Post Published On: March 14, 2019
Nowadays, IT security principles constantly change. All companies, organizations, governments and even private sector (SME and SMB) are discovering that a traditional security approach with even the most sophisticated technologies is not enough.
Traditional cyber security defenses are being circumvented by highly motivated criminals who understand the value of information from a successful breach. Criminals are highly skilled at what they do, and are becoming more sophisticated at exploiting systems, which can only undergo so much testing. Despite software vendors’ efforts to combat this trend by hiring more testers and implementing tools to ensure created hardware or software is less vulnerable to hackers, it is not working. The cyber-attackers perfectly understand the IT world’s most vulnerable area, this is: the human aspect, ourselves!
In this article, I will explore a few Cyber Security solution principles used in the market in 2019 to better protect assets. Including a modified mindset as to how investors, executives and IT users can save their businesses, data or intellectual property.
If a business is run 100% on Cloud, the business requires a slightly different approach which will be addressed in a later article. However, for companies with minimal on-premise assets to manage, the following approaches are still valid.
When a new business venture is started, investors want to maximize their returns by establishing a company which has a lean organization with smart processes. To support such processes, smart, robust IT systems are required to seamlessly and unobtrusively support the infrastructure and applications, which is scalable, fit for purpose and secure. However, with the big investment required to start a company, the need for Cyber Security approach to protect from threats to a business often come as an afterthought.
Start-up businesses are not alone in this consideration. Many well-established businesses are still coming across Cyber Security today with the same concerns. A need for education and the implementation of security technology.
In simple words, it is important to Protect. The size of a business determines the level of investment and the number of solutions to be implemented. Here is a snapshot of what is usually needed:
- Endpoint Security: This is what everybody thinks about when starting a Cyber Security project. It is a series of software implemented on all assets to protect its contents and the operating systems. The most common software is Antivirus on both work and personal laptops or smartphone. The offering on the market for this is prolific and among the best vendors for this solution there is Symantec, McAfee, Kaspersky Lab, Trend Micro, Sophos, Bitdefender, GFI, Carbon Black, etc.
- Firewall: The second most known element of Cyber Security implemented for an IT infrastructure with a communication network to use business processes. It can be hardware or software and has its own market. There are many configuration sizes from small for SMB to a carrier grade for large telecom providers or governments. It basically analyzes all network traffic to check it is legitimate based on company policies. Large vendors are positioned in this market and some of them are even focused only on this part. Some of the well-known ones are Cisco, Palo Alto Networks, Forcepoint, Fortinet, Sophos, SonicWall, etc.
- VPN (Virtual Private Network): A higher level of sophisticated hardware or software mainly built to secure private information or data exchanges between business offices. Access can be provided to all or selected users of an organization. Few large vendors are in the market of Enterprise Infrastructure VPN such as Cisco, Palo Alto Networks, Fortinet, etc. A much longer list of solutions is available for the private or Enterprise Software VPN
- IPS (Intrusion Protection System): Is a device or application that works in tandem with the Firewall which looks deeper into the packets of data circulating on the network to prevent intrusion. Some of the providers names are Cisco, IBM, McAfee, FireEye, Trend Micro,
Depending on the maturity level of the IT and business, other solutions include: ATP, NGFW, NAC, WAF, DLP, Email Security/Encryption, Web Security, PAM, DAM, IAM, CASB, etc. Companies using these solutions can be seen as following the Traditional Approach to Cyber Security.
As far as the names of vendors who provide these remaining solutions, they are mostly the same listed previously.
To secure the investment and understand how the security approach is effective, even once all the technology from a traditional approach is in place it can still be taken one step further. Reports or logs are required to understand how the invested Cyber Security solutions are protecting the network. This is achieved through the implementation of SIEM (Security Information & Event Management) whose role is to collect and aggregate information from all security devices and applications across the network. The outcome of a SIEM solution usually provides alerts with different levels of importance and severity. Attacks can be monitored in real-time for immediate and appropriate decision making, as well as plan for your upgrades or policy changes.
