Want Better Security? Get Back to the BasicsEighty-three percent of the attacks we see are commoditized threats. By: Terry McGraw
Advanced analytics, blockchain, strong encryption, managed detection and response, machine learning—you can find all of these on a “Best New Security Solution” list. Breakthroughs and improvements in enterprise protection definitely benefit the business and consumer ecosystem. But before you implement the latest security technology, consider whether you have the basics covered. After all, that's exactly what your adversaries are doing.
Commoditized malware is inexpensive and prevalent. It's still the predominant threat we see (at 83 percent of successful attacks), coming through the same three vectors: email, social engineering and strategic web compromise. Between 70 and 80 percent of initial entry into a corporate network still comes through email alone. Faking the CEO's email account and sending a company-wide message may be passé, but it plays on our human instincts and it still works quite effectively. Conversely, less than 10 percent of the threats a CISO will deal with come from advanced adversaries or nation states. Clearly, we need to get back to basics when it comes to enterprise security—basics like patch management, sandboxing and good old fashioned attention to people, process and technology.
What Does My Network Look Like to an Adversary?
Most businesses still don't understand how they appear to a malicious actor. Many times, there is something more attractive than your PCI or PII data that you've probably already secured for compliance sake. Can an adversary monetize your intellectual property by theft? Do your vendor relationships make you a target, or provide a vector of attack you haven't considered before? Taking time to analyze your relationships with other partners, suppliers and even customers is difficult and requires genuine security expertise.
Security generalists and people who know how to manage specific tools are not always ready to evaluate threats in this manner and build strategies accordingly. Look for people with data science and cybersecurity skills that can perform this level of analysis.
Looking Inward. Do We Understand Our Own Environment?
Just as critical as the external perspective, you must also understand your own internal processes and infrastructure. How does your corporate board define your business? What are the security implications to those mission critical aspects of your enterprise? If any of them were affected by compromise, would you be able to prioritize and triage effectively? This exercise will help you consider cyber insurance properly, risk mitigation strategy offsets and out-of-band solutions should a critical system become disabled by attack.
Tackling the Basics
After taking stock of the external and internal view of your business computing environment, you can confidently approach (or re-approach) the security basics, including:
- Reviewing security architecture and design.
- Hiring the right type of security experts.
- Documenting and practicing robust security procedures and processes.
- Performing regular telemetry to fine-tune your environment.
Sandboxes and SIEMs
In a review of findings from our Incident Response engagements over the course of 2017 and early 2018, we found that basics like two-factor authentication, complex password use, sandbox technology and a formal incident response plan were often not in place. When it comes to sandboxing, there are still many businesses that lack a way to scrutinize email. Even if sandbox technology were to decrease just 50 percent of malicious intent from ever entering your environment, that would have big ramifications for your overall security program.
Conversely, the implementation of a SIEM may not offer an immediate way to identify attack vectors or make sense of threats. Even though they are powerful tools, a SIEM is still only a tool kit. A SIEM requires extremely knowledgeable security experts to optimize it specifically for your environment, and keep it operating effectively. That's where the list of security basics above comes in handy.
Managing the SIEM is only one piece of the puzzle. You also need the environmental awareness—the external and internal perspective—to better manage security processes, formulate use cases, and generate responses that will flow through the SIEM. With the right security experts, you can build and maintain use cases and apply correlation rules that are specific to your unique business environment. Practicing the basics should generate more valuable insights from a SIEM and improve the discovery to response timeline.
The Basics Don't Have to be Difficult
If getting the basics of security was easy, would we still see so many successful commoditized attacks? It's an interesting question. With commoditized threats, if you're vulnerable, you will get hit, and if you're not, you won't. It sounds pretty simple, right?
In today's landscape, protecting a network is impossible. But defending one is absolutely within reach. The primary question is how quickly can we detect and identify the threats inside our network, and how soon can we eradicate them and prevent the same compromise from occurring again.
We assert that a fully functioning security operations center should address three major components:
- The adversaries' perspective of the network.
- The internal understanding of the environment, including network operations and security architecture.
- The business context around the environment—the uniqueness that affects architecture, procedures and incident response components.
Perhaps by tackling these basic questions, we can break down a massive array of threats against our networks into manageable, incremental and meaningful improvement.
*Included data comes from Secureworks® data based on SOC operations and Incident Response engagements