Planning Before the Breach

Cybersecurity risk can come from anywhere — a lone wolf, organized cybercriminals, nation-states, or rogue insiders. 

In 2020, more than 80 percent of the breaches that were reported involved compromised credentials, according to the Verizon Data Breach Investigations Report (DBIR). How many times have you gotten a breached password detection alert, prompting you to change your password? Unfortunately, our credentials are out there in the wild, making them a big part of the risk picture.

We all know that we have risk. Over the last few years, the mentality around protecting your environment has shifted significantly from “detect and respond” to “try to prevent”. At the 2021 Gartner Summit, Gartner analyst Peter Firstbrook said in a presentation that an “assume breach” mindset is the only valid mindset for cybersecurity. 

Attackers only need to be right once. Once they’ve entered your environment, they can cause serious damage. According to the 2021 IBM Cost of Data Breach Report, the cost of a data breach in 2021 was upwards of $4 million, up 10% from 2019, and the highest it’s ever been in the 17 years this study has been conducted. Importantly, the report shows that organizations that used artificial intelligence to help protect their environments spent significantly less to recover from a breach.

Intruders are always looking for an initial access point to get in and find what they’re looking for, wherever it might be. That means they’re probably moving laterally across the organization. As they continue their movements, they reach their objectives. Getting notified early on — as close as possible to the beginning of the attack — can make a tremendous difference.

In the event of an intrusion, it’s the security analyst’s job to chase the attacker. An analyst may get 500 alerts or more. How do they know where to start? How to triage and manage hundreds of alerts while there’s an active attack underway?

The answer is: be prepared. Knowing that it’s a distinct possibility that your organization will encounter a breach, it’s critical to plan before a breach occurs. We have identified five blindspots that are common in most organizations, which you should consider when thinking about how breaches occur.

Five common security blindspots

1. Compromised user credentials — The number one vector for data breaches, according to the Verizon DBIR. Credentials could have already been leaked and exist on the dark web, or they could have been handed over by an unsuspecting employee who was the victim of a phishing attack. This blindspot is particularly tricky; the attacker’s behavior seems completely legitimate at first, so rules- and correlations-driven security tools can’t defend against it. 
2. Compromised system — Unpatched vulnerabilities are an attacker’s best friend, and there’s no reason they should exist today. Keep security tools, servers, and systems updated to help avoid this. If you haven’t been able to reboot a system in a year, or you’re not using technology that can be updated without a reboot, you’re vulnerable and attackers are going to take advantage of that. Once they’re on that system, they’re completely undetected.
3. Rogue insiders — These are the ones that hurt the most, because the risk is coming from a trusted employee who’s turned against you. This goes beyond IT; ensuring that your employees are satisfied and happy with their jobs is very important. Because rogue insiders appear to be legitimate users, most security tools don’t trigger alerts to their behaviors.
4. Lateral movement — involves systematically moving through a network in search of sensitive data and assets. Attackers get into your environment, then keep looking for ways to get to what they want. You can have a malicious actor in your environment for months or even years, mapping your networks and hanging out undetected. Once a foothold is established, it’s very difficult to get them out.
5. Service account misuse — We all need service accounts, and they really power the organization. Because of their nature and the machines on which they run, service accounts usually have high privileges, making them a prime target for attackers. If they get compromised, attackers can escalate to other accounts without tripping any alarms.

Four points to help streamline and accelerate security operations:

1. Get a unified view across all your security tools — Most organizations have many different tools without a good way of seeing all of them in one place. It’s important to be able to aggregate all of the important information gathered from all of those tools, so you can truly identify where the threats are coming from
2. Understand what normal looks like — for your users, groups of users, locations, regions, assets, and machines. What should they be running like? What does a normal day in the life of your servers look like? When you identify normal, then you can more easily identify anomalous and malicious activities.
3. Understand context around alerts and anomalies — so that you can know what to worry about vs. what isn’t going to cause a lot of damage
4. Reduce false positives — to streamline the triage and investigation process

Why organizations struggle with SIEM

Security Information and Event Management (SIEM) tools are designed to make sense of the multitude of alerts that come from all of the different products in the security stack: endpoints, firewalls, data loss prevention (DLP), etc. SIEM technologies are complicated, and difficult to get to work directly. They require a lot of maintenance because they work off of static correlation rules. You need to be an engineer or work for the security provider to get the most out of these products.

SIEMs generally do not understand what normal behavior looks like. Normal for one person can be entirely different for another. But understanding how users and assets behave is critical because without that understanding it’s impossible to know when the behavior moves outside of normal. This knowledge helps illuminate the five blindspots identified above.

There’s no silver bullet to guarantee that you’ll never get breached. But you can make those blindspots much easier to manage by adding behavioral analytics to your security stack. Behavioral analytics gives you deeper visibility to really understand when something is working as it should, and when it is not. Then you will be able to take action more quietly, so that if there is an attacker moving laterally in your environment, you can take steps to mitigate that risk right away.

Conclusion

Each product in the security stack is in place for a discrete purpose, and each tool is usually very good at what it does. For example, endpoint protection’s job is to identify ransomware, malware attacks, and other threats targeting endpoints. But things like ransomware and phishing attacks can still get through. SIEM technology with behavioral analytics adds a secondary layer of defense so that when an attack does get past, you have a way to see that it’s occurring and take steps to mitigate it right away.

Learn more about protecting your environment

For more insights, watch the on-demand webinar, “Planning Before the Breach: You Can’t Protect What You Can’t See.” Hear more about how to better understand your risk and improve your security and detection and response capabilities. Read the transcript.