In the past, computer networks were often compared to candy with a hard, crunchy outside and a soft, chewy center. This refers to a perimeter-based security model, where a firewall or some other form of perimeter protection (the hard shell) is put in place to protect the trusted internal systems (the soft, chewy center) from the untrusted Internet.
This used to be the model. The reality is that networks no longer have a perimeter. Organizations span multiple geographic locations, often leverage multiple operating systems, provide remote access to employees and trusted vendors, host customer portals and websites, and maintain customer and business information. We have a mobile workforce with laptops, tablets, and smartphones. We also have myriad specialized devices and applications across many areas, including manufacturing, research, energy, government, health care, finance, and environmental control (HVAC). And now there’s the new kid on the block, the “Internet of things” (IoT), with its connected devices. (Yes, your breakroom coffee pot just might be online.) These are all connected to the organization’s network in one shape or form, and all require a level of protection against attacks. No matter how large or small your organization is, defending it against determined attackers and malicious insiders can be complex.
As critical servers and services become better protected, insiders and outside attackers are focusing on easier targets: the soft, chewy center. Often that’s the end users themselves. Humans are typically the weakest link in any cybersecurity protection plan, and we can see this in the continual rise — and success — of phishing attacks, which often lead to credential harvesting, the installation of malware, or the installation of ransomware.
Consider these two real-life examples:
- It’s very early in the business day, the help desk is not open yet, and IT staff have not arrived. A targeted phishing email purporting to be from an internal C-suite staff member is sent to the entire organization. The link in the email takes recipients to an authentication page for Office 365, which the attackers are using to capture usernames and passwords. A lot of the early-arrival staff click on the Web link in the phishing email.
- An organization just terminated a member of its IT staff. The IT staff person became surprisingly combative during the termination process. The organization is now concerned about what this former staff member might have been doing on the network, including the access that person might have had to client data.
The question is, do these organizations have the tools in place to answer questions like:
- How many people clicked the Web link in the phishing email?
- How many people not only clicked the Web link, but also entered their credentials?
- Does clicking the Web link do anything else (e.g., download multistage malware, enable unauthorized remote control, or exfiltrate organizational data)?
- Did the IT staff person set up unauthorized remote access?
- Did the IT staff person access information they were not granted rights to (e.g., PHI)?
- Did the IT staff person exfiltrate data in any way (e.g., via Dropbox or USB)?
- Did the IT staff person modify any systems in an unauthorized way?
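For the phishing scenario above, the first two questions can be answered from web-proxy logs if the phishing page's host name is known. The following is an added example, not part of the original article: it parses a constructed, hypothetical proxy log format (timestamp, user, method, URL, status, bytes sent) and separates users who merely reached the page (a GET) from those who submitted the credential form (a POST with a request body). The host name is a constructed placeholder, and the approach assumes the proxy logs full URLs and methods (TLS inspection), since otherwise only CONNECT records to the host would be visible.

```python
import re

# Constructed sample proxy log (hypothetical format), not real data.
# Fields: timestamp user method url status bytes_sent
SAMPLE_LOG = """\
2024-03-04T06:52:11Z alice GET https://login-office365-verify.example/auth 200 0
2024-03-04T06:52:40Z alice POST https://login-office365-verify.example/auth 302 312
2024-03-04T06:55:02Z bob GET https://login-office365-verify.example/auth 200 0
2024-03-04T06:58:19Z carol GET https://login-office365-verify.example/auth 200 0
2024-03-04T06:58:45Z carol POST https://login-office365-verify.example/auth 302 298
2024-03-04T07:01:03Z dave GET https://intranet.example/home 200 0
2024-03-04T07:03:27Z bob GET https://login-office365-verify.example/auth 200 0
"""

# Placeholder host taken from the phishing email's link (constructed).
PHISH_HOST = "login-office365-verify.example"

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")


def parse_proxy_log(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, method, url, status, sent = m.groups()
        yield {
            "ts": ts,
            "user": user,
            "method": method,
            "host": url.split("/")[2],  # "https://host/path" -> host
            "status": int(status),
            "bytes_sent": int(sent),
        }


def phishing_triage(log_text, phish_host):
    """Return who reached the phishing page and who posted a form to it.

    Each mapping is user -> first timestamp seen, so responders can
    prioritise password resets by submission order.  A POST only shows
    that a form was sent; it cannot prove the credentials were valid.
    """
    clicked = {}    # user -> first request to the phishing host
    submitted = {}  # user -> first POST with a request body
    for e in parse_proxy_log(log_text):
        if e["host"] != phish_host:
            continue
        clicked.setdefault(e["user"], e["ts"])
        if e["method"] == "POST" and e["bytes_sent"] > 0:
            submitted.setdefault(e["user"], e["ts"])
    return {"clicked": clicked, "submitted": submitted}
```

Running `phishing_triage(SAMPLE_LOG, PHISH_HOST)` on the constructed log reports three users who clicked and two who submitted the form.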
The answer is that organizations typically have a few tools at their disposal that help answer the questions above, but not a tool that provides the deepest level of information. Most often missing is a managed detection and response solution that leverages agents installed on endpoints to provide a comprehensive view into the activity occurring on endpoints within the network (e.g., servers, workstations, laptops, and point-of-sale systems).
With the right managed detection and response solution, organizations can centrally:
- Identify malicious software that is running but hidden from the operating system and user (e.g., rootkits).
- Automatically prevent execution of currently unknown malware (i.e., zero-day malware).
- Examine the contents of memory on any managed device. A significant amount of malware executes only in memory and never writes anything to disk, which prevents traditional antivirus programs from detecting it.
- Search across the entire network to quickly identify suspicious files and processes. Searches can be done with keywords, file names, malware signatures, hash signatures, or malware-identification rules.
- Block exfiltration of organizational data to online sharing sites, USB drives, or printers (i.e., data loss prevention).
- Identify which end-user activity, such as files opened or Internet sites visited, might have led to an issue.
- Proactively block the execution of unauthorized programs, allowing only authorized programs (i.e., whitelisting).
- Examine activity across the organization’s network.
- Prevent a potentially infected endpoint from communicating on the network until an examination has occurred.
- Prevent or limit the impact of phishing attacks.
- Identify sensitive organizational data stored in locations it should not be and enforce the organization’s data classification and retention policies.
- Remediate the fallout from any attacks across the entire network.
A well-thought-out implementation of managed detection and response — along with existing tools like firewalls, log and patch management, antivirus protection, and written policies — will help organizations protect the soft, chewy center of increasingly complex networks.
If you want to learn more about how your business can better protect itself through managed detection and response, contact Wipfli.