Our security mantra is “Prevent, detect, respond”, but if we’re honest, the main focus should really be on preventing cyber attacks first and foremost.
The first important point is that detection has now become a form of prevention and a significant rethink is required to really stay on top of security. The current onslaught of ransomware and malware has proven that signature-based antivirus and next generation firewalls do not offer as much protection as might be hoped.
Why is this?
Hackers have evolved mechanisms that target specific soft targets within the organisation. This is achieved by baiting or laying a trap with the promise of a prize, or even something as simple as a site offering information that arouses human curiosity – “You won’t believe the latest celebrity craze in beauty products” or “Sign up here to receive a nice picture of dogs/cats” etc. These tempting invitations are usually found at the bottom of harmless and trusted websites.
Crucially, at this stage nothing represents a threat yet, so it will not be detected by the antivirus or firewall/web filter. After a period of time the hacker infects the website that users visit with a runtime scripted component, which again will not trigger any alarms. The next stage of the cyber-attack is now in progress: the hacker uses this script to drop the runtime component onto the endpoint, which allows them to gain control or carry out the desired activity. With the sign-up trap, the user receives an infected jpg or pdf which carries out a similar activity. All of this activity will go undetected by your antivirus or next generation firewall, so something else is required.
Advanced Malware Protection
Malware that gets through initial defences and sits dormant and undetected for a while before starting to behave maliciously requires retrospective security and continuous analysis of the network and all of its endpoints in order to be detected. In the mid-market, advanced malware protection (AMP) products like Cisco’s FirePower Services reduce cost and complexity compared to running different tools from different vendors and trying to make connections and link the information between them. By identifying suspicious activity on the network, AMP generates alerts for system administrators to investigate further. Where activity doesn’t look quite right, AMP sends the data on to big data systems like Talos Cloud and Threat Grid, which share information to identify potential issues by looking for indicators of compromise on endpoints before an incident occurs.
If you need more than AMP, you need SIEM
AMP products do a great job of spotting and stopping attacks and supporting the “what just happened?” investigations that are needed before the IT team can figure out what to do next.
In the world of larger enterprises, SIEM (security information and event management) software aggregates log files from a multitude of endpoints and applications to provide a centralised view of activity throughout a network, with the intent of spotting problems before they are noticed by the average user.
In many circumstances, however, SIEM is simply too complicated and too costly to be justifiable.
What if you don’t have AMP or SIEM?
All too often, it’s the smaller organisations who haven’t invested in AMP who suffer a security breach; their users have alerted the IT team to unexpectedly encrypted files, for example, and they need to do something about it fast.
This puts IT on the back foot – they have to act urgently to get people back working effectively.
What does best practice response look like?
Often the next step is to isolate the device or part of the network that has been affected so that the malware cannot spread.
Network partitioning will limit the spread of the malware and protect against extensive problems. This can be done in response to an attack, but is best done up front.
Having backups and knowing how to use them efficiently is key to getting your users back and working quickly. If an endpoint is compromised and needs to be rebuilt, having an image of the settings, applications and so on will make for a rapid rebuild to get the user online. If a file or set of files becomes encrypted, the ideal scenario is to be able to restore them from just before they were encrypted, so it’s important to be clear on the suitability of your backup recovery time and recovery point objectives.
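The response steps above (pick the restore point from just before the files were encrypted, then check it against your recovery point and recovery time objectives) can be made concrete with a small check. This is an added example, not Novosco’s code; the snapshot times, detection time, RPO, RTO and measured restore duration are constructed values.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): backup snapshots of a file share and
# the time the IT team first saw encrypted files on it.
SNAPSHOTS = [
    datetime(2024, 3, 10, 2, 0),
    datetime(2024, 3, 11, 2, 0),
    datetime(2024, 3, 12, 2, 0),
    datetime(2024, 3, 12, 14, 0),  # taken after detection: may already hold encrypted files
]
ENCRYPTION_DETECTED = datetime(2024, 3, 12, 9, 30)
RPO = timedelta(hours=12)  # maximum tolerable data loss (assumed objective)
RTO = timedelta(hours=4)   # maximum tolerable time to get users back online (assumed)
RESTORE_DURATION = timedelta(hours=1, minutes=30)  # measured during a test restore (assumed)


def choose_restore_point(snapshots, detected_at):
    """Return the most recent snapshot taken strictly before encryption was observed.

    Snapshots taken at or after detection are skipped because they may already
    contain the encrypted versions of the files.
    """
    candidates = [s for s in snapshots if s < detected_at]
    return max(candidates) if candidates else None


def assess_recovery(snapshots, detected_at, rpo, rto, restore_duration):
    """Check whether the chosen restore point meets the RPO and the restore time meets the RTO.

    Data loss is measured up to the detection time, which is an upper bound:
    encryption may have started earlier than it was noticed.
    """
    point = choose_restore_point(snapshots, detected_at)
    if point is None:
        # No clean snapshot exists: RPO cannot be met regardless of its value.
        return {"restore_point": None, "data_loss": None,
                "rpo_met": False, "rto_met": restore_duration <= rto}
    data_loss = detected_at - point
    return {
        "restore_point": point,
        "data_loss": data_loss,
        "rpo_met": data_loss <= rpo,
        "rto_met": restore_duration <= rto,
    }


if __name__ == "__main__":
    print(assess_recovery(SNAPSHOTS, ENCRYPTION_DETECTED, RPO, RTO, RESTORE_DURATION))
```

Running the sample selects the 02:00 snapshot on 12 March with 7.5 hours of data loss, which fits a 12-hour RPO but would fail a 6-hour one.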
How do you stop it happening again?
Learning from experience, understanding what went wrong and putting software, hardware and user education in place will help to prevent it happening again. Vendors are constantly updating products to protect against the latest vulnerabilities, learning continuously from the log files that their products feed back, but end user organisations need to take a proactive approach to improving cyber security too.
If you'd like to discuss how Novosco can help your organisation optimise and secure your infrastructure, get in touch - our trusted experts are here to help. https://www.novosco.com/cloud-services/strategy-assessment