CS Oct 2021

More documents

Recommendations

Info

advanced threat protection A SHAPE-SHIFTING WORLD ATTACKERS USE TRUSTED CLOUD SERVICES AND CONSTANTLY CHANGE THEIR TACTICS TO AVOID KNOWN PATTERNS OF BEHAVIOUR. CAN ADVANCED THREAT PROTECTION STILL BE EXPECTED TO KEEP PACE AGAINST SUCH FORCES? Patrick Wragg, Integrity360: the key to advanced threat protection is layers - ensuring your operating systems and applications are up to date; users are educated; and that you have the latest security solutions in place. Advanced threat protection (ATP) refers to a category of security solutions that defends against sophisticated malware or hacking-based attacks, targeting sensitive data. ATP solutions can be available as software or as managed services. They can differ in approaches and components, but most include some combination of endpoint agents, network devices, email gateways, malware protection systems, and a centralised management console to correlate alerts and manage defences. But how do they operate and perform 'in anger', so to speak, and where might there be any weaknesses? At the same time, in a world where the threat levels alter dramatically and rapidly at an alarming rate, where might they need to be adapted to counter future emerging challenges? "Perhaps it's become a cliché, but advanced threat protection requires detection and containment, 'beyond the email gateway'," says Mike Fleck, VP marketing at Cyren. "Cybersecurity and industry professionals have been using this term to describe the need for organisations to have a layered security approach with security controls and incident response capabilities to deal with the advanced threats that slip past the email perimeter and arrive in a user's mailbox. HEART OF THE ORGANISATION "Email is the most common method of delivering threats - advanced and otherwise - because it is one of the few ways to transport an attack straight to the heart of an organisation, through its people. What's more, the most favoured approach to an email attack is phishing [ie, harvesting login information using spoofed web pages of trusted brands]; once attackers have the ability to remotely log in to a corporate network, they can launch convincible fraud campaigns and surveil the environment to find the most sensitive data to steal or the most business-critical servers to infect with ransomware." Security controls beyond the gateway have traditionally focused on data loss prevention, sophisticated malware analysis and endpoint security solutions, he points out. "However, advanced email threats still evade detection and containment largely because attackers use trusted cloud services and constantly change their tactics to avoid known patterns of behaviour. Endpoint security agents can quickly spot a compromised device, but it may be too late. Data loss prevention can detect sensitive data as it leaves the organisation, but only after the initial compromise. There is clearly a gap in advanced threat protection capabilities between the email server and the end user device. This gap is easy to see when you understand the degree to which enterprises rely on employees to identify advanced threats in their mailboxes." A better way is to simply add a layer of automated detection and incident response to the mailboxes, Fleck adds. "As enterprises migrate their email servers to cloud offerings like Office 365, it becomes easier to close this gap by using APIs to connect advanced threat protection clouds to email mailbox clouds. This layer of control complements the detection and containment efforts already underway by 14 computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk
advanced threat protection cloud providers, enterprise email security gateways, network intrusion detection and endpoint security agents. It also relieves users from the expectation that they will reliably spot and avoid advanced threats like spear phishing and business email compromise." EVOLUTION OF TECHNOLOGIES The advanced threat protection category is, of course, nothing particularly new, points out James Preston, security architect for ANSecurity, but rather "an evolution of technologies including anti-virus along with intrusion prevention and detection systems - packaged under a new heading". However, no matter what it's called, technology alone cannot protect against every type of threat, he cautions. "ATP solutions generally don't understand where your organisation has weaknesses. From a threat actors' point of view, there is always a stage where they will try to reconnoitre a target looking for weaknesses. This could be a long-forgotten VPN server, an unpatched application or badly designed user sign-in process. In fact, this reconnaissance phase is often the deciding factor for a cyber threat actor to expand real effort to break in - or find a more open victim. Most ATP solutions don't emulate this reconnaissance process, so enterprises need to initially focus on finding and fixing structural weaknesses to make themselves less attractive targets." A great place to start is by using a cyber security framework such as the MITRE ATT&CK framework - with free tools like the ATT&CK navigator, Preston advises. "These allow you to map out the likely avenues for exploit and then work out where you have adequate protections and best practice processes - versus areas where you are lacking. This is a task you can do internally or, if you have limited resources, through a trusted expert third-party. Either way, it will give you a better starting position to fix any issues than just deploying lots of vendor solutions in an ad-hoc fashion." Integration is also key. "It's unlikely that any enterprise will have a complete stack of cyber security products from a single vendor. And, as such, disparate security solutions often work in little silos, without sharing the valuable security information to make early breach detection easier. So, it's essential that organisations must also establish what is integrated - and, in some cases, this might require a dedicated integration layer like a SIEM or SOAR platform. This might not always mean spending more budget as, in some cases, a SIEM can allow you to reduce the number of overlapping security tools and focus on better utilising a smaller set of technologies." One of the biggest security issues now, he adds, is how fast cyber criminals can escalate a slight breach into a full-blown extortion attempt of theft of sensitive data. "Sometimes, the tell-tale signs are spotted by cyber security systems, but the decision to quarantine PCs, servers or network functions requires manual action. This approval delay can mean the difference between successful defence or a painful breach. As such, enterprises are going to need to start trusting automated response a bit more - even if it means that the occasional false alarm impacts the business." Yes, this is a big step, he concedes - and there will be a bedding in period as these systems start to understand the environment and learn from mistakes. "However, to deal with the next generation of advanced threats, APT systems must be given the freedom to start mitigation faster than a typical human operator." 'BIG PICTURE' VIEW Patrick Wragg, cyber incident response manager with Integrity360, points to how traditional basic threat prevention strategies James Preston, ANSecurity: technology alone cannot protect against every type of threat. Mike Fleck, Cyren: there is clearly a gap in advanced threat protection capabilities between email server and end user device. www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security 15
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment POLICE POINT FINGER AT TECH
Page 6 and 7: product review REDKEY USB With all
Page 8: data management ACHIEVING A SECURE
Page 11 and 12: supply chain threats the Gov.uk web
Page 13: special focus on NI believed they c
Page 17 and 18: cyber threat intelligence ALL THE L
Page 19 and 20: data impact assurance as a EU GDPR
Page 21 and 22: ackup & recovery "Furthermore, this
Page 23 and 24: ansomware SHOULD YOU PAY THE RANSOM
Page 25 and 26: emote working MASSIVE FLAWS IN HOME
Page 27 and 28: product review ZIVVER SECURE EMAIL
Page 29 and 30: ansomware these would be more valua
Page 31 and 32: ansomware and staying on top of the
Page 33 and 34: threat intelligence has not prepare
Page 35: Computing Security Secure systems,

CS Oct 2021

Create successful ePaper yourself

Delete template?

Save as template?