How well protected are you in today’s cyber-threat landscape? – Part 2
The ‘cyber kill chain for intrusion detection’ is a wonderfully succinct concept that models an intrusion into a network as a sequence of stages, from initial reconnaissance through to the culminating attack on a system. Attackers leave digital footprints at every step of the way (if you know what you are looking for), so visibility into every corner of your infrastructure is key to overall threat protection and compliance assurance.
Making sure you can see every route that data transactions take into and out of your infrastructure, whether on-premises or in the cloud, is the priority. Logging every transaction at user, server, network and application level provides a goldmine of data that can be used to pinpoint even the most advanced persistent threats targeted at your organisation, says Richard Cassidy of Alert Logic.
Since every stage of the ‘kill chain’ that an attacker works through leaves a digital footprint, we need to implement technologies that let us capture that data across the whole network, spanning from host-based security tools right through to gateway inspection systems and authentication and encryption tools.
But implementing technology doesn’t complete the picture. You may have the latest logging, host scanning, IDS, IPS, NAC, SIEM, firewall, content filtering and system/file monitoring tools at your disposal; tools that, when you purchased them, were sold on their immense capacity to do x, y and z. In practice you were probably left to configure and implement them yourself (or invested a great deal of capital in professional services to do it for you), and then had to resource up to maintain and manage them: updating signatures, tuning correlation rules, running advanced analytics, understanding behavioural analysis – the list goes on. You must review the thousands of logs and events generated, correlate that data and combine it with contextual intelligence, so that true security threats (rather than false positives) can be prioritised for further investigation and remediation.
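To make the correlation step concrete, here is an added illustration (not code from the article or from Alert Logic): constructed log events from several tools are mapped onto the kill-chain stages described above, and a host is only queued for triage when it shows progression through several stages within a time window, so that an isolated port scan or a repeated single-stage event does not outrank a genuine intrusion in progress. The event names, stage mapping, hosts and timestamps are all hypothetical.

```python
# Added example (not from the article): constructed events mapped to kill-chain stages.
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain stages in order of intrusion progress (reconnaissance to objectives).
STAGES = ["recon", "delivery", "exploitation", "installation", "c2", "objectives"]

# Hypothetical mapping from a tool's event name to the stage it evidences.
EVENT_STAGE = {
    "ids.port_scan": "recon",
    "proxy.exe_download": "delivery",
    "auth.brute_force": "exploitation",
    "host.new_service": "installation",
    "proxy.beacon": "c2",
}

# Constructed sample log lines: "<ISO timestamp> <internal host> <event>".
SAMPLE_LOGS = """\
2024-05-01T09:00:01 10.0.0.5 ids.port_scan
2024-05-01T09:03:12 10.0.0.5 proxy.exe_download
2024-05-01T09:05:40 10.0.0.5 host.new_service
2024-05-01T09:06:02 10.0.0.5 proxy.beacon
2024-05-01T09:07:00 10.0.0.9 ids.port_scan
2024-05-01T09:08:00 10.0.0.9 ids.port_scan
2024-05-01T11:30:00 10.0.0.7 auth.brute_force
"""

def correlate(lines, window_minutes=30):
    """Distinct kill-chain stages per host within `window_minutes` of its first
    event. Repeats of one stage do not add up; progression across stages does."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in lines.splitlines():
        ts, host, event = line.split()
        stage = EVENT_STAGE.get(event)  # events with no stage mapping are ignored
        if stage:
            events[host].append((datetime.fromisoformat(ts), stage))
    result = {}
    for host, evs in events.items():
        evs.sort()
        start = evs[0][0]
        stages = {s for t, s in evs if t - start <= window}
        result[host] = sorted(stages, key=STAGES.index)
    return result

def prioritise(lines, min_stages=3):
    """Hosts showing at least `min_stages` distinct stages, most advanced first."""
    ranked = correlate(lines)
    hosts = [h for h, s in ranked.items() if len(s) >= min_stages]
    return sorted(hosts, key=lambda h: -len(ranked[h]))
```

With the sample data only 10.0.0.5 reaches the triage queue; the two port scans against 10.0.0.9 remain a single reconnaissance-stage observation, and shrinking the window to a few minutes drops the later stages for 10.0.0.5 as well.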
You must also understand your policies and mitigation procedures for when threat data or compliance breaches are found: are they agile enough? How quickly can change control be approved for serious incidents? What if key approvers are offline? Can multiple incidents be handled effectively? Consider that Heartbleed is still a risk within many organisations today, with systems still unpatched or exploitable. Organisations are simply struggling to keep up with the rate of threats, and this has exposed key concerns about antiquated response procedures and poorly implemented best-practice security operations when developing new workloads and applications. Let’s not forget the importance of almost parrot-fashion education of users on the risks of cyber-threats, what to be vigilant for, and how to respond to unusual or suspicious activity, emails or communications. Incredibly weak user passwords are still one of the top vectors of successful attacks to date, and there is no sign of a decrease anytime soon!
The age of ‘as-a-service’ has come about due to the many cost and efficiency savings for putting DevTest and production workloads into hosted or public cloud environments, and with budgets being squeezed and resources stretched, managed security services are rapidly becoming a key component of many organisations’ cyber security strategy.
Understand the organisation’s key threat vectors, and review existing security and compliance technologies to establish whether they mitigate those threats in the shortest time frame possible. Looking at how we can lean on services that bring context to the multitude of threats we face is not a bad idea at all, and can save a great deal of operational expenditure. Reviewing our internal tools, policies and best-practice approach to security and compliance, and assessing their effectiveness against the threats faced, will serve to quickly close any gaps already open across the organisation.
Ultimately we live in the age of shared responsibility, and as such we need to learn to share responsibility, whilst focusing on the parts that can best be achieved within the organisation. More often than not, new hardware or software by itself is not the answer to security and compliance challenges; it is the effectiveness of the people and processes around the data that hardware and software create that will separate the organisations that recover from a breach from those that don’t.
The author is Richard Cassidy, technical director EMEA, Alert Logic