The recent global ransomware attacks that have dominated television news and headlines across the UK and Europe should be a call to arms for organisations around the world. Hundreds of thousands of computers in more than 150 countries have been affected and organisations are clearly under siege as cybercriminals execute campaigns that spread fast and cause damage. But, why have so many organisations been affected?
Most organisations tend to build their security strategy on defence-in-depth, which is defined by risk assessment. Since not all applications present the same level of risk if they were to be compromised, a defence-in-depth approach (the first pillar of security strategy) consists of assessing the risk and then applying controls and protections accordingly. For example, a partner-facing application where proprietary and financial information is shared, may present more risk than an internal web page used by HR to share general company information. Based on the criticality of the application, risk assessment teams determine the security requirements and layer the appropriate defences.
This approach worked for a while, but organisations soon realised that even the best defences can be hacked. Adversaries make it their mission to successfully navigate obstacle courses of layered point products to steal, disrupt or damage what’s not theirs. Instead of considering solely what must be protected, organisations also had to look at what could be threatening those assets and added a second pillar to security operations – surveillance.
The objective with surveillance is to detect and respond to threats. This has proven to be a challenge since a defence-in-depth strategy has left many companies with 40+ security products and vendors in 40+ silos. What’s more, since these products aren’t integrated, organisations are left only partially protected, facing a massive data management challenge as each layer in the architecture creates its own logs and events. Worryingly, but sadly unsurprisingly, recent ESG research finds that 42 percent of security professionals say that their organisation ignores a significant number of security alerts due to the volume, and more than 30 percent say they ignore more than half! In most cases, it is the security operators within the Security Operations Centre (SOC) that find themselves drowning in this data as they undertake the onerous task of manually correlating logs and events for investigations and other activities.
In an attempt to overcome the data overload challenge and lighten the heavy burden on analysts, security information and event management, or ‘SIEM’, emerged as a way to store all this data and aggregate and correlate logs and events. The SIEM has been the tool of choice for SOCs to look at logs and events and determine if they are noise, false positives, or real threats that warrant escalation. The Computer Security Incident Response Team (CSIRT) is charged with stopping malicious threats, learning from them to make sure the defence will never suffer again from the same attack.
These two pillars have served us well in a period of peace, when issues were exceptions. However, when “exceptions” occur every 10 minutes, as they so often now do, they can no longer be considered exceptions, rather direct attacks. With a posture that centres on handling exceptions and reacting, security operators and incident response teams can’t keep up. What’s needed is a proactive approach to dealing with threats. This starts by understanding the movement and evolution of adversaries by geography, vertical industry and, ultimately, as it relates to your specific organisation.
With adversaries attacking us with greater frequency on multiple fronts, it’s time to add a third pillar to your security strategy– intelligence. Used to help you understand your adversary, threat intelligence focuses on the world outside of the company perimeter. It sifts through an unlimited universe of global threat data to help you see what is happening, analyse it and take action. Threat monitoring allows you to become more proactive and anticipatory by profiling not only the attack, but also the attackers who rapidly change their tools, techniques and procedures (TTPs) to evade defensive technologies.
With intelligence-based workflows, security operators can then use these insights into adversaries and how they are evolving to enrich internal surveillance, focusing on high priority and relevant threats and minimising alerts that are just noise or are false positives. Security teams can strengthen defences by automatically sending relevant threat intelligence directly to the sensor grid (firewalls, IPS, IDS, NetFlow, etc.) to create and apply updated policies and rules, and proactively protect the organisation from future threats.
In times of war, successful military leaders evolve their strategy and intelligence becomes paramount. Over the last several months it has become clear that we are no longer in a period of peace. Adversaries are rapidly evolving and executing large scale, damaging attacks. I’m fairly certain any general would tell you that power shifts when you know your enemy. With intelligence as the third pillar to your security strategy – and the cornerstone of your defence – you can know your enemy and shift from a reactive to a proactive security posture to better protect your organisation.