Developing A Culture Of Enterprise Cyber Security Resilience

A lot of money is being spent on securing critical infrastructure for enterprise businesses and government agencies. However, due to the tight-lipped nature of information security, we typically only hear about the bad news when a data breach occurs.

Organizations have been breached by relatively simple attacks with root causes including a lack of patching software applications and operating systems, mismatched server and firewall configurations, and human error. Despite current and future plans to grow the cyber security investment, many organizations are still getting breached.

A security team that is frequently requesting funding will fall under increasing levels of scrutiny. Where should the investment start? Our Digital Summit speakers described the value in a network triage from patching end-of-life systems and applications to scanning for open applications and open ports to monitoring early warning systems from networks of honeypots where attackers unknowingly practice their craft on legacy systems and inform advisory services of attack trends and new exploits.

See Related: Patching And The Basics

Lack of robust authentication tends to represent the low-hanging fruit in many of the less sophisticated attacks. Server entry points include SMB, Telnet, and FTP protocols due to non-encrypted authentication or even clear text transmission. HTTP and PHP distributions suffer from unsupported, end-of-life deployments that have not been patched. Verifying the versions and support for your releases goes a long way toward reducing these unsophisticated attacks.

On the opposite end of the vulnerability scale are zero-day exploits. Organizations spend significantly more in the threat cycle at an earlier stage to fend off these rare encounters in the wild than for the long-tail events of maintaining legacy software systems and equipment. The Digital Summit speakers reminded cyber leaders to follow the 80/20 rule when considering how to balance spending.

Avoid Investments In Security Symptoms And Tactics

Once the organization’s house is in order, presenters recommended broadening the security effort to include penetration testing (often shortened to “pentesting”) and developing cyber security resilience. The thinking behind a resilience approach is to consider the overall business specifically from the cyber security parameters. By analyzing information systems and potential vulnerabilities, one can identify the exposure, which leads to response and prevention.

Realizing a 100% secure environment is not practical and therefore an organization needs to be prepared to detect the breaches that get through. With increased legislation to protect critical information and the privacy of citizens passed and more on the way, governments are weighing fines against both public and private sector offenders that mishandle data. Add on top of this a global skills shortage for security professionals and the odds increase quickly.

Our experts observed that organizations tend to invest in security symptoms and other tactical approaches. When a phished employee surfaces or malware is identified, it gets patched or fixed. This response-driven behavior leads to organizations accumulating 50+ security tools, few of which that have any form of coordination or common interface between them. This behavior also distracts from the focus on detection, people, or the process.

The Value of Incident Detection & Response

In the Asia-Pacific region, research from the speakers found the average enterprise threat detection occurred in a little over 200 days (roughly 3 months) during 2018. While still quite lengthy, consider that the average in 2017 was 400 days to detect a threat. The value of incident detection and response is to reduce the 200-day dwell time and contain the threat.

The traditional means for an organization to detect a threat is through comparison of system event logs against known threats. Security Information and Event Management (SIEM) is the go-to security management system to ingest logs to be aggregated, correlated, analyzed, and searched for known threats. The SIEM system is supplemented with multiple technologies including threat intelligence, deception technology, user behavior analytics, and endpoint detection and response. Some SIEM users have observed that a team of 3-7 dedicated specialists is necessary to operate and maintain a SIEM environment.

An audience member during the Digital Summit asked if Vulnerability Management has the potential to replace SIEM. The speakers believe the two are complementary technologies. Vulnerability management is viewed as an important input while SIEM collects information from multiple sources, including Vulnerability Management. The SIEM system uses Vulnerability Management to correlate attacks in a more meaningful way. When combined, a security team is able to determine if a type of attack is likely to be successful.

Incident Response and Containment

Preparing for a cyber security incident response can be summed into 3 questions for the security team:

• Has an Incident Response Plan & Playbook been developed?
• Have the organization’s key stakeholders been identified?
• Has the Incident Response Plan been tested?

See Related: Preparing For Battle: Building An Incident Response Plan

The incident response plan spells out the methodology for investigation, including areas such as triaging the incident to ensure that it’s not a false positive, determining the extent of the problem, and integrating with existing workflows.

Furthermore, the playbook details the organization’s response to an incident. The playbook must reference the incident response plan and enrich alerts with additional data that leads to actions, such as logging a ticket, disabling a user, quarantining a file, and killing a process.

Security Orchestration, Automation & Response (SOAR)

The final aspect of moving away from tactical security approaches is to develop repeatable workflow, such as trigger events, automated actions, and data enrichment. The scope and scale of security orchestration, automation, and response (SOAR) depends on the organization’s maturity and what problem is trying to be solved.

See Related: How SOAR Technologies Force Multiply Your IR Assets

Digital Summit Summary

After the presentations were made and the audience questions answered, it was time to wrap up the main points for the Cyber Security Hub APAC Digital Summit. For organizations to consider their Cyber Security Resilience, they must understand their ability to detect attacks, develop and implement an Incident Response Plan, and identify ways to automate mundane processes. These steps do not guarantee 100% security; however, an organization with a strategy that practices how it will respond when an incident does occur will not get itself lost investing in security symptoms and tactics.

Watch: Matching Your Investment To Security Outcomes - Incident Detection & Response Done Right