They will get in – Detect and Respond

We now live in the era of mega-breach. Almost every month, some large company sees tens of millions of confidential records exfiltrated from their databases. It doesn’t seem to matter what resources are in place – adversaries seem to always find a way through.

“Everybody has been hacked or will be hacked” says LogRhythm’s vice president for the APJ region,

Bill Taylor-Mountford. “Quoting a senior US intelligence official who said, 90% of people have been hacked and 10% lie”.

Taylor-Mountford says almost every company has been at least scanned by hackers looking for make quick and easy returns. Those hackers, he says, fall into three groups: criminal, ideological and nation-state.

In the UK, the drug trade is no longer the most lucrative form of criminal activity with cyber-crime taking over the mantle. That money is being used to fund other illegal activities such as people trafficking, arms dealing and the drug trade and with ideological hackers and nation-states motivated by their own specific needs, it’s clear determined adversaries will be difficult to stop.

A good example was the recent hiring of a team of hackers to the Cyber Caliphate by ISIS. Within several months, the French broadcaster TV5Monde was breached which resulted in all of their TV and radio stations taken off the air for several hours.

“They took one of the mouth pieces of France and made it redundant for five or so hours,” says Taylor-Mountford. “If they can do that, they can do more”.

One of the challenges is a lack of understanding in what is really going on over the Internet. Like an iceberg, only about 5% of the Internet is visible to most people. The remainder is unindexed, and all but invisible to most of the world. This is where hackers spend most of their time.

Detection requires understanding

For enterprises, this might seem very grim but Taylor-Mountford says there is a way to navigate these dark waters. It starts with understanding your own environment.

“There’s only one thing you can do – that’s to deploy a GEN 4 SIEM, or now more easily referred to as an Actionable Security Intelligence Platform (ASIP) and whitelist/baseline your environment”, “These are my users, these are the types of passwords we use, the types of usernames, the authentication process, these are the destinations they go to, the servers/files they access and services they utilise and whitelist them”.

This process can help detect anomalies within the environment before they are exploited. For example, it makes it easy to find users with multiple user accounts or accounts with permissions that don’t match their expected and observed behaviour.

This can be fine-tuned down to the specific individual’s access rights. With the prevalence of personal file sharing systems such as Box.net, Dropbox and OneDrive, it’s important to carefully track the movement of data as well. Taylor-Mountford says monitoring the movement is critical. This covers both malicious acts of exfiltration and staff inadvertently putting data in unsecured locations.

When it comes to detect and respond, Taylor-Mountford say’s “we’re the mouse and they’re the cat”. That’s why the current practice of adding more firewalls or older first generation SIEM’s isn’t the answer and a robust security intelligence system is needed to improve your mean time to detect and respond, whilst also complimenting existing security procedures and tools.

Most breaches, according to recent reports, go undetected for many months (The average is approximately seven) using traditional means. That’s why security intelligence systems are critical as they can correlate data from multiple sources to detect anomalous activity.

Responding to the invisible

Given many adversaries come from the invisible depths of the bottom 90% of the iceberg, how can companies respond?

“One of the things we don’t do enough of worldwide is we don’t talk about it,” says Taylor-Mountford. “It’s fractured. Some are government, some are QNGOs, some are commercial – we don’t share enough information. If I could get 100 banks in a room and ask who saw a specific piece of Malware over the last year – with just a simple yes or no – we would get a percentage without any other detail and that would be helpful. But we don’t get together and share nearly enough”.

In summary, deploying a Security Intelligence system across your environment with a robust infrastructure will give you the most effective method of detecting, responding and protecting your valuable assets and people.

Blast from the past?

Try our new Space Invaders inspired video game NOW.

What score can you get ?

Join the CSO newsletter!

Error: Please check your email address.

Tags TV5MondeGEN 4 SIEMDetect and RespondOneDriveIsisBill Taylor-Mountfordmega-breachLogRhythmCSO Australia

More about BillBox.netDropboxLogRhythm

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

More videos

Blog Posts