Lessons in Layered Cybersecurity – Part 2

Organizations must have a layered, holistic approach to cyber resiliency

“Too often security leaders take a single ‘check the box’ approach when investing in any single category, without thinking about interconnected failure points. Doing so compromises what we call ‘cyber resiliency.’”

Rodney Turner, Director, Solution Engineering

Niki Rabren, Executive Director Cybersecurity & Professional Services


The Recap

Last week we shared our thoughts on the importance of layering cybersecurity programs holistically across people, process and technology – our biggest takeaway from the December 2020 SolarWinds attack.

This is by no means a new approach, but too often security leaders take a single “check the box” approach when investing in any single category, without thinking about interconnected failure points. Doing so compromises what we call “cyber resiliency.” Although companies are spending more on cybersecurity than ever before, organizations continue to be vulnerable for one simple reason.


What the Criminals Have Figured Out

Our clients continue to be vulnerable because threat actors design their attacks with their own layered set of methods for gaining access to data, including social engineering and widely available open-source tools. COVID-19 has also created vulnerabilities for our clients as they continue to move their presence to the cloud and have been forced to support more mobile and remote workers than ever before.


Addressing Our Technical Vulnerabilities With Layered Solutions

To combat cyber vulnerabilities within an enterprise, technology leaders should consider layering strategies into their cybersecurity roadmaps that include:

  1. Modernizing traditional “infrastructure” and “security” tools;
  2. Implementing tools that detect “unknown”, or zero-day, threats; and
  3. Developing “early warning sign” programs that detect possible threat activity.


Modernizing Traditional “Infrastructure” and “Security” Tools

While VPN tools have grown in popularity as a security solution, millions of users have been compromised through VPN breaches in the last few years. These breaches have occurred on both software and hardware VPNs. Some attacks have been as simple as capturing a username and password or mounting a man-in-the-middle attack. However, VPN breaches have also included more sophisticated scenarios, such as organizations running enterprise-grade Pulse Secure VPNs with a previously unknown vulnerability that allowed attackers to bypass authentication and run malicious code on vulnerable servers.

Likewise, SD-WAN solutions have grown in popularity as enterprises have sought to reduce OPEX connectivity costs. Inherently, SD-WAN has no security built in. To secure SD-WAN traffic, most vendors and customers employ VPN tunnels, which, as described above, have proven to be problematic.

Emerging technologies like Secure Access Service Edge (SASE) allow enterprises to combine the capabilities of SD-WAN, FWaaS (Firewall as a service), CASB, zero-trust network access, and other solutions into a single cloud-delivered service model. We believe SASE solutions will replace VPN as the secure method of choice to connect to cloud resources. Gartner expects more than 40% of enterprises to adopt SASE within the next 3 years.


Implementing Tools That Detect Unknown Threats

But simply modernizing traditional technologies isn’t enough. Organizations also need to take advantage of solutions that analyze threats attempting to penetrate their systems in real time. The tools offering the most benefit for adapting to unknown threats are AI and machine learning tools, which help organizations detect and stop zero-day threats.

Many technology leaders groan when they hear vendors talk about AI, because these tools have been on the market for several years yet have delivered mixed results. When evaluating AI tools, however, note whether the tools you are considering offer both dynamic and static analysis methods.

Dynamic analysis tools watch what a program does when it is executed; static analysis tools examine what a file looks like without running it. Dynamic analysis, as expected, is the more thorough and time-consuming method. As a result, it increases overhead and lowers compute efficiency, but it is the method most effective at detecting unknown and zero-day threats. Static analysis, on the other hand, is very efficient but often lacks deeper visibility into a suspected threat. Using both methods, where appropriate, is important.

Endpoint protection tools like Carbon Black, SentinelOne, and Sophos Intercept X take advantage of both methods, dynamic and static. Many other security tools beyond endpoint protection also incorporate dynamic and static AI as part of their architecture; it is important to understand the “how and why” for each toolset.

Another breed of technology that detects unknown threats is machine learning, a subset of AI. Machine learning tools have long been present in technology environments, but, as with AI, not all tools are created equal.

Supervised machine learning makes decisions based on previously classified (labeled) information. This means the developers of these tools have to know in advance what threat to look for, which is at odds with the goal of detecting unknown threats.

Unsupervised machine learning does not require previously labeled or classified information, which allows threat learning and response to scale. Tools like Darktrace use unsupervised machine learning to let enterprises both detect anomalous behavior and respond to it automatically. Some tools only notify customers of anomalous behavior, putting the onus back on the customer to decide which threats are real, what to do about them, and how. In many cases, by the time that happens, the damage is already done and attackers are already wreaking havoc in your environment.
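The supervised-versus-unsupervised distinction above, as an added illustration that is not code from the original post or from any vendor named in it. It builds a supervised rule from a few labeled examples of one known threat (a login spike) and an unsupervised robust z-score baseline from unlabeled host activity, then shows that only the baseline flags a behavior nobody labeled (a data-volume spike). All data is constructed; the feature tuples and the 3.5 cutoff are assumptions for the demonstration.

```python
"""Supervised vs unsupervised detection on constructed host-activity features."""
import statistics

# Constructed daily per-host features: (logins, bytes_out_MB, distinct_destinations).
BASELINE = [
    (12, 40, 5), (10, 35, 4), (14, 50, 6), (11, 38, 5), (13, 45, 5),
    (9, 30, 4), (12, 42, 6), (10, 36, 5), (15, 55, 7), (11, 40, 5),
]

# Constructed labeled examples: the only threat the labeler knew about was a
# login spike (credential stuffing), so that is all a supervised rule can learn.
LABELED = [((120, 40, 5), "malicious"), ((12, 40, 5), "benign"), ((200, 45, 6), "malicious")]


def supervised_rule(labeled):
    """Learn a login-count threshold midway between benign and malicious labels."""
    malicious = [feat[0] for feat, label in labeled if label == "malicious"]
    benign = [feat[0] for feat, label in labeled if label == "benign"]
    threshold = (min(malicious) + max(benign)) / 2
    return lambda obs: obs[0] > threshold


def unsupervised_detector(baseline, z_limit=3.5):
    """Per-feature robust z-score (median / MAD) learned from unlabeled history.

    Any feature drifting far from its own baseline flags the observation, so
    behaviors that were never labeled can still be surfaced.
    """
    dims = len(baseline[0])
    median = [statistics.median(row[i] for row in baseline) for i in range(dims)]
    # MAD per feature; guard against a constant feature producing a zero divisor.
    mad = [statistics.median(abs(row[i] - median[i]) for row in baseline) or 1.0
           for i in range(dims)]

    def is_anomalous(obs):
        scores = [0.6745 * (obs[i] - median[i]) / mad[i] for i in range(dims)]
        return max(abs(s) for s in scores) > z_limit

    return is_anomalous


if __name__ == "__main__":
    sup, unsup = supervised_rule(LABELED), unsupervised_detector(BASELINE)
    exfil_day = (11, 900, 5)      # normal logins, huge outbound volume: never labeled
    for name, obs in [("normal", (12, 44, 5)), ("exfil", exfil_day), ("stuffing", (150, 40, 5))]:
        print(f"{name:9s} supervised={sup(obs)!s:5s} unsupervised={unsup(obs)}")
```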


Developing “Early Warning Signs” That Detect Possible Threat Activity

The field of threat hunting and cyber threat intelligence is growing and can help analyze trends on the dark web and apply them to an organization’s business and technical risk profile. While there are software tools that aim to report on cyber threats, those tools are often reporting only known threats.

There are services, however, including those offered by Tier4 Secure, that zero in on threat actor information before an attack is launched. This includes chatter about attacks they plan to execute, their own tracking of malware planted in targeted organizations, and stolen data, such as user passwords and customer information, that threat actors use to design and orchestrate an attack. This information, combined with analysis of an organization’s threat profile, can serve as an early warning system for future attacks, allowing cyber teams and business leaders to take appropriate action to mitigate their risk.


Staying Resilient in the Fight Against Cyber Crime

Those who work in cybersecurity often feel like the Dutch boy who puts his finger in the dike to plug a leak, only to see another leak spring up. We are constantly plugging more and more holes using methods the threat actors have already figured out how to circumvent.

It is up to all of us working in cybersecurity to continually analyze cyber breach activity, understand threat actor behavior, and creatively apply available technology in our fight against cyber crime. Tier4 Group can work alongside customers to help them reach these attainable goals.