[BreachExchange] Cybersecurity Storms: Visibility is Key to Cyber Protections

Destry Winant destry at riskbasedsecurity.com
Thu Dec 6 00:16:01 EST 2018


https://www.securityweek.com/cybersecurity-storms-visibility-key-cyber-protections

The most destructive disaster is the one you do not see coming. Before
modern meteorology, settlers along the Atlantic coast had no warning
when a hurricane was upon them. There was no way to escape from the
titanic forces of wind and rain. Now, scientific instruments such as
radar, barometers and satellites can see trouble brewing halfway
across the ocean, giving residents time to evacuate and save lives.

While there is no evacuating cyberspace to avoid a storm of hackers,
prior warning gives security teams a chance to stop cybercriminals
before they can wreak havoc and make off with sensitive customer data
or company secrets. There is an all-too-common adage that it is not a
question of if a company will be hacked, but when it will find the
hack. The realities of cyberspace make it too difficult to reliably
keep hackers out of corporate networks. That is not to say security
teams should give up, but rather that they need to shift their goals.

Instead of focusing on stopping hackers before they get in, security
teams need to move the real contest to their home turf where they have
the real advantage. Winning is about stopping hackers from leaving
with stolen data more than it is about keeping them out.

Achieving this requires security teams to make a concerted effort to
expand their visibility on their systems to better understand hacker
activity. In a properly set up system, one mistake on the hackers’
part inside the network will reveal their presence and make them easy
targets to block.

Everything the light touches

The first step in gaining enough visibility to address this new way of
approaching security is to make sure that security teams have
visibility into the digital assets under their control. This sounds
like a simple prospect, but it is growing increasingly complicated. In
the old days, just keeping track of the laptops and desktops doled out
to employees for their daily work was enough, since servers were
secured in the basement behind layers of firewalls and other security
filters.

Modern IT systems now have to contend with all of the above, in
addition to mobile phones and tablets, IoT devices and cloud servers,
not to mention remote workers accessing the corporate network from
dispersed locations. Security teams need to make sure they are keeping
track of all of the devices that can access their networks and make
sure all are behaving normally.

The easiest device to hack is the one that no one is watching. A
device that has been forgotten and neglected under the mountain of
other responsibilities IT and security teams must contend with is a
ripe target for hackers to establish a foothold and gather
intelligence about a network before executing the final phase of their
attack.

Building higher fences

A good first step to maintaining visibility is to conduct an inventory
of all devices and systems under the company’s control, that is,
everything that could access the network (including wireless printers). This
requires constant maintenance as new cloud resources spin up and down
but makes it easier to track all points of access to the network.
Restricting access to the network to only this short list of devices
that the security team can monitor is a good step to making it harder
for hackers to sneak by unnoticed.

Once that list is in place it is also important to monitor activity at
the network level. That way every new interaction can be watched
carefully for signs of malicious intent. Cybercriminals do not know
the ins and outs of the network the way that the security teams who
work with it every day do. Intruders are groping their way through the
dark, not knowing what they will find with every ping. Network
defenders can turn this to their advantage by looking for exploratory
activity coming from unusual places such as automated devices or
employees in non-technical departments. It is also effective to deploy
decoys like honeypots that tempt intruders with promises of a big
payload but actually alert security teams to the unwanted activity.
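The two controls described above, an inventory that doubles as an access allow-list and a watch for exploratory activity from devices that have no business probing the network, can be expressed as a small triage routine. This is an added example, not code from the article; the inventory, roles, fan-out threshold and flow records are all constructed for illustration.

```python
from collections import defaultdict

# Constructed asset inventory: device address -> role assigned by the security team.
INVENTORY = {
    "10.0.1.10": "workstation-engineering",
    "10.0.1.11": "workstation-finance",
    "10.0.2.5": "wireless-printer",
    "10.0.2.6": "iot-thermostat",
    "10.0.3.1": "vuln-scanner",   # the one host expected to sweep the network
}
# Roles that should never explore the network on their own (assumption for this example).
NON_TECHNICAL = {"workstation-finance", "wireless-printer", "iot-thermostat"}
FANOUT_THRESHOLD = 5  # distinct (dst, port) pairs before activity counts as exploratory

# Constructed flow records in the form "src dst port", one per line.
SAMPLE_FLOWS = [
    "10.0.1.10 10.0.5.20 443",
    "10.0.1.11 10.0.5.21 445",
    "10.0.1.11 10.0.5.21 443",
    "10.0.9.9 10.0.5.20 22",          # address not in the inventory at all
    "10.0.3.1 10.0.5.20 22", "10.0.3.1 10.0.5.20 80", "10.0.3.1 10.0.5.20 443",
    "10.0.3.1 10.0.5.21 22", "10.0.3.1 10.0.5.21 80", "10.0.3.1 10.0.5.21 443",
    "10.0.2.5 10.0.5.20 22", "10.0.2.5 10.0.5.20 445", "10.0.2.5 10.0.5.20 3389",
    "10.0.2.5 10.0.5.21 22", "10.0.2.5 10.0.5.21 445", "10.0.2.5 10.0.5.21 3389",
]

def parse_flow(line):
    """Split one 'src dst port' record into (src, dst, port)."""
    src, dst, port = line.split()
    return src, dst, int(port)

def analyse(flows):
    """Return (unknown_sources, exploratory_sources), both sorted lists."""
    fanout = defaultdict(set)
    unknown = set()
    for line in flows:
        src, dst, port = parse_flow(line)
        if src not in INVENTORY:
            unknown.add(src)            # not on the allow-list: should not be on the network
            continue
        fanout[src].add((dst, port))
    # A scanner sweeping many hosts is expected; a printer doing the same is exploratory.
    exploratory = {src for src, targets in fanout.items()
                   if len(targets) >= FANOUT_THRESHOLD and INVENTORY[src] in NON_TECHNICAL}
    return sorted(unknown), sorted(exploratory)

if __name__ == "__main__":
    unknown, exploratory = analyse(SAMPLE_FLOWS)
    print("not in inventory:", unknown)          # ['10.0.9.9']
    print("exploratory from non-technical role:", exploratory)  # ['10.0.2.5']
```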

It is also increasingly important for security teams to pay attention
to encrypted traffic. While encryption is an important way to maintain
the secrecy of data in motion, it is also a tool for cybercriminals to
hide their malicious activity. Security teams need to maintain
packet-level visibility into all traffic flowing across their
networks, even if it is encrypted, so that they can spot bad actors. The
most effective way to do this is to install a dedicated decryption
solution with the packet filtering solution on the network so that
decryption only happens once. The decryption and filtering combination
creates a center of excellence that specializes in sorting data. This
ensures that other critical devices on the network such as firewalls
and IPS tools are not bogged down with extra processing. It is also
important to make sure decryption solutions support the latest
encryption protocols and standards so that they can inspect any network
traffic, malicious or benign, that uses them.

You cannot protect against that which you cannot see. In the ever more
complicated world of modern IT networks, visibility is the
increasingly pressing challenge that security teams need to solve to
stop cyber attacks. The key is to simplify the problem as much as
possible and tackle it from multiple angles. The same way that
weathermen do not rely on a single data point to predict a storm,
security teams need to see their networks via multiple data streams to
make informed decisions that protect their organizations.

