Over the last few years we have learned how hard information security has become. Attackers have many vectors into an organization, and some have more resources and capability than the organizations they attack. They also have more time and a narrower focus than any defender, which produces the current state in which organizations are “under attack all the time.” Successful information security is hard work, lots of hard work; the days when technology alone would save the day and let you sleep well at night are gone. So where should an organization start? What should it focus on? What will actually make a difference? The honest answer is one of everything plus many more people, but that is neither practical nor fiscally responsible for any organization. So let us develop a few tenets for security.
Every organization is different and therefore needs a different security program. There is never “one size fits all”; a security program is always custom-tailored, or at least adjusted, to fit the organization. Security has three simple areas: people, processes, and technology. Most of an organization's effort goes into new technology, when all three areas deserve equal attention. Just as there is legacy technology, there are legacy processes that are no longer needed or should change, and places where a new process is needed.
The first step toward better security is to have a plan; doing security ad hoc just makes a mess of the organization and its capabilities. So let us focus on an area that is often overlooked and will most likely bring the “biggest bang for the buck”: the endpoint. Attackers want to access and control your endpoints, because that is where your credentials, information, and trust are stored. Preventing compromise outright is close to impossible today, so enhanced visibility into endpoints is a requirement for any security program.
Why do they target endpoints rather than servers or the network? The cybercrime war is fought on the endpoints. It is the easiest vector into an organization: often you are attacking the end user, and often from outside the organization, which puts you outside many of the protections the organization has in place. Adding visibility to these targets is therefore essential to a successful cyber security program. At the most basic level, we are simply figuring out what each device is doing 24 hours a day, including what happens at the hotel, the coffee shop, or home. That makes the search for cybercriminals on your devices easier and, in many cases, shortens the time to respond, which limits the damage.
Many times, when you find an endpoint that an attacker has compromised, the next step is to figure out how it happened, whether anything was taken, and whether the attacker has already moved to another endpoint. In many cases the attacker has taken the information and erased his or her tracks or hidden the malware; this forces you into a slower forensic reconstruction of what happened, which can also be very expensive and time-consuming.
The ability to look for traffic to an IP address, a running process, or an executable on every endpoint in your environment is the new requirement for a cyber security program. These are simple and efficient checks, yet many organizations struggle with them because the information lives in disparate sources and the security technologies in place were not designed for the task. This gives cybercriminals a huge advantage over the organization and usually results in a longer and more widespread compromise, and therefore more damage.
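As an added example (not code from the original article), here is the sweep described above in miniature: telemetry from two differently shaped sources, an EDR-style process feed and firewall log lines, is normalized into one record type and then searched for all three kinds of indicator at once. Every hostname, path, IP address, hash and log line is constructed for illustration, and the field names are assumptions about what such feeds might contain.

```python
"""Sweep normalized endpoint telemetry for indicators of compromise.

Added example, not from the original article. Record formats, field names,
hostnames, IPs, hashes and log lines are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One normalized endpoint event, whatever source it came from."""
    host: str
    kind: str         # "process" or "netconn"
    process: str      # image file name, lower-cased
    sha256: str       # executable hash ("" when the source has none)
    remote_ip: str    # destination address ("" for process events)


@dataclass(frozen=True)
class Indicators:
    """The three indicator kinds the article says a sweep must support."""
    ips: frozenset
    processes: frozenset
    hashes: frozenset


# Constructed feed 1: an EDR-style process inventory (dicts with full paths).
EDR_PROCESS_FEED = [
    {"hostname": "LAPTOP-17", "image": "C:\\Windows\\System32\\svchost.exe",
     "sha256": "aaa111", "pid": 812},
    {"hostname": "LAPTOP-17", "image": "C:\\Users\\jdoe\\AppData\\Roaming\\update.exe",
     "sha256": "bad0c0ffee", "pid": 4410},
    # Same binary (same hash) dropped under a different name on another host.
    {"hostname": "DESK-042", "image": "C:\\Users\\asmith\\Downloads\\invoice.exe",
     "sha256": "bad0c0ffee", "pid": 2201},
    {"hostname": "DESK-043", "image": "C:\\Program Files\\Foo\\foo.exe",
     "sha256": "cafe1234", "pid": 3100},
]

# Constructed feed 2: host firewall log lines (key=value text, no hashes).
FIREWALL_LOG_LINES = [
    "2024-05-01T10:00:01Z host=LAPTOP-17 proc=update.exe dst=203.0.113.45:443 action=allow",
    "2024-05-01T10:00:07Z host=DESK-043 proc=foo.exe dst=198.51.100.9:443 action=allow",
    "2024-05-01T10:02:13Z host=KIOSK-01 proc=powershell.exe dst=203.0.113.45:8443 action=allow",
]


def normalize_edr(feed):
    """Reduce full image paths to a file name so both feeds compare alike."""
    for rec in feed:
        image = rec["image"].rsplit("\\", 1)[-1].lower()
        yield Event(rec["hostname"], "process", image, rec["sha256"].lower(), "")


def normalize_firewall(lines):
    """Parse key=value tokens after the timestamp; strip the port from dst."""
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        ip = fields["dst"].rsplit(":", 1)[0]
        yield Event(fields["host"], "netconn", fields["proc"].lower(), "", ip)


def sweep(events, ioc):
    """Return {host: sorted list of matched indicators} across all events."""
    hits = {}
    for e in events:
        matched = []
        if e.remote_ip and e.remote_ip in ioc.ips:
            matched.append(f"ip:{e.remote_ip}")
        if e.process in ioc.processes:
            matched.append(f"process:{e.process}")
        if e.sha256 and e.sha256 in ioc.hashes:
            matched.append(f"sha256:{e.sha256}")
        if matched:
            hits.setdefault(e.host, set()).update(matched)
    return {host: sorted(m) for host, m in sorted(hits.items())}


def run_sweep():
    """Combine both constructed feeds and sweep them with constructed IOCs."""
    ioc = Indicators(ips=frozenset({"203.0.113.45"}),
                     processes=frozenset({"update.exe"}),
                     hashes=frozenset({"bad0c0ffee"}))
    events = list(normalize_edr(EDR_PROCESS_FEED)) + list(normalize_firewall(FIREWALL_LOG_LINES))
    return sweep(events, ioc)


if __name__ == "__main__":
    for host, matches in run_sweep().items():
        print(host, ", ".join(matches))
```

The hash indicator is what catches the renamed binary on DESK-042, and the IP indicator is what catches KIOSK-01, where neither the process name nor a hash matches anything; a sweep that keys on only one of the three would miss one of those hosts, which is why the feeds have to be normalized into a form where all three can be checked together.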
The battle is not won by technology alone, so once you have gained visibility you have solved only part of the problem. You now need a plan to respond to what you have found. This can be a chaotic and time-consuming process; in some cases an unplanned response does more damage than the issue it is meant to solve, by destroying evidence, alerting the attacker, or even provoking the attacker into more destructive actions. Creating a plan for what the organization should do when the attacker is found is much more important than the tools that give you visibility on the endpoint.
We have moved from a “you may be attacked” to a “you have been attacked” cyber security strategy. Looking across your endpoints gives you the visibility you need to find the attackers lurking in your environment. A clear response plan is required, because without one you will be overrun with alerts and alarms and the pressure to act quickly, which results in ignored alerts, long delays, or more damage. Visibility at the endpoint is the key to detecting and defeating the attackers.