White Paper |
A Case for Managed Detection & Response
Most firms believe security breaches happen because of one key malfunction that leaves a system vulnerable, but looking at current trends, it’s rarely a single element that causes an issue; it’s a confluence of many weaknesses in an environment, often small and seemingly unimportant. With the average cost of a breach now sitting at $4 million, the saying “the devil is in the details,” is more important than ever. Especially when you realize how little it takes – in over 80% of breaches, it takes hackers only minutes to get into your environment, and in nearly 70% of hacks, it takes attackers only days to exfiltrate your data. The nature of the attacks is changing as well, becoming more sophisticated with improved bad actor tactics, techniques, and procedures – to the point where breaches have become difficult to detect and challenging to investigate and remediate.
CYBERSECURITY THREATS IN A NUTSHELL
To understand how you can better protect against, and prepare for, cybersecurity threats, it’s important to first understand the current threat landscape.
Advanced Persistent Threats & Data Exfiltration
An Advanced Persistent Threat (APT) is where attackers relentlessly scope out a business or government entity over a period of time looking for an opening to infiltrate the system. Attackers are willing to wait a long period of time for an opportunity, making this one of the most dangerous threat types. Adversaries leveraging APTs do not need to breach external perimeter security controls to reach their goal. The attacker will stay “invisible” for as long as possible, and will often use techniques such as command and control along with other malicious code to exfiltrate data. This illegal extraction aggregates the targeted data (i.e. trade secrets, intellectual property, etc.) to an external collection point.
Flaws exist from the moment they are coded into the software we use every day. A zero-day attack occurs once that flaw or vulnerability becomes known to attackers and before the developer creates a patch or fix for the vulnerability. This window is often months, if not years, of time when the cyber-criminal has the opportunity to compromise your systems and data without being detected. The uses of zero-day attacks run the gamut of nasty outcomes, including the infiltration of malware and spyware or gaining access to the data you need most. When the flaw is only known to the criminal, it’s extremely difficult to detect or prevent its exploitation. We also know the traditional cyber-criminal isn’t the only player in this game. The recent release of the “Vault 7” data from the CIA via WikiLeaks indicates that they too were hoarding undisclosed vulnerabilities for many software and hardware devices we use today.
A couple of things to remember:
- The best defense against zero-day attacks is a strong security program that uses a combination of positive and negative security models. A negative security model involves blacklisting the “known bad” using virus signatures, anti-spam signatures, and so on. A positive model uses a whitelisting approach of the “known good.”
- Close monitoring of critical systems can alert you to malicious activity so it can be suppressed as soon as possible.
Ransomware is the fifth most common type of malware and occurs when a system, including anything from a single computer to a whole network, is encrypted by an outside party. The attacker then attempts to extort a ransom before giving access to the key used to recover the data. CryptoLocker, and most recently WannaCry, made this phenomenon a household name. In our practice, we have witnessed over 200 variations of the theme, itself. From Alpha to Zyklon, this form of nasty-ware makes the case for prevention and stringent backup strategies. In the past year alone, Hitachi Payment Services, Arby’s, Yahoo!, Apple, Verifone, and Dun & Bradstreet have had their own troubles. But what can be done to prevent this from happening to your organization? Assuming your environment will be compromised, how do you quickly detect and respond to the attack?
A few things to keep in mind:
- Prevention is key. Once your data is encrypted by an attacker, it is most likely unrecoverable.
- Phishing emails have been the primary delivery mechanism, so educating users is crucial to prevention.
- We don’t recommend paying the ransom, which might sound counterintuitive, but at the end of the day there’s no guarantee the criminal will deliver the decryption key, in which case you’ve lost money and your data.
A CASE FOR MANAGED DETECTION & RESPONSE
The best managed detection & response (MDR) solution is a 24x7x365 service, leveraging engaged and experienced security professionals to monitor all security devices, such as firewalls, VPN devices, authentication servers, as well as servers, such as Active Directory servers, anti-virus servers, and application servers. Looking at all of these devices, the service monitors how your data is accessed, as well as who accesses it. The solutions should also include continuous vulnerability scans, identifying areas that pose a risk to compliance or to external threats. Lastly, when a problem does arise, MDR needs to provide quick identification and resolution.
More specifically, a service like this typically has the following functional components:
- Security Analysts who constantly monitor your event data and the overall security landscape.
- A Security Incident and Event Management (SIEM) component that collects and correlates security event data so that it can be acted upon.
