Anyone in the cyber security industry will agree that without proactive monitoring and context, organisations are blind to today’s sophisticated and tailored cyber-attacks.
Moreover, what was once the purview of highly skilled cybercriminal groups, well-refined, multilayered malware systems combining social engineering, zero-day vulnerabilities and custom exploits, is becoming the norm rather than the exception.
This is the new frontline of the cyber battleground, where daily skirmishes are leaving security operations teams battered under the withering firepower of enemy attacks. But what can you do to get ahead of your adversaries? Let’s look at what matters: proactive monitoring and context.
Proactive and continual tuning of security controls ensures they remain effective in keeping out the bad guys while letting the business continue to meet its strategic objectives. Security operations teams need to quickly find breaches and clean up the mess before the attacker has a chance to cause harm, but this is not an easy task. The reality is that most businesses don’t have breach detection capabilities that work or, at least, that remain capable as the attackers change their tactics. In fact, even moderately sophisticated attacks exploit more than one vulnerability to achieve their goal.
For example, the recent WannaCry outbreak saw multiple payloads compiled together to allow the attacker to gain access to the target’s computer, then to spread laterally through the target’s network, encrypting each computer it encountered along the way. And while this malware seemed sophisticated with its layered exploits working together to make the germ even more virulent, the technology wasn’t smart at all. It required a little lateral thinking and a lot of luck to bring over 200 companies to their knees.
Furthermore, most of the organisations that were infected by WannaCry had serious deficiencies in the most basic of cyber security defences. If they had only patched their Microsoft Windows computers with the latest set of updates, they would have been immune.
Patching is often not the responsibility of the security team, yet they are still expected to keep the wolf from the door. So, how can security operations teams tune their systems to detect and shut down attacks such as WannaCry when the patches haven’t been rolled out? Firstly, you need a Security Information and Event Management (SIEM) system that collects the logs and security information continually being produced by your network appliances.
The source of an attack such as WannaCry can appear to be external when it’s coming in for the first time, or internal when it’s spreading laterally or trying to encrypt your data. But each kind of attack is different in its behaviour, which you can use to your advantage if you know how your systems are supposed to behave under normal operation. These deviations from the normal pattern of service behaviour act as early warning signals that let you stop an attack.
Being able to detect attacks at the beginning of the kill chain requires that you have deep insight into how you configure your systems. Knowing how they are architected and how they perform under duress will help you find anomalies. Once you have this knowledge (which we’ll call context), you can tune your SIEM to alert you when odd things start to happen. One viewpoint that security operations teams can take is that of the context of users’ assets.
Furthermore, if you combine contextual behaviour monitoring with real-time threat intelligence about rogue sites and IP addresses, you’ll be able to pre-empt the attackers and detect them during early reconnaissance rather than when the user calls the service desk wondering why their files won’t open.
There are several modes of context that you can use to focus your activities when building correlation rules, helping you tune your security devices against each of these viewpoints. Take the user context, for example: if you are a Microsoft Active Directory user, you can use user authentication, assignment to groups and organisational units, and general privilege and ACL usage to profile what regular user activity looks like. You can also use this activity to help the Active Directory team refine their access policies, since you’ll be feeding back incidents for them to investigate what you might consider indicators of attack.
When you are locating false positives that might look like patterns of behaviour associated with an attack, you are helping the other technical teams in the investigation understand how the baseline appears. Any help in this space is usually welcomed and helps the organisation develop a richer understanding of what’s going on ‘under the hood.’ Other contexts that you can profile might be the system, security appliances, vulnerabilities, and even different user groups’ contexts, such as Executive, Sales, Finance and HR. You might even profile the attackers’ context. Model each viewpoint and determine which changes to the baseline indicate an attack. You can then determine whether any systems need to be reconfigured to notify you of these behavioural anomalies, which in turn helps you tune the SIEM.
You can develop use cases within security operations that are optimised to each of your contexts, spending development time working on cross-sections of contexts to see how each of the different styles manifests in an attack.
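To make the user-context idea concrete, here is an added illustration (not code from the original article or its author) of the baseline-and-deviate approach: build each account’s normal set of authenticated hosts from historical logon records, then raise one alert when an account authenticates to several off-baseline hosts in a short window, the fan-out pattern of lateral spread described above. All logon records, host names, the five-minute window and the threshold of three hosts are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (timestamp, account, target host); not real telemetry.
BASELINE_LOGONS = [
    ("2017-05-08T09:01:00", "alice", "FS01"),
    ("2017-05-08T09:05:00", "alice", "WS-ALICE"),
    ("2017-05-08T09:10:00", "bob", "WS-BOB"),
    ("2017-05-09T09:02:00", "alice", "FS01"),
    ("2017-05-09T09:20:00", "bob", "FS01"),
]
LIVE_LOGONS = [
    ("2017-05-12T10:00:00", "alice", "FS01"),      # within alice's baseline
    ("2017-05-12T10:00:05", "bob", "WS-ALICE"),    # off-baseline for bob
    ("2017-05-12T10:00:07", "bob", "WS-CAROL"),    # off-baseline
    ("2017-05-12T10:00:09", "bob", "WS-DAVE"),     # off-baseline -> burst of 3
    ("2017-05-12T10:30:00", "bob", "WS-BOB"),      # within bob's baseline
]

def build_baseline(events):
    """User context: the hosts each account normally authenticates to."""
    hosts_by_user = defaultdict(set)
    for _, user, host in events:
        hosts_by_user[user].add(host)
    return hosts_by_user

def detect_fanout(events, baseline, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: one alert per account whose off-baseline logons reach
    `threshold` distinct hosts inside `window`. Returns (user, start, hosts)."""
    novel = defaultdict(list)  # account -> [(time, host)] not in its baseline
    for ts, user, host in sorted(events):
        if host not in baseline.get(user, set()):
            novel[user].append((datetime.fromisoformat(ts), host))
    alerts = []
    for user, hits in novel.items():
        for start, _ in hits:
            in_window = {h for t, h in hits if start <= t <= start + window}
            if len(in_window) >= threshold:
                alerts.append((user, start.isoformat(), sorted(in_window)))
                break  # suppress duplicate alerts for the same burst
    return alerts

if __name__ == "__main__":
    for alert in detect_fanout(LIVE_LOGONS, build_baseline(BASELINE_LOGONS)):
        print("ALERT lateral fan-out:", alert)
```

The baseline feeds back to the directory team as described above: a host that a user legitimately needs becomes part of that account’s context, so the rule tightens rather than floods the SIEM with false positives.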
In security, proactive monitoring and context is everything. To get security operations finally back on the front foot, you need to understand how things work. How are systems configured? Who is authorised to access file stores and your intranet? Why is that account accessing that information repository? Once you have context, it’s so much easier to locate intruders and kick them off your network before they cause harm.