They will get in – Detect and Respond

We now live in the era of mega-breach. Almost every month, some large company sees tens of millions of confidential records exfiltrated from their databases. It doesn’t seem to matter what resources are in place – adversaries seem to always find a way through.

“Everybody has been hacked or will be hacked” says LogRhythm’s vice president for the APJ region,

Bill Taylor-Mountford. “Quoting a senior US intelligence official who said, 90% of people have been hacked and 10% lie”.

Taylor-Mountford says almost every company has been at least scanned by hackers looking for make quick and easy returns. Those hackers, he says, fall into three groups: criminal, ideological and nation-state.

In the UK, the drug trade is no longer the most lucrative form of criminal activity with cyber-crime taking over the mantle. That money is being used to fund other illegal activities such as people trafficking, arms dealing and the drug trade and with ideological hackers and nation-states motivated by their own specific needs, it’s clear determined adversaries will be difficult to stop.

A good example was the recent hiring of a team of hackers to the Cyber Caliphate by ISIS. Within several months, the French broadcaster TV5Monde was breached which resulted in all of their TV and radio stations taken off the air for several hours.

“They took one of the mouth pieces of France and made it redundant for five or so hours,” says Taylor-Mountford. “If they can do that, they can do more”.

One of the challenges is a lack of understanding in what is really going on over the Internet. Like an iceberg, only about 5% of the Internet is visible to most people. The remainder is unindexed, and all but invisible to most of the world. This is where hackers spend most of their time.

Detection requires understanding

For enterprises, this might seem very grim but Taylor-Mountford says there is a way to navigate these dark waters. It starts with understanding your own environment.

“There’s only one thing you can do – that’s to deploy a GEN 4 SIEM, or now more easily referred to as an Actionable Security Intelligence Platform (ASIP) and whitelist/baseline your environment”, “These are my users, these are the types of passwords we use, the types of usernames, the authentication process, these are the destinations they go to, the servers/files they access and services they utilise and whitelist them”.

This process can help detect anomalies within the environment before they are exploited. For example, it makes it easy to find users with multiple user accounts or accounts with permissions that don’t match their expected and observed behaviour.

This can be fine-tuned down to the specific individual’s access rights. With the prevalence of personal file sharing systems such as Box.net, Dropbox and OneDrive, it’s important to carefully track the movement of data as well. Taylor-Mountford says monitoring the movement is critical. This covers both malicious acts of exfiltration and staff inadvertently putting data in unsecured locations.

When it comes to detect and respond, Taylor-Mountford say’s “we’re the mouse and they’re the cat”. That’s why the current practice of adding more firewalls or older first generation SIEM’s isn’t the answer and a robust security intelligence system is needed to improve your mean time to detect and respond, whilst also complimenting existing security procedures and tools.

Most breaches, according to recent reports, go undetected for many months (The average is approximately seven) using traditional means. That’s why security intelligence systems are critical as they can correlate data from multiple sources to detect anomalous activity.

Responding to the invisible

Given many adversaries come from the invisible depths of the bottom 90% of the iceberg, how can companies respond?

“One of the things we don’t do enough of worldwide is we don’t talk about it,” says Taylor-Mountford. “It’s fractured. Some are government, some are QNGOs, some are commercial – we don’t share enough information. If I could get 100 banks in a room and ask who saw a specific piece of Malware over the last year – with just a simple yes or no – we would get a percentage without any other detail and that would be helpful. But we don’t get together and share nearly enough”.

In summary, deploying a Security Intelligence system across your environment with a robust infrastructure will give you the most effective method of detecting, responding and protecting your valuable assets and people.

Blast from the past?

Try our new Space Invaders inspired video game NOW.

What score can you get ?

Join the CSO newsletter!

Error: Please check your email address.

Tags TV5MondeGEN 4 SIEMDetect and RespondOneDriveIsisBill Taylor-Mountfordmega-breachLogRhythmCSO Australia

More about BillBox.netDropboxLogRhythm

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place