Cyber attackers are taking advantage of this situation by employing new, sophisticated tactics to infiltrate networks unnoticed – and once inside, they are remaining there on average for months before being detected. As a result, visibility improvement is becoming a priority for many security teams, with more than half of respondents in Fidelis Cybersecurity’s State of Threat Detection 2019 Survey naming it as a leading security issue*.
‘Visibility’ is a term that gets used quite a lot, so it is important to understand what visibility really means to security teams. Having ‘full’ visibility accounts for all devices within the enterprise and all communications flowing across the enterprise – particularly sensitive data.Visibility means having complete oversight of your infrastructure, applications, endpoints, cloud services and IoT. And it isn’t a snapshot in time, but continuous. So, what is preventing security teams from having visibility over their organisation’s assets and having actionable insight?
Overwhelmed security teams
One of the biggest obstacles impacting visibility is overwhelmed security teams, and this is the result of years of bolting on additional security tools. As the volume and complexity of threats facing organisations has increased, organisations have traditionally responded by adding cybersecurity tools to their security infrastructures, often from a multitude of vendors, and many of which are never used to their full potential or are duplicative to existing capabilities. These disparate solutions are often siloed from one another, leading to a critical lack of interoperability within the security stack. As a result, organizations often wind up with underutilized, duplicative or siloed solutions that add complexity within the stack but do not meaningfully improve security posture.
Inevitably, a crowded and overly-complex security infrastructure leads security analysts down a path of workflows that are near-impossible to manage – and this makes it incredibly difficult to properly assess the alerts coming their way. What is worse, if the security solutions used are not highly automated, this issue is only reinforced, with low fidelity investigations and missed attack signals as a result. In short, visibility is extremely limited.
As if an overcrowded security stack, widespread alert fatigue and lack of automation are not enough, the cybersecurity industry is also facing a skills gap. The National Cyber Security Strategy (NCSS) recently found that more than half of all businesses and charities (54 percent) have a basic technical cyber security skills gap – and given the nature of cyber threats to a digital economy, such a gap is not sustainable.
Many jobs remain open and firms lack the resources to properly train their current staff to be able to manage the latest products they have invested in. While optimising the security stack itself is key to visibility, even the most high-tech solutions rely on security teams sitting on the right level of expertise to manage, monitor and optimise them.
Deep visibility and automation
According to Fidelis Cybersecurity’s State of Threat Detection 2019 research, automation and visibility challenges are the two leading challenges facing security teams seeking to distinguish between legitimate and malicious behaviour. This means longer dwell time for attackers, as well as an increased risk of data and reputation loss. This is made worse by the fact that modern attacks often employ tailored and automated activity at each step of the threat lifecycle, optimising the threat for the exact task it must perform at that phase of its life. Deep visibility into all phases of the threat lifecycle across the environment – not just a silo within the environment - is critical to preventing, detecting and responding to cyber-attacks.
Automated detection, threat hunting capabilities and the ability to respond to, investigate, or automatically quarantine and remediate threats before data is stolen is a must. Real-time techniques to prevent attacks are also key, such as signature detection to quarantine known-bad files at the endpoint, behaviour analysis to kill a process at the endpoint, network session disruption upon detection of files and network behaviours, and email quarantine.
Metadata as a liberator
When broken down, visibility relies on security analytics based on granular metadata. The main role of security analytics is to provide context and information that will help security teams to not only react to current threats, but proactively prevent future ones as well. This functions best when metadata across multiple layers (network, cloud, endpoint) is used, namely information that is indexable, ready to query, and faster to analyse, due to its structure. It gives access to data across multiple axis for cross-session relations, multi-faceted related attributes, and behavioural event sequences and frequency. It also opens the door to detailed retrospective analysis of specific security events based on new threat intelligence.
While useful on its own, metadata is most effective when used to inform strategy for other emerging technologies, such as deception. With the information gleaned from analysis of metadata, attacker movement throughout the network, and attacker targets/priorities, organisations gain an information advantage against their attackers, allowing them to set traps where they know attackers are likely to be moving. A level of proactivity is enabled that is practically impossible when all the security team has at its disposal is a large set of jammed together legacy tools.
Tactics such as threat hunting also become more viable, as incident responders can address attacks and investigate events in a quicker, more efficient, manner. If integrated within a streamlined, single-pane, security solution, metadata also helps mitigate against some of the hardships related to the skills gap. Alert investigation and resolution is made speedier, and solutions collect and store rich metadata that can be easily searched for deeper investigation and hunting efforts.
Catching cybercriminals off-guard
In summary, it is becoming increasingly difficult for enterprises to collect and profile all activity across both the digital attack surface of the organisation, as well as firewalled corporate networks and endpoints. However, advanced persistent threats are not going anywhere, and fighting them will require reactive security capabilities to be more predictive and proactive.
Ideally, response capabilities should be automated in order to respond in cyber relevant time and be fuelled by continuous collection and analysis of metadata able to provide the real-time visibility necessary to catch malicious actors off-guard.