Threat Detection and Response as a Service: A Comprehensive Primer for Cybersecurity Architects
In cybersecurity, vigilance is key.
In the ever-evolving landscape of cybersecurity, the role of a Cybersecurity Architect is becoming increasingly critical. With the rise in cyber threats from various threat actors and the growing complexity of systems, proactive and robust threat detection and response (TDR) services are more important than ever. Advanced persistent threats (APTs) represent a significant challenge, requiring continuous monitoring and interaction to meet specific objectives, rather than immediate financial gain. This blog post will delve into the world of TDR, exploring its concepts, importance, and various types of services to help you navigate this complex landscape.
Let’s uncover the integral components of threat detection as a service and its impact on safeguarding our digital world.
What is Threat Detection and Response (TDR)?
TDR is a comprehensive approach to cybersecurity that involves three primary components:
- Threat Detection (T.D.),
- Threat Intelligence (T.I.), and
- Incident Response (I.R.).
It can be conceptualized as:
TDR = (TD + TI + IR) × (Technological Solutions + Trained Teams + Awareness and Teamwork)
Each component plays a vital role in fortifying an organization’s security posture.
Breaking Down the Components of TDR
- Threat Detection (T.D.): Identifying potential security threats and vulnerabilities in an organization’s network, systems, and data. Enhanced with proactive threat hunting, advanced threat detection plays a crucial role in identifying sophisticated threats, such as advanced malware and persistent threats, by continuously monitoring for suspicious activities and anomalies.
- Threat Intelligence (T.I.): Gathering and analyzing information about existing or emerging threats. This intelligence is crucial for understanding potential attackers’ tactics, techniques, and procedures.
- Incident Response (I.R.): The set of procedures and tools used to respond to detected security incidents. This includes the ability to quickly contain, mitigate, and recover from a threat.
- Technological Solutions: The hardware and software tools that detect and respond to threats. Examples include firewalls, endpoint protection, intrusion detection systems, and advanced cybersecurity software.
- Trained Teams: Skilled cybersecurity professionals responsible for implementing proactive threat detection measures, analyzing threat intelligence, and executing incident response protocols.
- Awareness and Teamwork: Continuous learning and training for cybersecurity teams to stay updated with the latest threats and response techniques.
Overall, TDR is a holistic approach to cybersecurity that combines threat detection, intelligence gathering, and incident response, powered by cutting-edge technology, highly skilled teams, and continuous education.
As Max Shier, CISO at Optiv, puts it, “The social engineers who craft phishing, smishing, and vishing attacks are banking on the fact people are busy and likely going to overlook red flags.”
As we explore the nuances of TDR, it’s helpful to keep in mind its various types and how they contribute to a robust cybersecurity framework.
Threat Detection Fundamentals
In the realm of cybersecurity, threat detection is the cornerstone of a robust defense strategy. It involves the real-time identification of potential security threats, enabling organizations to respond swiftly and effectively to prevent or mitigate security incidents. Understanding the fundamentals of threat detection is crucial for any cybersecurity architect aiming to safeguard their digital assets.
Different Types of Advanced Threat Detection
Threat detection in cybersecurity can be categorized into four primary types:
- Configuration Detection: This involves identifying misconfigurations in systems and networks that attackers could exploit.
- Modeling Detection: This type uses statistical models to identify activities that deviate from the norm, which might indicate a security threat.
- Indicator Detection: This type relies on known indicators of compromise (IoCs) to identify threats. IoCs can include specific malware signatures, IP addresses known to be malicious, and unusual file hashes.
- Threat Behavior Detection: This approach focuses on identifying patterns of behavior typically associated with malicious activities rather than relying only on known indicators. It is effective at identifying new or evolving threats that do not match any known IoC or IoA.
Each type supports different cybersecurity requirements and approaches, enabling security teams to defend their environments more effectively. Cyber threats keep evolving, and attackers increasingly use AI themselves, so it is crucial to look beyond conventional threat detection methods. Organizations must be prepared to detect both known and unknown threats, using advanced technologies like AI and machine learning. So, let’s delve into the critical role of proactive threat hunting in cybersecurity and how it redefines the traditional paradigms of threat detection.
The Critical Role of Proactive Threat Hunting in Threat Detection
We’ve all heard the saying, “Environment maketh the man.” The same is true for threat detection and response: the security events in our environment shape our approach.
According to IBM, the Mean Time to Identify (MTTI) an attack decreased slightly to 204 days in 2023, down from 207 days in previous years. That is a small improvement in organizations’ ability to detect breaches, which we can attribute to advances in threat detection technology.
However, the problem persists. As attacks get more sophisticated with A.I., the Mean Time to Contain (MTTC) an attack once it has been identified increased to 73 days in 2023, up from 70 days. So, while organizations are getting slightly faster at detecting threats, it is taking them longer to contain those threats.
Leveraging Machine Learning in Threat Hunting
In the realm of managing detection and response, controlling the environment is paramount. This includes configurations and integrations with partners. Most threat detection routines are trained with machine learning, using environmental detections and sets of models that measure deviations over time. But is this enough?
Next, we have the behaviors of threats - indicators of attack (IOAs) that help generate meaningful detection. This is where a proactive approach comes into play: controlling before the exploit happens, both in terms of environment and behavior. Not just relying on automated threat detection but actively hunting for threats. A dedicated security team plays a crucial role here, employing advanced techniques like threat hunting and setting traps with honeypots to detect malicious activities and bolster their response efforts. Why wait for the bad guys to strike when we can identify them during their reconnaissance phase of an attack?
But how exactly does proactive threat hunting transform the effectiveness of threat detection strategies? Let’s look at the mechanics of this advanced approach and understand its impact on cybersecurity ROI.
The Mechanics of Proactive Threat Hunting
Proactive Threat Hunting hinges on two critical concepts: Indicators of Compromise (IOCs) and Indicators of Attacks (IOAs). In essence, it’s all about gathering and analyzing information to detect any malicious activity before it actually gets triggered by the attackers. Protecting sensitive data through proactive threat hunting is crucial to ensure that attackers are unable to access sensitive information during their intrusion attempts. Here are three typical IOCs:
- Hashes: These are unique identifiers for specific pieces of malware.
- Domains: A domain associated with known malicious activity can be an IOC.
- IPs: Just like domains, certain IP addresses are known to be linked to malicious activities.
And here are three typical IOAs that are more behavior-based:
- Unusual account behavior: This could include multiple failed login attempts or sudden changes in user behavior.
- Network anomalies: Large data transfers at odd hours might indicate a data breach.
- Changes in system configurations: Unauthorized changes could indicate that an attacker has gained access.
Today’s Proactive Threat Hunting leverages AI-powered intelligence, machine learning, deep learning, big data, vulnerability scans, and EDR reporting. The aim is to separate critical and false alerts and identify potential threats before they fully manifest, significantly reducing the Mean Time to Contain (MTTC) a breach.
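As an added example (not code from the original post or from CyVent), the following Python script applies the four detection types described earlier, configuration, modeling, indicator and behavior detection, to a small constructed data set, using exactly the IoC kinds (hash, domain, IP) and IoA behaviors (repeated failed logins, a large off-hours transfer, an unauthorized configuration change) listed above. Every event, baseline, threshold, the sshd_config excerpt and the IoC values are constructed for illustration; the hash is a placeholder and the IP is from a documentation range.

```python
"""Added example (not from the original post): the four detection types,
configuration, modeling, indicator and behavior, run over constructed data.
All events, IoC values, baselines and thresholds below are made up."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed IoC feed. The hash is a placeholder, the IP is from a documentation range.
IOCS = {
    "hash": {"deadbeef" * 4},
    "domain": {"update-check.example-bad.test"},
    "ip": {"203.0.113.77"},
}

# Constructed event log; each event carries only the fields its rules need.
EVENTS = (
    [{"ts": f"2024-05-01T09:02:{10 + i:02d}", "type": "auth", "user": "alice",
      "result": "fail", "src": "198.51.100.9"} for i in range(5)]
    + [
        {"ts": "2024-05-01T03:15:00", "type": "netflow", "host": "db01", "dst": "203.0.113.77", "bytes_out": 9_500_000_000},
        {"ts": "2024-05-01T10:00:00", "type": "netflow", "host": "ws07", "dst": "192.0.2.10", "bytes_out": 105_000_000},
        {"ts": "2024-05-01T10:04:00", "type": "file", "host": "ws07", "hash": "deadbeef" * 4, "dns": "update-check.example-bad.test"},
        {"ts": "2024-05-01T11:30:00", "type": "config", "host": "fw01", "user": "svc-backup", "change": "allow any -> any tcp/3389"},
    ]
)

# Constructed sshd_config excerpt; the checklist below flags two of its directives.
SAMPLE_SSHD_CONFIG = """# constructed excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
"""
INSECURE_SETTINGS = {"PermitRootLogin": "yes", "PasswordAuthentication": "yes", "X11Forwarding": "yes"}

FAILED_LOGIN_THRESHOLD = 5              # constructed thresholds
LARGE_TRANSFER_BYTES = 1_000_000_000    # 1 GB
BUSINESS_HOURS = range(8, 19)           # 08:00-18:59
CONFIG_CHANGE_APPROVERS = {"netadmin"}
BASELINE_BYTES_OUT = [1.0e8, 1.2e8, 0.9e8, 1.1e8, 1.0e8]  # constructed daily bytes_out history

def configuration_detection(config_text):
    """Configuration detection: flag directives that match a checklist of exploitable settings."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if INSECURE_SETTINGS.get(key) == value.strip().lower():
            findings.append(f"config:{key} {value.strip()}")
    return findings

def modeling_detection(baseline, value, z_limit=3.0):
    """Modeling detection: True if value lies more than z_limit standard deviations from the baseline mean."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return value != mu
    return abs(value - mu) / sigma > z_limit

def indicator_detection(event, iocs=IOCS):
    """Indicator detection: exact match of an event's hash, DNS name or destination IP against known IoCs."""
    hits = []
    for kind, field in (("hash", "hash"), ("domain", "dns"), ("ip", "dst")):
        if event.get(field) in iocs[kind]:
            hits.append(f"ioc:{kind}={event[field]}")
    return hits

def behavior_detection(events):
    """Behavior (IoA) detection: rules about what an actor does rather than what it is."""
    findings, failed = [], defaultdict(int)
    for e in events:
        if e["type"] == "auth" and e["result"] == "fail":
            failed[e["user"]] += 1
        elif e["type"] == "netflow":
            hour = datetime.fromisoformat(e["ts"]).hour
            if e["bytes_out"] >= LARGE_TRANSFER_BYTES and hour not in BUSINESS_HOURS:
                findings.append(f"ioa:off-hours transfer {e['host']} -> {e['dst']} ({e['bytes_out']} bytes)")
        elif e["type"] == "config" and e["user"] not in CONFIG_CHANGE_APPROVERS:
            findings.append(f"ioa:unauthorized config change on {e['host']} by {e['user']}")
    findings += [f"ioa:{n} failed logins for {u}" for u, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD]
    return findings

def run_all(events=EVENTS):
    """Run every detection type and group the findings by type."""
    return {
        "configuration": configuration_detection(SAMPLE_SSHD_CONFIG),
        "modeling": [f"model:{e['host']} bytes_out outlier" for e in events
                     if e["type"] == "netflow" and modeling_detection(BASELINE_BYTES_OUT, e["bytes_out"])],
        "indicator": [h for e in events for h in indicator_detection(e)],
        "behavior": behavior_detection(events),
    }

if __name__ == "__main__":
    for kind, findings in run_all().items():
        print(kind, findings)
```

Note how the 9.5 GB transfer from db01 is caught twice, by the behavior rule (large and off-hours) and by the model (far outside the host's baseline), while the normal 105 MB transfer from ws07 triggers neither; that overlap is what lets behavior detection pick up a novel threat when no IoC exists yet.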
In the arms race of cybersecurity, tools and technologies are the weapons that define success.
Threat Intelligence
In the intricate dance of cybersecurity, threat intelligence plays a pivotal role. It provides the actionable insights needed to identify and respond to potential security threats effectively. By gathering, analyzing, and disseminating information about threat actors and their methodologies, organizations can stay one step ahead in the cybersecurity game.
Tools and Technologies Used in Threat Detection, Threat Intelligence, Investigation, and Response
Let’s face it: the bad guys also have access to advanced AI LLM models. Our only option is to fight fire with fire, using ML and AI-integrated security tools that give us the upper hand.
AI vs AI.
Here are some of the top tools and technologies:
- IAM: Identity and Access Management, coupled with workload identifiers, helps ensure that only authorized individuals can access specific resources.
- SIEM: Security Information and Event Management gathers information, logs, flow data, and other sources for intelligence.
- UBA: User Behavior Analysis helps identify potential threats based on abnormal user behavior.
- SOAR: Security Orchestration, Automation, and Response automates threat detection and response processes.
- NGFW: Unlike traditional firewalls, Next-Generation Firewalls offer advanced features like intrusion prevention and application-level inspection.
- NDR/Network Traffic Analysis: This provides visibility into network behavior, allowing for detecting anomalies that may indicate a persistent threat.
- CASBs: Cloud Access Security Brokers help monitor and secure cloud-based applications.
- EDR: Endpoint Detection and Response focuses on detecting, preventing, and responding to threats on endpoints.
- XDR: Extended Detection and Response provides a holistic view of threat detection and response across various security layers.
All these threat detection tools, amped up with AI, can form a solid first line of defense against cyber threats. And let’s not forget about Vulnerability Management, Security Analytics, and other Endpoint Protection Platforms. The key is to have a comprehensive approach covering all cybersecurity aspects.
Armed with these tools and technologies, defenders can effectively detect, investigate, and respond to cyber threats, keeping your organization’s digital assets safe and secure.
Let’s now examine how leading TDR solutions available as a service, can offer enhanced capabilities to Cybersecurity Architects in their ongoing battle against cyber threats.
Effective Threat Detection and Response Solutions as a Service
You can check out some of our partnered solutions below, but if you have a unique situation and want to talk to an expert beforehand, you can book a free consultation call here.
How TDR as a Service Can Help
- Detailed Reporting: Stay informed with comprehensive reports on your security posture.
- Improved SOC Performance: Enhance the effectiveness of your SOC (security operations center).
- Requirement Analysis: Select a partner who understands your business needs and tailors a solution accordingly.
- Customization: Get a solution that fits your organization like a glove.
- Regular Updates: Stay abreast of the latest developments in your service.
- Leapfrog Security: With your service provider's expertise, jump ahead in your cybersecurity journey.
- Robust Protection: Secure your digital assets with world-class solutions.
For more details, check out our blog post on managed detection and response solutions for enterprises here.
The synergy between SOC and Threat Hunting teams is vital for an effective TDR strategy. But how can these teams collaborate more effectively to achieve the ultimate goal of preemptive cybersecurity? Let's delve into this crucial aspect of cybersecurity team dynamics and uncover the strategies for seamless collaboration.
AI and Threat Detection
Artificial intelligence (AI) is revolutionizing the field of threat detection and response, offering unprecedented capabilities to identify and counteract cyber threats. By harnessing the power of AI, organizations can enhance their security measures and respond to threats with greater speed and accuracy.
The Role of Security Services in TDR: To Plan, Protect, and Pre-empt
In-house security teams are often the first line of defense. However, maintaining ROI becomes a challenge with the skill gap in the market and compliance requirements. Working with a trusted service provider can help you in multiple ways.
- Establishing a Robust Framework: Look at your company’s cybersecurity standards and essential tasks, and define the skills, team requirements, and headcount. Make sure you integrate best practices from your industry and tech partners.
- Adhering to Standards and Defining Tasks: Align with security standards (e.g., ISO 27000, NIST) and define key tasks.
- Threat Intelligence Gathering with Different Solutions: Consider what technologies you’re using, possible attack channels, embedded systems, IoT, APIs, and integration partners.
- Proactive Threat Response and Continuous Monitoring: With the main framework in place, services can continuously monitor network and system activities to detect signs of malicious activity or breaches, emphasizing the importance of a proactive approach in addressing potential threats.
Bridging the Gap: SOC and Threat Hunting Teams Collaboration
Two teams often stand out – the SOC and the Threat Hunting teams. While they might operate independently, their success in protecting a corporation hinges on their ability to work together seamlessly. But how can we align the goals of both teams for a unified approach to threat detection and response?
Communication Protocols and Information Sharing
For SOCs and threat-hunting teams, real-time information sharing is crucial. Whether through integrated platforms, regular meetings, or automated alerts, ensuring that both teams are on the same page is vital.
Leveraging SOC Data for Proactive Threat Hunting
SOCs gather a wealth of data that can be invaluable for proactive threat hunting. From EDR reports to network logs, this data can provide insights into potential threats before they materialize. The key here is not just to collect data but to analyze and use it effectively.
Coordinated Response Strategies
Once a threat is detected, the response must be swift and decisive. By developing coordinated response strategies, SOCs and threat-hunting teams can mitigate damage and prevent further breaches. This requires clear protocols, defined roles, and effective communication.
Tool and Resource Optimization
Both teams have a plethora of tools at their disposal. The potential of these tools is realized when they are comprehensively understood and skillfully optimized, thereby amplifying the teams' prowess in threat detection and response.
Continuous Improvement through Feedback Loops
Cybersecurity is not a one-and-done deal. It requires continuous improvement, and feedback loops play a crucial role in this. Regular discussions, reviews, and adjustments can help refine processes and strategies for better threat detection and response.
The rising importance of Threat Detection and Response as a service cannot be understated. With a customized plan from us, you can keep your company safe from threats, increase cybersecurity ROI, and adhere to all standards.
Future of Threat Detection and Response
The future of threat detection and response is poised to be shaped by rapid advancements in technology and evolving cybersecurity strategies. As cyber threats continue to grow in complexity, organizations must adapt and innovate to stay protected.
Conclusion
We've explored the intricate world of Threat Detection and Response and its critical role in cybersecurity architectures. We've delved into the different types of threat detection, emphasizing the importance of proactive threat hunting and the sophisticated tools and technologies that make TDR more effective.
Understanding the nuances of TDR – from configuration detection to threat behavior detection and the mechanics of proactive threat hunting – is essential in today's cybersecurity landscape.
Get The Right Cybersecurity Solution For Your Business
As you move forward enhancing your cybersecurity posture, connect with CyVent to explore our range of solutions and services.
We have a team of experts who can help you understand your requirements and find you the best solution.
Our experts will eliminate any confusion and guide you to the right cybersecurity solution for your unique system.
Click here to book a call and speak with one of our experts.
Calculating ROI for Your Cybersecurity Project: How to Choose the Right Security Tools
CISOs, IT Managers, and Board members face a balancing act as they look to build out strong security programs, and calculating ROI is a large part of that challenge. Which tools are truly worth the investment when weighed against the costs of a damaging cyber attack? The potential repercussions of a data breach are alarming: by some estimates, cybercrime damages will reach $10 trillion by 2025, up from $4 trillion in 2021.
A thorough cybersecurity strategy is a critical way to address business risk and promote business health and longevity. The risks at stake, in addition to regulatory scrutiny and compliance concerns such as GDPR, are motivating Boards to take a closer look at security policies, and they're turning to CISOs and IT Managers for insight. The challenge for security leaders is selecting the best tools from a sea of offerings and then working with the Board and senior executives to deploy them within the organization.
By calculating cybersecurity ROI, CISOs and IT Managers can quantify the value of a new security project to Board members, demonstrate the financial impact of the security budget and how it aligns with the business's overall strategic goals, and foster more rapid decision-making.
Calculating ROI for Cybersecurity
At a basic level, one way of calculating a company's cybersecurity ROI involves taking the average cost of an incident and multiplying that number by how many incidents a business might experience in a given time frame. With an approximation of potential expenses, companies can then assess whether the price of the solution and the reduction in incidents it will bring is worth the investment.
Of course, many more factors come into play, which is why calculating cybersecurity ROI is notoriously challenging. The equation also has to represent issues at stake beyond dollars and cents, including potential loss of intellectual property, loss of reputation, and business disruption. There are numerous formulas for calculating cybersecurity ROI, and much research has been done on the subject. How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen is a good example and a highly recommended resource for an in-depth exploration of this topic.
The bottom line is that breaches are expensive. Calculating cybersecurity ROI starts a conversation about whether investing money upfront to prevent a major disruption outweighs the probability of a significant breach and its ensuing costs.
Identifying Cybersecurity Metrics
False-Positive Alerts
Let's reframe the perception of false-positive alerts. Rather than dismissing them as mere nuisances, consider this: what if these false positives are draining your resources like slow, incremental financial leaks? According to the Ponemon Institute, false positives cost enterprises an average of over $1.3 million in lost revenue annually. If you are not tracking this metric, you are essentially ignoring a significant six-to-seven-figure problem.
Critical Alerts
Critical alerts for security breaches or potential vulnerabilities are often easy to prioritize but hard to cost-justify, frequently falling into the "priceless" category. However, are they truly priceless? According to IBM, identifying and containing a data breach takes an average of 277 days. What cost opportunities are being missed during this timeframe?
Cost Efficiencies: Moving from False to Critical Alerts
Conducting a cost-benefit analysis around alerts is a basic first step. Have you considered how much it costs to resolve false-positive alerts, both in labor hours and in opportunity cost? Conversely, how cost-effective are your incident response measures for critical alerts? Understanding this data is a fundamental aspect of any meaningful ROI conversation.
Where to Find an ROI Calculator for Cybersecurity
Evaluating metrics to calculate cybersecurity ROI is important, but so is finding a calculator that doesn't generate generic numbers or require a degree in divination to interpret in any actionable way. There are calculators specifically designed for the C-suite, considering the uniqueness of your industry, security posture, and amount of critical/false-positive alerts.
Look for the CyVent Cybersecurity ROI Calculator developed by CyVent's leadership team that incorporates False-Positive and Critical Alerts. A properly calibrated ROI calculator can offer you data points that are quantitative and highly qualitative in value, providing actionable insights for enterprise board-level strategy discussions.
The Benefits of Calculating Cybersecurity ROI
Implementing a cybersecurity protocol and calculating its ROI has been proven to have substantial benefits.
According to a recent study conducted by IBM, it is projected that the average cost of cyberattacks will soar to an astonishing $4.88 million in 2024, reflecting a significant 10% increase over the previous year.
Moreover, an alarming 51% of organizations are actively planning to fortify their security investments in response to breaches. These investments will encompass a range of measures, including comprehensive incident response (IR) planning and testing, robust employee training, and the implementation of advanced threat detection and response tools.
These figures underscore the importance of investing in cybersecurity measures. Combining ROI calculations with risk assessment and management helps businesses understand the comprehensive value these security measures bring in preventing colossal damages.
Understanding the Value of Cyber Tools
Organizations often find themselves inundated with many cyber tools and solutions. With vendors constantly pitching new offerings to address emerging threats, it becomes crucial for CISOs and IT Managers to evaluate and justify the value of these investments. Calculating cybersecurity ROI provides a systematic approach to determining the worth of a particular tool or solution in the context of an organization's unique security environment.
Evaluating and Prioritizing Security Solutions for Risk Management
With numerous options available, CISOs and IT Managers face the challenge of deciding which security solutions to invest in. By calculating ROI, executives can objectively compare different options and select the appropriate security controls. A comprehensive ROI analysis considers factors such as the total cost of implementation, anticipated risk reduction, and the impact on operational efficiency. This evaluation process enables CISOs, IT Managers, and security teams to prioritize security solutions based on their expected return on investment.
Achieving Peace of Mind and Problem Resolution
One of the key goals of calculating cybersecurity ROI is to provide CISOs and other security leaders with peace of mind and problem resolution. By understanding the potential value of a security solution, CISOs can make informed decisions about which problems it will solve and the level of peace of mind it will provide. Effective cybersecurity investments mitigate the risk of cyber threats or data breaches and contribute to operational stability, data protection, and regulatory compliance.
Communicating Cyber Risk to the Board
For CISOs and security leaders, effective communication with the Board is crucial. Security executives hold increasing responsibility for cybersecurity decisions, considering the regulatory, reputational, and business risks involved. Calculating the ROI of cybersecurity spending enables executives to articulate the reality of cyber risk and provide the Board with the information it needs to make informed decisions. By presenting ROI figures, CISOs and security leaders can highlight the financial risk and strategic implications of various cybersecurity investments, strengthening their ability to advocate for effective security measures with an appropriate in-house security team and budget.
Aligning Cybersecurity with Overall Business Strategy
To gain board support and secure adequate resources, CISOs must align cybersecurity with the overall business strategy. Calculating ROI allows security leaders to demonstrate how the cybersecurity budget contributes to the organization's increased efficiency in protecting data, preventing cyberattacks, and complying with the latest regulations. By quantifying the potential return on investment, CISOs can showcase the value that effective cybersecurity measures bring regarding brand reputation, customer trust, and operational resilience. This alignment enhances the Board's understanding of cybersecurity as integral to the organization's strategic objectives.
Embracing Security Tools with Proven ROI
The Importance of a Layered Security Approach
Understanding the Attack Surface
You are likely familiar with the concept of a layered security approach. However, it's crucial to consider that not all layers are equally effective. It's not just about having multiple layers; it's about having intelligent layers that actively learn from each other. Each layer must adapt and communicate in real-time to ensure effectiveness with the ever-expanding attack surface.
Recent Advancements in Cybersecurity Technology
As technology evolves, so do the threats. Enter AI-powered threat detection, behavioral analytics, and predictive modeling. These technologies are not mere buzzwords. They have demonstrated remarkable ROI by significantly reducing both breach instances and dwell time, the duration that threat actors have unauthorized access to your system.
The Power of Cybersecurity Artificial Intelligence
AI for Incident Reduction
Have you ever considered that AI could be your cybersecurity cost-saver? Predictive analytics and machine learning can significantly improve risk management and decrease the number of security incidents. Remember, every incident you prevent translates to saved dollars and, potentially, a protected reputation.
AI vs. AI: Staying Ahead of Attackers
This is not a scenario from science fiction; it is the reality of cybersecurity today. We are moving towards a world where it's AI against AI. If threat actors leverage AI to create more intelligent attacks, your AI-driven solutions must be even smarter, faster, and continuously adaptable.
The Efficiency of Automation
Streamlining Incident Management
Automation is not about replacing human expertise; it's about enhancing it. Incident management becomes effortless when mundane tasks are automated, allowing your IT teams to focus on complex issues that require human intuition.
Boosting Productivity in IT Teams
Imagine what your skilled IT teams can achieve when freed from routine tasks. Automation brings impressive ROI through cost avoidance, significantly reducing the time spent on incident responses and enabling your team to concentrate on strategy and innovation.
Reach out to our team
The cybersecurity landscape is genuinely complex. At CyVent, our mission is to support CISOs and security teams as they select and sort through the different offerings on the market. Calculating cybersecurity ROI helps prepare for the current environment where the fight is already AI vs. AI, and companies that do not have the appropriate AI talent and tools may be at a disadvantage.
We're just an email or a phone call away, eager to hear your thoughts and arm you with the tools to preempt more and remediate less.
Contact our team today for personalized cybersecurity advisory services.
Ever been tempted to download the beta version of your favorite app, ready to test out all the cool new features before everyone else?
STOP!!
The FBI has some news that might make you think twice.
Cybercriminals have come up with a brand new trick to lure us into their lair. They’re hiding malicious code in fake beta versions of popular apps, turning unsuspecting people’s mobiles into their personal piggy banks.
Now, don't get us wrong, we love innovation as much as the next team of tech enthusiasts. But whilst beta versions have a certain allure, they haven't gone through the rigorous security checks that apps in the official app stores must pass.
Criminals send fake emails pretending to be the developers of popular apps, offering early access to new beta versions.
But of course, they’re fake, too. Once installed, they can do all sorts of bad things, including accessing data from your finance apps and even taking over your mobile.
If your staff downloads them onto company devices, could your business be compromised?
There’s a moral to our story. And it's a simple one: Patience is a virtue.
Hold off on downloading beta versions of apps. Wait until they're stable and officially released in app stores. Good things come to those who wait, and that includes secure apps.
If you have downloaded beta versions in the past, keep an eye out for red flags like faster battery drain, poor performance, persistent pop-up ads, and apps asking for unnecessary permissions.
In this digital age, we must be as smart and savvy as the technology we use. So, before you hit download, take a moment to think: is this app worth the risk?
Train your staff to think the same way. And if you do give them business mobiles, consider a Mobile Device Management solution to control what they can do with them.
If you're concerned about the security of your mobile devices and need expert guidance, Book a strategy call with CyVent today.
We'll help you safeguard your business information and provide tailored cybersecurity solutions for your unique needs.
You’ve checked your pockets, your bag, under pillows … and then it hits you. You left your work phone on the table at the coffee shop.
You panic.
It's not the device itself that’s got you worried, but all the sensitive business information stored on it. If that mobile ends up in the wrong hands, you’re facing a nightmare.
But that worry could be over. Microsoft and Samsung are joining forces to make your work mobiles safer. This month, they’re launching a groundbreaking solution to help protect anyone who uses a Samsung Galaxy device in the workplace.
How?
With something called on-device attestation. It lets companies see if mobile devices have been compromised, even at their deepest components. Think of it as a security guard for your cell phone.
Samsung brings its software and hardware innovations to the table, whilst Microsoft provides its endpoint management expertise.
And whilst other device attestation tools require a network connection and access to cloud services, this solution works reliably regardless of network connectivity or device ownership model.
This solution will be released alongside Microsoft Intune (previously known as Windows Intune), a unified endpoint management service for both corporate devices and BYOD (Bring Your Own Device). And it will be available to select Samsung Galaxy smartphones and tablets, especially those "Secured by Knox".
So, whether you're working from the office, a busy coffee shop, or a remote cabin in the woods, your company can check that the device is still in a trusted state and cut off its access to business data if it is not.
In business, your mobile is more than just a communication device. It's a vault of sensitive (and valuable) information. And with Microsoft and Samsung on the case, that vault just got a lot safer.
If you're concerned about the security of your mobile devices and need expert guidance, Book a strategy call with CyVent today.
We'll help you safeguard your business information and provide tailored cybersecurity solutions for your unique needs.
You're no stranger to the endless threats lurking in your email inbox. But have you ever considered that an email that seems to be from Microsoft could end up being your worst nightmare?
Microsoft, the tech giant we all know and trust, has become the most imitated brand when it comes to phishing attacks. That's where cybercriminals send you an email that contains a malicious link or file. They're trying to steal your data.
And while Microsoft isn't to blame for this, you and your employees need to be on high alert for anything that seems suspicious.
During the second quarter of 2023, Microsoft soared to the top spot of brands imitated by criminals, accounting for a whopping 29% of brand phishing attempts.
This places it well ahead of Google in second place (at 19.5%) and Apple in third place (at 5.2%). Together, these three tech titans account for more than half of the observed brand imitator attacks.
But what does this mean for your business?
Despite an apparent surge in fake emails targeting millions of Windows and Microsoft 365 customers worldwide, careful observation can help protect you from identity theft and fraud attacks.
While the most imitated brands change from quarter to quarter, the criminals' tactics rarely do.
They use legitimate-looking logos, colors, and fonts. Phishing scams frequently use domains or URLs that are similar to the real thing. But a careful look at the sender address, the link destinations and the content of the message will often expose typos, mismatched domains and other errors – the tell-tale signs of a phishing attack.
One of the latest attacks claims there has been unusual Microsoft account sign-in activity on your account, directing you to a malicious link. These links are designed to steal everything from login credentials to payment details.
And while tech firms continue to be popular scam subjects, many cybercriminals have turned to financial services like online banking, gift cards, and online shopping orders. Wells Fargo and Amazon both rounded up the top five during Q2 2023, accounting for 4.2% and 4% of brand phishing attempts, respectively.
What can you do to protect your business?
The answer is more straightforward than you might think. The best course of action when it comes to phishing is to slow down, observe, and analyze. Check for discrepancies in URLs, domains, and message text. Safeguarding your business against phishing threats is of paramount importance. To fortify your defenses and stay informed, we encourage you to explore our free recorded webinar on cyber insurance. It provides practical strategies to protect your organization from cyber threats and to meet insurance requirements.
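As an added example (not part of the original post), the following Python script applies the URL and domain checks described above to a message body. It extracts every link, derives the registrable domain, and flags the three patterns that dominate brand-impersonation phishing: the brand name used inside an unrelated domain (login.microsoft-secure-verify.com, microsoft.com.evil.net), punycode labels that can hide homoglyphs, and typosquats within two edits of a real domain (rnicrosoft.com). The allowlist, the brand tokens, the distance threshold and the sample email are assumptions for illustration, not a complete list of Microsoft domains.

```python
"""Flag links in a message whose domains impersonate a brand.

Added example (not from the original post). The allowlist, brand tokens,
distance threshold and sample email are illustrative assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Domains the brand really uses (assumption: a trimmed illustrative allowlist,
# not a complete list of Microsoft's domains).
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "office.com"}
BRAND_TOKENS = ("microsoft", "office365", "outlook")
MAX_EDIT_DISTANCE = 2

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample modelled on the "unusual sign-in activity" lure.
SAMPLE_EMAIL = """Unusual sign-in activity was detected on your Microsoft account.
Review the activity now: https://login.microsoft-secure-verify.com/account
You can also manage your account at https://login.microsoftonline.com/
Need help? https://rnicrosoft.com/support
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as rnicrosoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style TLDs; a real
    tool would use the Public Suffix List for names like example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str) -> str:
    host = host.lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode label (possible homoglyph attack)"
    # Brand name used as a subdomain or as part of an unrelated domain,
    # e.g. microsoft.com.evil.net or login.microsoft-secure-verify.com
    for token in BRAND_TOKENS:
        if token in host:
            return f"brand name '{token}' inside non-brand domain {reg}"
    # Typosquat: second-level label within a couple of edits of a real one
    base = reg.split(".")[0]
    for legit in sorted(LEGIT_DOMAINS):
        legit_base = legit.split(".")[0]
        if edit_distance(base, legit_base) <= MAX_EDIT_DISTANCE:
            return f"lookalike of {legit}"
    return "unrelated"


def analyze_message(body: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link found in the message body."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        results.append((url, classify_domain(host)))
    return results


if __name__ == "__main__":
    for url, verdict in analyze_message(SAMPLE_EMAIL):
        print(f"{verdict:<60} {url}")
```

Run it directly to print a verdict per link. Two caveats a practitioner should keep in mind: the registrable-domain logic takes the last two labels, which is wrong for suffixes like co.uk (use the Public Suffix List in a real tool), and this plain-text version never sees the mismatch between visible link text and the actual href that HTML mail can hide.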
Don't wait for the next phishing attempt - take proactive steps to enhance your cybersecurity posture.
Our phones are a goldmine of private information. Just think of all the financial details, personal messages, banking apps, photos and contact information that live behind that little glass screen.
And if your team uses phones for work, those phones often have access straight into company systems – email, contact lists, network access, file systems. So if they're not kept as secure as any other device in your workplace, they can become a gaping hole in your cyber security.
Criminals know this, of course, which is why they target us through our phones just as much as they do through our networks and servers.
But cyber crime isn’t the only concern. Just losing your phone, or having it stolen, can put your data at huge risk.
So, whether you issue company smartphones, or your employees use their own, you should make sure everyone implements some simple security steps to protect your data and avoid disaster.
- Start with making sure your people set up a PIN and a biometric login (like a fingerprint or face scan) to open the device.
- Only install apps from trusted sources to make sure you’re using genuine software.
- And enable Multi-Factor Authentication on all apps that store even a small amount of sensitive data.
- Be careful about where you connect to Wi-Fi. If you work remotely or often connect to public networks, consider using a VPN – a Virtual Private Network – to add another layer of security. You never know who’s monitoring traffic on a public network.
- Finally, ALWAYS make sure your phone is running the latest version of its operating software, and keep all apps up to date.
Smartphones have changed so much about the way we live – at home, and at work – but it’s too easy to take them for granted. And that could be a costly mistake.
If you need help to keep your smartphones safe, just get in touch.
Published with permission from Your Tech Updates.
The Ultimate Pentesting Guide: The #1 Way To Expose Your Cybersecurity Weaknesses
You invest in cybersecurity tools, train your employees, and establish habits that protect your business data from hackers. But is that enough? Will your company survive when it faces a cyberattack? The penetration test has the answer.
A penetration test, or pentest, is an authorized, simulated attack on the company's systems. Its purpose is to find and demonstrate exploitable weaknesses so they can be fixed before a real attacker finds them.
According to the 2020 Penetration Testing Report, only 3% of companies believe that penetration testing is not important to their security posture.
In this article, we'll walk you through everything you need to know when performing pen testing, including:
- Why Having a Pentest Is Important For Your Company
- 5 Excellent Reasons For You To Schedule a Pen Test For Your Company Right Now
- The 4 Most Common Types of Pen testing
- Who Should Run The Penetration Test?
- What Is The Difference Between a Penetration Test And a Vulnerability Scan?
- What Happens After the Pentest?
What is Penetration Testing?
Penetration testing, often referred to as pen testing or ethical hacking, is a proactive approach to cybersecurity. It involves simulating cyber attacks on a computer system, network, or web application to evaluate its security. The primary goal of penetration testing is to uncover security weaknesses and vulnerabilities that could be exploited by malicious actors to gain unauthorized access to sensitive data or disrupt system functionality. By identifying these vulnerabilities, organizations can strengthen their security posture and prevent potential breaches before they occur.
Why Having a Pentest Is Important For Your Company
The National Institute of Standards and Technology (NIST) defines penetration testing as: “A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environmental resources.”
In simple terms, the pentest highlights the company’s cybersecurity weaknesses and uncovers security vulnerabilities that need to be corrected.
According to The State of Pen testing 2022, these are the 5 most frequently discovered vulnerability categories found in 2021:
1. Server Security Misconfigurations: 38%
2. Cross-Site Scripting (XSS): 13%
3. Broken Access Control: 11%
4. Sensitive Data Exposure: 10%
5. Authentication and Sessions: 8%
In this way, pen testing gives both the security team and the IT team a clear picture of the weaknesses in the infrastructure. As a result, they can address vulnerabilities quickly and in order of priority.
Beyond the technical findings, a pentest also tests whether the company detects the intrusion at all, whether the right people are informed that a threat exists, and how well the team responds to the incident.
5 Excellent Reasons For You To Schedule a Pen Test For Your Company Right Now
1. Exposes Your Company's System And Infrastructure Vulnerabilities
Through penetration testing, ethical hackers identify vulnerabilities in the infrastructure and in system configurations. A penetration tester simulates cyber attacks to find these vulnerabilities and assess the security measures in place. This includes not only technical issues but also user habits, which could be creating openings for intruders to enter.
2. Test The Effectiveness Of Your Cybersecurity Features
Often, the company is confident that its cybersecurity investments are enough. However, this is not always true. The penetration test evaluates security barriers and acts as a black hat hacker would.
Plus, it helps you test whether your Incident Response Plan measures up to combat a real threat.
In this blog post, we have gathered 6 important elements to check before finalizing your Incident Response Plan.
3. Helps You Build Really Effective Employee Training
A pentest puts your company's employees in a realistic attack scenario. It assesses how employees respond to social engineering, including phishing and business email compromise attacks.
According to the Cost of a Data Breach Report 2022, the most common initial attack vectors were compromised credentials at 19% of breaches, followed by phishing at 16% of breaches. The average cost of data breach with a phishing initial attack vector is USD 4.91 million. Testing your employees' responses helps directors identify which behaviors should be improved and which processes need to be polished for the result to be positive.
Going through this experience also sensitizes employees, improving engagement in training.
4. Helps Your Company Improve Compliance And Earn Certifications
Cybersecurity is increasingly an important criterion for closing deals. The positive result of a penetration test can be part of your compliance program and of the path to important certifications and standards, such as ISO 27001 and PCI DSS.
5. Offers An Action Plan To Improve Your Cybersecurity
After carrying out a penetration test, the company receives a complete report with all the vulnerabilities found, all the errors that must be corrected, and the elements that can be improved, in the hardware and the software. All this is accompanied by an in-depth and specialized analysis, with recommendations that will effectively improve the company's barriers against cyberattacks.
A consistent pentest considers ALL vulnerabilities. As Window Snyder states, “One single vulnerability is all an attacker needs”.
The Penetration Testing Process
The penetration testing process is methodical and involves several critical phases:
- Reconnaissance: This initial phase involves gathering as much information as possible about the target system. Penetration testers collect data such as IP addresses, domain names, and network topology to understand the target's structure and potential entry points.
- Scanning: In this phase, testers use tools like Nmap and Nessus to identify open ports, services, and known vulnerabilities within the target system. This step maps out the attack surface.
- Gaining Access: Here, testers exploit the identified vulnerabilities to gain access to the target system, within the scope agreed with the client. This phase demonstrates how an attacker could breach the system and what data or functionality they could compromise.
- Maintaining Access: Once access is gained, testers attempt to keep their foothold, gather more information, and escalate their privileges. This phase simulates how attackers persist in a compromised environment.
- Covering Tracks: Finally, testers attempt to hide their activity, which shows how well the organization's logging and monitoring would catch a real intruder. In an authorized test this is done only as far as the rules of engagement allow, and every change made (accounts, tools, configuration) is recorded so it can be reverted at the end of the engagement.
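To make the scanning phase concrete, here is an added example (not from the original article) that turns an Nmap XML report, the output of nmap -sV -oX scan.xml target, into an attack-surface summary a tester can prioritize from. The XML is a constructed sample in Nmap's output format, not a real scan, and the list of internal-only services used to flag exposures is an assumed policy for illustration.

```python
"""Parse an Nmap XML report into an attack-surface summary.

Added example (not from the original article). Assumes the report was
produced with `nmap -sV -oX scan.xml <target>`; the XML below is a
constructed sample in that format, not a real scan.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in Nmap's XML output format (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open"/>
        <service name="mysql" product="MySQL" version="5.7.31"/>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="open"/>
        <service name="https-alt"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Services that should never be reachable from the scan's vantage point.
# Assumed policy list for illustration, not from the article.
INTERNAL_ONLY_SERVICES = {
    "mysql", "ms-sql-s", "postgresql", "redis", "mongodb",
    "microsoft-ds", "ms-wbt-server", "vnc",
}


@dataclass(frozen=True)
class OpenService:
    host: str
    port: int
    proto: str
    name: str
    product: str
    version: str

    @property
    def banner(self) -> str:
        return " ".join(p for p in (self.product, self.version) if p)


def parse_open_services(xml_text: str) -> list[OpenService]:
    """Return every port Nmap reported as open, sorted by host and port.
    Closed and filtered ports are skipped: they are not attack surface."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            found.append(OpenService(
                host=addr,
                port=int(port.get("portid")),
                proto=port.get("protocol", "tcp"),
                name=svc.get("name", "unknown") if svc is not None else "unknown",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
    return sorted(found, key=lambda s: (s.host, s.port))


def flag_exposures(services: list[OpenService]) -> list[tuple[OpenService, str]]:
    """Pair each service that deserves early attention with the reason."""
    flags = []
    for s in services:
        if s.name in INTERNAL_ONLY_SERVICES:
            flags.append((s, "internal-only service reachable from the scan vantage point"))
        elif not s.version:
            flags.append((s, "version not identified; fingerprint manually before choosing an exploit"))
    return flags


if __name__ == "__main__":
    services = parse_open_services(SAMPLE_NMAP_XML)
    for s in services:
        print(f"{s.host}:{s.port}/{s.proto}  {s.name:<12} {s.banner}")
    for s, why in flag_exposures(services):
        print(f"FLAG {s.host}:{s.port} ({s.name}): {why}")
```

The filtered port 445 is dropped from the summary because it is not reachable, while the exposed MySQL instance and the unidentified service on 8443 are flagged first: Nmap's -sV can miss or misidentify banners, so an unversioned service is a reminder to fingerprint by hand before moving to the gaining-access phase.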
The 4 Most Common Types of Pen testing
There are different types of penetration tests that can be performed. Below, we list 4 main ones:
1. External Pen Test
In this type of test, ethical hackers, together with an experienced cybersecurity team, are hired by the company to perform a penetration test focused on internet-facing assets, such as the website and the servers reachable from outside the company.
2. Internal Pen Test
This test starts from inside the company's network. It begins from the position of someone with internal access, such as an employee or a compromised workstation, to simulate an insider threat or an attacker who has already gotten in.
3. Blind Pen Test Or Closed-Box Pen Test
In this test, the tester performing the exercise receives no information about the company other than its name. To carry out the attack, the professional gathers data from open sources. The company's security team, however, knows that the test is taking place.
4. Double-Blind Pen Test
This test is a more advanced version of the blind pen test. In addition to the tester having no information about the organization, almost no one in the company knows that the test is being carried out. This way, the exercise genuinely assesses the internal capability to detect and respond to a threat.
Penetration Testing Tools and Techniques
Penetration testers employ a variety of tools and techniques to simulate cyber attacks effectively. Some of the most commonly used tools include:
- Nmap: A powerful network scanning tool that helps identify open ports and services on a target system.
- Metasploit: A comprehensive penetration testing framework that allows testers to exploit vulnerabilities and gain access to target systems.
- Burp Suite: A versatile web application security testing tool used to identify vulnerabilities such as SQL injection and cross-site scripting (XSS) in web applications.
- Social Engineering Toolkit (SET): A tool designed to simulate social engineering attacks, including phishing and spear phishing, to test human vulnerabilities.
Best Practices for Penetration Testing
To ensure penetration testing is effective and yields valuable insights, organizations should adhere to best practices, including:
- Conducting Regular Penetration Tests: Regular testing helps identify and address vulnerabilities before they can be exploited by attackers.
- Using a Variety of Testing Methods: Combining manual and automated testing methods ensures a comprehensive assessment of all potential vulnerabilities.
- Testing for Social Engineering: Including social engineering penetration testing helps identify weaknesses in human behavior that could be exploited by attackers.
- Providing Training and Awareness: Educating employees about cybersecurity threats and best practices helps prevent social engineering attacks and improves the overall security posture.
Penetration Testing for Cloud and Application Security
Penetration testing is crucial for ensuring the security of cloud-based systems and applications. This specialized form of testing involves simulating cyber attacks to identify vulnerabilities and weaknesses specific to cloud environments and applications. Key techniques include:
- Cloud Security Testing: Assessing cloud-based systems and applications for vulnerabilities that could be exploited by attackers.
- Web Application Security Testing: Evaluating web applications for common vulnerabilities such as SQL injection and cross-site scripting (XSS).
- API Security Testing: Testing APIs for weaknesses in authentication and authorization mechanisms that could be exploited.
- Container Security Testing: Assessing containerized applications, such as those using Docker and Kubernetes, for vulnerabilities that could compromise the container environment.
By following these practices and leveraging specialized tools and techniques, organizations can significantly enhance their cybersecurity defenses and protect their sensitive data from potential breaches.
Who Should Run The Penetration Test?
When the company has an internal cybersecurity team, it is common for the internal penetration tester to carry out periodic tests to identify the effectiveness of security policies. However, the ideal way to carry out this procedure is by an external team, which does not know the internal processes of the company.
The team is usually composed of “ethical hackers”. Experienced professionals, who think like cybercriminals and are able to look for blind spots in company cybersecurity.
Despite its importance, a recent survey revealed that 88% of businesses review security risks on their own, rather than using a vulnerability management solution.
What Is The Difference Between a Penetration Test And a Vulnerability Scan?
Vulnerability scanning is widely used to verify the security level of an institution. It scans your systems and IT infrastructure thoroughly, identifying any known security vulnerabilities and reporting their level of criticality.
Pentest does a similar job. However, through a team of ethical hackers, it is possible to put these vulnerabilities to the test and identify how far a hacker can go within the current context.
The two are complementary and should be used together: the scan keeps an up-to-date inventory of known weaknesses, and the pentest shows which of them an attacker could actually chain into a compromise.
How Often Should Penetration Tests Be Performed?
As seen above, vulnerability scanning is a complementary test to pen testing. It has the advantage that it can be automated, which allows it to be carried out more frequently. Scanning can be done daily or weekly, for example.
The penetration test, on the other hand, needs more preparation time, as it involves hiring a specialized team.
There is no ideal frequency for performing the penetration test. This will depend on the characteristics of the company, its size, and its available budget. The ideal is to get the support of a specialized security consultant, who will assess the business and identify the ideal frequency.
In addition to periodic tests, a new test is recommended whenever there is a significant change in the company: for example an office move, a wave of new hires, a change of software, or relevant software and infrastructure upgrades.
Regulations and certifications related to the company's sector must also be taken into account. Some organizations must follow specific standards for performing security tests.
An interesting aspect of the penetration test is that it doesn't have to be done on a large scale. It is possible to perform focused tests more frequently, in areas that the company deems to be more critical. While broad and comprehensive testing is performed annually, testing focused on priority areas can be done every quarter, for example.
Retesting is also important. After the most critical vulnerabilities have been fixed, a follow-up exercise confirms that the fixes were sufficient and did not introduce new issues. A retest is usually narrower and faster than the original test, and there are tools that help conduct it by tracking the most critical findings from the previous report.
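As an added example (not from the original article), this Python snippet compares the findings of a previous test with those of a retest and reports what was fixed, what is still open, and what is new. The findings and the fingerprint scheme (host, location and CWE class) are constructed assumptions. The point it demonstrates is that findings are matched on where and what they are rather than on their free-text titles, so a renamed finding still counts as the same open issue and a finding at a new location is reported as new rather than silently absorbed.

```python
"""Compare a previous pentest report with a retest.

Added example (not from the original article). The findings below are a
constructed sample; the fingerprint scheme (host + location + weakness
class) and the severity ranking are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    location: str   # URL path, port or parameter where the issue was found
    weakness: str   # CWE-style class, e.g. "CWE-79" for XSS
    severity: str
    title: str

    def fingerprint(self) -> tuple[str, str, str]:
        # Match on where and what, not on the free-text title, so a finding
        # that the retest report words differently is still the same issue.
        return (self.host.lower(), self.location.lower(), self.weakness.upper())


# Constructed sample: findings from the original test and from the retest.
PREVIOUS = [
    Finding("app.example.com", "/search?q=", "CWE-79", "high", "Reflected XSS in search"),
    Finding("app.example.com", "/admin", "CWE-284", "critical", "Admin panel without auth"),
    Finding("db.example.com", "tcp/3306", "CWE-16", "medium", "MySQL exposed to office LAN"),
    Finding("app.example.com", "/api/v1/users", "CWE-639", "high", "IDOR on user records"),
]
RETEST = [
    Finding("app.example.com", "/search?q=", "CWE-79", "high", "Reflected cross-site scripting (search)"),
    Finding("db.example.com", "tcp/3306", "CWE-16", "medium", "MySQL exposed to office LAN"),
    Finding("app.example.com", "/api/v1/export", "CWE-284", "high", "Export endpoint missing authorization"),
]


def _most_severe_first(f: Finding) -> tuple[int, str, str]:
    return (-SEVERITY_RANK.get(f.severity, 0), f.host, f.location)


def compare_findings(previous: list[Finding], retest: list[Finding]) -> dict[str, list[Finding]]:
    """Bucket findings into fixed / still_open / new, each sorted by severity."""
    prev = {f.fingerprint(): f for f in previous}
    new = {f.fingerprint(): f for f in retest}
    fixed = [prev[k] for k in prev.keys() - new.keys()]
    still_open = [new[k] for k in prev.keys() & new.keys()]   # retest wording wins
    introduced = [new[k] for k in new.keys() - prev.keys()]
    return {
        "fixed": sorted(fixed, key=_most_severe_first),
        "still_open": sorted(still_open, key=_most_severe_first),
        "new": sorted(introduced, key=_most_severe_first),
    }


def retest_is_clean(report: dict[str, list[Finding]], min_severity: str = "high") -> bool:
    """True when nothing at or above min_severity is still open or newly found."""
    floor = SEVERITY_RANK[min_severity]
    return all(SEVERITY_RANK.get(f.severity, 0) < floor
               for f in report["still_open"] + report["new"])


if __name__ == "__main__":
    report = compare_findings(PREVIOUS, RETEST)
    for bucket, findings in report.items():
        print(f"== {bucket} ({len(findings)})")
        for f in findings:
            print(f"  [{f.severity:<8}] {f.host} {f.location} {f.weakness}: {f.title}")
    print("clean at high+:", retest_is_clean(report))
```

In the sample the admin panel and the IDOR were fixed, the XSS is still open under a different title, and a new authorization gap appeared on a different endpoint, so the retest is not clean at high severity even though the original critical finding is gone.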
What Happens After the Pentest?
What happens after the penetration test is more important than the test itself. The professionals involved in the test prepare a report with all the findings and also an action plan that includes the next priority steps. The company needs to take the findings and recommendations seriously.
The security and development team need to work together to fix the vulnerabilities.
The State of Pen testing 2022 reveals that the median number of days teams needed to fix vulnerabilities is 14, but there are situations where they take 31 days or longer. However, the study also reveals that teams are struggling to fix and prevent the same vulnerabilities for at least the past 5 years in a row.
The most critical changes should be prioritized, but low-risk vulnerabilities should not be overlooked.
Employee training should also be updated according to perceived vulnerabilities in relation to the human risk factor.
Conclusion
Performing penetration tests within the company offers fundamental self-knowledge for the organization. With reporting data, security and development professionals can identify the highest-priority vulnerabilities.
In this article, we have highlighted the importance of pen testing, the 4 main types of penetration tests, who should perform the exercise, the difference between pen testing and vulnerability scan and also what should be done after the penetration test.
Need help testing your cybersecurity?
Do you need help running a penetration test in your company? CyVent and 24by7 offer Penetration Testing Services.
Our experts are on hand to help you with:
- In-depth penetration testing, including black box, gray box, and white box tests
- Verification of overall security posture, including assessments of your network, wireless network, and cloud environment
- Assessment of employee response to social engineering, including phishing and business email compromise attacks
- Identification of potential vulnerabilities to ensure compliance and reduce operational and reputational risks
If you want more information, book a call on https://www.cyvent.com/assess-company-cyber-threats/
6 Steps To Creating An Outstanding Cybersecurity Incident Response Plan [Free Templates]
An Incident Response Plan is the #1 defense strategy for keeping a cybersecurity incident from turning into a major crisis. After all, as Jamie Ward famously says, “Cyberattack is not a matter of ‘if’, but ‘when’”.
In this article, we'll walk you through the critical elements for the security team when creating a new plan or updating existing plans. Including:
- Why having a Cybersecurity Incident Response Plan is important
- 4 Examples of the best Cybersecurity Incident Response Plans
- The 6 Key 'Must Haves' in every Incident Response Plan
- The post-incident response plan
Why Having A Cybersecurity Incident Response Plan Is Important
The National Institute of Standards and Technology (NIST) defines Cybersecurity Incident Response Plan (CIRP) as: “The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization’s information system(s).”
The value of a CIRP cannot be overstated. Research shows that companies prepared to deal with the effects of a cyberattack efficiently suffer considerably lower average losses.
According to the Cost of a Data Breach Report 2022, organizations with incident response (IR) capabilities paid an average of $3.26 million per breach in 2022, compared to $5.92 million at organizations with no IR capabilities, a difference the report puts at 58%.
So why do businesses with incident response plans have lower breach costs? Having a complete and up-to-date CIRP implies constantly passing on information to employees and offering training. This helps to create an organizational culture that favors the recognition and prevention of cyber threats.
Another aspect is that by directing efforts to prevent attacks, it is possible to have more clarity on the cybersecurity gaps that are being left. That means you can correct them before they are found by criminals. All this allows an incident to be corrected much more quickly and efficiently.
However, not all companies have a plan. According to a survey by shred-it, 63% of C-level executives and 67% of small businesses in the U.S. do not have an incident response plan.
Another problem is that many plans are not complete or consistent. For example, many security leads focus only on the most critical incidents. Yet any weakness or risk to an endpoint must be defended vigorously, to prevent a loophole that allows criminals to access valuable information.
A consistent cybersecurity plan considers ALL vulnerabilities. As Window Snyder states, “One single vulnerability is all an attacker needs”.
4 Examples of The Best Incident Response Plans
Here are four of the best examples we’ve pulled together that you can use as a blueprint to guide your planning for possible attacks.
Michigan Government Incident Response Plan
Computer Security Incident Handling Guide - NIST
Incident Response and Management: NASA Information Security Incident Management
Cyber Incident Response Plan - Government of Victoria, Australia
The 6 Key 'Must Haves' In Every Incident Response Plan
When it comes to creating a robust cybersecurity incident response plan, there are six key aspects that need to be included:
1. Prioritize Incident Levels
Prioritizing the incident level of an attack is critical to quickly identify the risk of the attack. This involves understanding which systems are critical to the functioning of your business and understanding the different types of user risk interactions. As seen in the Human Factor Report 2022 diagram below.
2. Complete Visibility of All Your Company's Systems And Resources
Clarity is a key aspect of the incident response plan. Knowing all the assets and resources that the company has is important when defending them. In addition, having complete visibility into the company's up-to-date data is critical to knowing where to act and in what way. Therefore, access to detailed and real-time data on the functioning of the company's systems is essential. With this, an attack can be identified more quickly.
3. Define Incident Response Plan Responsibilities
Establish those responsible for each stage of the plan, providing their level of authority and the list of responsibilities. This step is important because it allows people to act faster.
Create a full-time team to handle incident response or train staff to be on call. Professionals must have sufficient authority and responsibility to make the necessary decisions quickly.
Quick response to incidents is crucial on holidays and weekends, because company protection is often reduced then. We know that ransomware is detonated every day of the week, as seen in the data below from RiskRecon.
4. Security Partners
Asking for help is no shame. On the contrary. Having reliable suppliers can prevent huge damage to the company. Therefore, it is important that these partners are mapped and that the team responsible for cybersecurity has easy access to the list. These contacts may include government security officials, privacy regulatory authorities, audit committees, press offices, etc.
5. Easy Access to CIRP
Another key point is to ensure that all employees and people relevant to the company have access to the CIRP. There's no point in putting together an incredible and complete plan if no one knows it exists. It is also important to consider a backup so that the document is accessible even if the internal servers are compromised.
6. Constant Training
Employees must be trained and have clarity on the steps that must be followed in the event of a threat, as well as their responsibility in attack situations. Training is best delivered little and often, just as software and systems must be updated periodically to stay ahead of the latest threats.
The Importance of Simulated Attacks
One of the best ways to equip employees with the skills to respond to attacks is with simulated attacks. They are designed to test everything that was established in the plan and delivered in training.
One of the most effective training programs is the red team exercise, which simulates the conditions of a real attack to identify vulnerabilities in your company's systems and people. This type of exercise is critical to testing an incident response plan before a real attacker does it for you.
Why You Need A Post-incident Response Plan
A post-incident response plan helps the company to be more protected from the next attack.
This involves documenting everything to build a history and feed a repository that will help the company be better prepared for future attacks, including the actions that were taken, the procedures that were followed, and the measures that effectively eradicated the incident.
There are several CIRP frameworks. The National Institute of Standards and Technology (NIST) is one of the most recognized and includes four steps:
- Preparation
- Detection & Analysis
- Containment, Eradication & Recovery
- Post-Incident Activity
A key feature of the NIST approach is that it is cyclical rather than linear: the plan must always be revisited and updated as new information, new threats, and new team skills emerge.
Likewise, after an attack the plan must be updated. Taking this a stage further, exchanging breach experiences with other companies can help your organization be better prepared.
Here are some questions that can help when it comes to updating the plan after an attack:
- What attack was carried out and at what exact moment did it take place?
- What was the cybercriminal's entry point?
- Who perceived the threat and at what time?
- What was the first act after the incident was detected?
- How was the team informed about the problem? What was the team's reaction?
- What steps were taken to combat the problem? Who led this process?
- What were the positives and negatives of the responsible team approach? What is the lesson in preparing for the next incident?
- How can we prepare ourselves not to leave gaps and not suffer from this type of vulnerability in the future?
- Can any tool or system help us detect this type of vulnerability and respond more quickly to this type of attack in the future?
- What aspects, learned from this incident, can we include in staff training so that staff is better prepared?
Conclusion
Research shows that having a Cybersecurity Incident Response Plan (CIRP) significantly reduces the cost of a cyberattack on a company. However, many companies don’t have a robust plan in place or fail to update them consistently. To be effective, a CIRP must be constantly revisited and updated.
In this article, we have highlighted the importance of having an incident response plan, best practice examples of incident response plans, the 6 key 'must haves' in every Incident Response Plan, and why you need a post-incident response plan.
Need help creating your CIRP?
Need help creating a cybersecurity incident response plan? CyVent has access to the leading IR solutions. We rigorously curate our approved partners and monitor all stages of implementation. We also carry out training and tests that will raise the level of your company's response and make it more prepared to face threats.
CyVent experts are on hand to help you create the plan, train your employees, and choose the right tools to protect your business.
If you want more information, book a call on https://www.cyvent.com/assess-company-cyber-threats/
How To Build An Effective Endpoint Security Policy And Prevent Cyberattacks
Endpoint protection is one of the central elements of any cybersecurity strategy. Many experts consider endpoints to be one of the weakest security links within an enterprise, giving hackers easy access to an organization's data. In fact, 51% of IT professionals consider their organizations ineffective at surfacing threats because their endpoint security solutions are not effective at detecting advanced attacks. So we’ve pulled together everything you need to know to build an effective endpoint security policy.
In this article, you will discover:
- Why do Endpoints matter?
- The Top 3 Endpoint challenges
- The 6 critical elements you need for an effective Endpoint strategy
Why do Endpoints Matter?
An endpoint is any physical device that connects a user to a network. Examples of endpoints include computers, tablets, smartphones, smartwatches, servers, printers, and scanners, among others.
Many companies overlook the breadth of endpoints. It is common to see companies install endpoint protection systems on their corporate computers, but they may omit the many other devices, including IoT.
With the increase in remote work, the number of endpoints has grown and made it more difficult for managers to track them. According to the report Take A Proactive Approach To Endpoint Security, 76% of IT security decision-makers indicated their firm’s use of endpoint devices increased since the beginning of the COVID-19 pandemic. The same report indicates that 66% of respondents believe securing modern business environments requires a proactive approach to endpoint resilience.
To make matters worse, other data indicate that many companies do not provide devices to their employees, making it even more difficult to control the endpoints. According to SailPoint, in 2020 1 in 3 U.S. employees (33%) stated that they use their own computer and smartphone to enable remote work, while only 17% use a computer and smartphone owned by their employer.
An endpoint policy will establish security parameters that all devices connected to the company's network must follow. In addition, it offers managers a centralized console where they can access the corporate network to monitor, investigate and act on incidents.
3 Critical Endpoint Security Challenges:
1. New Devices, New Threats
With the evolution of technology, new gadgets are frequently invented and popularized. The problem is that manufacturers are often not concerned with the security of these devices. Their protection is frequently weak, and they become an easy target for hackers.
2. Endpoint Repairs Policy
Repairs are also an area that deserves the company's attention. When sent out for repair, gadgets can be accessed by malicious agents or become vulnerable to hacker attacks. A policy for managing items in need of repair is therefore also important.
3. Limited Access
The company needs to have a strict policy regarding endpoints that have access to business data. Only gadgets that have been verified and configured with the security policies of the business can have access to the system. Otherwise, the endpoint security policy is at risk.
Endpoint Security Needs To Be Aligned With the Company's Global Cybersecurity Strategy
Endpoint security must be combined with other cybersecurity strategies, such as network security. It's important to remember that endpoint security is not the same thing as antivirus.
Antivirus is one component of an endpoint security strategy, which is made up of many other elements. The mission of antivirus is to protect the endpoint itself, be it a computer or a smartphone, whereas the mission of endpoint security is to protect the entire interconnected network. To combat threats, you need to invest in a holistic approach to security.
The 6 Critical Elements You Need For An Effective Endpoint Strategy
1. Keep Operating Systems Up To Date
Keeping device systems up to date is a simple task, but it makes a difference for a security policy. Updates fix system weaknesses and flaws that can lead to major vulnerabilities. This is true even for non-traditional endpoints, such as smart devices and sensors.
2. Use The Principle of Least Privilege
Restricting server access is also a good way to protect the network that connects the endpoints. Employees should have access to basic servers, accessing servers with more sensitive information only when necessary.
3. Using a Virtual Private Network (VPN)
In addition to controlling access, managers can limit access to important information through a private network or VPN, ensuring information privacy.
4. Attention To All Existing Threats
No matter the type of threat: malware, phishing, social engineering… The endpoint security policy must protect against all potential threats that could interfere with the internal network. Therefore, the security policy must provide for constant updating, so that it always accounts for new threats.
5. Controlled Tests
Sending controlled tests allows you to identify the extent to which your company is susceptible to attacks. In addition, fictitious attacks give clues to where the biggest vulnerabilities are and which aspects of cybersecurity the company should strengthen.
6. Qualified And Constant Training of Employees
Keeping employees trained and on the lookout is critical to ensuring a functional end-to-end cybersecurity strategy. Attacks by criminals are increasingly sophisticated. Users need to know the importance of following Endpoint Security and not connecting personal devices to corporate networks.
Conclusion
Endpoints remain a weak point for most companies, especially with the increase in remote work. This makes it even more difficult for IT professionals to control the behavior of their employees.
This article has highlighted the key challenges related to endpoints, including the emergence of new devices, the device repair policy, and user access control. To effectively combat all risks, the endpoint security policy must be aligned with the company's other cybersecurity strategies to cover all potential risks.
Although endpoint control is essential for an effective cybersecurity policy, more than half of organizations lack in-house expertise and resources around endpoint protection. If this is the case for your business, CyVent experts are on hand to assist in the diagnosis, strategy, and implementation of an endpoint security policy for your business.
If you want more information, book a call on https://www.cyvent.com/assess-company-cyber-threats/
In recent days, the world has been on alert because of a new zero-day threat that allows Remote Code Execution (RCE).
Vulnerability CVE-2021-44228 in the Apache Log4j library has been assigned a CVSS severity score of 10 out of 10. It enables unauthenticated remote code execution and leaves vulnerable numerous Java applications around the planet that use this library to log error messages.
Apache Log4j is part of the Apache Logging Project, a very popular library among Java developers for its ease of error logging. That's why many companies use it, including Red Hat, Apple iCloud, Amazon, Tesla and Twitter.
The easiest way to avoid the vulnerability is to upgrade Log4j to the patched version. The Apache Log4j Security Vulnerabilities page provides an analysis of different scenarios and possible workarounds.
From that, we make some additional recommendations:
1. Knowing your risk appetite and acting on this information in a timely manner is critical to ensure that your cyber protection resources are commensurate with your level of exposure and risk appetite.
Would you like some help with that? CyVent is currently offering a free report that provides a summary of your organization's security risk rating using RiskRecon’s cyber risk assessment technology.
It’s a quick and hassle-free report that’s part of one of the top third-party risk management platforms to manage your supply chain connections. No need to fill out questionnaires, invest staff time, or provide access. Request yours: https://resources.cyvent.com/en/free-risk-report
2. Make sure your systems are monitored 24/7. Even small businesses are constantly under attack. If you don’t have a dedicated in-house cyber security team, our team of experts and partners is quick and talented. CyVent offers a comprehensive managed security service that covers endpoints, network, emails and training that is truly SaaS, without long term commitments or pre-payments. As soon as a new threat or vulnerability is identified, the service can take action to keep your company safe.
See more: https://resources.cyvent.com/corvid-cyber-defense
3. Have an audit methodology for your systems. In a case like this, it is necessary to perform a complete scan of practically every system in a company. Having a methodology for documenting and correcting the findings is very helpful. This involves having a systems review order, including markings for cases where Log4j was found, and also a log of all attempted attacks.
4. It is a fact that there are very few tools to pre-empt zero-day vulnerabilities. What can really make a difference is rigorous process, thorough preparation, a well-trained employee population, an up-to-date security stack and a dedicated team committed to the safety of the company.
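Recommendation 3 above calls for a complete scan with markings for every place Log4j was found. The following inventory script is an added example written for this post; it is not CyVent's tooling and not code from the Apache project. It walks a directory tree, opens every JAR/WAR/EAR (including archives nested inside WARs), and records each copy of log4j-core it finds, reading the version from the Maven `pom.properties` that ships inside log4j-core and noting whether the `JndiLookup.class` file is still present (removing that class was one of the workarounds Apache documented). Each finding is classified as patched, mitigated, vulnerable or needing review. The minimum safe version is deliberately a placeholder you must take from the Apache advisory, and all sample archives and their version strings are constructed fixtures, not real releases.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Real paths inside a log4j-core JAR: the Maven metadata that carries the
# version, and the JNDI lookup class whose removal is a documented workaround.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


@dataclass
class Finding:
    location: str       # outer path; nested archives appended as "outer!inner"
    version: str        # from pom.properties, or "unknown" (shaded/repackaged)
    jndi_present: bool  # JndiLookup.class is still inside the archive


def version_key(version):
    """Turn '2.14.1' or '2.14.1-rc1' into a comparable tuple of three ints."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def _inspect(zf, label, findings):
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_LOOKUP in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append(Finding(label, version, JNDI_LOOKUP in names))
    for name in names:  # recurse into nested archives, e.g. WEB-INF/lib/*.jar
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _inspect(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                pass  # not actually a zip archive


def scan_tree(root):
    """Walk `root` and return a Finding for every log4j-core copy located."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        _inspect(zf, path, findings)
                except zipfile.BadZipFile:
                    pass
    return findings


def classify(finding, min_safe_version):
    """Audit status: patched / mitigated (class removed) / vulnerable / review."""
    if finding.version == "unknown":
        return "review"  # no metadata: a human must confirm what was bundled
    if version_key(finding.version) >= version_key(min_safe_version):
        return "patched"
    return "mitigated" if not finding.jndi_present else "vulnerable"


def _jar_bytes(version=None, with_jndi=True, extra=None):
    """Constructed in-memory JAR for the demo; not a real Log4j release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo():
    """Build a constructed fixture tree, scan it and return {status: count}."""
    min_safe = "2.50.0"  # PLACEHOLDER: use the fixed version from Apache's advisory
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        fixtures = {  # sample version strings are constructed, not real releases
            "log4j-core-old.jar": _jar_bytes("2.1.0"),    # vulnerable
            "log4j-core-new.jar": _jar_bytes("2.60.0"),   # patched
            "shaded-app.jar": _jar_bytes(None),           # review (no metadata)
            "plain.jar": _jar_bytes(None, with_jndi=False, extra={"A.class": b""}),
        }
        for name, data in fixtures.items():
            with open(os.path.join(lib, name), "wb") as f:
                f.write(data)
        war = _jar_bytes(None, with_jndi=False, extra={  # mitigated: class removed
            "WEB-INF/lib/log4j-core.jar": _jar_bytes("2.1.0", with_jndi=False)})
        with open(os.path.join(root, "app", "site.war"), "wb") as f:
            f.write(war)
        counts = {}
        for finding in scan_tree(root):
            status = classify(finding, min_safe)
            counts[status] = counts.get(status, 0) + 1
            print(f"{status:10s} {finding.version:8s} {finding.location}")
    return counts


if __name__ == "__main__":
    run_demo()
```

Point `scan_tree` at an application root or a mounted image and feed the findings into the audit log; a "review" result means the library was shaded or repackaged without Maven metadata and needs manual confirmation, and a "mitigated" result still belongs on the upgrade list since the class-removal workaround is a stopgap, not a fix.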
We are glad to know that all of our partners have done an exemplary job in handling this crisis with thorough follow-up and constant updates to help our customers get around the problem.
“Who is that in the trenches by your side?
– And does it matter?
– More than the war itself.”
Ernest Hemingway
________
How to Select a Managed Security Services Provider for Your Business?
Understanding that data is the new oil, security measures are not just a good idea, but a must have to keep organizations and sensitive information safe. Managed Security Services Providers (MSSP) offer remote monitoring and management of IT security functions delivered via shared services from remote security operations centers.
Is your organization considering hiring and working with an MSSP?
Hiring an MSSP can bring great benefits to your organization, since it offers trained staff to deal with day-to-day security issues. You may want to hire an MSSP for numerous reasons, such as:
- restricted IT budgets
- not having an IT Security team
- avoiding the herculean job of staying on top of new and extremely sophisticated cyber threats.
How to evaluate and choose an MSSP?
Cyber security is hard work, and choosing an MSSP is a delicate balance. Below you can find 5 points that will help you and make this important decision easier.
1. Are they qualified?
This is a crucial point. You must evaluate the qualifications of the MSSP and their technical team. Make sure that the MSSP has plenty of experience in your field and holds the relevant certifications.
2. What should they offer?
Hiring an MSSP who offers a multi-layer security system is paramount. Make sure they offer the following protections:
- Identify vulnerabilities consistently by routinely scanning the footprint in order to identify potential security gaps and fix them;
- Network security with next-gen firewalls, threat prevention and detection (IPS/IDS);
- Endpoint protection with the most advanced AI Driven capabilities;
- Security Operations Center (SOC) working around the clock - 24/7/365;
- Block malicious and phishing emails;
- Training users regularly to identify phishing and raising the awareness of Cybersecurity in your organization.
3. How do they handle your data?
It is important to understand where your sensitive data is stored. How do they handle it? Make sure the MSSP takes data protection seriously and understands the data regulations involved. The ideal MSSP will safely store your data and make sure it cannot be commingled with the data of other companies to whom they provide services.
4. Can they provide a leading-edge cybersecurity service?
Security threats are becoming more complex and sophisticated, and MSSPs should upgrade their footprint to provide leading-edge protection. At CyVent, we are pleased to offer Haven, from Corvid Cyberdefense.
5. What are their references?
As a matter of fact, the Corvid Cyberdefense team is a military-grade cyber security company with the best professionals in its field, and it serves the U.S. Department of Defense (DoD).
See more and schedule some time to speak with one of our experts: https://www.cyvent.com/products
The rapid increase in digital third-party relationships contributes to escalated cyber risk. With service outsourcing, companies need to grant access to the system to partners or organization’s supply-chain, which puts confidential business information, financial transactions and sensitive employee and customer data at risk.
The problem is not new; Target is just one of countless examples. In 2013, Target’s security breach originated from e-mails sent to Fazio Mechanical, one of the companies affiliated with Target, and led to the leak of 70 million customer records and 40 million records of bank information. Year after year, companies are exposed to more risks from their business relationships, weakened by the poor security standards of other companies.
According to the Ninth Annual Cost of Cybercrime Study (Accenture, 2019), 61% of organizations have experienced an IoT security incident and 67% observed an increase in security breaches in the last five years. Another shocking fact is that over half of all companies have experienced a third-party breach, yet only 16% are able to mitigate those risks (Ponemon Institute. Data Risk in the Third-Party Ecosystem. 2018).
This type of threat is not always malicious. Most of the time, it is caused by negligent behavior. According to a recent report conducted by the Ponemon Institute, negligent behavior is the most costly to companies annually, even though its cost per incident is lower. On the other hand, criminal behavior is less frequent, although it costs approximately 3x more per incident.
The problem involves the entire company, since relations with third parties are present in services that involve logistics, sales, customer support, marketing, among many others. In addition, each company has a partner management model. Thus, the solution needs to be adaptable to different realities.
How to manage your business relationships securely?
To avoid security problems arising from commercial relationships with third parties, the company needs to adopt strict security standards, covering both the choice of its partners and their cyber security management. Compliance and security standards must also be extended to third-party companies.
The Ponemon Institute's “Data Risk in the Third-Party Ecosystem” analyzed companies that were successful in avoiding third-party data breaches and named best practices to reduce the incidence of such breaches:
* Evaluation of the security and privacy practices of all third parties
* An inventory of all third parties with whom you share information
* Frequent review of third-party management policies and programs
* Third party notification when data is shared with Nth parties
* Oversight by the board of directors
To meet these protocols effectively, we need the support of technology. There are currently several tools on the market that offer third-party risk analysis and protection. The challenge, however, is to find the most complete tool that is best adapted to the needs of your company.
At CyVent, we are confident in recommending RiskRecon, a Mastercard company. It’s the only solution that automatically provides risk prioritization and continuous monitoring.
Why choose RiskRecon?
We are thrilled to be RiskRecon partners. RiskRecon automatically collects security information from vendors, partners and your own enterprise to help you understand how well each organization manages their digital footprint.
It provides risk-prioritized ratings based on issue severity and the system value at risk. The platform data is independently certified to be 99.1% accurate. The accuracy is achieved by a combination of patent-pending machine learning automation and analyst quality control.
The system evaluates over 40 security criteria across 9 domains. The impact of all vulnerabilities is analyzed to produce a cyber risk score.
There’s a direct correlation between RiskRecon scores and actual data breaches. Based on a sample of 46,000 Companies, entities with a score of “C” experience a 3x higher frequency of breaches than those with a score of “A”.
All assessment details are visible to you and your vendors, and RiskRecon provides a report that includes a summary of your organization's current cybersecurity posture at no additional fee. In addition, the platform automatically produces action plans to highlight only issues that exceed your company’s risk policy.
With all this information, you can easily keep your business secure from businesses that aren’t. It allows you to select new vendors faster, prioritize your third-party assessments based on RiskRecon-rated vendor performance, focus your vendor assessments on areas where you know they violate your risk requirements, improve your M&A analysis and more.
See more and schedule some time to speak with one of our experts: https://www.cyvent.com/en-us/prevent-your-company-from-third-party-risk-with-riskrecon
Artificial Intelligence and Information Security: Fact vs Fiction
Machine learning, deep learning, generative adversarial networks and other AI technologies have burst onto the cybersecurity scene over the last year. Software vendors and MSSPs are scrambling to bring their particular flavor of AI cyber security to market and claim their stake as industry leaders.
While AI has quickly become table stakes for an effective security posture, it can also seem overhyped in some respects. In this post, we’ll aim to cut through the superlatives and provide a few thoughts on the role of artificial intelligence in cyber security.
Artificial Intelligence in Cyber Security Does Not Replace Traditional Tools
By claiming that AI will replace traditional tools while lowering labor costs and probably making coffee at the same time, some advertising has put AI on a pedestal that it may not have achieved yet.
Here are some things that AI cyber security definitely will not replace. Security teams will still need to keep around:
- Employee training and a security-sensitive culture
- Smart policies and processes
- Qualified architects, managers, engineers, and analysts
- Rock-solid, layered infrastructure with effective controls around it
If you find yourself saying, “Wait, that’s 95% of my security program,” you’re right. Artificial intelligence in cyber security is a complement to a well-run cyber framework, not a replacement for it.
Must-Ask Questions When Evaluating AI Cyber Security Tools
We all have seen that technology can be promoted with grand promises backed by sometimes disappointing results. To avoid a dud in your AI implementation, you may want to sit down with your security team and your vendor rep to go over a few questions:
- How do your AI algorithms actually work? How mature is the technology? What are its blind spots?
- How well does it avoid false positives and false negatives?
- How do you measure the incremental benefits and the expected ROI?
- How will it protect us from insider threats?
- What’s your definition of ‘real-time’?
- Which attack vectors, file types and operating systems do you cover?
- How frequently does it need to be updated?
- How does it handle APTs, zero-days and zero-hours?
- What outside support are we going to need to implement and maintain this?
- How much additional training will we need to use this effectively?
- Does it produce usable reports that actually mean something?
- What results have your other clients seen from it?
- Does it outperform what I already have, or will it be just another piece of software bloating my network?
Pitfalls to Avoid When Implementing an AI Cyber Security Solution
Adding software to your organization’s toolkit is rarely a trivial matter, and even less so when you’re dealing with AI. Here are some potential mistakes when deploying an AI cyber security tool:
- Expecting a “set-and-forget” solution that will replace the whole security program: See the first section of this post.
- Thinking that an in-house developed solution will be best-in-show without exploring other available options.
- Expecting that the AI tool won’t require any customization or integration.
- And possibly the most delicate one: Thinking it’ll all work out on automatic pilot without specialized AI expertise on your team or assistance from AI safety experts.
The fact of the matter is that it is no longer viable to delay implementation of robust AI cyber security tools. Bad actors have already started using AI.
A talented cybersecurity team and company-wide awareness training go a long way. Artificial intelligence in cyber security simply brings a needed support structure that can assist your teams to prevent attacks and accelerate mitigation if needed. As businesses undergo the digital transformation, it is imperative they also leverage new developments in cyber capabilities and include them in their thinking from the very beginning of their process. Cyber security cannot be an after-thought.
CyVent is a Certified Partner of global leaders in augmented intelligence applied to cybersecurity. Our cutting edge, AI-driven solutions help organizations transition from the classic remediation approach to security to a more pre-emptive posture, which ultimately increases prevention, decreases times-to-resolution and automates cybersecurity operations.
It’s no surprise to anyone that digital threats are evolving and becoming more complex than ever before. As attackers take their game to the next level, an organization’s cybersecurity program should grow and become smarter along with them. The latest step forward in digital defense comes in the form of machine learning and Artificial Intelligence algorithms that combine the reliability of traditional signatures with the power of Big Data analytics.
Legacy Tools No Longer the Answer to Growing Threats
With the ever-increasing sophistication of today’s security threats, traditional layers of defense like SIEMs, IDS/IPS, and antimalware applications are no longer sufficient. While these tools are certainly effective at thwarting routine port scans or spam emails, the smart security administrator needs to add another layer of security to be truly protected from advanced attacks. Signature-based defenses can’t scale fast enough or stay up to date with critical threats like zero-day attacks or a targeted phishing campaign, and reactive security programs are an open invitation for a data breach. While a business can add more resources to its SOC, or invest in the most engaging security awareness program, an organization’s defense is only as strong as the tools used in that defense. The reality is that security programs built on tools from as recent as 3-4 years ago are already outdated in the face of today’s threats.
Combining Traditional Defenses With Modern Data Analytics
What is the answer to the increasing complexity of these attacks? By pairing the usefulness of legacy solutions with a boost from Big Data, machine learning allows administrators to identify and prevent new or anomalous threats while controlling attacks from traditional threat vectors. Beginning with a baseline of signature files and a sample of normal activity from the network, new security devices can implement machine learning to automatically detect and shut down advanced threats that would otherwise slip past legacy perimeters.
An important component of these AI-driven devices is the ability to aggregate and analyze data from all the environments they are installed in, across multiple customers and industries. For clients who choose to opt-in to the program, smart devices can share their anonymized data in a pool of information from other clients, greatly increasing the samples that algorithms can be based upon. By analyzing data from such a large pool, these devices can leverage predictive analysis to protect an organization from threats that are new to their market but have been seen before in other industries.
In summary, security professionals should be aware that traditional lines of defense are no longer sufficient against today’s evolving threats. Machine intelligence and Big Data are changing the cybersecurity game by combining legacy methods with modern analysis and behavior models and should be seriously considered while building a well-rounded security program.
If you would like to learn more about machine learning in cybersecurity, click here to download "The Enterprise Immune System: Proven Mathematics and Machine Learning for Cyber Defense"...
PHOTO CREDIT: UNSPLASH | JASH CHHABRIA
Responding to Cybersecurity Threats: How to Assess Your Tools and Cyber Strategy
Cybersecurity is in crisis. Cybersecurity threats are becoming increasingly sophisticated and pervasive. Bad actors have access to all the latest technology and tools, including artificial intelligence, for free or very little cost. They have endless time and resources to send out millions of cyberattacks – and need only a single successful attack to reap a windfall. It’s asymmetric warfare, and the attackers’ tools just keep improving.
In response, dozens of new cybersecurity providers seem to enter the market every day. Artificial intelligence, new tools and easy access to information mean that innovation keeps accelerating daily. With cybersecurity threats regularly making headlines, and pressure on companies to secure their data (and customers’ data) growing, new cybersecurity providers barely need to advertise to gain customers’ attention. For the same reasons, venture capitalists are eager to fund cybersecurity firms. The traditional big players in the market are rushing to upgrade their outdated packages. It’s a noisy marketplace, and companies trying to protect their data and systems are confused about how best to do so.
How Companies Are Addressing Cybersecurity Threats
Companies have responded to the crowded cybersecurity marketplace in different ways. Some just bury their heads in the sand, deciding to deal with incursions when they occur, or to hope that they’re too small to be worth targeting with a cyberattack. Others are spending way too much money on cybersecurity, experimenting with every new product that hits the market.
Many companies believe that they already have all the tools they need to combat cybersecurity threats, but haven’t properly patched their existing systems, which need regular updates to combat ever-changing cyber threats. On top of that, many companies experience dozens of little attacks every day, from all sides, and it’s hard to know where to put resources.
But burying your head in the sand or sticking with old tools that don’t counteract today’s cybersecurity threats is simply not an option. And throwing money at whatever strikes a chord isn’t an effective strategy, either.
What Is an Effective Strategy for Managing Cybersecurity Threats?
Resolving the cybersecurity crisis starts with an honest cyber vulnerability assessment, either by your internal experts or by outside experts.
Ultimately, this cyber vulnerability assessment should give you a map of where your company is in terms of cybersecurity. Next, you’ll need a map of where you’re going. Your experts should prepare a plan that:
- Closes your cybersecurity gaps over time
- Analyzes the financial risks of not closing gaps and prioritizes closing the gaps that put the company at the most risk
- Includes a company cybersecurity policy that every employee is expected to follow (much like a dress code or conduct policy)
This cyber vulnerability assessment and plan give you a framework for cybersecurity decisions. Armed with an understanding of your risk profile, your budget, your weaknesses and the consequences of various breaches, your experts should be able to recommend cybersecurity investments that will provide the best ROI for your company. The key is to remain true to this framework, even as new cybersecurity threats rear their ugly heads. Certainly, you want to maintain some flexibility, with strategies adjusting as truly required. But stick with what you know to be important to your business, and let that lead your investment decisions.
Wondering about your ability to respond to cybersecurity threats? Schedule a free, confidential assessment today.
To thwart cyber attacks, the traditional approach has been to focus on the perimeter to repel intruders. But over time the perimeter has become a sieve. Today’s hackers easily break through it or find ways around it. In fact, a new study by RiskIQ estimates the cost of cybercrime at $856,000 per minute. AI cybersecurity solutions directly address these challenges, which is why many now view the technology as the future of cybersecurity.
Going Beyond the Perimeter Is the Future of Cybersecurity
Focusing on defending the perimeter has been akin to wearing a Hazmat suit in a hostile environment: Any small perforation, and you were doomed to unexpected consequences at the hands of hackers who had the time and intellect to play games with your critical assets.
Not only are perimeters fragile and the gap in available talent huge, but most IT teams are often so stretched for resources that they can’t keep up with the updates necessary to protect against the myriad attacks that can penetrate a company’s external defenses. WannaCry was just an example of that.
Over the years, computing speed has grown exponentially – multiplying more than 3,000x since 1991 – to the point where even a $5 Raspberry Pi can now run deep learning algorithms. So it’s no surprise that, in recent years, focus has shifted to using AI cybersecurity to complement traditional defenses in many ways and to neutralize stealthy, unknown threats that may have already breached the perimeter, before any irreparable damage is done to the network or data.
Applying Artificial Intelligence in Cybersecurity
With AI cybersecurity programs now being embedded in companies’ networks, endpoints and data are evolving into immune systems that allow internal defenses to shorten the dwell time and pre-empt the devastation that can follow a breach.
While there is no need to abandon the perimeter, today’s smart CISOs are squarely focused on increasing their AI-driven pre-emption capabilities and boosting their own auto-immune systems. Artificial intelligence in cybersecurity is by no means perfect yet, but cybercriminals are already using automation and machine learning 24x7x365. In the never-ending cat-and-mouse game, AI is slated to continue gaining ground to build predictive capabilities and strengthen defenses for the foreseeable future.
To learn more about how AI is impacting the future of cybersecurity, download this white paper from Darktrace: Machine Learning in Cybersecurity.
ICS Cybersecurity: Using AI in Operational Technology Security
Updated on May 7, 2019
Recent headlines have been abuzz with ICS experts warning of grid vulnerability to hacking. Digital threat actors have become exceptionally skilled at infiltrating every type of computer network. Industrial Control Systems (ICS) are no different: While ICS networks were generally thought to be more secure due to not communicating outside of the corporate network or on the internet, attackers have managed to compromise them and steal valuable production data.
Some of the most effective tools for ICS cybersecurity are the emerging technologies in Machine Learning and Artificial Intelligence. By combining real-time data monitoring with orchestration and automated response, AI/ML solutions are proving their value when compared to legacy systems and human-intervention driven response times.
A Real-World Example of Using AI for ICS Network Security
At the 2017 Black Hat Europe conference, security research firm CyberX demonstrated how data exfiltration was possible from a supposedly air-gapped ICS network. By delivering a payload of specific ladder logic code into Programmable Logic Controllers, the attack was programmed to send out copies of data through encoded radio signals which can be received by AM radios and analyzed by special-purpose software. As the communication channel is outside the TCP/IP stack, there is no encryption to safeguard the data once it’s captured.
How does AI respond to this threat? In this case, Machine Learning can be used to craft an algorithm which establishes a “normal” state and monitors traffic and configurations to compare against that state. This baseline can include network traffic, equipment settings, and even the source code of PLCs. With its continuous heartbeat checks, the algorithm can detect when the system deviates from the baseline and immediately alert security staff of the change.
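The baseline-and-deviation idea described here, and in the earlier post's point about starting from "a sample of normal activity from the network" before detecting anomalies, can be made concrete with a small monitor. The following is an added example, not code from CyVent or any vendor named on this page, and it uses plain statistics rather than a learned model: it learns which (source, destination, port) pairs talk during normal operation and how many bytes each pair moves per interval, fingerprints the PLC program listing with a hash, and on each heartbeat flags never-seen pairs, volume deviations beyond a z-score threshold, expected polls that stopped, and any change to the PLC logic. The OT segment (an HMI polling two PLCs over Modbus/TCP port 502, a historian reading from the HMI), the addresses, the traffic figures and the instruction-list program are all constructed sample data.

```python
import hashlib
import statistics
from collections import defaultdict

# Constructed OT segment: an HMI polls two PLCs over Modbus/TCP (port 502) and a
# historian pulls from the HMI over HTTPS. Private / documentation address ranges.
HMI, PLC_A, PLC_B, HIST = "10.0.1.10", "10.0.1.50", "10.0.1.51", "10.0.1.20"


def _interval(a_bytes, b_bytes, h_bytes):
    """One monitoring interval as flow records (src, dst, dst_port, bytes)."""
    return [(HMI, PLC_A, 502, a_bytes), (HMI, PLC_B, 502, b_bytes),
            (HIST, HMI, 443, h_bytes)]


# Five intervals of normal traffic plus the PLC program listing at baseline time
# (constructed sample data, not captured from a real plant).
BASELINE_INTERVALS = [
    _interval(4200, 4100, 900), _interval(4300, 4050, 950),
    _interval(4150, 4200, 880), _interval(4250, 4000, 920),
    _interval(4180, 4120, 910),
]
BASELINE_PLC_PROGRAM = "LD I0.0\nAND I0.1\nST Q0.0\n"


def _totals(records):
    """Bytes per (src, dst, port) pair within one interval."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in records:
        totals[(src, dst, port)] += nbytes
    return totals


class Baseline:
    """The 'normal' state: known communication pairs, their volume profile,
    and a fingerprint of the PLC logic."""

    def __init__(self, intervals, plc_program):
        per_pair = defaultdict(list)
        for records in intervals:
            for key, total in _totals(records).items():
                per_pair[key].append(total)
        # mean and population std-dev of bytes per interval for each known pair
        self.stats = {k: (statistics.mean(v), statistics.pstdev(v))
                      for k, v in per_pair.items()}
        self.program_hash = hashlib.sha256(plc_program.encode()).hexdigest()


def heartbeat_check(baseline, records, plc_program, z_threshold=3.0):
    """Compare one interval and the current PLC program against the baseline.
    Returns a list of (alert_type, pair, detail) tuples; empty means normal."""
    alerts = []
    totals = _totals(records)
    for key, total in totals.items():
        if key not in baseline.stats:
            alerts.append(("new_pair", key, total))  # never seen at baseline
            continue
        mean, std = baseline.stats[key]
        spread = std if std > 0 else max(mean * 0.05, 1.0)  # constant-volume pairs
        z = (total - mean) / spread
        if abs(z) > z_threshold:
            alerts.append(("volume_anomaly", key, round(z, 1)))
    for key in baseline.stats:
        if key not in totals:
            alerts.append(("missing_pair", key, 0))  # an expected poll stopped
    if hashlib.sha256(plc_program.encode()).hexdigest() != baseline.program_hash:
        alerts.append(("plc_logic_changed", None, None))
    return alerts


def run_demo():
    """Returns (alerts for a normal interval, alerts for an anomalous interval)."""
    baseline = Baseline(BASELINE_INTERVALS, BASELINE_PLC_PROGRAM)
    normal = heartbeat_check(baseline, _interval(4220, 4080, 915), BASELINE_PLC_PROGRAM)
    # Anomalous interval: HMI->PLC_A volume more than doubles, PLC_A opens a
    # connection to an address outside the segment, and the program gained a rung.
    suspicious = _interval(9000, 4080, 915) + [(PLC_A, "192.0.2.9", 8080, 120000)]
    modified_program = BASELINE_PLC_PROGRAM + "LD I0.2\nST Q0.1\n"
    anomalous = heartbeat_check(baseline, suspicious, modified_program)
    return normal, anomalous


if __name__ == "__main__":
    n, a = run_demo()
    print("normal interval:", n)
    print("anomalous interval:", a)
```

The baseline is only as good as the window it was learned from, so it should be captured during a known-clean period and re-learned after planned engineering changes (a legitimate PLC program download will otherwise raise `plc_logic_changed` on every heartbeat). A commercial product replaces the mean/std-dev profile with a learned model over many more features, but the check structure is the same.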
Another real-world example involving operational technology security comes very recently from the ransomware attack on Norsk Hydro, one of the world’s largest aluminum producers, based in Norway. The ransomware infected multiple systems across the organization in a number of locations. The company’s production environments were forced to stop production or change to manual systems. The ransomware supported the changing of administrator passwords, and as the majority of servers were under the same domain, the attack could spread more rapidly than if there had been a combination of network segmentation and separately administered domains. In the case of Norsk Hydro, an AI cybersecurity layer would have been able to spot irregularities in system access and lock down channels before the hackers could manipulate the permissions.
AI and ICS Cybersecurity: Adding Value to Existing Systems
Where does AI fit into your existing ICS network security program? You already have the ICS equipment sectioned off on its own VLAN(s), firewalled, monitored, and protected by IDS/IPS, SIEMs, and other security tools. Where does it make sense to insert AI/ML into the equation?
The biggest advantage of deploying an AI solution for ICS cybersecurity is real-time response and orchestration. AI tools do not have to wait for security staff to make a decision. Nor are they limited to the binary allow/deny view of firewall rules, which routinely miss malware traffic that blends in with "normal" network signals. A model that has learned what normal looks like can detect an abnormal data exchange and respond to it long before a SOC analyst would even be alerted. Some AI offerings can also monitor devices that do not communicate over TCP/IP, such as equipment on serial links, giving visibility into gear that is otherwise unmonitored.
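As an added example (not CyberX's, Cyberbit's or any vendor's code) of the baseline-and-deviation approach described above for the CyberX demonstration and again in this section, the following Python script learns which Modbus/TCP conversations are normal on an OT segment, how much traffic each carries, and a hash of every PLC's program image, then flags a register write from an unknown host and a changed program. The flow-record format, the addresses, the program image and the function-code list are assumptions, and all data is constructed.

```python
"""Baseline-and-deviation monitor for an OT segment.

Added example for this post, not CyberX's or any vendor's code. Assumptions:
a passive sensor on the ICS VLAN yields Modbus/TCP flow records as dicts
{"src", "dst", "fc", "bytes"} per time window, and each PLC's program image
can be read back for hashing. All data below is constructed.
"""
import hashlib
import statistics
from collections import defaultdict

# Modbus function codes that change coil/register state on the controller.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}


def program_hash(image: bytes) -> str:
    """Fingerprint of a PLC program image; any logic change alters it."""
    return hashlib.sha256(image).hexdigest()


def learn_baseline(windows, plc_programs):
    """Learn the set of normal (src, dst, fc) conversations, the typical bytes
    per window for each, and the program hash of every known PLC."""
    per_key = defaultdict(lambda: [0] * len(windows))
    for i, window in enumerate(windows):
        for f in window:
            per_key[(f["src"], f["dst"], f["fc"])][i] += f["bytes"]
    conversations = {}
    for key, series in per_key.items():
        mean = statistics.fmean(series)
        # Floor the spread so a quiet baseline does not alert on trivial jitter.
        spread = max(statistics.pstdev(series), 0.1 * mean, 1.0)
        conversations[key] = (mean, spread)
    return {
        "conversations": conversations,
        "program_hashes": {ip: program_hash(img) for ip, img in plc_programs.items()},
    }


def check_window(baseline, window, plc_programs, z_threshold=3.0):
    """Compare one window (plus freshly read PLC images) against the baseline.
    Returns a list of (alert_kind, subject) tuples."""
    alerts = []
    observed = defaultdict(int)
    for f in window:
        observed[(f["src"], f["dst"], f["fc"])] += f["bytes"]
    for key, total in observed.items():
        fc = key[2]
        if key not in baseline["conversations"]:
            # A write from a host that never wrote before is the precondition of
            # a logic download; a new read-only peer is still worth a look.
            kind = "unexpected_write" if fc in MODBUS_WRITE_FCS else "new_conversation"
            alerts.append((kind, key))
            continue
        mean, spread = baseline["conversations"][key]
        if (total - mean) / spread > z_threshold:
            alerts.append(("volume_anomaly", key))
    for ip, image in plc_programs.items():
        if program_hash(image) != baseline["program_hashes"].get(ip):
            alerts.append(("plc_program_changed", ip))
    return alerts


# ---- constructed sample data -------------------------------------------------
HMI, PLC1, ROGUE = "10.0.10.5", "10.0.10.21", "10.0.10.77"


def hmi_poll(nbytes):
    """HMI reading holding registers (function code 3) from PLC-1."""
    return {"src": HMI, "dst": PLC1, "fc": 3, "bytes": nbytes}


BASELINE_WINDOWS = [[hmi_poll(b)] for b in (2000, 2100, 1950, 2050, 2000)]
GOOD_PROGRAM = {PLC1: b"LD I0.0\nAND I0.1\n= Q0.0\n"}  # stand-in for a program image
ATTACK_WINDOW = [
    hmi_poll(2020),
    {"src": ROGUE, "dst": PLC1, "fc": 16, "bytes": 4096},  # register writes, unknown host
]
MODIFIED_PROGRAM = {PLC1: GOOD_PROGRAM[PLC1] + b"; added rung\n"}


def demo():
    """Baseline on clean windows, then check the window with the rogue writer
    and the altered program image."""
    baseline = learn_baseline(BASELINE_WINDOWS, GOOD_PROGRAM)
    return check_window(baseline, ATTACK_WINDOW, MODIFIED_PROGRAM)


if __name__ == "__main__":
    for kind, subject in demo():
        print(kind, subject)
```

The point worth taking from it is that the radio exfiltration channel never needs to be seen: the logic download that creates it is visible on the network and in the controller's program image, and a monitor that baselines both catches the precondition. In a real deployment the baseline windows come from a passive tap, the program images from the vendor's engineering protocol, and the thresholds from the process's own variability.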
A particularly interesting tool to protect industrial control systems is Cyberbit’s ScadaShield, a layered solution to provide full stack ICS network detection, visibility, smart analytics, forensics and response. ScadaShield performs continuous monitoring and detection across the entire attack surface for both IT and OT components and can be combined with SOC automation to trigger workflows that accelerate root cause identification and mitigation.
Large-scale processes at critical power generation, electrical transmission, water treatment and refining sites, as well as major manufacturing plants, are more exposed than ever. The good news is that new developments in Artificial Intelligence and Machine Learning have created new ways to protect these systems and improve ICS cybersecurity.
If you haven’t already done so, this is a good time to consider adding an AI/ML solution to your security perimeter to take your prevention and response times to the next level. Click here to contact us if you would like to learn more about artificial intelligence in cyber security.
PHOTO CREDIT: UNSPLASH | RAMÓN SALINERO
The Role of Artificial Intelligence in Cyber Security: Separating Fact from Fiction
Machine learning and artificial intelligence have exploded onto the cybersecurity scene over the last year. Software vendors and MSSPs are scrambling to bring their particular flavor of AI cyber security to market and claim their stake as industry leaders.
While AI has quickly become table stakes for an effective security posture, parts of it are overhyped. In this post, we aim to cut through the superlatives and offer a few thoughts on the role of artificial intelligence in cyber security.
Artificial Intelligence in Cyber Security Does Not Replace Traditional Tools
By claiming that AI will replace traditional tools while lowering labor costs, and probably making coffee at the same time, some advertising has put AI on a pedestal it has not yet earned.
Here are some things that AI cyber security definitely will not replace. Security teams will still need:
- Employee training and a security-sensitive culture
- Smart policies and processes
- Qualified architects, managers, engineers, and analysts
- Rock-solid, layered infrastructure with effective controls around it
If you find yourself saying, “Wait, that’s 95% of my security program,” you’re right. Artificial intelligence in cyber security is a complement to a well-run cyber framework, not a replacement for it.
Must-Ask Questions When Evaluating AI Cyber Security Tools
We all have seen that technology can be promoted with grand promises backed by sometimes disappointing results. To avoid a dud in your AI implementation, you may want to sit down with your security team and your vendor rep to go over a few questions:
- How do your AI algorithms actually work? How mature is the technology? What are its blind spots?
- How well does it avoid false positives and false negatives?
- How do you measure the incremental benefits and the expected ROI?
- What outside support are we going to need to implement and maintain this?
- How much additional training will we need to use this effectively?
- Does it produce usable reports that actually mean something?
- What results have your other clients seen from it?
- Does it outperform what I already have, or will it be just another piece of software adding bloat to my network?
Pitfalls to Avoid When Implementing an AI Cyber Security Solution
Adding software to your organization’s toolkit is rarely a trivial matter, and even less so when you’re dealing with AI. Here are some potential mistakes when deploying an AI cyber security tool:
- Expecting a “set-and-forget” solution that will replace the whole security program: See the first section of this post.
- Thinking that an in-house developed solution will be best-in-show without exploring other available options.
- Expecting that the AI tool won’t require any customization or integration.
- And possibly the most delicate one: Thinking it’ll all work out on automatic pilot without specialized AI expertise on your team or assistance from AI safety experts.
The fact of the matter is that it is no longer viable to delay implementation of robust AI cyber security tools. Bad actors have already started using AI.
A talented cybersecurity team and company-wide awareness training go a long way. Artificial intelligence in cyber security simply adds a support structure that helps those teams prevent attacks and accelerate mitigation when needed. As businesses go through digital transformation, it is imperative that they also leverage new developments in cyber capabilities.
CyVent is a Certified Partner of Darktrace, a global leader in machine learning applied to cybersecurity, whose technology can detect and autonomously respond to cyber threats that legacy systems miss. Learn more about Darktrace’s capabilities in this white paper.
Updated on May 7, 2019
It’s no surprise to anyone that digital threats are evolving and becoming more complex than ever before. As attackers take their game to the next level, an organization’s cybersecurity program should grow and become smarter along with them. The latest step forward in digital defense comes in the form of machine learning and Artificial Intelligence algorithms that combine the reliability of traditional signatures with the power of Big Data analytics.
Legacy Tools No Longer the Answer to Growing Threats
With the ever-increasing sophistication of today's security threats, traditional layers of defense like SIEMs, IDS/IPS and antimalware applications are no longer sufficient on their own. These tools are effective at thwarting routine port scans or spam emails, but a security administrator needs another layer to be protected from advanced attacks. Signature-based defenses cannot keep up with zero-day exploits or a targeted phishing campaign, because a signature exists only for what has already been seen, and a purely reactive security program is an open invitation to a data breach. A business can add more resources to its SOC or invest in the most engaging security awareness program, but its defense is also only as strong as the tools it relies on. The reality is that a security program built solely on tools from 3-4 years ago is already outdated in the face of today's threats.
Combining Traditional Defenses With Modern Data Analytics
What is the answer to the increasing complexity of these attacks? By pairing legacy solutions with Big Data analysis, machine learning lets administrators identify and block new or anomalous threats while still catching attacks from traditional vectors. Starting from a baseline of signature files and a sample of normal activity from the network, newer security devices use machine learning to automatically detect and shut down advanced threats that would otherwise slip past the legacy perimeter.
An important capability of these AI-driven devices is aggregating and analyzing data from every environment they are installed in, across multiple customers and industries. Clients who opt in share anonymized data in a common pool, greatly increasing the sample the algorithms are trained on. Drawing on such a large pool, the devices can apply predictive analysis to protect an organization from threats that are new to its market but have already been seen in other industries.
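The following Python script is an added example, not any vendor's code, of the layering these two paragraphs describe: an exact signature match first, then a lookup against a pool of domains flagged at opted-in peers, and only then a learned-behaviour check (here, regularity of request timing, a beaconing heuristic that stands in for a proprietary model) against a baseline of domains seen during a clean period. The IOC feed, the peer list, the baseline and the request records are all constructed.

```python
"""Layered detector: signatures, a shared peer pool, then a learned-behaviour check.

Added example for this post, not any vendor's code. The IOC list, the peer-flagged
list, the clean-period domain baseline and the DNS-style request records are all
constructed; the beaconing heuristic stands in for a vendor's behavioural model.
"""
import statistics
from collections import defaultdict

KNOWN_BAD_DOMAINS = {"update-check.badcdn.example"}       # signature feed (assumed)
PEER_FLAGGED_DOMAINS = {"cdn-telemetry.sketchy.example"}  # flagged at opted-in peers (assumed)


def beacon_score(timestamps):
    """Regularity of the gaps between requests, 0 (random) to 1 (clockwork).
    Implants polling a C2 server tend to score high; people browsing do not."""
    if len(timestamps) < 4:
        return 0.0
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(gaps) / mean)


def classify(records, baseline_domains, beacon_threshold=0.8):
    """records: (timestamp_seconds, host, domain). baseline_domains: domains seen in
    a clean training period. Returns {(host, domain): verdict}. Signature first
    (cheap and exact), then the shared pool, then behaviour for anything unseen."""
    by_pair = defaultdict(list)
    for ts, host, domain in records:
        by_pair[(host, domain)].append(ts)
    verdicts = {}
    for (host, domain), times in by_pair.items():
        if domain in KNOWN_BAD_DOMAINS:
            verdict = "signature"
        elif domain in PEER_FLAGGED_DOMAINS:
            verdict = "peer-pool"
        elif domain not in baseline_domains and beacon_score(sorted(times)) >= beacon_threshold:
            verdict = "anomaly:beacon"
        else:
            verdict = "benign"
        verdicts[(host, domain)] = verdict
    return verdicts


# ---- constructed sample (not a real capture) -----------------------------------
BASELINE_DOMAINS = {"intranet.corp.example", "updates.vendor.example"}
RECORDS = (
    [(t, "ws01", "intranet.corp.example") for t in (0, 37, 412, 900, 1337)]      # known, irregular
    + [(100, "ws01", "update-check.badcdn.example")]                             # IOC hit
    + [(50, "ws02", "cdn-telemetry.sketchy.example"),
       (1250, "ws02", "cdn-telemetry.sketchy.example")]                          # seen at peers
    + [(t, "ws03", "c2-lookalike.example") for t in (0, 60, 121, 180, 240, 299)]  # 60 s beacon
    + [(t, "ws04", "newsite.example") for t in (0, 15, 400, 3000)]               # new, human-like
)


def demo():
    """Run the three stages over the sample; only ws03's unseen, clockwork
    domain needs the behavioural stage to be caught."""
    return classify(RECORDS, BASELINE_DOMAINS)


if __name__ == "__main__":
    for pair, verdict in sorted(demo().items()):
        print(pair, verdict)
```

The ordering matters: signatures and the peer pool are exact and cheap, so they run first and keep the behavioural stage from having to explain traffic that is already understood. The ws04 case is the false-positive guard the paragraph above is silent on; a domain being new to the organization is not by itself evidence, and a behavioural model earns its keep precisely by not alerting on it.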
In summary, security professionals should be aware that traditional lines of defense are no longer sufficient against today’s evolving threats. Machine intelligence and Big Data are changing the cybersecurity game by combining legacy methods with modern analysis and behavior models and should be seriously considered while building a well-rounded security program. Click here to learn more about machine learning in cyber security.
PHOTO CREDIT: UNSPLASH | JASH CHHABRIA
The Importance of a Cyber Security Program Built on Strategy, Not Fear
Updated on May 7, 2019
Every other day we hear of some new security breach that leads to damaged reputations, executive resignations and plummeting stock values. While it is tempting to become a bit sarcastic and 'normalize' this state of affairs, the danger of cyber attacks cannot be overstated. The gap between an attacker's time to exfiltration and a defender's time to containment keeps growing in the attacker's favor. Thought leaders and trillion-dollar loss projections reinforce that information warfare is a serious threat that is quickly becoming the number one danger for businesses, governments and even individual liberties.
What is the Role of Cybersecurity?
Throw in a dizzying array of new technologies and new vendors, and it's no wonder cyber security executives, CFOs and CEOs feel growing pressure. What we all need is a change in attitude: the role of cyber security is to enable the business to reach its goals, not to be the goal in and of itself. No business exists for the sake of having an unbreachable security program, if such a thing can even be built. On the contrary, a good security program drives and supports the organization in reaching its strategic goals.
In this non-stop 'spy vs. spy' game between defenders and bad actors, the solution is not to keep adding one shiny tool after another but to focus on a well-thought-out strategy with several prongs: (a) periodic audits, strong fundamentals, clear policies and well-trained team members; (b) advanced tools that automate, orchestrate and streamline processes while reducing costs; and (c) cyber security included in the C-level risk management view, which balances acceptable exposure levels, qualifies the required investments and takes advantage of available risk transfer options (cyber insurance, for example).
What is the role of a trusted Cyber Security Solutions Provider?
Within this quickly changing environment, a trusted partner's role is to help clients reduce anxiety, become better risks and gain peace of mind.
A trustworthy partner will sit down and fully understand your needs before talking about any kind of product lineup. If you have security questions, contact us and let’s make a plan that works for you.
PHOTO CREDIT: UNSPLASH | TASKIN ASHIQ