The processes around prescriptive security are distinct from those around traditional cyber
security in a number of ways. Here, we’ll examine the differences using the example of a device belonging to the executive assistant of a CEO having been subject to a phishing attack, resulting in a virus. As every cyber security expert knows, phishing email campaigns are increasingly targeting smaller, more focussed groups and becoming more sophisticated and therefore more likely to succeed and business email comprise (BEC) has taken over as one of the major challenges.
Traditional security processes
In a traditional security environment, the analyst must first log into multiple tools to work out what is happening. The analyst uses each tool to view the necessary logs and data to understand the incident. Whilst the analyst might quickly establish that there is a ‘0 day’ polymorphic virus, the tools may not link the endpoint with the user in order to easily trace the phishing attack. Without this link, actions to update security at the boundary may not happen quickly, if at all; as a result, more users could be affected.
The analyst also needs multiple security systems and applications to co-ordinate the right response. This will take time, especially if these security tools aren’t in daily use – again increasing the risks to other users. There may also be risks associated with the order in which remediation steps are configured into the various systems. Even worse, where devices are offline or not connected back into the corporate network, the design of the virus keeps them vulnerable to attack for some time.
If the analyst is not sufficiently trained, or has no access to a particular tool, they may need to raise service tickets to action a response, further lengthening the time to respond, especially if those processes take time or the tool is not managed 24×7.
Each of these steps must be fully documented, with processes for logging into the various toolsets such as anti-virus management, network access control management, endpoint detection and response, in order to manually trigger actions.
Prescriptive security processes
With prescriptive security, the time it takes to identify a problem shrinks to milliseconds. Information about multiple events is collated into one place and enriched with threat intelligence ready as a single ‘ticket’ for the analyst to analyse and make decisions.
Straightaway, the analyst has better visibility of the incident using advanced data processing, analytics and security event management systems so they can quickly link the virus to the phishing attack and to the CEO’s executive assistant. Given that this is a new problem, human intervention is needed and yet still minimal: the analyst selects the most effective playbook of automated actions to protect the whole estate.
This ultimately removes the risk of errors and not only improves the time to respond to the initial incident, but also helps to reduce or even eradicate the time to detect any similar subsequent incidents.
Ongoing service management
All security incidents are monitored, identified, prioritised and managed at the Security Operations Centre and a key part of security operations is integration with the rest of service management, for example, to ensure that every change to an IT estate is documented and audited.
If all details and current remediation tasks are held purely within traditional security tools, this is likely to lengthen the time to respond, and create extra change management tasks for the service management team. In contrast, with prescriptive security, everyone involved can easily be kept informed of the situation. So, for example, when the CEO’s assistant rings the service desk the following morning because the device cannot connect to the network, the service desk can instantly see how and why the device has been isolated and explain this.
Forensic investigation
Following any serious incident, thoughts will turn to reviewing how the incident occurred, and how to predict and prevent similar attacks in future.
Just as having data spread across disparate systems makes analysing and responding to an incident slower, it also makes it harder to fathom details of the attack path in retrospect. In contrast, with prescriptive security, there is full auditability and continuous learning, working in harmony to bolster the defences against cyber threats. Prescriptive security is a game changer: it transforms the way security analysts work so that teams can keep ahead of bad actors – even as they grow in number and get ever more sophisticated in their attack strategies.
This article has been adapted from Atos’ Digital Vision for Cyber Security 2 and was authored by Stephen Wing, Security Consulting Practice Lead, Atos UK & Ireland.