Planning Before the Breach: You Can’t Protect What You Can’t See
Webinar Transcript | Air Date March 15, 2022
Watch the Webinar | Read the Blog Post
Okay, thanks for joining us today for our webinar on Planning Before the Breach, you can’t protect what you can’t see. My name is Steve Salinas, I’m the director of solutions and marketing here at Exabeam and today we’re going to be talking about something none of us really want to talk about but we all kind of know is a distinct possibility is planning before a breach. So I’m going to bring it out into a few different topics.
If this is your first webinar with us, before we get into the meat of the webinar, we are using obviously GoToWebinar. So as we move along with the presentation, if you have any questions, please do it to enter them in the questions area and the GoToWebinar panel and I’ll hit them either as we hit those topics or at the end, there should be plenty of time. So we’ll probably run around 30 minutes.
So first of all, if this is your first webinar with Exabeam, thanks for joining us. I’ll give you a quick introduction on what we do and kind of how we fit into this discussion today. And then I want to talk a little about threats and risks in 2022. And then we’ll talk about, based on working with our customers, what we have identified as five different blind spots that most organizations have that you need to figure out how to protect.
Steve Salinas:
We’re also going to cover specifically why we have seen a lot of organizations struggle with SIEMs, legacy SIEMs, and then give you a little bit of something to think about, where to begin to address this big topic that again, none of us really want to think about too hard but we all know we need to plan for it. So before getting into that topic again, let me introduce you to Exabeam quickly.
We are a provider of next-gen SIEM and XDR technologies. I won’t go through all of these, but just to let you know, we are a very well funded organization and have been identified and recognized by the industry as delivering really good technology. That’s basically it. And if you look at the magic quadrant, we are in the leaders quadrant for the third year in the row. With Forrester Wave, we’re a leader also that for security analytics, and last year, we were one of the founding members and really brought product to the idea there’s the XDR Alliance which you may have heard about.
It’s where we’re working with different security vendors to come to you, the security practitioners, with something that makes your job easier. Common data model, make it easy to integrate so on and so forth. So that is what we have worked a lot on. So that’s a little bit about our organization, but what do we do? That’s what I think is going to be most important. Our charter really is to help organizations, whether you have an official SOC or you have a security operations team or you have a couple of security analysts.
We want to help you really streamline and accelerate your operations. So here are four points that are going to help us get there. So really what we are trying to do is help practitioners by delivering a unified view across all your security tools. This is one of the biggest issues. We’ll talk more about that in a few minutes is most organizations have lots and lots of tools. So you don’t really have one really good way to look at all of those tools in one area although the important information that you’re gathering to really identify where those threats are coming from.
Our products and solutions make use of machine learning to distinguish between behaviors that are normal and those that might be anomalous or malicious and I will talk more about that in a few minutes. That’s really, really important to understand what normal looks like for your users, for your groups of users, for your locations, for your regions, and also for your assets, for your machines. What should they be running like? What is normal day in a servers life look like so that what’s you identify normal, then you can identify those malicious and anomalous activities easier.
And part of what we’re also doing and what’s really important for in order to really streamline your operations, it’s important to understand context. And so with our advanced analytics and our ability to provide to security analysts all of the information they need to know around alerts and the different anomalies that we have, you get that context to understand, is this something I really need to worry about or is this not something that is going to really cause a lot of damage?
My environment we’ve seen from our customers claims of significant reduction in false positive investigations and also the ability to really streamline the triage and investigation process as in general. Our solutions are cloud-based, which makes them very easy to deploy. And if you use a lot of security products in the cloud or any kind of products in the cloud, you know that the cost of ownership on that is also low as well. We do help and work with organizations all over the world.
So we have a great basis of expertise in house and working with these organizations, solving the problems that we’re going to talk about today. So I’ll mention again at the end, but if you have any other questions, comments around the content that we’re going to be delivering today, please do reach out to us after the webinar. So that’s enough about us. Let’s get into what we need to the discussion around Planning For the Breach.
So really what we all need to do as security vendors, and one of the things that you’ll notice from Exabeam, obviously we are here to make sure that the security practitioners, security decision makers understand the Exabeam products and solutions that we offer, but we are also a team of marketers and developers, engineers that we have worked collectively. We believe that security vendors have really under delivered for security practitioners and security decision makers.
