For many employees, the COVID-19 pandemic brought about something they dreamed of for years: the possibility to eschew long commutes, business attire and (finally!) work from their home.
Companies were forced to embrace the work-from-home switch and many are now starting to like the cost savings and the possibility to hire employees from a wider, non-localized pool of applicants.
But for IT security teams, the switch meant even more work and a struggle to find new ways to keep their organization and their employees secure from an increasing number and frequency of cyber threats.
The pressure to deliver security is on
A recent LogMeIn report has also revealed that the transition to remote work for the majority of businesses has impacted the day-to-day work of IT professionals.
Aside from the expected technical tasks and an increased number of web meetings, over half of them have been forced to spend more time managing IT security threats and developing new security protocols. In fact, the percentage of IT professionals who are now spending 5 to 8 hours per day on IT security rose from 35 percent in 2019 to 47 percent in 2020.
“In terms of defensive tactics, the first two months of the pandemic shifted the previous network-centric thinking to endpoint and remote access. Many firms lacking endpoint detection and response or endpoint protection (next-gen AV) sought to roll out these services across their distributed organization. They also focused on IAM and VPN or SDP services,” Mark Sangster, VP and Industry Security Strategist at eSentire, told Help Net Security.
“The other shift moved thinking from BYOD to BYOH: Bring Your Office Home. Firms were faced with the challenge of securing connections from home offices made through consumer-grade networking gear provided by employee ISPs. These systems are not as hardened as commercial-grade internet devices and were often misconfigured or left in factory settings with default administrative credentials and wide-open Wi-Fi services. This effort required IT teams to help non-technical employees harden their home routers, better understand password security and embrace the necessity for multi-factor authentication and VPNs.”
Solving the security puzzle
Companies’ tech priorities have shifted as well, with many increasing spending for security.
But the need to implement new technology, the widening attack surface, and the onslaught of ransomware-wielding gangs have forced some companies to accept the limits of what they can do with in-house IT security staff and technology, and to seek additional assistance from outside detection and response experts.
The threat of ransomware is insidious and can be particularly destructive, delivering a potentially fatal blow to some (often smaller) organizations.
“Firms need to understand the risks and prepare with proactive defenses (threat hunting), hot-swappable back-ups and fail-over colocation systems. The real trick is catching unauthorized activity quickly, before criminal groups are able to plant ransomware throughout the organization, steal data and then launch a synchronized attack to cripple the organization. This means being able to monitor VPN traffic (connections) and remote administrative activities to detect unauthorized movement,” Sangster explained.
“Criminal groups steal credentials to then access the business using remote tools. This MO is detectable, but it requires proactive hunting and constant monitoring of these services. We have stopped multiple attacks of this nature. In those cases, the ransom attack was either isolated to a single device (and quickly recovered in less than an hour), or it required coordinated defenses to block remote attacks through remote admin tools like Microsoft RDP or PowerShell. In these cases, machine learning flagged suspicious activity for further investigation by security analysts. This quick response meant dwell time was only minutes and prevented the criminal gang’s ransomware from metastasizing throughout the organization.”
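The monitoring the quote describes (watching VPN connections and remote administrative activity together so that credential misuse through RDP or PowerShell stands out) can be sketched as a small correlation rule. The following is an added example written for this article, not eSentire code: it runs over a handful of constructed log lines and flags remote admin activity that has no VPN session behind it, follows a VPN login from a network the user has never connected from, or does not originate from the VPN address pool. The per-user baseline, the pool prefix `10.8.0` and the event names are assumptions made for the example.

```python
"""Correlate VPN sessions with remote-administration events.

Added example for this article; it is not eSentire code. Remote admin
activity (RDP, PowerShell remoting, admin shares) is checked against the
VPN session state of the same user, so stolen-credential use stands out.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real traffic): "<timestamp> <event> <user> <source ip>".
SAMPLE_EVENTS = [
    "2020-06-01T08:02:11 vpn_connect alice 203.0.113.10",
    "2020-06-01T08:05:40 rdp_logon alice 10.8.0.12",
    "2020-06-01T12:00:03 vpn_disconnect alice 203.0.113.10",
    "2020-06-01T17:30:19 rdp_logon alice 10.8.0.12",
    "2020-06-01T22:40:57 vpn_connect bob 192.0.2.77",
    "2020-06-01T22:42:05 rdp_logon bob 10.8.0.31",
    "2020-06-01T22:50:44 ps_remoting bob 10.8.0.31",
    "2020-06-01T23:10:00 admin_share_access carol 172.16.5.9",
]

# Assumed per-user baseline of source /24 networks seen in earlier months (constructed).
BASELINE_SRC = {"alice": {"203.0.113"}, "bob": {"198.51.100"}}
# Assumed address pool the VPN concentrator hands out to remote clients.
VPN_POOL_PREFIX = "10.8.0"
ADMIN_EVENTS = {"rdp_logon", "ps_remoting", "admin_share_access"}


def parse_event(line):
    """Split one constructed log line into its four fields."""
    ts, kind, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user, "src": src}


def src_prefix(ip):
    """First three octets of an IPv4 address, a coarse /24 'where from' key."""
    return ".".join(ip.split(".")[:3])


def correlate(lines, baseline=BASELINE_SRC):
    """Return (timestamp, user, finding, source) tuples for suspicious activity."""
    active_vpn = {}  # user -> True if the current VPN session came from an unfamiliar network
    findings = []
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        user, kind, src, when = ev["user"], ev["kind"], ev["src"], ev["ts"].isoformat()
        if kind == "vpn_connect":
            unfamiliar = src_prefix(src) not in baseline.get(user, set())
            active_vpn[user] = unfamiliar
            if unfamiliar:
                findings.append((when, user, "vpn_new_source", src))
        elif kind == "vpn_disconnect":
            active_vpn.pop(user, None)
        elif kind in ADMIN_EVENTS:
            if user not in active_vpn:
                # Admin activity with no VPN session: credentials used some other way.
                findings.append((when, user, "admin_without_vpn", src))
            elif active_vpn[user]:
                # Admin activity riding on a VPN login from an unfamiliar network.
                findings.append((when, user, "admin_after_suspicious_vpn", src))
            if not src.startswith(VPN_POOL_PREFIX + "."):
                # Remote admin from an address the VPN never issued.
                findings.append((when, user, "admin_from_outside_vpn_pool", src))
    return findings


def summarize(findings):
    """Count findings per type so an analyst sees what to triage first."""
    return dict(Counter(f[2] for f in findings))


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(*f)
    print(summarize(correlate(SAMPLE_EVENTS)))
```

The rule is deliberately stateful rather than per-event: the same RDP logon is benign while the user's VPN session is up and worth an analyst's attention once it has ended, which is the kind of context a single-source alert cannot supply.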
Mark Sangster, VP and Industry Security Strategist at eSentire, is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In this interview, he discusses MDR services and the MDR market.
What are the essential building blocks of a robust MDR service?
Managed Detection and Response (MDR) must combine two elements. The first is an aperture that can collect the full spectrum of telemetry. This means not only monitoring the network through traditional logging and perimeter defenses but also collecting security telemetry from endpoints, cloud services and connected IoT devices.
The wider the aperture, the more light, or signal. This creates the need for rapid ingestion of a growing volume of data, while doing so in near real-time, to aid rapid detection.
The second element is the ability to respond beyond simple alerting. This means the ability to disrupt north and south traffic at the TCP/IP, DNS and geo-fencing levels. It can disrupt application layer traffic or at least block specific applications. It also encompasses the ability to perform endpoint forensics to determine the integrity of accessed data and systems, and the ability to quarantine devices from endpoints to industrial IoT devices and other operational systems, such as medical diagnosis and patient-management systems.
What makes an MDR service successful?
MDR services require a hyper-vigilance with the ability to scale and rapidly adapt to secure emerging technology. This includes OT-based systems beyond the typical auspices of IT. It also requires an ecosystem of talent: working with universities to guide curriculum, training programs, certification maintenance and work paths through Security Operations Center (SOC) and into threat intelligence and lab work.
The MDR market is becoming more competitive and the number of providers continues to grow. What is the best approach for choosing an MDR provider?
Like any vendor selection, it is more about determining your requirements than picking vendors based on boasts or comprehensive data sheets. It means testing vendor capabilities and carefully matching them to your requirements. For example, if you don’t have internal forensics capabilities, then a vendor that is good at detection but only provides alerts won’t solve your problem.
Find a vendor that provides full services and matches your internal capabilities.
How do you see the MDR market evolving in the near future? What are organizations looking for?
More and more, companies will move to outsourced SOC-like services. This means MDR firms need to up their game, and a tighter definition must come into play to weed out pretender firms. Too much rests on their capabilities.
MDR vendors also need to focus on emerging tech (5G, IIoT, etc.) and be prepared to defend against larger adversaries, like organized criminal elements and state-sponsored actors who now troll the midmarket space.
It’s time to change the way we think about cybersecurity and risk management. Cybersecurity is no longer an IT problem to solve or a “necessary evil” to cost manage. Rather, cybersecurity has rapidly stormed the boardroom as a result of high-profile and costly data breaches.
Get the following insights from this webinar:
- Recent events have changed our focus from protecting the perimeter
- Risk management is a formula based on the cost of an undesirable outcome times the likelihood of its occurrence
- Embracing cybersecurity as a factor in corporate risk management means firms can adapt quickly
With CASA, eSentire brings its MDR leadership and expertise from over 10 years of threat hunting to Microsoft users.
CASA offers customers a single place within Microsoft Teams to actively manage alerts, engage eSentire experts on demand, and launch automated threat configurations for Microsoft Cloud Application Security, Microsoft 365, Microsoft Defender for Endpoint, Microsoft Azure, and Microsoft Graph Security API.
CASA, delivered on the eSentire Atlas Extended Detection and Response (XDR) platform, aggregates and enriches alerts to prioritize what matters and provides customers with the information needed to make security decisions, all within their existing Microsoft Teams app. The entire deployment process takes less than five minutes with the Microsoft products you already have.
Clicking “Ask eSentire” in Teams allows customers to ask eSentire security specialists questions about high-risk alerts. These specialists can then assist in further investigation, and provide recommendations for remediation and threat containment.
The Atlas XDR platform natively integrates endpoint, network, log, asset, and vulnerability data into a cohesive security operations system that supports nearly 1,000 MDR customers today.
Microsoft customers can benefit from the visibility and learnings eSentire has from stopping threats from its global customer base across 60 different countries with over $6 trillion in assets under protection. Atlas XDR platform now supports the entire Microsoft 365 security suite alongside the company’s existing detection and response products.
“CASA simplifies the daily operational life for security teams by providing alert consolidation, expert advice, and automated configuration. We are excited to make this capability broadly available in the market to users looking to leverage the Microsoft security ecosystem,” said Dustin Hillard, CTO for eSentire.
Today’s networks have more sophisticated automated defenses than ever, yet cybercriminals are taking full advantage of business disruptions and distractions in 2020. Adversaries are exploiting user behavior and leveraging trusted operating system tools to pursue “actions on objective” and evade detection. When used in combination, these techniques are effective at bypassing automated defenses to gain initial access.
Get new insights and defensive guidance from this Threat Intelligence Spotlight: Hunting Evasive Malware that draws on data from the 650-plus organizations that eSentire protects and VMware Carbon Black’s extensive endpoint protection install base.
Key insights of the report include:
- Endpoint protection is more important today than ever before: the global pandemic has dramatically altered the security perimeter by forcing work-from-home models and accelerating the adoption of cloud services, weakening organizations’ security postures
- Many malware campaigns employ User Exploitation and LOLBins (living-off-the-land binaries) to bypass automated defenses
- In the first half of 2020, Zloader, Valak, SocGholish and More_eggs were observed successfully employing User Exploitation and LOLBin abuse to gain initial access
- To increase open rates, threat actors have introduced messaging to target remote workers and take advantage of current events such as COVID-19 and global equal rights movements
Dustin Rigg Hillard, CTO at eSentire, is responsible for leading product development and technology innovation. His vision is rooted in simplifying and accelerating the adoption of machine learning for new use cases.
In this interview Dustin talks about modern digital threats, the challenges cybersecurity teams face, cloud-native security platforms, and more.
What types of challenges do in-house cybersecurity teams face today?
The main challenges that in-house cybersecurity teams have to deal with today are largely due to ongoing security gaps. As a result, overwhelmed security teams don’t have the visibility, scalability or expertise to adapt to an evolving digital ecosystem.
Organizations are moving toward the adoption of modern and transformative IT initiatives that are outpacing the ability of their security teams to adapt. For security teams, this means constant change, disruptions with unknown consequences, increased risk, more data to decipher, more noise, more competing priorities, and a growing, disparate, and diverse IT ecosystem to protect. The challenge for cybersecurity teams is finding effective ways to deliver and maintain security at the speed of digital transformation, ensuring that every new technology, digital process, customer and partner interaction and innovation is protected.
Cybercrime is being conducted at scale, and threat actors are constantly changing techniques. What are the most significant threats at the moment?
Threat actors, showing their usual agility, have shifted efforts to target remote workers and take advantage of current events. We are seeing attackers exploiting user behavior by misleading users into opening and executing a malicious file, going to a malicious site or handing over information, typically using lures which create urgency (e.g., by masquerading as payment and invoice notifications) or leverage current crises and events.
What are the main benefits of cloud-native security platforms?
A cloud-native platform offers important advantages over legacy approaches—advantages that provide real, important benefits for cybersecurity providers and the clients who depend on them.
- A cloud-native architecture is more easily extensible, which means more features, sooner, to enable analysts and protect clients
- A cloud-native platform offers higher performance because the microservices inside it can maximally utilize the cloud’s vast compute, storage and network resources; this performance is necessary to ingest and process the vast streams of data which need to be processed to keep up with real-time threats
- A cloud-native platform can effortlessly scale to handle increased workloads without degradation to performance or client experience
Security platforms usually deliver a variety of metrics, but how does an analyst know which ones are meaningful?
The most important metrics are:
- How the platform delivers security outcomes, measured by:
  - How many threats were stopped with active response?
  - How many potentially malicious connections were blocked?
  - How many malware executions were halted?
  - How quickly was a threat contained after initial detection?
Modern security platforms help simplify data analytics by delivering capabilities that amplify threat detection, response and mitigation activities; deliver risk-management insights; and help organizations stay ahead of potential threats.
Cloud-native security platforms can output a wide range of data insights including information about threat actors, indicators of compromise, attack patterns, attacker motivations and capabilities, signatures, CVEs, tactics, and vulnerabilities.
How can security teams take advantage of the myriad of security tools that have been building in the organization’s IT ecosystem for many years?
Cloud-native security platforms ingest data from a wide variety of sources such as security devices, applications, databases, cloud systems, SaaS platforms, IoT devices, network traffic and endpoints. Modern security platforms can correlate and analyze data from all available sources, providing a complete picture of the organization’s environment and security posture for effective decision-making.
Integrated cloud-native security platforms can overcome limitations of traditional security products
To close security gaps caused by rapidly changing digital ecosystems, organizations must adopt an integrated cloud-native security platform that incorporates artificial intelligence, automation, intelligence, threat detection and data analytics capabilities, according to 451 Research.
Cloud-native security platforms are essential
The report clearly defines how to create a scalable, adaptable, and agile security posture built for today’s diverse and disparate IT ecosystems. And it warns that legacy approaches and MSSPs cannot keep up with the speed of digital transformation.
- Massive change is occurring. Over 97 percent of organizations reported they are underway with, or expecting, digital transformation progress in the next 24 months, and over 41 percent are allocating more than 50 percent of their IT budgets to projects that grow and transform the business.
- Security platforms enable automation and orchestration capabilities across the entire IT stack, streamlining and optimizing security operations, improving productivity, enabling higher utilization of assets, increasing the ROI of security investments and helping address interoperability challenges created by isolated, multi-vendor point products.
- Threat-driven and outcome-based security platforms address the full attack continuum, compared with legacy approaches that generally focus on defensive blocking of a single vector.
- Modern security platforms leverage AI and ML to solve some of the most prevalent challenges for security teams, including expertise shortages, alert fatigue, fraud detection, behavioral analysis, risk scoring, correlating threat intelligence, detecting advanced persistent threats, and finding patterns in increasing volumes of data.
- Modern security platforms are positioned to deliver real-time, high-definition visibility with an unobstructed view of the entire IT ecosystem, providing insights into the company’s assets, attack surface, risks and potential threats and enabling rapid response and threat containment.
451 Senior Analyst Aaron Sherrill noted, “The impact of an ever-evolving IT ecosystem combined with an ever-evolving threat landscape can be overwhelming to even the largest, most well-funded security teams, including those at traditional MSSPs.
“Unfortunately, a web of disparate and siloed security tools, a growing expertise gap and an overwhelming volume of security events and alerts continue to plague internal and service provider security teams of every size.
“The consequences of these challenges are vast, preventing security teams from gaining visibility, scaling effectively, responding rapidly and adapting quickly. Today’s threat and business landscape demands new approaches and new technologies.”
How to deliver effective cybersecurity today
“Delivering effective cybersecurity today requires being able to consume a growing stream of telemetry and events from a wide range of signal sources,” said Dustin Hillard, CTO, eSentire.
“It requires being able to process that data to identify attacks while avoiding false positives and negatives. It requires equipping a team of expert analysts and threat hunters with the tools they need to investigate incidents and research advanced, evasive attacks.
“Most importantly, it requires the ability to continuously upgrade detection and defenses. These requirements demand changing the technology foundations upon which cybersecurity solutions are built—moving from traditional security products and legacy MSSP services to modern cloud-native platforms.”
Sherrill further noted, “Cloud-native security platforms optimize the efficiency and effectiveness of security operations by hiding complexity and bringing together disparate data, tools, processes, workflows and policies into a unified experience.
“Infused with automation and orchestration, artificial intelligence and machine learning, big data analytics, multi-vector threat detection, threat intelligence, and machine and human collaboration, cloud-native security platforms can provide the vehicle for scalable, adaptable and agile threat detection, hunting, and response. And when combined with managed detection and response services, organizations are able to quickly bridge expertise and resource gaps and attain a more comprehensive and impactful approach to cybersecurity.”
It’s a fact that a majority of us are working from home right now. It’s also a fact that threat actors are hard at work looking for gaps and vulnerabilities as the number of endpoints you must secure just grew exponentially.
Join Wes Hutcherson, Director of Product Marketing, and Mark Sangster, VP and Industry Security Strategist, as they explore risks associated with remote workers and the security strategies, controls and services you can quickly deploy to reduce risk.
In this on-demand webinar, you will learn:
- How to identify coronavirus-themed campaigns and prevent them from entering your firm.
- Simple tools and controls to secure your remote work force.
- The role endpoint protection plays in defending your business.
Outsourcing your endpoint protection can deliver positive returns by improving operational efficiency and minimizing risk, but it’s not always easy to prove the business case.
This guide delivers specific guidance on how to calculate savings in the context of your organization’s risk while accounting for size and industry. Specifically, you’ll get insights on:
- Financial risk
- Operational savings
- Example scenarios
After reading, you will be able to demonstrate to your leadership and budget authorities the value of outsourcing endpoint protection.
In this webinar, Mark Sangster discusses how the COVID-19 crisis is affecting businesses and individuals and the need to stay vigilant.
Emerging threats from bad actors who are taking advantage of the COVID-19 crisis are inevitable. Distributed workforces are leaving gaps in our defenses and opening the door to significant loss, well beyond the immediate future.
Key insights from this webinar include:
- With more employees working remotely, learn why protecting your endpoints should be the top priority.
- Understand how to effectively monitor your environments 24×7 through the transition to a more distributed workforce.
- Be sure you are meeting your obligations to protect client information in the face of diminished staff capacity.
I was saddened to learn that two people who attended RSAC 2020 in San Francisco had subsequently tested positive for COVID-19. This virulent disease has impacted our lives with restricted travel and cancelled public events. eSentire included.
On the surface, COVID-19 reminds us that what we don’t know can hurt us. Until a vaccination is developed and distributed, we can do little more than wash our hands, avoid those infected and stay away from major public gatherings…effectively hoping that preventative actions like this will keep us safe.
In the world of cybersecurity, we’ve seen that prevention is a broken model. When a network virus spreads without symptoms or other known indicators of compromise, it evades the AV systems and firewall rules that are oblivious to it, and the digital corollary is only detected once it’s too late and criminal symptoms manifest. By then, the infection has metastasized into business-disrupting or financially punishing events.
Even worse, criminal elements take advantage when we are disabled, distressed or otherwise distracted, kicking you when you are down and striking when you can least afford it. There are reports of multiple campaigns using fears of COVID-19 to lure victims into clicking. In one, safety guidelines are offered in a CoronaVirusSafetyMeasures_pdf which deploys a remote access tool (RAT) and malware, and a fake Microsoft Office document purportedly from the Ukrainian Ministry of Health deploys keylogging and other malware. Check Point reported that over 4,000 coronavirus-related domains have been registered in 2020, of which 8 percent were malicious or at least suspicious.
Learning from Hurricane Sandy
Hurricane Sandy was the most deadly storm of the 2012 Atlantic hurricane season. The storm killed 233 people in eight countries, affected 24 US states, caused major flooding in Manhattan streets and subway tunnels and was responsible for $64 billion in damage.
These facts are easily traceable through the concentric rings of headlines and insurance records. What’s harder to spot is the cyber rot that accompanies events such as this.
Our security operations team studied traffic analytics for a three-month period around Hurricane Sandy. Data showed a 30 to 40 percent drop in network traffic across our client base located in New York City for the two weeks during and after the hurricane. However, the level of threats remained constant throughout. In fact, the week following the hurricane, attacks spiked by 30 percent!
Criminals knew about the disaster and chaos caused by the storm. Employees couldn’t get to work, blocked by flooded subway lines. And massive power outages ensured office buildings in Lower Manhattan were vacant. All that data just sitting there without the usual contingent of IT security supervisors … the world’s bank vault was open and the guards were stuck at home.
Hurricane Sandy became the instant bar by which business continuity (BCP) and disaster recovery (DR) plans were measured. As the American Bar Association’s Cybersecurity Handbook puts it: “If a client’s disaster recovery plans cannot pass the ‘Hurricane Sandy test,’ such plans might also fail if cyber incidents caused prolonged disruptions.”
And most plans failed. Most of the client data for major financial institutions resided in data centers located in New Jersey, a quick ferry ride across the Hudson River. Turns out, category 2 hurricanes don’t follow state lines: operations were crippled, and data was exposed during the cleanup. In hindsight, it’s an obvious flaw in any BCP/DR plan. But that just goes to highlight a filter we bring to the table: hindsight bias. Given the outcome, we exaggerate our ability to predict and avoid the same fate. Where was the “I told you so” gang, months before the storm season when business continuity plans were being drafted?
Protecting your data from exposure
With the uncertainty of COVID-19, most companies have deployed employee travel restrictions. It’s a smart response to reduce the risk of exposure. Now consider the risk of your data being exposed. As the Hurricane Sandy SOC data shows us, attacks go up when the storm is at its worst.
Consider the knock-on implications of your employees working remotely. How will you meet your obligations to protect client information in the face of diminished staff capacity? What mechanisms and protocols do you have in place to maintain consistent security practices during this shortage? Can you still monitor your environment 24/7? And if you find an anomaly or threat, can you take action with a diminished security team?
What can you do about it
Run a COVID-19 incident simulation: One CSO I work closely with is using this event to run a tabletop simulation based on COVID-19. He’s putting his executives and IT teams through a lunch-time drill that simulates the decision making required when an employee tests positive for infection. It’s a smart approach.
Review your BCP/DR plans: It’s time to review your plans and determine if they cover an infection contingency. If they don’t, update them ASAP. Like the way the ABA characterized BCP plans nearly ten years ago, insurers will ask whether your BCP/DR plans now pass the “Coronavirus 2019 test”.
Review remote access protocols: Criminals know your employees are working from home. That’s go-time for phishing lures designed to harvest VPN credentials! This could be a good time to reset passwords, require multi-factor authentication, and restrict access to critical information that is not required for everyday duties.
Protect your endpoints: As more employees work remotely, it’s critical to expand your umbrella of protection to include those distributed laptops, tablets and phones. And this goes well beyond basic antivirus services. Consider endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solutions. eSentire has a few flavors to offer.
Inform your employees: Remind employees that criminals will attempt to take advantage of the chaos created by COVID-19 through fraudulent invoicing, fake donation sites on social media, and likely attempt to collect VPN credentials. Forewarned is forearmed. Remind your employees to remain vigilant and follow security protocols.
Don’t forget your supply chain: Have you spoken to critical vendors to identify risks in your supply chain? Perhaps you have strong protocols for COVID-19, but your vendors haven’t quite got there. As I reported last year when we surveyed 650 executives, we found nearly half had suffered a material business disrupting breach as a result of vendor actions (or inactions).
Be hyper-vigilant and expect attacks: Adversaries are looking for a weakness and ready to strike when you are down. It’s even more critical to monitor your environment 24/7 and be able to respond to a threat. In these situations, it’s often best to ensure your detection and response eggs are not in one basket. Outsourcing MDR reduces your coverage risks and improves your odds of catching attacks during contingency plan activation. eSentire MDR provides full-spectrum visibility across network, endpoint, logs and cloud environments. We offer incident response and containment within minutes.
Ignorance isn’t bliss, it’s negligence
As I explain in my upcoming book, No Safe Harbor, ignorance isn’t bliss, it’s negligence. Data breaches, lawsuits, insurance claims and so on converge to create a line in the sand when it comes to expectation and accountability. Once we identify a risk, there is no plausible denial. We are obligated to manage this risk and be consistent in our approach. Even when the risk comes as a result of a global viral epidemic.
Ship’s captains aren’t responsible for the ocean’s weather, but they are accountable for keeping their ship, crew and cargo safe from harm. Similarly, you won’t get a pass because the coronavirus ate your BCP homework.
As corporate leaders, you are the ship’s captain. Can you navigate this storm? Can you keep your employees safe and manage the cyber risks that come with travel restrictions and a workforce working from home en masse? If a data breach occurs during COVID-19, you won’t get a pass.
Missing employees or an inability to provide 24/7 protection won’t provide an escape, nor persuade insurance companies to cover an otherwise denied claim. And the inevitable finger pointing will begin. Cue the CSO: the Chief Scapegoat Officer. While we haven’t hit this inevitable stage, we will.
The 80/20 rule, which was first introduced as Pareto’s principle in 1941 by American engineer Joseph Juran, suggests that 20 percent of your activities (in life, business, athletics, etc.) will account for 80 percent of your results. Simply put: work smarter, not harder.
How can we apply Pareto’s principle to cloud security? Within your security activities, what is the key 20 percent that will produce 80 percent of your results when it comes to reducing risk?
One effort that absolutely falls into the 20 percent bucket is reducing threat actor dwell time. Just like a small kitchen fire is far less damaging than a full house fire, the faster you can identify and respond to an incident the more likely it is you escape it without serious damage. If a threat is swiftly and effectively addressed following detection, then subsequent cost factors such as lost business and reputational damage are drastically reduced if not eliminated completely. The 80/20 rule at work!
A focus area to reduce threat actor dwell time is cloud security misconfigurations that accidentally expose data to the internet at large. Exposed data was the most cited cloud security incident (27 percent) and the biggest overall concern of leaders (64 percent) in Cybersecurity Insider’s 2019 Cloud Security Report. Gartner estimates that up to 95 percent of cloud breaches occur due to human error such as configuration mistakes. Fifty-one percent of companies publicly exposed at least one cloud storage service in 2018, according to RedLock’s Cloud Security Trends report.
This presents a challenge because traditional security technologies like IDS/IPS or endpoint protection products are not designed to account for cloud workloads and whether or not they are configured properly. The 2019 Cloud Security report also found 66 percent claimed their traditional security solutions didn’t work or were limited in the cloud. Major IaaS providers like Amazon Web Services (AWS) do offer native tools to monitor for misconfigurations, but it is still your responsibility to keep track of your cloud assets and integrate these tools into your security stack, which are both challenges in their own right.
Regardless, the principle of reducing dwell time still applies. More accurately, it’s about reducing the time that sensitive data is exposed to the internet. To accomplish this, organizations need to be able to execute on three fundamental steps:
- Have visibility of all cloud assets and services.
- Ensure 24x7x365 monitoring of assets for misconfigurations, policy violations and vulnerabilities.
- Tie the monitoring of assets to swift remediation of identified risks.
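The three steps above, worked through for the S3 bucket exposures the page cites, as an added example that is not eSentire's code: a constructed bucket inventory (visibility) is scanned for public bucket policies and ACL grants (monitoring), and each finding is paired with the S3 Block Public Access settings that close it (remediation). The bucket names and policies are constructed sample data; no live AWS call is made.

```python
"""Offline check for publicly exposed S3 buckets across an inventory.

Step 1 (visibility):  SAMPLE_INVENTORY stands in for an asset inventory.
Step 2 (monitoring):  assess_bucket() flags public policies and ACLs.
Step 3 (remediation): each finding carries the Block Public Access
                      settings that neutralise it.
All bucket names, policies and ACLs below are constructed examples.
"""
import json

# Group URIs that make an ACL grant world- or any-AWS-user-readable.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a principal read object data (compared lower-case).
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

# Remediation target: all four S3 Block Public Access flags enabled.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_allows_public_read(policy):
    """True if an Allow statement grants anyone an object-read action.

    Simplification: statements with a Condition are treated as restricted,
    and NotPrincipal / NotAction forms are not evaluated.
    """
    if not policy:
        return False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            return True
    return False


def acl_grants_public(acl):
    """True if any ACL grant targets the AllUsers/AuthenticatedUsers groups."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS
               for g in acl.get("Grants", []))


def assess_bucket(bucket):
    """Return findings for one bucket, honouring its Block Public Access state."""
    findings = []
    pab = bucket.get("PublicAccessBlock", {})
    # RestrictPublicBuckets limits a public policy to the account itself.
    if policy_allows_public_read(bucket.get("Policy")) and not pab.get("RestrictPublicBuckets"):
        findings.append("public bucket policy")
    # IgnorePublicAcls makes S3 disregard public ACL grants.
    if acl_grants_public(bucket.get("Acl", {})) and not pab.get("IgnorePublicAcls"):
        findings.append("public ACL grant")
    return {
        "bucket": bucket["Name"],
        "exposed": bool(findings),
        "findings": findings,
        "remediation": HARDENED_PUBLIC_ACCESS_BLOCK if findings else None,
    }


def scan_inventory(inventory):
    """Step 2 over the whole of step 1: one assessment per bucket."""
    return [assess_bucket(b) for b in inventory]


# Constructed sample: one anonymous-read policy, reused in two buckets.
_PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example/*"}]}
_VPCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}
SAMPLE_INVENTORY = [
    {"Name": "example-public-backups", "Policy": _PUBLIC_READ_POLICY,
     "Acl": {"Grants": []}, "PublicAccessBlock": {}},
    {"Name": "example-legacy-acl", "Policy": None,
     "Acl": {"Grants": [{"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]},
     "PublicAccessBlock": {"IgnorePublicAcls": False}},
    {"Name": "example-hardened", "Policy": _PUBLIC_READ_POLICY,
     "Acl": {"Grants": []}, "PublicAccessBlock": HARDENED_PUBLIC_ACCESS_BLOCK},
    {"Name": "example-vpce-only", "Policy": _VPCE_ONLY_POLICY,
     "Acl": {"Grants": []}, "PublicAccessBlock": {}},
]

if __name__ == "__main__":
    print(json.dumps(scan_inventory(SAMPLE_INVENTORY), indent=2))
```

Running the block reports the first two constructed buckets as exposed and the hardened and VPC-endpoint-only buckets as clean; in practice the inventory would come from a live enumeration of every account, which is step 1.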
If you can’t execute these steps, you’re more likely to end up in good company with others who have experienced cloud security breaches. Only 37 percent claim confidence in their cloud security posture and 41 percent admit a lack of expertise and training in their staff, according to Cybersecurity Insider’s 2019 Cloud Security Report. Capital One, Dow Jones, FedEx and Tesla are some of the most notable companies that have experienced breaches due to exposed cloud services.
So, how to make the 80/20 rule work for you in this context?
Managed Detection and Response (MDR) services have emerged as one of the most effective options to help organizations reduce threat dwell time. MDR often represents a turnkey solution to bolster detection of and response to advanced threats that traditional security solutions miss.
As part of its industry-leading MDR platform, eSentire recently announced its esCLOUD portfolio of services to help organizations hunt and neutralize threats to IaaS and Software as a Service (SaaS) investments. It includes esCLOUD for IaaS, a service that monitors your AWS, Azure or Google Cloud Platform assets and responds to and remediates exposed services on your behalf 24x7x365. It is a welcome addition to our MDR platform and to the 20 percent of security efforts that should drive 80 percent of your results in risk reduction.
To learn more, check out https://www.esentire.com/capabilities/managed-detection-and-response/cloud/escloud.
Here are a few photos from the event; featured vendors include Tenable, Ping Identity, PKWARE, eSentire, Deloitte, Securonix, and Futurex.
Eliminate guesswork and get in-depth insights and practical recommendations for navigating the ever-changing cybercrime landscape. This data-laden, incident-rich report delivers insider information on the players, their motivations, tactics and targets so you can make informed security strategy decisions.
Key insights include:
- Decade-old, state-funded espionage campaigns are still actively collecting from unwittingly compromised organizations.
- Organized cybercrime is reaching new heights of social organization and role differentiation to bypass initial access controls.
- Cloud phishing campaigns abuse inter-cloud infrastructure trust.
- Credentials obtained from phishing are a stealthy initial access vector that requires sophisticated analysis to detect.
Read the report to learn what attacks are targeting mid-sized organizations and the security strategies you need to safeguard your business.
Nearly 33.4 billion records were exposed in breaches due to cloud misconfigurations in 2018 and 2019, amounting to nearly $5 trillion in costs to enterprises globally, according to DivvyCloud research.
Companies failing to adopt a holistic approach to security
Year over year from 2018 to 2019, the number of records exposed by cloud misconfigurations rose by 80%, as did the total cost to companies associated with those lost records. Unfortunately, experts expect this upward trend to persist, as companies continue to adopt cloud services rapidly but fail to implement proper cloud security measures.
“The rush to adopt cloud services has created new opportunities for attackers – and attackers are evolving faster than companies can protect themselves. The fact that we have seen a 42% increase from 2018 to 2019 in cloud-related breaches attributed to misconfiguration issues proves that attackers are leveraging the opportunity to exploit cloud environments that are not sufficiently hardened. This trend is expected to continue as more organizations move to the cloud,” Charles “C.J.” Spallitta, Chief Product Officer at eSentire, told Help Net Security.
“Additionally, common misconfiguration errors that occur in cloud components expand and advance the attacker workflow. Real-time threat monitoring in cloud assets is critical, given the unprecedented rate of scale and nature of cloud services. Organizations should seek out security services that distill the noise from on-premise and cloud-based security tools while providing broad visibility to enable rapid response when threats are found,” Spallitta concluded.
Key report findings
- 81 breaches in 2018; 115 in 2019 – a 42% increase
- Tech companies had the most data breaches at 41%, followed by healthcare at 20%, and government at 10%; hospitality, finance, retail, education, and business services all came in at under 10% each
- 68% of the affected companies were founded prior to 2010, while only 6.6% were founded in 2015 or later
- 73 (nearly 42%) of known affected companies experienced a merger or acquisition (M&A) transaction between 2015 and 2019, which indicates cloud security is an area of risk for companies involved in merging disparate IT environments
- Elasticsearch misconfigurations accounted for 20% of all breaches, but these incidents accounted for 44% of all records exposed
- The number of breaches caused by Elasticsearch misconfigurations nearly tripled from 2018 to 2019
- S3 bucket misconfigurations accounted for 16% of all breaches, however, there were 45% fewer misconfigured S3 servers in 2019 compared to 2018
- MongoDB misconfigurations accounted for 12% of all incidents, and the number of misconfigured MongoDB instances nearly doubled YoY
eSentire announced the availability of esCLOUD. This comprehensive portfolio extends eSentire’s industry-leading MDR capabilities and elite threat hunting expertise from on-premises to modern cloud environments.
Technical preview of esCLOUD will begin at the end of February with general availability at the end of March. The esCLOUD portfolio will include support for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and Microsoft Office 365 with support for Google G Suite, Salesforce, ServiceNow, Dropbox and Box to follow this year.
Cloud platforms accelerate the use of new technologies and services, enabling IT to move at the speed of business. This has created yet another level of security complexity and risk as cloud extends the attack surface beyond traditional security controls. Cloud adoption is resulting in significant volumes of business-critical data moving to the cloud, but often without the protections that were in place in traditional enterprise environments.
Rapid development and deployment in the cloud means that simple configuration errors can lead to the exposure of large volumes of sensitive data. esCLOUD constantly monitors customer cloud environments to detect improper configurations and vulnerabilities that could lead to data loss and compromise. Automated policy enforcement, combined with response and remediation from eSentire’s expert security analysts, ensures that customers can operate in the cloud with confidence.
esCLOUD for IaaS
For customers who have a cloud-native or hybrid cloud network infrastructure, esCLOUD for IaaS will provide real-time detection, response and containment capabilities for threats, misconfiguration, network anomalies and adherence to compliance standards.
esCLOUD for SaaS
esCLOUD for SaaS expands the use of esLOG+ to ingest logs from SaaS environments. eSentire’s proprietary investigative logic alerts the security analysts in the eSentire SOC when threats are found.
C.J. Spallitta, Chief Product Officer, eSentire, said: “esCLOUD, backed by our elite threat hunters in our 24×7 Security Operations Centers, gives our customers peace of mind that their increasing adoption of cloud service has the critical visibility and rapid response to threats that will keep their business secure.”
Michael Guenzler, SVP, Chief Information Security Officer, Venerable, said: “Cloud is essential to meet the demands needed to grow our business. We will build upon our existing relationship with eSentire and the robust cybersecurity capabilities they provide to continue to mitigate threats across our growing cloud footprint.”
RSA Archer SaaS: An integrated approach to managing risk
RSA Archer SaaS can help reduce the time and resources dedicated to on-premise platform upgrades, patches, and maintenance activities, as well as enable customers to focus on maturing and expanding their integrated risk management programs.
Farsight Security enhances its Security Information Exchange data-sharing platform
Farsight Security announced enhancements to its Security Information Exchange data-sharing platform to help security professionals measurably improve the prevention, detection and response of the latest cyberattacks.
Tufin SecureCloud: Providing unified security policy management for the hybrid cloud
Tufin SecureCloud is a security policy automation service for enterprises needing to gain visibility and control of the security posture of their cloud-native and hybrid cloud environments.
ZeroFOX launches AI-powered Advanced Email Protection for Google and Microsoft platforms
The ZeroFOX Advanced Email Protection suite includes capabilities that address Business Email Compromise Protection for Google’s G Suite and Microsoft’s Office 365 platforms, which identifies impersonation-based attacks targeting employees.
Devo Security Operations: Transforming the SOC and scaling security analyst effectiveness
Devo Security Operations is the first security operations solution to combine critical security capabilities together with auto enrichment, threat intelligence community collaboration, a central evidence locker, and a streamlined analyst workflow.
esCLOUD extends managed detection and response to cloud platforms
esCLOUD constantly monitors customer cloud environments to detect improper configurations and vulnerabilities that could lead to data loss and compromise. Automated policy enforcement, combined with response and remediation from eSentire’s expert security analysts, ensures that customers can operate in the cloud with confidence.
Recently released, eSentire’s 2019 Threat Intelligence Report: Perspectives from 2019 and Predictions for 2020 provides visuals, data and written analysis, as well as practical recommendations for readers seeking to understand and better respond to the cybersecurity threat landscape. By shining a light on cybercrime—including the players, their motivations, their tactics and their targets—we hope to bring data and insights to conversations often dominated by opinion and guesswork.
Nation states: Most nationally sponsored cybersecurity incidents take the form of espionage through data exfiltration. Such activities regularly target military systems, businesses, infrastructure and organizations that store or process valuable information and often exhibit “low and slow” collection over a period of months or years.
Organized cybercrime: While nation state activity is significant, financially motivated organized cybercrime is responsible for the vast majority of cyberattacks. Taking a coarse view of cybercrime activity, we can broadly distinguish between two approaches:
- Relying on highly automated commodity malware, typically within opportunistic, untargeted campaigns
- Investing manual effort to infiltrate and compromise high-value targets
In particular, 2019 saw a surge in “hands-on-keyboard” ransomware, with many high-profile cases of downtime, disruption and—owing to a bug in the Ryuk decryptor—destruction.
Phishing: Phishing continues to be an effective, low-effort means of acquiring credentials that can be sold or put to use to gain initial system access. In 2019, phishing victims showed particular vulnerability to lures relating to email services, Microsoft Office 365 and financial services. Like other malicious activities, phishing continues to evolve as users become more resilient and defenses improve. In 2019, phishers employed several new tactics to obfuscate confirmation and identification, including CAPTCHA, reCAPTCHA, email validation and HTML page obfuscation. Additionally, phishers are increasingly leveraging trusted cloud hosting services and proxies—including LinkedIn, Mailchimp, SendGrid, Mailgun, Google, Microsoft and link shortening services—to bypass filtering solutions.
Initial access: In 2019, as in other years, threat actors employed several tactics to gain a beachhead in victim systems:
- Valid Accounts: Using legitimate credentials to access systems for malicious purposes
- Business Email Compromise (BEC): Including account takeover and account impersonation
- External Remote Services: Leveraging brute-force attacks and exploits to enter a system through an externally facing service (Remote Desktop Protocol is a frequent means of entry)
- Drive-By Compromise: Using web browser exploits and other tactics to gain system access through a user’s innocent and otherwise innocuous activity
While we offer specific defensive measures throughout the report for each threat, we also provide general recommendations. To read eSentire’s set of recommendations and the full report, visit here.
eSentire Threat Intelligence used data gathered from over 2,000 proprietary network and host-based detection sensors distributed globally across multiple industries. Raw data was normalized and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst resulting in a written analytical product.
In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, talks about the most pressing issues CISOs are dealing with in today’s fast-paced threat environment.
How has the cybersecurity threat landscape evolved in the past 5 years? What are some of the most notable threats eSentire is seeing that were not an issue in the past?
The past five years have seen significant progress in both the recognition of cybercrime, but also the increased threat posed by organized cyber cartels and nation states. Past attacks were often rudimentary in strategy, uncoordinated, and opportunistic. Consider ransomware attacks for example. Attacks used generic phishing lures posing as streaming services, banking institutions, or travel agencies. These broad and unrefined nets were cast by smash-and-grab criminals, groups or nations. Like bobbing plastic waste on the ocean, it snared all levels of the ecosystem from individuals to banks, law firms and hospitals. Regardless of the duped party, the ransom payment was a fixed-rate transactional fee and did not reflect the wherewithal of the victim.
But from this chaos came order. Organized criminal groups realized that cybercrime was more lucrative and less dangerous than traditional physical crime. And this led to both a systematic approach to extortion, but also targeting of more lucrative targets like law firms fearful of reputational damage or hospitals petrified of operational disruption and the impact on patient care. Ransom values moved into the five and six figure range, and lures played upon the social and economic factors that drove the target industry.
At the same time, organized crime and nation states found that their wares offered a revenue channel. So, tools once the domain of advanced nation states appeared in the civil black markets. And now, malware and delivery mechanisms such as Emotet are now commodities. It’s a reflection of the fact that criminal business runs using the MBA best practices of their Fortune 500 prey. Why build and develop a payload delivery mechanism, when a perfectly good one is available on the market? It’s the same buy vs build decision businesses make every day. It’s the commoditization of cyber tools. Commoditization means growth. Low cost opens market opportunities.
Nation states are recalibrating their radar to expose a wider range of targets. Companies are finding themselves a new form of collateral damage in trade wars. Governments levy tariffs, trade wars heat up, and nations use cyber vengeance to try and equal the economic impact. It’s not felt in factories or ports of entry. It’s now affecting the heartland. Increase tariffs on steel, and opposing nation states steal funds and IP from industry and manufacturers.
What attack methods are cybercriminal organizations using the most? What type of organization is most at risk?
No one is immune to cyber attacks. But specific industries continue to grace the top steps of cyber crime podiums. While banks were once the simple one-step connect-the-dots to profit (banks are where people keep their money), now criminals see other industries as big game.
While the sophistication of attacks increases, it’s more about understanding their target. They understand what drives a business, what keeps them up at night, and what buttons to press to elicit the desired response. They use phishing lures and often use the firm’s own tools against them by compromising a trusted vendor, or leveraging embedded tools like remote administrative protocols that provide decentralized access to critical network operations.
Most notable are hospitals and healthcare facilities. They are open to the public, susceptible to attack, and hard to defend. As IoT permeates healthcare in the form of connected medical imaging, IV and patient monitoring systems, hospitals make easy targets. They are soft. And they are fearful of operational disruption. Downtime impacts patient care. It can mean life or death. And they are willing to pay to avoid protracted shutdowns caused by pervasive ransomware attacks. And patient records are valuable and can be used to defraud insurance carriers. What’s more, criminals know hospitals also pay hefty fines when data breaches occur. It’s salt in the wound. So, hospitals will pay to avoid downtime, lost patient billing, and regulatory privacy fines.
Law firms and other business services (accounting, marketing, consulting, etc.) have unparalleled access to critical information and are now a prime target of criminals. Law firms control financial information, intellectual property and other forms of valuable information. They are protective of their reputation and fear the repercussions of public attack. So they pay ransoms.
Manufacturing firms fall victim to fraudulent billing to the tune of billions. Operational disruption is costly. In one case a firm faced the dilemma of shutting down an infected assembly line at the cost of millions. The board elected to wait for a scheduled maintenance window, and suffer the consequences of the resulting cyber attacks in the meantime.
Education, media and entertainment and others have all seen their share of attacks. Once the water hole is discovered, all the predators circle knowing their prey will gather there.
What advice would you give to a CISO that wants to develop a risk management strategy for the long haul?
Security is no longer about ones and zeros. It’s not an IT problem to solve. It’s a business risk problem to manage. CISOs need a seat at the table, and should be considered step zero in a business objective setting process. Does this geographical market incur risk? Does this client bring undue political attention? Does housing medical information increase our obligations? These are business issues to solve, not IT problems to bandage with another firewall or more user awareness training.
CISOs need to be part of the legal group, and muster their equal share in the risk equation. Security needs to align to business objectives, and develop a clear line of sight to the Board of Directors. And CISOs need to speak in dollars and cents, and not ones and zeros. They must frame the risk in terms that business people can understand. That’s the way to garner budget and resources. They know the risks; it’s selling the risk to the Board and executives who must understand their obligations as they relate to cybersecurity. There are enough dead roles and companies out there whose corpses litter the headlines of cyber breaches.
What’s your prediction when it comes to the number and type of data breaches in 2020?
Attacks will continue to move toward high return, hands-on-keyboard attacks. This means simple security controls designed to stop malware and credential harvesting tools won’t keep pace with these tactics. Firms will need to invest in security experts who can go head to head with their criminal adversaries, and defend the fort.
Grey crime will also continue to develop and grow. Tactics used to sway public thinking and sway elections will be used to move the enterprise value of companies. Positively or negatively impacting a stock value means criminals can plant stories, and watch the social network carry their paper boat away on the current, and then buy or sell stock to ‘front run’ the trade with insider information. It will be much harder to detect than the theft of proprietary information, and much harder to stop.
The complexity of targeted crime, constantly changing technology, and the way humans interact creates a petri dish that will accelerate the growth of cybercrime. This concoction can be abused in infinite ways. For more information on cybercrime – including the players, their motivations, their tactics and their targets – check out our latest threat intelligence report.
The vast majority of nationally sponsored cybersecurity incidents take the form of espionage through data exfiltration, with frequent employment of remote access tool Plug-X, according to the annual threat report by eSentire.
Emotet is the leader
The report found that Emotet accounted for almost 20% of confirmed malware incidents, reinforcing its role in the black market as the preferred delivery tool. Emotet was the most observed threat both on networks and on endpoints, achieving this dominance despite a midyear hiatus when the command and control servers were dormant.
As the organized cybercrime ecosystem continued to mature in 2019, Emotet remains the dark market leader for delivery-as-a-service. But commodity malware, which is easily available and readily automated, is just part of the 2019 threat story.
Abusing trust when it comes to cyberspace
The report also examines the increase in abusing trust when it comes to cyberspace: from phishing campaigns using trusted cloud services to host kits and pages, to Emotet harvesting emails to later reply to threads and reuse subjects, and from impersonation attacks to compromising managed service providers (MSPs), threat actors are employing an ever-evolving range of strategies and tactics to bypass defenses.
There is a need for zero trust as cyber criminals increasingly hone their micro-social engineering skills to exploit the trust circle and supply chains of their target victims.
As outlined in the report, targeted phishing campaigns rode trusted cloud services to host malware kits and fraudulent sites, and Emotet-based credential harvesting parasitized legitimate email accounts to hijack threads, reuse active subjects and impersonate trusted sources.
MSPs also topped the criminal hit list to circumvent security controls and back-door into targets by posing as trusted vendors.
Hands-on keyboard attacks are rising: Threat actors are increasingly turning to these types of attacks (particularly ransomware), which require manual effort and high-value targeting. The recent Travelex attack alleges such engagement.
Automated “drive-by downloads” and “commodity malware” continue to pose a threat, but these are becoming less attractive as more companies boost their cybersecurity efforts.
Dominating ransomware families: A significant number of successful ransomware attacks against enterprises – including governments, managed service providers and large businesses – can be attributed to just six ransomware families.
Healthcare and construction industries are most vulnerable to phishing attacks: While the healthcare and hospital industry as a whole has improved its resilience against commodity malware attacks, it continues to be the most vulnerable, followed closely by construction.
Cloud services gaining traction for phishing campaigns: Cloud services like Google and Microsoft Azure are being used to host malicious pages and trusted proxies to redirect users. The phishing lures observed most frequently are email services, Microsoft Office 365 and financial services.
Keegan Keplinger, Research Lead, eSentire, said: “A recurring conclusion of the report’s case studies is that simplistic approaches to security can leave dangerous gaps in an organization’s defenses.
“Anecdotally, we have found several cases of surprisingly large organizations with valuable data and critical infrastructure with little more than an anti-virus program running on their endpoints prior to our engagement.
“Even complete network coverage can miss something as straightforward as an attacker returning to an organization with successfully phished credentials. These organizations appear to underestimate the sophistication of modern cybercriminals, as well as the value the data holds to them.
“Having the strategic insight about what attackers are capable of, what kind of tools they are using, and how valuable your data and infrastructure can be is fundamental to understanding the lengths you have to go to protect them.”
How are enterprises coping with the security challenges brought on by digital transformation initiatives?
451 Research has polled IT decision makers at 400 larger companies about the current state of cybersecurity in their organizations, the security initiatives they have planned, the challenges they face, and how they are accommodating emerging technologies and digital transformation initiatives.
The survey, performed on behalf of eSentire, revealed several interesting things, including some unexpected contradictions.
For example: 97 percent of the respondents believe their sensitive information is well-protected and 92 percent believe their organization has the tools and expertise to protect an increasingly diverse and disparate infrastructure, despite 56 percent saying their organizations had experienced a significant security incident, cyberattack, or data breach in the past 12 months.
“SMEs are reporting higher levels of confidence compared to that of their larger peers that often have more resources, staff, tools and specialized expertise. This high level of confidence, or overconfidence, is not backed by risk assessment data and seems to stem from comparison to the organizations’ abilities and cybersecurity posture of the past and not in light of the present or future,” infosec analyst Aaron Sherrill pointed out.
“Considering the increasing volume and sophistication of malicious attacks, the increase in regulatory requirements, the rapid adoption of new technologies and the ever-increasing complexity of a rapidly expanding hybrid IT ecosystem organizations should remain skeptical about their cybersecurity posture.”
Companies are opting for hybrid IT environments
Previous 451 Research surveys revealed that, nowadays, most organizations have dedicated security budgets and that 87 percent of organizations are increasing security budgets by an average of 22 percent for the coming year.
Personnel costs amount to over one-third of those budgets and that wedge continues to expand. Money allocated for the purchase of security tools amounts to 43 percent of security budgets, but that percentage is trending down as there is an increasing shift toward managed services and personnel costs.
Most companies (57%) are also shifting their primary workload environments from on-premises resources and infrastructure to a hybrid IT environment that leverages both on-premises systems and off-premises cloud/hosted resources in an integrated fashion. 19% are shifting to a completely off-premises public cloud environment composed of IaaS, PaaS and/or SaaS.
The overwhelming majority of organizations have at least five dedicated security professionals on staff and most employ more.
But while the majority (87%) say that they have enough information security personnel on staff to support their organization, most are also looking to add specialized security experts to their teams as they are facing an expertise or skills gap in several key areas (network security, IoT security, risk analysis, threat detection and hunting, etc.)
“The greatest skills gaps for many security teams is around public cloud security expertise. This gap is increasing the probability that workloads will be improperly deployed and secured, especially as cloud platforms continue to introduce new capabilities and features at record speed,” Sherrill noted.
He also pointed out that while data security, governance and privacy are the top pains for most organizations, hybrid or multi-cloud security and securing emerging technologies are quickly becoming the most pressing challenges for many organizations.
“Digital transformation and the distribution of the workforce not only scatters resources and assets, but continues to drive a divide between corporate confidence and actual ability to protect their interests in a transformed workplace and economy,” says Mark Sangster, Vice President and Industry Security Strategist at eSentire.
“An example drill-down exposes that having satisfactory staffing levels does not ensure that the firm is equipped with critical expertise and competencies to detect threats across a perimeter-less environment, nor is prepared to manage those threats once discovered. Cyber adversaries are as prepared to embrace digital transformation, and exploit the lag between the time organizations adopt emerging technology, and then retrofit security programs and staff to properly protect their assets in this new, self-inflicted risk paradigm.”