The major SIEM providers are IBM, McAfee, Micro Focus, AT&T Cyber Security (formerly Alien Vault), etc.
All solutions covered so far Protect a business, Detect and Stop attacks, next step is to Respond.
At this stage of security development, the Cyber Security technology strategy is quite active and can even be considered as very reactive with the implementation of the SIEM. Some major questions that come to mind here are: Is your Cyber Security strategy enough? Is it Proactive? Can you really anticipate the attacks? Are you aware of the current risk landscape on the internet? What is the worst attack that has happened recently, last week or yesterday?
This is what Threat Intelligence implementation can add to a Cyber Security strategy. Anticipate a possible threat.
The Cyber Threat Intelligence is a list of real-time feeds of information a SIEM will use to understand and interpret the threats that will or are currently happening or targeting businesses or organizations across the world. The SIEM will use it to prepare, prevent and identify among tons of collected logs all the threats directly concerned to a business. The hierarchy of the alerts and the accuracy of its priority coming from the SIEM is highly dependent on the Threat Intelligence feeds. This is also the way to reduce what is commonly known as “false positive”. The alerts which are classified as a threat or malicious activity, but while it is perfectly legitimate activity.
There are various Threat Intelligence providers on the market such as FireEye, Kaspersky Lab or Symantec. It is important to make an appropriate choice; therefore, I am sharing some of the most important elements to check with these providers.
Any business that follows the Cyber Security solutions already outlined, demonstrates a mature strategy in the form of a SOC (Security Operation Center) with several millions of USD having been invested. It is important to highlight that the SOC is not only a SIEM solution, but it is also a set of other tools, frameworks, resources and processes. It must operate 24/7 and have a certain level of comfort in reading the information to react quickly to alerts.
A mid-size organization or even an SMB need an Enhanced Security Approach. and they can achieve the same level of features (Protection, Detection and Prevention) by choosing to buy the SOC as a Service from an MSSP (Managed Security Service Provider). An MSSP will add several devices and applications to an existing security infrastructure to fulfil SLA obligations (Service Level Agreement). A commitment with an MSSP is typically for one to several years with payments on a monthly, quarterly or yearly basis.
Many Cyber Security vendors are having an MSS offering such as Symantec and IBM but there are a large number of independent MSSP on the market with several integrated solutions to offer the best SLA.
Many large enterprises are currently looking for the MSSP model for part or total coverage of their security. It might be a good way to control spending and better manage security expenses (Opex).
Every large company has plans and processes to describe how to handle the consequence of Cyber-Attacks (Incidents). CSIRT (or CIRT) is the acronym for Computer Security Incident Response Team. It is mainly oriented on how to manage the consequences from IT recovery, communication, business damage and other domains (customers, Intellectual Property, resources and brand value). The main objective of an Incident Response process is to minimize the cost of recovery.
In any case, enterprises need to have a plan and a team dedicated to managing the incident. One of the main aspects of the Incident Response is the IT part. Basically, this means investigating how the cyber criminals created the breach, what was the scenario of the attack and how to remediate. Sometimes, when the Incident Response team starts the network investigation, the cyber-attackers might still be inside your network and they will be stopped in real-time. One of the non-dissociated parts of the Incident Response is Digital forensics. It consists of collection and examination of digital evidence sitting on devices where the attackers stole the data. The Information Security part of Incident Response is often not easy to build due to a lack of resources and it is offered by large Cyber Security firms or MSSPs.
Incident Response is a high value investment that many organizations do not think to implement or buy as a service before getting breached. It can secure a fast recovery, reduce impact and losses. It is a pure service that can be bought like business insurance (often is a prepaid service).
There are not many large Incident Response providers in the market, but we can note that FireEye, IBM, Cisco and McAfee are offering it.
