Nowadays news about threats and attacks on information systems is continuous, and it makes one realize how exposed we are. Every day it becomes harder to build confidence in our information systems, and their surveillance and protection must be a permanent task.
We always go after "the bad guys"; we are reactive. Given current threats and their continuous evolution, we must take a proactive stance and go after the attacker.
We must provide companies with tools and solutions that facilitate the "hunt" and that provide knowledge about weaknesses and context about threats. In this way we give value to what we already know when it comes to mitigating attacks, and we automate the responses to them.
In addition, we must bear in mind that attacks and threats do not necessarily come only from outside the company but also from its employees, another link in the chain and not always the weakest one. On the contrary, employees are another line of defense that must be prepared, cared for and made aware.
The devices from which employees access company systems should be protected and even hardened (securely configured). Workers who bring their private devices may be using non-corporate cloud applications or private credentials and moving company information over the Internet without any control.
I don't want to leave out information leaks by disgruntled employees, or leaks made for unclear purposes.
There is a whole set of resources at our disposal to defend ourselves (monitoring, Threat Intelligence, Threat Hunting, SOAR, Machine Learning, UEBA, deception...) but, a priori, using them is not so easy.
Large companies, given the amount of information they handle, their huge IT teams, the number of customers they have, the services they provide, their reputation, etc., have the resources and, above all, a management that is aware of the implications and current challenges of cybersecurity.
However, SMEs, with fewer resources directed mainly at their core business, generally do not pay attention to their cybersecurity until they become aware of its importance, and that awareness generally does not come the easy way.
Among SMEs we find companies that have neither the resources nor the knowledge needed to protect their data and information systems with any guarantee.
Threats affecting SMEs
According to a survey by CEPYME (Spanish Confederation of Small and Medium Enterprises), 33% of the sample has experienced a ransomware attack, and 75% of the organizations infected with ransomware were running up-to-date endpoint protection, i.e. their antivirus was up to date.
The four most common threats affecting SMEs are:
- Disgruntled employees: the biggest security risk for any organization; they know where their company's valuable data is stored and how to access it.
- Careless employees: another big risk, through sharing passwords, not keeping them safe, or opening malicious emails that can inject malware into the company. These are some examples of what to avoid. They are not malicious attacks, but they represent a critical point for the company's security.
- Infrastructure that is not updated: attackers are active every day, are very productive, and target any point of the company's infrastructure, whether hardware or software. It is vital to keep systems updated, practically in real time, since vendors are continually releasing patches to close security holes. Even for internally developed applications, it is necessary to adopt a culture of secure development and continuous vulnerability analysis in order to solve and mitigate any security problem.
- The security perimeter: the company's perimeter has changed, because more and more users/employees use their personal devices to connect to company systems or work directly from outside the company (from home or from any point with an Internet connection). It is key to know what precautions to take when building a secure IT infrastructure for a remote workforce.
SMEs face the same security challenges as larger organizations (ransomware, intrusion prevention, spam, phishing, etc.), yet they do not have the resources to invest in a robust infrastructure.
Mitigating threats
Getting down to business, what are the steps to follow to mitigate cybersecurity threats?
- Awareness: it is basic to know what cybersecurity is and how it can affect us, covering all possible attack vectors, involving users/employees in the problem and teaching them how to detect and deal with it.
- Gathering information: systems, both software and hardware, rely on and move information. This characteristic must be used to obtain complete telemetry of the information systems, in order to search for threats, correlate events, learn how and where they come from and, of course, propose actions to mitigate the effects of an attack.
- Prevention: taking measures so that incidents caused by attacks do not occur frequently, whether by reinforcing access control to data or applications, backup plans, endpoint protection, etc.
- Detection: thanks to continuous monitoring of systems and real-time analysis of the collected telemetry, any suspicious activity can be detected.
- Correction: addressing what allowed the attack to occur, so that it cannot happen again.
Although these phases, focused on prevention and detection, are the ones traditionally used in cybersecurity, they must be complemented with new ways of dealing with risk that match the new threats.
Adaptive Security
In today's digital world, predicting new threats and automating cybersecurity responses and practices, so as to free up specialists' time to analyze and resolve the most complex incidents, is key to staying ahead of an expanding universe of threats and risks.
In addition, relying only on perimeter defenses for prevention and detection, and on rules-based security such as antivirus and firewalls, becomes less effective as organizations increasingly use cloud-based systems and open application programming interfaces (APIs) to build modern enterprise ecosystems. IT simply no longer controls the boundaries of an organization's information technology the way it used to.
Therefore, the incident response mentality of many organizations, which treat security incidents as one-time events, must change to a posture of continuous response.
It must be assumed that the organization will be compromised and that the attacker's ability to penetrate systems is never fully countered.
Continuous monitoring of systems and behavior is the only way to reliably detect threats before it is too late. This is Adaptive Security, the model defined in Gartner's Adaptive Security Architecture.
This continuous approach, however, generates a huge volume and variety of data at a great rate. Advanced analytics will be the foundation of next-generation security protection, and Gartner predicts that by 2020, 40% of large organizations will have established a "security data warehouse" to support this function.
Machine Learning
The correct treatment of data, together with Machine Learning techniques (which basically consist of automating, by means of different algorithms, the identification of patterns or trends hidden in the data), makes it possible to foresee and identify attacks more effectively and quickly.
Through these Machine Learning processes it is possible to improve the monitoring and correlation of events in SIEMs (Security Information and Event Management), tools capable of capturing practically every type of data and event in our information systems and, through correlation, monitoring and alerting on any type of incident, generating alerts and/or actions to mitigate the problem.
If user behavior analytics (UBA) tools are added as well, capturing where users access from, what they access, when and how, all the technologies and tools described above together form an effective barrier against cyberattacks.
CSVD and SOAR tools
At this point, the investment in equipment, knowledge and human resources can be prohibitive for SMEs, and the solution comes from managed security providers (MSPs).
The benefits of an MSP are: a high-quality service, the most secure solutions, no need to invest in new infrastructure, leveraging the potential of the cloud, protection of the entire network from the endpoints to the cloud and, of course, the provider's level of expertise in the field.
A3Sec has extensive experience in data processing, localization and management, which allows you to gain full visibility into your operations. Technologies such as Machine Learning, UBA and action automation (SOAR) allow us to approach our clients' cybersecurity proactively, ensuring fast and effective decision-making in the face of incidents or threats and minimizing the impact of risks on the client.
From our Digital Security and Surveillance Center (CSVD) we are able to monitor our clients' IT infrastructure, covering vulnerability management and tracking, security event management, brand surveillance and fraud management, and completing the defense with prevention, detection and response systems as well as SOAR orchestration tools.