Patch me if you can: Cyberattack Series
The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
This post was authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group
Headlines highlighting how vulnerable we are to cyber threats are now all too commonplace. The statistics on security events and successful network breaches continue a trend that favors attackers. These bad actors are getting faster at network compromise and data theft while their dwell times inside networks have increased to over 200 days according to most of the major annual cybersecurity reports. The result of these voluminous and persistent threats has been hundreds of millions of dollars in lost business alone without counting the long term costs of diminished customer and citizen confidence.
Still organizations may face even greater risks as they try to fend off sophisticated attackers against a backdrop of an ever expanding network footprint. The new network now includes myriads of personal devices, virtualized workloads, and sensors that represent rapidly increasing points of connectivity as well potential compromise.
When considering these trends, it is clear that the traditional means of protecting organizations are not as effective as they once were. Static access controls like firewalls and intrusion prevention systems placed at network ingress and egress points are being easily evaded by attackers because the communications paths in and out of networks are too complex and dynamic. Also broad use of personal devices inside corporate networks has dissolved what used to be a hardened network boundary. We no longer conduct business within a perimeter of highly controlled, corporate-issued end user devices that gain access only under the strictest of authentication and authorization controls. Instead, the modern enterprise enables dynamic communities of employees, contractors, business partners and customers as well as their data and applications, all connected by an agile digital fabric that is optimized for sharing and collaboration.
In today’s networks then, we have to consider that identity is the new perimeter to be protected. Identity in this case does not mean only the device and its physical location but also the data, applications and user information it contains. Given that 60% of all breaches still originate at an endpoint compromised through a phishing scam or social engineering attack, it is no wonder that a risk mitigation strategy with identity at its center, is top of mind for many business and technology leaders.
In fact, cyber security is a boardroom level agenda item today. Business leaders want to ensure that they have in place the investments necessary to protect intellectual property and customer data, keeping their businesses out of the headlines that damage reputation and affect profitability. CIOs and CISOs feel caught between seemingly opposing goals of enabling digital transformation while protecting data and intellectual property at all times. These are concerns they share with their teams in IT and operations who feel equally burdened to balance performance and accessibility with rightful and appropriate resource use. Cybersecurity as we have all come to understand, can be either a critical barrier or key enabler to an organization’s ability to be productive. Current top of mind concerns for protecting the modern enterprise coalesce around 5 key areas: infrastructure, SaaS, devices, identity and response.
Going to the cloud does not mean relinquishing security control or accepting a security posture that is less secure for cloud-hosted workloads relative to premised ones. In fact, the selection of cloud provider can mean having access to the very latest in security technologies, even more granular control and faster response than is possible with security in traditional networks. As a first step, security stakeholders need to understand how sensitive and compliance intense their cloud-hosted workloads and data are. They should then opt for access controls that limit use to only that which is business appropriate and emulate those access policies already in place for premised workloads. Enrolling in cloud workload access monitoring will also ensure that any events which are a deviation from desired security policies can be flagged as indicators of possible compromise. Cloud users should also be familiar with the security technologies offered by their provider whether native or through partnership. This gives cloud users options for implementing the kind of multi-tiered security architecture required to ensure least privilege access, inspect content and respond to potential threats.
Key takeaways
2. SaaS – Whether a business is hosting critical workloads in the public cloud or not, its employees are surely using applications there. The convenience and ubiquity of these applications means broad user adoption for the ease of information sharing and collaboration they enable. As a result, important, security and compliance intense data maybe making its way to the public cloud without security stakeholder knowledge. The question from businesses then is: “How do I protect my corporate data?”
Organizations want to make sure their employees are as productive as they can be. To that end many are allowing them to bring their own devices and even their own applications into the network. This agility comes with some added security risk. Fortunately, there are ways to mitigate it. Ultimately the goal is to derive all of the benefits these SaaS applications offer without violating company use and compliance policies for data sharing and storage. Additionally, firms must ensure that employees’ use of SaaS apps does not unwittingly enable data exfiltration by bad actors. Limiting risk comes down to enacting a few of the basics that ensure safe use. For starters, there’s a need to identify which SaaS applications are in use in the network and whether they are in line with company policy or on a safe list. Granular access rights management will limit the use of even the safe apps to those persons who have a business need for them. Where possible, policies should be in place that require data to be encrypted when at rest, especially if it is being stored in the cloud. Having the ability to periodically update the safe lists of apps and monitor all use, can potentially alert security administrators when those applications which are unsanctioned appear among an organization’s communications. With these types of facilities in place stakeholders maybe be promptly alerted to unsanctioned application use. At times, unwanted application use will be detected. This is the time to block those applications, modify or deprecate privileges allowing access to them and as a further precaution remotely wipe or delete data stored through use of those applications.
