Features, Insight, Opinion

Enterprise Environments, Exposed Endpoints, and the Best Practices for Threat Hunting

By Tamer Odeh, Regional Director at SentinelOne in the Middle East

One of the primary challenges for security professionals today is understanding how to protect, detect, and respond to cyber-attacks across all the operating systems within their enterprise environment. Most organisations today have mixed fleets running various flavors of Windows, macOS, and Linux. In many cases, the operational reality is that a sizable portion of some or all these endpoints will not be on the latest release of their respective operating system version.

In the past 18 months, businesses in the Middle East have experienced a new wave of cybersecurity attacks. This means that protecting endpoints, networks, and the enterprise’s most important asset – data, has become more challenging than ever. According to a 2020 study by the Ponemon Institute and IBM Security, the cost of a data breach in Saudi Arabia and UAE rose by 9.4%. These incidents cost companies $6.53 million per breach on average, which is higher than the global average of $3.86 million per breach.

In today’s rapidly evolving cybersecurity landscape, it seems that barely a day goes by without news of a new threat notification, from minor to major incidents affecting organisations across the board. This necessitates that organisations adopt a proactive approach to cybersecurity.

Attackers Always Look for the Weakest Link

Attackers target victims, irrespective of where the target is located, which operating system they are targeting, or if this endpoint is a known or unknown device.

The chances are very high that during an attack, as they are jumping between endpoints, they target different operating systems, and some of these endpoints might be in a blind spot for the security team. In the end, as an attacker, they want to reach their end goal by any means necessary.

Working in IT Security means understanding how to harden the environment and protect, detect, respond, and recover against cyber-attacks. When choosing the technology to achieve these goals, it is critical to clearly understand operating system differences, their respective attack surfaces, and what capabilities the chosen tools must perform tasks like Digital Forensics Incident Response (DFIR).

Understanding Threats in Context is Vital

Dealing with commodity malware should be trivial. Today, security operations centre (SOC) analysts shouldn’t need to spend time investigating commodity malware that even a legacy Antivirus solution should be able to prevent. Instead, SOC analysts should spend most of their time defending against more sophisticated attacks; and for that, it is critical to understand the correlations between a chain of activities.

Visibility Is Crucial for Effective Threat Hunting

Sometimes, just preventing or detecting threats isn’t enough, and security teams need to unleash the threat hunter in themselves. Consider the situation when a security team receives new threat intelligence and decides to sweep the environment for a specific Indicator of Compromise (IOC) or Indicator of Attack (IOA). For that, security professionals cannot just rely on the prevention or detection logs from their security solution. Instead, they need to be able to access contextualised telemetry data to hunt for the unknown.

On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage. Simply stated, if you aren’t looking for threat actors inside your network, you may never know they are there.

Simplify Remediation and Mitigation 

Once security teams understand the incident, it’s time to move into the remediation and containment phase. Typically, they are looking for mitigation actions like stopping all processes related to a threat, encrypting, and moving the threat and its executables into quarantine, deleting all files and system changes created by a threat, and restoring file configurations, the threat changed.

When choosing a modern security solution, CISOs should look for tools that simplify the security stack and offer a single and simple interface for managing security controls, mitigation, remediation, threat hunting, and all other aspects related to security.

With the right interface, CISOs can reduce the time it takes to deal with threats, which should be simple, intuitive, and easy to learn.

Overall, for security professionals, every day brings new developments and fresh challenges. While some CISOs might be working on responding to an incident, others might be working on identifying ways to improve the security posture of the enterprise environment. In the end, this line of work requires a good understanding of the enterprise environment. Only by having the right tools with the right level of visibility will businesses successfully protect, detect, respond, and recover in times of need. Therefore, it is crucial to select an endpoint security vendor based on whether they can provide the comprehensive capabilities required across the entire digital estate.

Previous ArticleNext Article


The free newsletter covering the top industry headlines