Boost security by detecting active compromises

A huge surge in large-scale ransomware attacks, such as the recent WannaCry, Petya and variations thereof, coupled with massive data breaches such as Verizon, Deloitte and, closer to home, Hetzner, is highlighting in no uncertain terms how crucial security solutions are to businesses of every type. “However, prevention technologies are no longer strong enough weapons in the fight against cybercrime,” says Simon Campbell-Young, Sales Director at Credence Security.
“The increasing frequency and growing sophistication of threats is ensuring that traditional security tools are simply not enough to prevent the worst consequences of data breaches. We are seeing a burgeoning flood of threats – malware, ransomware, APTs and others drowning today’s enterprises, and it is becoming critical that any security efforts include solutions that detect any active compromise within the IT environment.”
He says this is why adding forensics to the security mix is so important. “A vigorous security programme needs to focus on incident detection and response. Organisations have to face the reality that it is only a matter of time before they suffer a security incident. The days of thinking ‘it’s not going to happen to me’ are over.”
According to him, the importance of incident response planning and forensics should not be underestimated. “In any size or type of business, if a security event should happen, those whose job it is to respond and investigate must be prepared to follow a structured, effective and informed process.”
He says companies should spend some time considering how well an IT environment’s configuration and security controls would support a forensics exercise, should the worst happen and the organisation fall victim to a breach. “This understanding will have a significant impact on the cost and disruption experienced in the event that a breach does occur. Being prepared could be the difference between a company remaining open, and closing its doors. Permanently.”
Physical and digital forensics have the same key aim – to prove exactly what happened during the event in question, and to attribute actions to a specific person, allowing for a response that is effective and appropriate. Doing this means relying on getting data and being able to analyse it quickly, Campbell-Young says.
He adds that this cannot happen without gaining visibility. “It’s impossible to protect what you can’t see and what you don’t know about. Yes, total network visibility, both internal and external, isn’t easy to achieve and is an onerous task. However, it’s far less onerous than dealing with the fallout in the wake of a breach. Less costly too, believe me. Understand which systems and technologies your business employs, as well as the type of data that you are collecting and storing. This will help you to grow the intelligence you need to shape your response plan.”
Next, implement centralised logging, even though this too takes a lot of time and effort. “It’s worth it. Centralised logging is a vital link in the incident detection chain. Log analysis and endpoint monitoring solutions are key to any security posture, as they unite the crucial security event sources to make deep and thorough analysis a possibility,” Campbell-Young says.
He also says to monitor the whole attack surface. “There are myriad services and tools that have been introduced to the company’s network, and all these sources – devices, the cloud, applications – need to be data sources to be used for forensics and incident detection. The more data you have, the better you will be able to pinpoint any anomalous and suspicious activity on the network, and the better your chances of detecting a breach before it does any real damage will be.”