Cyber security: from prevention to mitigation

By Ross Brewer, vice president and managing director of international markets, LogRhythm

Every organisation today is facing a transformative period. Over the last few years, the threat of cybercrime has steadily increased to the point where barely a day goes by without news of some form of security breach. Businesses are waking up to the fact that it is no longer a case of if they are breached, but rather when. The financial services industry is no different. While these businesses have traditionally been fairly shrewd when it comes to security, the sophistication of hackers today, coupled with the introduction of new technologies, means financial organisations are being breached too often.

Traditionally, security strategies have focussed on keeping external threats out with the implementation of perimeter security tools, such as firewalls and anti-virus software, providing enough protection to keep businesses relatively safe. Today, however, hackers are well organised and well-funded. They have sophisticated technical skills and they are relentless in their pursuit of their goals. To make things worse, almost anyone with a grudge to bear or a malicious streak can buy malware, rent botnets on the Dark Web, or simply take advantage of their privileged user status to wreak havoc. It is a formidable landscape where cyber-attacks can come from almost anywhere and anyone. In order to protect themselves, and their customers, banks now need to re-think their security strategies.

Threats at every turn

According to the World Economic Forum, the theft of information and the intentional disruption of online or digital processes are among the most prominent risks that businesses face today. The reality is that for most organisations, if a motivated adversary wants to penetrate the network, they will. As such, businesses now have to adopt the attitude that, if they aren’t already compromised, they could be at any moment.

The problem is that many organisations continue to focus their attention on identifying and blocking threats at the perimeter. Given that the network perimeter now extends well beyond the organisation and therefore, in reality, doesn’t really exist anymore, these prevention-centric strategies are failing, and have failed in some of the largest attacks making recent headlines. What’s more, a recent study conducted by the SANS Institute[1] found that the most prevalent cause of security incidents within financial services organisations is abuse or misuse of privileges by internal employees or contractors. Despite this, almost a third of respondents claimed that perimeter tools (firewalls, Intrusion Detection / Prevention (IDS and IPS)) are their most effective security solutions.

The study also found that, despite many experts highlighting advanced persistent threats (APTs) as a serious threat today, very few respondents felt the same, with only four percent citing the technique as a cause of security incidents within their business. However, given that APTs often go unnoticed for a considerable amount of time, they may simply not be aware that they have been breached. As SANS points out, the second most common threat faced by financial services companies is spear-phishing emails, which are a common tool used in APT attacks. As such, the fact that respondents cite spear-phishing as a major threat, but not APTs, suggests a serious disconnect in how many in the financial industry perceive APTs.

A fundamental shift is therefore required. As computing environments may already be compromised, businesses need to move their processes and priorities towards detecting when those compromises occur, and responding to them as quickly as possible. That does not mean threat prevention itself is obsolete (in fact, it remains as important as ever); it simply means these defences cannot be relied upon to protect against determined hackers and malicious insiders.

Reducing the time at risk with security intelligence

Effective IT security depends on skilled people, well-defined policies and processes, and a range of integrated technologies. As both the volume of cyber threats and the sophistication of attack methods continue to grow, security technology is critical in augmenting the human expertise necessary to successfully detect and respond to potentially damaging threats.

In the majority of organisations, threat detection is based on various security sensors, such as firewalls, intrusion detection / prevention systems (IDS/IPS) and so on, that attempt to look for suspicious behaviour or for known signatures of malicious activity. These sensors provide a continuous stream of data related to threat events. In enterprise organisations, there can be thousands, or even hundreds of thousands, of events every hour and with such a huge quantity of data, the security team can be blinded to those that really matter. If they cannot even pinpoint what needs investigating and what does not, they have little hope of responding in a timely manner. This means that many organisations operate in a mode where the time it takes them to detect and respond to threats can be months and weeks respectively. In fact, organisations often find that it is third parties that first suspect something is wrong – with, for example, strange activity on their credit card statements. The longer it takes an enterprise to discover there has been a breach, the longer it will take to respond and, during this time, there is the potential for a lot of damage to be done. As such, businesses must strive to reduce detection and response time to a maximum of hours and days – and ideally, hours and minutes.

Just as business intelligence has helped organisations sift through irrelevant data to find opportunities that may otherwise have remained unseen, security intelligence does much the same thing with threat information. The main objective of security intelligence is to deliver the right information, at the right time, with the appropriate context, in order to significantly decrease the amount of time it takes to detect and respond to threats.

Security teams must be able to quickly evaluate threats to determine the level of risk, as well as whether an incident has occurred, and ensuring that analysts have as much information as possible enables them to react more efficiently. As such, when threats are identified – either via an enterprise’s vast array of sensors or through machine analytics – the role of security intelligence is to deliver actionable insight into potentially damaging threats, with supporting forensic data and contextually rich intelligence.

Understanding behaviour

Though it may seem basic, many organisations fail to have a true understanding of what constitutes ‘normal’ activity across their networks, yet this is key to determining threats – particularly from malicious insiders. Without this insight it is difficult to know what activity deviates from ‘normal’ and requires further investigation. Not only does this mean that potential breaches may be missed, but also that perfectly normal activity risks being treated as a threat, which equates to an unnecessary use of time and resources. On the other hand, while some network activity may seem perfectly innocuous on its own, when associated with other events, it may in fact point to anomalous behaviour or the beginning of a coordinated attack. Continuous network analysis is the only way for organisations to baseline normal behaviour and then scrutinise all activity against that.

A security intelligence strategy requires a system that can incorporate real-time analysis, advanced correlation, reporting technology and immediate remediation capabilities. This ensures any anomalous activity is identified in real time, and gives organisations the ability to automatically correlate seemingly unrelated incidents, with potential danger being flagged as it occurs. Not only does this level of monitoring ensure breaches are more likely to be identified, but it also makes it very difficult for hackers to subvert the system.

Once this level of network visibility is in place, all relevant, or potentially relevant, data on the network can be accumulated and analysed, before baseline and trending activities can commence, in order to see and record what is happening over periods of time. It can, however, be difficult for some systems to distinguish between real threats and activity that is actually perfectly normal behaviour for a system or user but has been flagged as abnormal.

In order to reduce the number of false positives, ‘behavioural whitelisting’ can be used, which monitors the regular activities of everything on the network, including host servers, apps and individual users. By building up a whitelist of normal activity, actions that are outside of the norm can be identified and, where appropriate, investigated. This tactic allows security analysts to combine network-generated data with behavioural profile data and event trends to determine what activity is normal and what may require further analysis. While this strategy can help identify potential external threats, it can also help prevent insiders from causing harm. If a privileged user, for example, begins accessing financial systems when their usual remit is IT, it may point to untoward intentions. Without a baseline of the user’s usual activity, such a deviation would be difficult to spot. With it, the situation can be investigated and a potentially disgruntled employee thwarted.
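The behavioural whitelisting approach described above, worked through as an added example (this is not LogRhythm's or the author's code). It builds a per-user baseline of which systems each account touched during a quiet period, then scores a later window of events against that baseline, so that an IT administrator suddenly logging into a finance host stands out while a repeat visit to a usual system does not. The log format, the user and host names, the `min_events` history threshold and the choice to report accounts with too little history separately (rather than as anomalies) are all assumptions made for the example.

```python
"""Behavioural whitelisting over constructed access-log lines (added example).

Builds a baseline of "which systems does this user normally access", then
flags later events outside that baseline and collapses repeats into one
finding per user/system pair so an analyst sees a correlated picture rather
than a stream of single alerts.  Log format, names and thresholds are all
constructed for illustration; this is not a vendor's detection logic.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed baseline window, one access per line: "timestamp user system action".
BASELINE_LOG = """\
2015-03-02T09:01:12 jdoe   it-jump01    login
2015-03-02T09:05:40 jdoe   it-jump01    sudo
2015-03-02T10:15:03 jdoe   build-srv02  login
2015-03-03T08:58:31 jdoe   it-jump01    login
2015-03-03T11:20:45 jdoe   build-srv02  login
2015-03-02T09:10:00 asmith fin-ledger01 login
2015-03-02T09:12:30 asmith fin-ledger01 query
2015-03-03T09:08:11 asmith fin-ledger01 login
2015-03-03T14:30:02 asmith fin-report01 login
"""

# Constructed live window to be scored against the baseline.  jdoe (IT remit)
# touches a finance host out of hours; newhire has no history at all yet.
LIVE_LOG = """\
2015-03-10T09:02:55 jdoe    it-jump01    login
2015-03-10T22:41:09 jdoe    fin-ledger01 login
2015-03-10T22:43:17 jdoe    fin-ledger01 query
2015-03-10T09:15:00 asmith  fin-ledger01 login
2015-03-10T09:30:00 newhire fin-ledger01 login
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    system: str
    action: str


def parse(log: str) -> list:
    """Split the constructed whitespace-separated format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, system, action = line.split()
        events.append(Event(ts, user, system, action))
    return events


def build_baseline(events, min_events: int = 3) -> dict:
    """Return {user: {system: count}} for users with at least min_events history.

    Users below the threshold are deliberately left out: a whitelist built from
    one or two events is too thin to trust, and treating every access by such an
    account as an anomaly is exactly the false-positive noise the text warns of.
    """
    seen = defaultdict(lambda: defaultdict(int))
    for e in events:
        seen[e.user][e.system] += 1
    return {u: dict(s) for u, s in seen.items() if sum(s.values()) >= min_events}


def flag_deviations(baseline: dict, events) -> tuple:
    """Split live events into (outside-baseline, no-baseline-available)."""
    flagged, unprofiled = [], []
    for e in events:
        profile = baseline.get(e.user)
        if profile is None:
            unprofiled.append(e)          # not enough history to judge
        elif e.system not in profile:
            flagged.append(e)             # known user, never-before-seen system
    return flagged, unprofiled


def correlate(flagged) -> list:
    """Group deviations by (user, system) so repeated hits become one finding."""
    groups = defaultdict(list)
    for e in flagged:
        groups[(e.user, e.system)].append(e)
    findings = []
    for (user, system), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        findings.append({
            "user": user, "system": system, "count": len(evs),
            "first": evs[0].ts, "last": evs[-1].ts,
            "actions": sorted({e.action for e in evs}),
        })
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    flagged, unprofiled = flag_deviations(baseline, parse(LIVE_LOG))
    for f in correlate(flagged):
        print(f"DEVIATION {f['user']} -> {f['system']} x{f['count']} "
              f"({f['first']} .. {f['last']}) actions={f['actions']}")
    for e in unprofiled:
        print(f"NO BASELINE {e.user} -> {e.system} at {e.ts} (review history first)")
```

In a real deployment the baseline would be refreshed on a rolling window and enriched with the user's role (the "usual remit is IT" context from the text), but the shape is the same: profile first, then judge each event against the profile and correlate what falls outside it.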

From prevention to mitigation

The consequences of suffering a data breach can be crippling for many businesses – from financial loss to reputational damage, organisations need to do as much as possible to avoid becoming tomorrow’s headlines. Financial services organisations will always be a prime target for criminals, thanks to the information and assets they hold. As prevention becomes increasingly futile, banks need to focus their attention on identification and remediation strategies. Taking an intelligent approach to security will result in a reduction in the time it takes to detect and respond to threats and significantly reduce the risk of experiencing a harmful breach. Ultimately, financial services organisations should aim to identify and respond to threats in hours and minutes, rather than days and weeks. With a higher level of security intelligence, businesses can be assured that when a hacker does get in, they’ll be kicked out before any lasting damage is done.

[1] https://www.sans.org/reading-room/whitepapers/analyst/security-spending-preparedness-financial-sector-survey-36032