- A vulnerability scanner that continuously scans an environment for known vulnerabilities.
- An intrusion detection system that identifies malicious network traffic.
Marriage Between Tools & People
A vulnerability scanner that continuously scans an environment for known vulnerabilities. Again, the underlying system will include a SIEM platform used for log collection, correlation, alerting, and analysis. It looks at actions on a system that are relevant to security such as password changes, VPN connections, web logins, port scans, and denied firewall connections. Event data is then analyzed in real-time to generate alerts, create actionable cases, and provide notifications to engineers. It’s important to note that a SIEM should collect information from most security devices and applications, firewalls, network equipment, Active Directory, Linux servers, and in general, anything that produces syslog output.
The intrusion detection component analyzes network traffic and identifies malicious activity, while another tool must be responsible for vulnerability scans, ensuring the environment is consistently up-to-date with the latest standards in cybersecurity. Cases are typically submitted to a proprietary case management system, via email, a phone, or by a security appliance. These cases are then assigned to an engineer, based on the required area of expertise, who will follow a case through to resolution, leveraging historical cases and client data.
While the technology behind MDR is important, it is the people who make the difference when it comes to a superior MDR solution. Once the data from your environment is collected by the service provider and stored in their infrastructure, the security engineers are the individuals who will analyze all of that information.
Network engineers are trained and experienced on specific network devices, systems, applications, and operating systems. They respond to and troubleshoot incidents of all types, and when necessary, escalate security issues to a Security Operations Center (SoC). MDR engineers are certified and experienced in information security and are equipped to respond to security incidents and troubleshoot security-related problems. In cases where there is the absence of competent and experienced security professionals, alerts are still flagged by the control systems, but a proper and speedy response might not be taken afterward. This reinforces the need to make sure both aspects, people and tools, are state-of-the-art.
So, what does the data flow of an MDR system look like, specifically? Your internal systems create local log data. Depending on its type, your system will either forward this log data to the data collector, or the collector will contact your system to “pull” the log data. The collector will then send the log data over an encrypted SSL tunnel to another system where a proprietary set of alerting rules are executed. Then, the data is stored by the service provider, often in a secure cloud environment. In tandem, the security appliance is “sniffing” strategic network segments so that malicious network traffic can be detected and blocked. Events of this nature are forwarded from the Intrusion Prevention module to the collector, and on to the supervisor. Periodically, the security appliance will scan the environment looking for known security vulnerabilities and policy compliance failures. This data is retrieved by the collector, and like all other data, is analyzed by the system, reviewed by SoC personnel, and acted upon.
What to Look For
Not all MDR solutions are created equal. As such, there are a few important aspects to keep in mind when considering a service:
- Be sure your solution includes a dedicated engineer, who will personally get to know the ins and outs of your environment. The better they know your environment, and the more dedicated they are
to understanding you as a company, the easier and faster it will be for them to catch and resolve any
security issues when they arise.
- In the case of security incidents that require human intervention, make sure your security partner will provide advice and guidance throughout the remediation process.
- The solution must include best-of-breed security tools. Enterprise-class tools provide the foundation
for the attack signatures, alert algorithms, and vulnerability detection policies that are used as an important part of the service.
- Make sure your managed security service provider is secure. This goes without saying, if your security provider isn’t secure, neither is the work they do for you. It’s important to look into what steps and certifications they take in order to protect themselves against cybersecurity threats.
- Be sure consulting services are available as well, for example, to help build incident response policies and procedures, if you don’t already have them.
- Make sure your service level agreement (SLA) includes a target resolution time of four hours or less
for critical situations.
The cybersecurity landscape will continue to explode with new threats, and unfortunately, there is no fail-proof solution to 100% protect you. The best posture to adopt is one that detects and reacts appropriately through a combination of vulnerability identification, prevention techniques, and quick identification and resolution when something does occur. And since most firms don’t have the bandwidth or experience to maintain a healthy security posture, oftentimes they find themselves far from the ideal situation, exposing their firms to risk as well as creating complex compliance issues.
An MDR solution helps bridge the gap. It enables organizations to take a strategic, risk-based approach to protect against the attacks we are seeing day in and day out. An ideal MDR solution includes a consistent and continuous focus on the security basics, including understanding the data being protected, maintaining an effective vulnerability program, continually updating key systems, maintaining secure configurations, and closely monitoring for suspicious activity. No matter what type of cybersecurity threat you’re concerned about, detection and appropriate reaction are key.