The idea that the enterprise perimeter can be secured in the increasingly hybrid world of IT is a fallacy; it should be accepted as such, and we should all just move to a zero trust model. However, rebuilding multiple decades of systems, infrastructures, applications, and processes to get to this intrinsically better position is not an overnight task.
Available time and budget are finite, and many organisations want to understand what they can do now to triage a bad situation and build a foundation for a better longer-term approach. Perhaps the biggest challenge is the lack of human resources in the form of skilled infosec experts who can help make these fundamental changes.
Security industrial revolution
A fundamental concept within every business is the desire to reduce the time it takes to carry out a task. Whether it’s looking up a customer record to process an order or an industrial application within a factory assembly line – reducing the number of steps a task takes and carrying out each step more quickly than previously is an overarching goal. In many ways, cyber security has a similar broad goal but with an additional factor of a potential adversary that is actively trying to find weaknesses within complex processes to exploit.
As the level of complexity around cyber security has risen, due to the accelerated adoption of Cloud and SaaS applications coupled with employees’ ability to now work from anywhere, the natural response is to deploy more tools that can carry out some of the common security tasks more efficiently. In some cases, such tools are the only practical means of inspecting huge amounts of data for malware, phishing attempts, and other forms of attack.
However, it’s not just the defenders that are ‘tooling up’ to protect systems. Attackers are also deploying their own automated systems, including sophisticated techniques such as ‘fileless’ malware that abuses legitimate programs to infect a computer, and smarter malware that can autonomously roam within networks looking for exploitable weaknesses, assisted by botnets designed to distract defenders with waves of DDoS attacks.
The last few decades have largely been a case of cat and mouse, attack and parry, and along the way the proliferation of tools, on both sides, has grown.
Although recent standards such as OAuth and SAML have made it easier for security systems to communicate, most vendors would rather the customer buy the entire stack from their respective portfolios – meaning that integration is still rather limited.
And without different security systems sharing information about what is happening within an enterprise environment, there is a danger that infosec teams will overlook small, seemingly unconnected incidents that, when looked at in aggregate, indicate a breach. It is like detectives working on an investigation but not sharing the forensic evidence, witness statements or CCTV footage, each trying to work out on their own whether there has even been a crime.
Trust and openness
However, the last few years have seen a couple of emerging trends that are starting to push the balance in favour of the cyber defenders. One of the most significant is the rise of zero trust, which favours the mantra of ‘Never trust, always verify’. In basic terms, zero trust verifies every connection between a user and a system via a validation method, whether that request comes from within or outside the corporate network perimeter. However, zero trust alone does not help with the more insidious attacks that originate from disgruntled insiders, new zero-day vulnerabilities or more stealthy approaches that may well have compromised key security elements such as VPNs or firewalls.
In response, a new category of security technology is emerging under the name Extended Detection & Response (XDR). XDR takes its heritage from Security Information and Event Management (SIEM) systems, which have been around since the late 1990s, but adds more intelligence and automation. Where a SIEM tends to be a passive collator of information, Open XDR actively analyses and responds to issues by directly communicating with, and triggering the actions of, many different security tools. The ‘Open’ prefix refers to XDR systems that can integrate with your existing security tooling across a wider range of vendors. This includes SIEM, EDR, NDR, third-party apps, multi-cloud environments, etc., using open APIs rather than single-stack solutions that assume all security tools stem from a single supplier. Open XDR systems enable you to get increased value and seamless integration across your existing toolsets and remove the need to rip and replace current technologies to embrace the benefits of XDR.
Fewer tools, more brains
However, unlike the proliferation of security tools that has been inching forward over the last decade, XDR also aims to allow for tool reduction by getting more value out of a smaller number of tools. In addition, XDR can potentially allow a faster response to an issue. For example, imagine a malicious or compromised insider that has valid credentials to access an environment. The attacker is on the network moving laterally to identify a target and, because of some anomalous activity, triggers an alert. With every access request to a resource undergoing thorough, real-time evaluation within the zero-trust environment before access is permitted, the ability to identify each stage of a potential threat’s traversal and then block it using automation increases not only accuracy, but also the speed of containment.
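As an added illustration of the two points above (siloed tools missing what is visible in aggregate, and the insider scenario being detected and contained across tool boundaries), the following example is not code from the article or from any Open XDR product. The source names (idp, edr, ndr), event scores, thresholds and response action names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (timestamp, tool, user, signal, score): each a minor anomaly alone.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "idp", "alice", "login_from_new_device", 2),
    ("2024-05-01T09:05:00", "edr", "alice", "share_enumeration", 3),
    ("2024-05-01T09:07:00", "ndr", "alice", "smb_to_5_new_hosts", 3),
    ("2024-05-01T09:09:00", "idp", "alice", "admin_group_lookup", 2),
    ("2024-05-01T11:00:00", "edr", "bob", "share_enumeration", 3),
    ("2024-05-02T09:00:00", "idp", "bob", "login_from_new_device", 2),
]
WINDOW = timedelta(minutes=30)
PER_TOOL_THRESHOLD = 5    # score an isolated tool needs before it alerts (assumed)
CORRELATED_THRESHOLD = 8  # aggregate score across tools for one user (assumed)

def per_tool_alerts(events, threshold=PER_TOOL_THRESHOLD):
    """Siloed view: each tool sums only its own signals per user."""
    totals = defaultdict(int)
    for _, src, user, _, score in events:
        totals[(src, user)] += score
    return sorted(k for k, v in totals.items() if v >= threshold)

def correlate(events, window=WINDOW, threshold=CORRELATED_THRESHOLD):
    """Cross-tool view: sliding time window per user over all sources."""
    by_user = defaultdict(list)
    for ts, src, user, signal, score in events:
        by_user[user].append((datetime.fromisoformat(ts), src, signal, score))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            score = sum(e[3] for e in in_win)
            sources = sorted({e[1] for e in in_win})
            # two or more independent tools must agree, not just raw volume
            if (score >= threshold and len(sources) >= 2
                    and score > findings.get(user, {}).get("score", 0)):
                findings[user] = {"score": score, "sources": sources,
                                  "signals": [e[2] for e in in_win]}
    return findings

def plan_response(findings):
    """Containment actions to hand back to the tools (action names are assumed)."""
    actions = []
    for user, f in findings.items():
        actions.append(("revoke_sessions", user))        # identity provider
        if {"edr", "ndr"} & set(f["sources"]):
            actions.append(("isolate_endpoint", user))   # EDR / NDR
    return actions
```

On the constructed events, `per_tool_alerts` returns nothing because no single tool sees enough, while `correlate` flags the user whose identity, endpoint and network signals line up within one window, and `plan_response` turns that finding into the automated containment steps.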
Deploying an Open XDR platform can be a complex process, and as such organisations have instead chosen to deploy managed service-based solutions that reduce deployment times and help support in-house infosec teams with additional third-party expertise.
Although XDR can help, for organisations struggling with the here and now, there are a couple of potential activities to consider. The first step should be to conduct a security audit and, although there are many frameworks, the Center for Internet Security (CIS) Top 20 Critical Security Controls is a well-rounded starting point to kick-start the process. Another useful initial step is to conduct a basic risk and threat assessment. There are some that are “open-source” and those that are proprietary; however, they all try to answer the following questions.
· What needs to be protected?
· Who/what are the threats and vulnerabilities?
· What are the implications if they were damaged or lost?
· What is the value to the organisation?
· What can be done to minimise exposure to the loss or damage?
Risk assessment is a core component of standards such as ISO 27001 but even outside of gaining compliance, carrying out a basic threat and risk assessment can help to focus staff and resources on protecting against the most potentially damaging attacks.
These two steps in concert can help to triage a bad situation and build a foundation for a better longer-term strategy. This may well involve a shift towards a zero trust approach to security, but this groundwork will also highlight just how many overlapping tools are in use, and also offer a way to consolidate and gain more value through the use of Open XDR systems.
What is clear is that there is no single magic bullet that will solve all the security issues. More visibility into the environment and user behaviour, combined with a more connected security posture that includes methods of automatically detecting and reacting to threats, offers a viable path for the here and now.