Key takeaways
3. Devices – Smartphones, tablets, self- sourced laptops, these are the new network perimeter and at times its weakest links. Whether owned by the organization or not, they most certainly contain business valuable data that is at high risk. Because mobile devices often connect from public networks and may not have the most up to date protections, these endpoints are popular targets for the installation of botnets or malware. Use of personally sourced devices is a new and seemingly permanent reality prompting organizations to broadly ask “How do I keep company information secure?”
Many years ago, risk from mobile devices was ameliorated by installed agents and thick clients that provided security controls right on the device itself in a centralized way. Today, with employee self-sourced devices, the installation of such clients is not always feasible. Still today’s security administrators have to accommodate a heterogeneous end-user device environment comprised of various form factors and OSes while applying consistent and organizationally sanctioned controls to all of them. A cloud-based approach can provide a lot of flexibility and control here. From the cloud, endpoint connectivity to network resources can be centrally managed through security policies that restrict where devices can go based on their security posture, installed protections or location-based access rights. Command of devices from a central location ensures not only consistent policy enforcement but automation so that when anomalous device behaviors or connection patterns are detected, centralized command can restrict access, quarantine the affected device and even wipe it clean so that the threat is fully contained.
Key takeaways
4. Identity – Despite all of the investments organizations make in security and threat mitigation, identity will be compromised. The latest data tells us that way too many of us click on links and attachments that we should not. From that point on, the bad actor has gained a foothold in the network and may set about moving laterally, looking for sensitive information to steal while impersonating the legitimate user. This common scenario is what makes many businesses ask: “How can I ensure identity protection?”
All of the major cybersecurity reports and indices point to this as the most common component of a data breach – the stolen identity. A security strategy for any organization or business needs to have this as a central tenet. The protection and management of credentials that give resource access to customers, employees, partners and administrators is foundational to sound security practice. Implementing multi-factor authentication broadly for all applications and services is a good starting point. It should nevertheless be complemented by facilities for monitoring authentication and authorization events not only for users but also and especially for privileged users and administrators. This type of monitoring offers the best opportunity to identify attempts by attackers trying to move laterally through privilege escalation. Once flagged as suspicious and anomalous, optional automated response can ensure that access requirements are elevated on the fly and privilege escalation requests are verified as legitimate.
Key takeaways
5. Response – Each year organizations are subjected to tens of thousands of security events making the business of protecting critical assets continuous. Given that threat dwell times are 200 plus days, bad actors have ample opportunity to move “low and slow” throughout networks after the initial compromise. Naturally security administrators and stakeholders are left to ask: “How can I better respond to ongoing threats?”
The potency and frequency of today’s cyber threats requires a security strategy build on the assumption of compromise. A network or device may not be breached today but remains at risk so the process of protecting, detecting and responding to a breach is a continuous one. The data that is being exchanged by end points and shuttled among data centers and hybrid clouds contains a lot of information about the security state of those endpoints and resources. The key to unlocking that intelligence is analytics and specifically the type of analytics that is made possible through machine learning. Having the ability to monitor large amounts of traffic and information in a continuous fashion and unearth anomalous behavior is and will be key to shortening the time to detection of a breach or compromise. Behavioral analytics not only tell us what is out of the norm or unwarranted behavior but also informs of good and desired connectivity. By understanding both anomalous and appropriate traffic patterns, organizations can fine-tune access controls that are just right for enabling business yet limiting risk. Further, with continuous analytics the process of determining the right access controls for the environment at a given time can be as dynamic and responsive as users’ access needs.
Key takeaways
In summary, security threats maybe common to businesses and organizations of all types but the way they are addressed can vary greatly. In the modern enterprise driven by mobility and cloud, architecting for security represents an opportunity for unprecedented agility. With a strategy build on identity as the new perimeter and access to continuous processes to protect, detect and respond to threats, a business can be as secure as it is productive. Watch the On-demand webinar – Top 5 Security threats – with Julia White and myself to hear more about our approach to cybersecurity or visit us at Microsoft Secure to learn more about Security.