You have a lot of products that have over promised and what they can do, and they just under deliver. So we are taking an approach and I think you’ll see this more and more to really just be really, to talk with you as honestly and as frankly as we can and call out the elephants in the room where they exist and make you give you the information that you need to let you know that we do understand what the problems that you’re facing. And then ultimately, if you decide to work with us and we can help you, that’s awesome. That’s great.
But really we want to do is give you that information because ultimately you are the decision makers. You are the folks that are using these solutions. And with that context, let’s talk a little bit more about risk. So risk can come from anywhere. We know right now that anywhere from that lone wolf to the organized cyber-criminals, you have your nation states or the ones that we don’t like to talk about a lot are your rogue insiders. These are probably the ones that hurt the most because when your trusted employee turns against you, but that risk to your environment didn’t come from anywhere.
And in 2020, more than 80% of the breaches that were reported unfortunately used valid credentials or involved brute force attack. These are obviously two different types of things but we think about valid credentials. Now that doesn’t mean that your insiders were part of it, but we also know that our credentials, and I’m sure we all get these all the time.
If you’re logging into your smartphone or some website or you’re using Google at all, you probably see a number of times like I do when you’re logging in oh, your greatest password has been identified as compromised in some sort of dark web or something. So I’m constantly having to change what? Change passwords. The point is our credentials, well, they are out there in the wild unfortunately. So that is a big part of the risk.
And then we can see that from the data point that 80% percent of these breaches involved these compromised credentials that are valid. So the key point here is we all know that we have risk. And over the last few years, it’s interesting. And I’ve been doing this for quite a while for a lot of different security vendors, talked with dozens of CSOs and security practitioners and the mentality around protecting your environment has shifted quite a bit.
It went from detect and respond to try to prevent, to now I think what we’re seeing and I think is the right mentality is, at the 2021 Gartner Summit, the Gartner analysis, Peter Firstbrook, said in a slide that assume breach mindset is really the only valid mindset for cybersecurity. Unfortunately, this is the truth. And I know what you see a lot of solutions marketed as we can stop this and we can stop that and we can prevent this and we can prevent that.
And surely that is what they’re trying to do. And a lot of times they can do that but it’s cliche, but it’s true. The attackers only need to be right once. And if they’re in there, they can cause serious significant damage. Let’s take a look at somebody cost associated with that. This is from a report by the Ponemon Institute and IBM, just a couple of key data points. And again, this can be debated a lot but the fact of the matter is, breaches can cost a lot of money.
If you’re a smaller organization obviously wouldn’t be that much. But if you’re a substantial really sized organization based on, and this is what the research showed, we’re talking millions of dollars, up to over $4 million in 2021 for the cost of a breach. Now there are different ways you can mitigate that. So organizations that used artificial intelligence to help protect their environment, they spend quite a bit less, significant amount less to recover from breach.
If you’re in the cloud, it impacted your cost and containment differently. So although on average 77 days faster to identify if they were breached but then remote work is a big factor. And obviously right now, even though we’re now starting to kind of slowly get back into some sort of normal, I think you might say working model post COVID or kind of towards the end of all of the restrictions and prohibit around getting people into offices.
I think we’re still always going to have some sort of remote employee base and that can change your breach and a risk of structure. We’re all working from different places, using different machines, which probably increases your risk. The other thing just to, again, kind of an elephant in the room, is security teams we’re always chasing attackers. This is the attackers on the attack. I mean, not to be too obvious, obviously.
So they’re looking for initial access to get some persistent, find the goodies that they want to get, where that might be. That means they’re probably moving laterally across the organization. And then as they continue their movements, they reach objectives. So a lot of times, even if you have a really good strong security stack, you’re getting notified hopefully as close to the beginning of the attack as possible but not necessarily in the very first step.
Now draw on top of that, if this attacker got their hands on some valid credentials, then your security stack is not even going to see that. This attacker is going to move into the environment. Now you might have other technologies in place that at some point you would identify that something occurred. Maybe you have a DLP that’s in place. But guess what? What does that DLP really fire maybe depending on how you have it configured, when it’s either detected that data has already left your environment or maybe it did try to block it, or maybe the attackers know that you have DLP and they try to obviously [inaudible 00:12:12] their data.
At any rate, you’re always kind of chasing that attacker. And we have found that the problem is too, once these alerts go get fired off, it’s not like you get one alert. I work with customers where they say on average, their analysts get 500 alerts each or more which is… Obviously we know no analyst. I don’t care how good you are, you’re never going to get through that stack of alerts. So you have to perform some sort of triage first. You have to either use some of your tribal knowledge about alerts and the experience you have or maybe you have some technology in place to help with that.
