CS Oct 2021
advanced threat protection cloud providers, enterprise email security gateways, network intrusion detection and endpoint security agents. It also relieves users from the expectation that they will reliably spot and avoid advanced threats like spear phishing and business email compromise."
EVOLUTION OF TECHNOLOGIES<br />
The advanced threat protection category is, of course, nothing particularly new, points out James Preston, security architect for ANSecurity, but rather "an evolution of technologies including anti-virus along with intrusion prevention and detection systems - packaged under a new heading". However, no matter what it's called, technology alone cannot protect against every type of threat, he cautions.
"ATP solutions generally don't understand where your organisation has weaknesses. From a threat actor's point of view, there is always a stage where they will try to reconnoitre a target looking for weaknesses. This could be a long-forgotten VPN server, an unpatched application or a badly designed user sign-in process. In fact, this reconnaissance phase is often the deciding factor for a cyber threat actor to expend real effort to break in - or find a more open victim. Most ATP solutions don't emulate this reconnaissance process, so enterprises need to initially focus on finding and fixing structural weaknesses to make themselves less attractive targets."
A great place to start is by using a cyber security framework such as the MITRE ATT&CK framework - with free tools like the ATT&CK Navigator, Preston advises. "These allow you to map out the likely avenues for exploit and then work out where you have adequate protections and best practice processes - versus areas where you are lacking. This is a task you can do internally or, if you have limited resources, through a trusted expert third-party. Either way, it will give you a better starting position to fix any issues than just deploying lots of vendor solutions in an ad-hoc fashion."
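The mapping exercise Preston describes is, in practice, a coverage-gap analysis: list the techniques an attacker is likely to use against you, record which deployed control demonstrably detects or prevents each one, and look at what is left uncovered. The Python below is an added illustration of that exercise; it is not code from the article or from ANSecurity. The ATT&CK technique IDs are real enterprise-matrix IDs, chosen to match the weaknesses he names (a forgotten VPN, an unpatched application, a weak sign-in process, spear phishing). The control inventory, the coverage each control is credited with and the version fields in the exported layer are constructed assumptions; in a real exercise they come from detection-rule metadata, vendor documentation or purple-team results.

```python
"""Coverage-gap analysis against MITRE ATT&CK, exported as an ATT&CK Navigator layer.

Added example, not from the article or from ANSecurity. Technique IDs are real
ATT&CK enterprise IDs; the control inventory and threat model are constructed.
"""
import json

# Constructed inventory: techniques each deployed control is credited with covering.
CONTROLS = {
    "email-gateway": {"T1566.001", "T1566.002"},       # spearphishing attachment / link
    "edr-agent": {"T1059.001", "T1204.002", "T1055"},  # PowerShell, malicious file, injection
    "network-ids": {"T1071.001", "T1046"},             # web-protocol C2, service discovery
}

# Constructed threat model: the reconnaissance and initial-access path the article
# describes, followed by the execution and C2 steps that usually come next.
THREAT_MODEL = {
    "T1595": "Active Scanning",
    "T1133": "External Remote Services (long-forgotten VPN)",
    "T1190": "Exploit Public-Facing Application (unpatched application)",
    "T1110.003": "Password Spraying (badly designed sign-in process)",
    "T1078": "Valid Accounts",
    "T1566.001": "Spearphishing Attachment",
    "T1566.002": "Spearphishing Link",
    "T1059.001": "PowerShell",
    "T1204.002": "Malicious File",
    "T1071.001": "Web Protocols (C2)",
}


def coverage(controls, threat_model):
    """Return {technique_id: [controls covering it]} for every technique in the model."""
    return {
        tid: sorted(name for name, techs in controls.items() if tid in techs)
        for tid in threat_model
    }


def gaps(controls, threat_model):
    """Techniques in the threat model that no deployed control covers at all."""
    return sorted(tid for tid, who in coverage(controls, threat_model).items() if not who)


def navigator_layer(controls, threat_model, name="Coverage gaps"):
    """Build a Navigator layer: score = number of covering controls; gaps are coloured red.

    The 'versions' block must match the Navigator instance you load it into;
    the values here are assumptions for the example.
    """
    techniques = []
    for tid, who in coverage(controls, threat_model).items():
        techniques.append({
            "techniqueID": tid,
            "score": len(who),
            "color": "" if who else "#c0392b",
            "comment": threat_model[tid] + (" | covered by: " + ", ".join(who) if who else " | GAP"),
        })
    return {
        "name": name,
        "versions": {"attack": "10", "navigator": "4.5", "layer": "4.3"},
        "domain": "enterprise-attack",
        "description": "Constructed example: deployed controls scored against a threat model",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#2ecc71"], "minValue": 0, "maxValue": 3},
    }


if __name__ == "__main__":
    for tid in gaps(CONTROLS, THREAT_MODEL):
        print(f"GAP {tid}: {THREAT_MODEL[tid]}")
    print(json.dumps(navigator_layer(CONTROLS, THREAT_MODEL), indent=2))
```

Run as-is, the gaps are exactly the reconnaissance and initial-access techniques Preston says ATP products do not emulate: scanning, the forgotten VPN, the unpatched public application, password spraying and the valid accounts that result. The layer JSON can be loaded into the Navigator to show the same picture on the matrix, which is a more defensible starting point for spending than another ad-hoc purchase.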
Integration is also key. "It's unlikely that any enterprise will have a complete stack of cyber security products from a single vendor. And, as such, disparate security solutions often work in little silos, without sharing the valuable security information to make early breach detection easier. So, it's essential that organisations also establish what is integrated - and, in some cases, this might require a dedicated integration layer like a SIEM or SOAR platform. This might not always mean spending more budget as, in some cases, a SIEM can allow you to reduce the number of overlapping security tools and focus on better utilising a smaller set of technologies."
One of the biggest security issues now, he adds, is how fast cyber criminals can escalate a slight breach into a full-blown extortion attempt or theft of sensitive data. "Sometimes, the tell-tale signs are spotted by cyber security systems, but the decision to quarantine PCs, servers or network functions requires manual action. This approval delay can mean the difference between successful defence or a painful breach. As such, enterprises are going to need to start trusting automated response a bit more - even if it means that the occasional false alarm impacts the business."
Yes, this is a big step, he concedes - and there will be a bedding-in period as these systems start to understand the environment and learn from mistakes. "However, to deal with the next generation of advanced threats, ATP systems must be given the freedom to start mitigation faster than a typical human operator."
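The two points Preston makes here belong together: tools in silos each see one tell-tale sign, a SIEM or SOAR layer is what joins those signs into a single incident, and it is the joined incident, not any one alert, that can be trusted to trigger containment without waiting for approval. The Python below is an added example of that pipeline in miniature; it is not code from the article, from ANSecurity, Integrity360 or any product. The three event feeds (an email gateway, an EDR agent and a network IDS), their field names, the weights, the critical-asset list and the thresholds are all constructed. The guardrails in the decision step are the part that bounds the cost of the false alarms he accepts: isolation happens automatically only when more than one source corroborates, the host is not a designated critical asset, and an hourly cap on automatic isolations has not been reached.

```python
"""Siloed alerts normalised into one schema, correlated into incidents, and fed
to a guarded automated-response decision.

Added example: not from the article, ANSecurity, Integrity360 or any vendor
product. All events, weights and thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed raw events, each in the shape a different product might emit them.
EMAIL_GATEWAY = [
    {"ts": "2021-10-04T09:12:05Z", "recipient": "j.doe",
     "verdict": "suspicious-attachment", "sha256": "PLACEHOLDER_HASH"},
]
EDR = [
    {"time": "2021-10-04T09:14:40Z", "host": "WS-0117", "user": "j.doe",
     "event": "powershell_encoded_cmd", "severity": 7},
    {"time": "2021-10-04T09:40:00Z", "host": "SRV-DB01", "user": "svc_backup",
     "event": "new_service_installed", "severity": 5},
]
NIDS = [
    {"@timestamp": "2021-10-04T09:15:02Z", "src_host": "WS-0117",
     "sig": "beacon-like periodic POST", "priority": 2},
]

CRITICAL_HOSTS = {"SRV-DB01"}       # constructed: assets whose isolation needs a human
MAX_AUTO_ISOLATIONS_PER_HOUR = 5    # blast-radius cap in case a rule starts misfiring


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise(email, edr, nids):
    """The SIEM's first job: map each product's field names onto one schema."""
    out = []
    for e in email:
        out.append({"time": _t(e["ts"]), "user": e["recipient"], "host": None,
                    "source": "email", "detail": e["verdict"], "weight": 2})
    for e in edr:
        out.append({"time": _t(e["time"]), "user": e["user"], "host": e["host"],
                    "source": "edr", "detail": e["event"],
                    "weight": 3 if e["severity"] >= 7 else 1})
    for e in nids:
        out.append({"time": _t(e["@timestamp"]), "user": None, "host": e["src_host"],
                    "source": "nids", "detail": e["sig"], "weight": 2})
    return out


def correlate(events, window=timedelta(minutes=10)):
    """Chain events that share a user or host within `window` into incidents.

    The score counts each source once, so corroboration across silos, rather
    than alert volume from a single tool, is what raises it.
    """
    incidents = []
    for ev in sorted(events, key=lambda e: e["time"]):
        keys = {k for k in (ev["user"], ev["host"]) if k}
        for inc in incidents:
            if inc["keys"] & keys and ev["time"] - inc["last"] <= window:
                inc["events"].append(ev)
                inc["keys"] |= keys      # the EDR event links the mailbox to the host
                inc["last"] = ev["time"]
                break
        else:
            incidents.append({"keys": keys, "events": [ev], "last": ev["time"]})
    for inc in incidents:
        inc["sources"] = sorted({e["source"] for e in inc["events"]})
        inc["hosts"] = sorted({e["host"] for e in inc["events"] if e["host"]})
        inc["score"] = sum(max(e["weight"] for e in inc["events"] if e["source"] == s)
                           for s in inc["sources"])
    return incidents


def decide(incident, auto_threshold=6, isolations_this_hour=0):
    """Return (action, reason). 'isolate' fires automatically only when the incident
    is corroborated by more than one source, touches no critical asset and the
    hourly cap has not been reached; otherwise raise a ticket or just log."""
    if incident["score"] < 3:
        return "log", "single weak signal"
    if incident["score"] < auto_threshold or len(incident["sources"]) < 2:
        return "ticket", "analyst review: insufficient corroboration"
    if any(h in CRITICAL_HOSTS for h in incident["hosts"]):
        return "ticket", "critical asset: human approval required"
    if isolations_this_hour >= MAX_AUTO_ISOLATIONS_PER_HOUR:
        return "ticket", "automatic isolation cap reached this hour"
    return "isolate", "corroborated by " + ", ".join(incident["sources"])


if __name__ == "__main__":
    for inc in correlate(normalise(EMAIL_GATEWAY, EDR, NIDS)):
        action, reason = decide(inc)
        print(f"{sorted(inc['keys'])} score={inc['score']} -> {action} ({reason})")
```

With the constructed input, the mailbox alert, the PowerShell execution and the beaconing from the same workstation collapse into one incident scored 7 across three sources, which the policy isolates without waiting; the lone medium-severity service install on the database server stays a log entry, and even a high-scoring incident on that server would go to a ticket because of the critical-asset rule. Those three outcomes are the bedding-in period made concrete: the thresholds, the critical list and the cap are the knobs a team turns as the automation earns trust.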
'BIG PICTURE' VIEW<br />
Patrick Wragg, cyber incident response manager with Integrity360, points to how traditional basic threat prevention strategies

Caption: James Preston, ANSecurity: technology alone cannot protect against every type of threat.

Caption: Mike Fleck, Cyren: there is clearly a gap in advanced threat protection capabilities between email server and end user device.
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security 15