
Nowadays, IT security principles change constantly. Companies, organizations, governments and even private-sector SMEs and SMBs are discovering that a traditional security approach, even with the most sophisticated technologies, is not enough.
Traditional Cyber Security defenses are being circumvented by highly motivated criminals who understand the value of the information obtained from a successful breach. Criminals are highly skilled at what they do, and are becoming more sophisticated at exploiting systems, which can only undergo so much testing. Despite software vendors’ efforts to combat this trend by hiring more testers and implementing tools to make the hardware or software they create less vulnerable to hackers, it is not working. Cyber-attackers perfectly understand the IT world’s most vulnerable area: the human element, ourselves!
In this article, I will explore a few Cyber Security solution principles used in the market in 2019 to better protect assets, including a modified mindset as to how investors, executives and IT users can save their businesses, data or intellectual property.
When a new business venture is started, investors want to maximize their returns by establishing a company with a lean organization and smart processes. To support such processes, smart, robust IT systems are required to seamlessly and unobtrusively support the infrastructure and applications, and these systems must be scalable, fit for purpose and secure. However, with the big investment required to start a company, the need for a Cyber Security approach to protect the business from threats often comes as an afterthought.
Start-up businesses are not alone in this. Many well-established businesses are still approaching Cyber Security today with the same concerns. There is a need for education and for the implementation of security technology. In simple words, it is important to Protect. The size of a business determines the level of investment and the number of solutions to be implemented. Here is a snapshot of what is usually needed:
Endpoint Security, from vendors like Symantec, McAfee, Kaspersky Lab, Trend Micro, Sophos, Bitdefender, GFI, Carbon Black, etc.
Firewall, from some of the well-known vendors like Cisco, Palo Alto Networks, Forcepoint, Fortinet, Sophos, SonicWall, etc.
VPN (Virtual Private Network), from a few large Enterprise Infrastructure VPN vendors such as Cisco, Palo Alto Networks, Fortinet, etc. A much longer list of other vendor solutions is available for private or Enterprise Software VPN.
IPS (Intrusion Protection System), from providers like Cisco, IBM, McAfee, FireEye, Trend Micro, etc.
Now, depending on the maturity level of the IT and business, other solutions might be needed including: ATP, NGFW, NAC, WAF, DLP, Email Security/Encryption, Web Security, PAM, DAM, IAM, CASB, etc. Companies using these solutions can be seen as following the Traditional Approach to Cyber Security.
Even once all the technology of a traditional approach is in place, it can still be taken one step further, in order to secure the investment and understand how effective the security approach is. Reports or logs are required to understand how the invested Cyber Security solutions are protecting the network. This is achieved through the implementation of a SIEM (Security Information & Event Management), whose role is to collect and aggregate information from all security devices and applications across the network. The outcome of a SIEM solution is usually a set of alerts with different levels of importance and severity. Attacks can be monitored in real time for immediate and appropriate decision making, as well as to plan upgrades or policy changes.
The major SIEM providers are IBM, McAfee, Micro Focus, AT&T Cyber Security (formerly Alien Vault), etc.
All solutions covered so far Protect a business and Detect and Stop attacks; the next step is to Respond. At this stage of security development, the Cyber Security technology strategy is quite active and, with the implementation of the SIEM, can even be considered very reactive. Some major questions that come to mind here are: Is your Cyber Security strategy enough? Is it Proactive? Can you really anticipate the attacks? Are you aware of the current risk landscape on the internet? What is the worst attack that has happened recently, last week or yesterday?
This is what a Threat Intelligence implementation can add to a Cyber Security strategy: anticipating a possible threat.
Cyber Threat Intelligence is a set of real-time information feeds that a SIEM uses to understand and interpret the threats that are currently happening, or will happen, against businesses and organizations across the world. The SIEM uses it to prepare, to prevent, and to identify, among tons of collected logs, all the threats that directly concern a business. The hierarchy of the alerts coming from the SIEM, and the accuracy of their priority, is highly dependent on the Threat Intelligence feeds. This is also the way to reduce what is commonly known as “false positives”: alerts classified as a threat or malicious activity when the activity is in fact perfectly legitimate.
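To make the SIEM-plus-feed mechanism concrete, here is a small Python illustration added to this article (not code from any of the vendors named): it correlates constructed log lines against a constructed indicator feed, derives alert severity from feed confidence, and uses an allowlist to suppress a known-legitimate internal scanner, which is the false-positive reduction described above.

```python
"""Toy SIEM correlation step: match collected log events against a threat
intelligence feed, rank alerts by the feed's confidence, and drop alerts
on allowlisted (known-legitimate) indicators. Every feed entry, log line
and address below is constructed for this example."""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "severity indicator line")

# Constructed threat-intelligence feed: indicator -> (threat name, confidence 0-100)
TI_FEED = {
    "203.0.113.7": ("botnet-c2", 95),
    "198.51.100.23": ("scanner", 40),
    "evil.example": ("phishing-domain", 80),
}

# Constructed allowlist: the security team's own vulnerability scanner also
# appears in public feeds, so alerts on it would be false positives.
ALLOWLIST = {"198.51.100.23"}

# Constructed firewall/proxy log lines in a simple key=value format.
LOGS = [
    "2019-05-01T10:00:01 fw allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2019-05-01T10:00:02 fw allow src=198.51.100.23 dst=10.0.0.8 dport=22",
    "2019-05-01T10:00:03 proxy GET host=evil.example path=/login",
    "2019-05-01T10:00:04 proxy GET host=intranet.local path=/",
]

# Pull out the fields that can carry an indicator (source, destination, host).
INDICATOR_RE = re.compile(r"(?:src|dst|host)=([\w.\-]+)")

def severity(confidence):
    """Map feed confidence to the alert levels a SIEM would display."""
    if confidence >= 90:
        return "critical"
    if confidence >= 70:
        return "high"
    return "low"

def correlate(logs, feed, allowlist):
    """Return alerts sorted critical-first; allowlisted indicators are dropped."""
    alerts = []
    for line in logs:
        for ind in INDICATOR_RE.findall(line):
            if ind in allowlist or ind not in feed:
                continue
            name, conf = feed[ind]
            alerts.append(Alert(severity(conf), f"{ind} ({name})", line))
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted(alerts, key=lambda a: order[a.severity])

if __name__ == "__main__":
    for a in correlate(LOGS, TI_FEED, ALLOWLIST):
        print(a.severity.upper(), a.indicator, "<-", a.line)
```

Running it prints the two real hits (critical C2 contact first, then the phishing domain) and nothing for the allowlisted scanner or the internal host.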
There are various Threat Intelligence providers on the market such as FireEye, Kaspersky Lab or Symantec. It is important to make an appropriate choice; therefore, I am sharing some of the most important elements to check with these providers.
Any business that follows the Cyber Security solutions already outlined, demonstrates a mature strategy in the form of a SOC (Security Operation Center) with several millions of USD having been invested. It is important to highlight that the SOC is not only a SIEM solution, but it is also a set of other tools, frameworks, resources and processes. It must operate 24/7 and have a certain level of comfort in reading the information to react quickly to alerts.
A mid-size organization or even an SMB needs an Enhanced Security Approach, and it can achieve the same level of features (Protection, Detection and Prevention) by buying the SOC as a Service from an MSSP (Managed Security Service Provider). An MSSP will add several devices and applications to an existing security infrastructure to fulfil its SLA (Service Level Agreement) obligations.
A commitment with an MSSP is typically for one to several years with payments on a monthly, quarterly or yearly basis.
Many Cyber Security vendors, such as Symantec and IBM, have an MSS offering, but there is also a large number of independent MSSPs on the market with several integrated solutions to offer the best SLA.
Going the Extra Mile – The Offensive Cyber Security:
While Threat Intelligence collects all information about existing threats and attack scenarios, it does not cover all malicious scenarios that are under development by cyber criminals. There are many Threat Intelligence providers on the market but the most effective ones with the fastest detection of malicious activity are those putting enough resources and skills into Threat Hunting.
Threat Hunting is becoming increasingly important in governments but also in large and modern corporations, as organizations strive to stay ahead of the latest threats. As a result, Threat Hunting becomes a must-have feature in any high-powered SOC. We are speaking about not only sophisticated tools but also highly skilled resources such as Ethical Hackers, teams of real-time developers as well as technology gurus. These resources are going to provide a fast path to extend Threat Hunting capabilities.
We then see the emergence of “Proactive Cyber Defense” or “Offensive Cyber Security”. It is defined as the process of proactively and iteratively searching through networks to detect and isolate advanced threat activity. This implies that the Ethical Hackers must track cyber gangs and infiltrate them to understand their intentions before any cyberattack scenario is even developed. Many reputable Cyber Security vendors or MSSPs offer a list of Threat Hunting activities to their clients, which include “Social Media Sentiment Hunting”, “Enterprise Brand Surveillance” or even deep tailored hunting in the dark web for a given topic. In other words: finding the evil, hunting for adversary activity and eliminating the threat before it is developed. Threat Hunting and its detailed activities are the basic part of the new Advanced Managed Security Services, commonly known in the market as “Managed Detection and Response” (MDR). It provides Threat Intelligence, automated Threat Hunting, Security Monitoring, Incident Analysis & Forensics and Incident Response. The major difference between the new MDR offering and the traditional MSSP offering is that the MDR goes beyond “Detection” of intrusions and malicious activity and also “Responds” quickly to eliminate and mitigate the threat, with proactive hunting activities as described.
Only a small number of MDR providers in the market today have real Threat Hunting capabilities, even though many claim to.
Some of the large names such as IBM, Symantec, Cisco and FireEye have a solid offering. If you are looking to engage with one of the few MDR firms available on the market, remember to check the Threat Hunting activities they offer within their packages. Most of them only do automated Threat Hunting, which is very similar to Threat Intelligence. Only a few propose the proactive and offensive activities.
This article touched upon the human element and how only people can stop other people’s motivation to harm or to make money illegally through data theft. In my next article, I will develop the human element from the Risk Management perspective and show how people can be the single point of failure inside organizations. Cyber Security is also the science of how to protect organizations’ business and values from insider threats.