To recap, the implemented solution so far with an Incident Response team (either internal or out-sourced) is still a reactive model. There is a heavy reliance upon Threat Intelligence feeds that are provided by a well-known Cyber Security firm which are reacted on as fast as possible by using your own SOC or an MSSP provider. Some Threat Intelligence providers also offer “zero-day attack” which promises no system downtime only if a threat is known or happening! And this is the point: Only if a threat is known or is happening!
Hence an organization with this set up cannot be considered proactive. One question remains unanswered: Do you really anticipate the attacks?
Some examples of very large and recent breaches: Marriott, Equifax, German Bundestag, Saudi Shamoon, etc. Can we imagine one second that these governments or corporations did not implement the best of breed of the above-mentioned technologies in the Traditional Approach? They have certainly invested a lot of money in building their own SOC or partnered with the best MSSP. They most probably all followed the Enhanced Approach explained here. But they still have been attacked and lost a lot of data and revenue.
Going the Extra Mile – The Offensive Cyber Security
While Threat Intelligence collects all information about existing threats and attack scenarios, it does not cover all malicious scenarios that are under development by cyber criminals. There are many Threat Intelligence providers on the market but the most effective ones with the fastest detection of malicious activity are those putting enough resources and skills into Threat Hunting.
Threat Hunting is becoming increasingly important in governments but also in large and modern corporations, as organizations strive to stay ahead of the latest threats. As a result, Threat Hunting becomes a must-have feature in any high-powered SOC. We are speaking about not only sophisticated tools but also highly skilled resources such as Ethical Hackers, teams of real-time developers as well as technology gurus. These resources are going to provide a fast path to extend Threat Hunting capabilities.
We then see the emergence of “Proactive Cyber Defense” or “Offensive Cyber Security”. It is defined as being the process of proactively and iteratively searching through networks to detect and isolate advanced threat activity. This implies that the Ethical Hackers must track cyber gangs and infiltrate them to understand their intentions before any cyber-attack scenario is even developed. Many reputable Cyber Security vendors or MSSP offer a list of Threat Hunting activities to their clients which include “Social Media Sentiment Hunting”, “Enterprise Brand Surveillance” or even deep tailored hunting in the dark web for a given topic. In other words, finding the evil, hunting for adversary activity and eliminating the threat before it is developed
Threat Hunting and its detailed activity is the basic part of the new Advanced Managed Security Services. Commonly known in the market as “Managed Detection and Response” (MDR). It provides Threat Intelligence, automated Threat Hunting, Security Monitoring, Incident Analysis & Forensic and Incident Response. The major difference between the new MDR offering and the traditional MSSP offering is that the MDR goes beyond intrusion and malicious activity “Detection” but also “Responds” quickly to eliminate and mitigate the threat, with proactive hunting activities as described.
Is this evolution not like the state’s Police Departments or government’s Intelligence Service Agencies evolution across the centuries? The most effective way to stop terrorists today who are targeting a country is using the State Intelligence Services with field operations, such as infiltration and individuals collecting information. Similarly, cyber-terrorists are threatening businesses today. To combat them it is important to infiltrate them and collect relevant information.
Companies and their related SOCs must evolve if they hope to deal with a peace of mind!
The MDR providers with Threat Hunting capabilities in the market today are just a small number even though many are claiming to be. Some of the large names such as IBM, Symantec, Cisco and FireEye are having a solid offering.
If you are looking to engage with one of the few MDR firms available on the market, remember to check the Threat Hunting activities they are offering within their packages. Most of them are claiming to only do automated Threat Hunting which is very similar to Threat Intelligence. Only a few are proposing the proactive and offensive activities.
This article touched upon the human element and how only people can stop other people’s motivation to harm or make money illegally through data theft. In my next article, I will be developing the human from the Risk Management aspect and how people can be the single point of failure inside organizations. Cyber Security is also the science of how to protect organizations’ business and values from insider threats.
Article Written by Marc Kassis – META Cyber Security Division Director