By Jason Dover, VP of Product Strategy at Progress
With the growing complexity and sophistication of modern security threats, organizations must make suitable investments and develop comprehensive strategies to keep their digital assets secure. This is not a new challenge, but the frequency of attacks is certainly on the rise.
The 2022 IBM Cost of a Data Breach Report showed that 83% of the groups studied have had more than one data breach. The report also estimates the average cost of data breaches to have risen to $4.35M. Interestingly, compromised credentials still are the most common factor, making up about 19% of all breaches based on the study.
With an increased remote workforce, BYOD has become the norm, and the ever-growing use of cloud-based services has increased the attack surface that SecOps must guard. The aforementioned report also noted that remote work-sourced breaches cost more than $600K, with an average of around ~$5MM per occurrence.
Considering this, most businesses do have a level investment allocated into security mechanisms for their ecosystem. This may range from the use of VPNs, firewalls, endpoint protection and other similar technologies. However, an often-underused tool is the network itself.
Anatomy of an Attack
For threat actors to successfully pull off a breach, they must carry out reconnaissance to identify exploitable vectors. They must gain persistent access to the environment where target assets and data exist, followed by some sort of privilege escalation to enable malicious behavior to be executed along with lateral movement from the initial entry point.
Sophisticated attacks may also have a level of defense evasion built in that allows true intent to be obfuscated. If all goes well (from the attackers’ perspective), the payload or program that they’ve brought into the environment can be executed to destroy information, achieve command and control of systems or hold critical data hostage.
For security operations teams responsible for protecting their organization’s environments, staying ahead of threat actors comes down to early detection. Successful breaches are built upon a series of small wins over days, weeks or sometimes months. While investment is required to instrument a framework that can identify these leading indicators, organizations that automate preemptive protective action can save millions in losses in the long run.
A Multi-Layered Security Approach
One specific technology that is gaining traction in the fight against cyber-attacks is network detection and response (NDR). NDR solutions extract data, metadata and insights from the network using methods such as flow analysis and packet capture. The solution then analyzes the network traffic using a number of mechanisms including machine learning, baseline comparison, signatures and variety of other methods to detect suspicious activity.
While in the past, these solutions were predominantly deployed by the most mature security operations teams, several vendors in the industry have made NDR more accessible for organizations of all sizes. They’ve done this by focusing on ease of use and using innovative methods to drive down total cost of ownership.
The concept behind NDR is that it closes off the last battleground of threat detection for operations teams. Security solutions such as firewalls and IPS are powerful tools in addressing threats that can be detected in vertical traffic (i.e., north-south) that traverses the perimeter. Endpoint protection provides another layer of protection by protecting devices in the environment, identifying compromise and automating quarantine. NDR completes the security stack by adding in analysis of network communications.
The reason why this approach is such an important part of a well-architected security model is that the network is the ultimate source of truth. NDR can detect the anomalous behavior that takes place when attackers carry out reconnaissance and scan a network to find and identify its weak points. Additionally, even if methods are used to hide the intent of an attack, such as scrubbing logs on a compromised endpoint before they can be shipped to a log analysis system, there is no way to hide actual communications over the network.
Key Security Principles
In addition to the right tools and technologies, organizations should establish a consistent set of principles that guide the architecture and security posture. Broadly speaking, these can be summarized in four key areas:
- Focus on what matters – Data
Threat actors are typically trying to gain access to information that exists in the environment in order to cause damage. While this requires compromising systems, stealing credentials and many other mechanisms, they’re often a means to an end, as opposed to the prize. When architecting a security model, security teams should do this from the vantage point of the data that these vehicles can eventually compromise. Since every operations budget has limitations, security posture improvement initiatives should start with areas of the environment that can be a springboard to the organization’s most critical data.
- Ensure resilience
There is no single security technology or solution that is infallible. Because of this, organizations should adopt a multi-layer security model that allows for failure of one component without compromising the entire environment. As an example, the use of VPN doesn’t negate the need for having additional pre-authentication methods for key applications, just as having a next-gen firewall at the network perimeter doesn’t make it any less important to also apply firewalls within the data center to prevent unauthorized lateral movement.
- Assume Threat Actor Access
Approaching network security from the perspective that threat actors WILL gain access gives security operators an edge by focusing them on ensuring any mechanism used can be detected, contained and remediated. The number of external entities that employees engage with and external services that are logically co-located with internal infrastructure means that there is a very high likelihood that at some point, an exploit (even if minor) will occur. Incorporating this thinking into the operations of the security team puts them onto the offensive against adversaries as opposed to strictly playing defense.
- Prevent, Detect, Respond
Most organizations get a passing grade for having standard security threat prevention mechanisms in place in their environment. Both detection and response capabilities often show room for improvement. By going beyond capture and analysis of logs from network devices to analyzing network traffic with the addition of enriched metadata, organizations that extrapolate anomalies can identify many security threats earlier in their lifecycle. Investing in integration across the security stack – so that detection is directly linked to automated remediation – will further enable organizations to shorten their average time to resolution for security incidents and reduce their risk profile.
Early Detection – The Key to Winning Against Threat Actors
Early detection is critical in the battle against threat actors, and the network should not be underestimated in its ability to provide early indicators that can help security operators stay one step ahead. To do this, organizations need the right tools, and NDR and NDR should be considered for anyone looking to improve their approach to security.
Remember that, as a cyber threat progresses through its journey and takes the various steps it needs to successfully carry out an exploit, it only takes a win at one of those steps to set attackers back to zero. Security teams equipped with the right tools will go a long way in making sure their success in the ongoing efforts required to protect critical data and assets.