But the bottom line is, it’s not like you’re sitting there waiting with your hand over your keyboard waiting for that alert to come and you’re a robot. So the alerts come in, there might be a delay before you see the alert. And then again, it’s getting mixed in with all these other hundreds of alerts that are coming all the time. Bottom line is, you have a great spot where you’re chasing these attackers. So getting back to the quote, we need to be prepared.
That’s really what we’re trying to talk about here is, we know risk exists, it can come from anywhere. It can come at any time. We know that when we do get breached, it can be expensive not only to recover, but the long term effect on our brands. We all know this. And we know that we are not the attackers. As much as we don’t want to admit they have advantage because they can throw numbers of attacks and guess how their failures should cost them nothing. It doesn’t matter. They’ll keep trying and trying and trying until they figure out a way to get into your environment.
And unfortunately, no matter how good your security stack is and how much time and effort, this is nothing that your team is doing incorrectly but you have to assume that that breach can still exist, can still occur I should say. So again, we talk with numbers of different stocks and security teams and we’ve identified five different blind spots that you can start to prepare for or you should make sure and think about when we think about these breaches and how they occur.
Obviously the first one that is going to come to mind or should come to mind, compromised credentials. By far the number one vector for data breaches, just so many different ways credentials can be compromised. Again, they could already have been leaked, they could be on the dark web. They could be a phishing attack where unsuspecting employee dishes over their credentials or there’s some other way the attacker has got those. This is tricky.
This is really, really tricky because when you log in, everything looks fine. Behavior seems completely legitimate until it isn’t and that’s where maybe some of your other tools might kick into place. But the fact of the matter is a lot of security products that the organizations use, they have an outward bias looking for threats because that’s traditionally where we thought threats came from, where it’s a ransomware attack or it’s something it’s a denial of service.
It’s some sort of an attack from someone outside your walls, your theoretical walls I guess you could say, is trying to cause harm to your organization. So of course you need to protect against that. But it’s kind of interesting. But if that attacker is able to evade those protections and we know that they can, guess what? That does kind of become an insider threat, even though it’s not from a trusted insider, but this becomes something that for now the attacker is in your environment, taking, carrying out their attacks and plane sight and they can either go slow and low. And that makes it very difficult. Or they can be smashy and grabby where they come in, they know no one’s seeing it. Maybe they lease some back doors.
They do some mapping of your networks and they just hang out. We have all heard of those stories, those horror stories, where attackers were in environments for six months, a year, two years, five years. I mean, this happens. You don’t think it happens, but it definitely happens. And it’s because they’re in there and they’ve established that foothold. And once a foothold is established, it’s very difficult to get them out.
Compromised systems, the same sort of thing. The unpached vulnerabilities let’s face it, these are our attackers best friends. And you wouldn’t think this would occurs but when you, and I think this happened just recently, there was a ransomware attack. And this isn’t a vulnerability so much but it’s an example of something that could have been applied to protect an organization against something that was known was never applied. WannaCry, which was like two, three years old, attacked an organization recently.
And there is no reason that should exist today. So there’s either security tools that weren’t ever updated or there were servers or systems that for whatever reason, we all have seen them. We all know them depending on your business that they have been rebooted for years. They have been up and running for years because it’s crypto system is critical. It’s difficult to move it so on, so forth. But the fact of the matter is that becomes a huge blind spot.
If you haven’t been able to reboot a system in a year, or you’re not using technology that can be updated without a reboot, you’re vulnerable. That system is vulnerable and attackers are going to take advantage of that. So once they’re on that system, again, it’s completely undetected. They’re in your environment. And right here, it says almost 300 days to detective breach. That seems crazy, but it’s the truth.
So compromised systems. Do you have any in your environment? Do you have any that have not been rebooted in years? Have they been patched? Have they been upgraded? I think you should probably check that out. Next a rogue insider. Again, this one hurts. This is the friend and the turns against you when the trusted turns into the threat. And there’s a lot of research around the rogue insider and it can happen anywhere at any time but I think as an organization and this goes well beyond just IT and security I think ensuring your employees are satisfied and happy with their job it’s very, very important.
And I think that sometimes that goes that part of it isn’t discussed enough. And we actually did a webinar about a two months ago, I suggest you could check it out where a Forrestry analyst and I we’d a nice discussion around insider threats and some of the things that organizations can do to kind of minimize that occurrence. But the fact of the matter is you have an employee and they start to get dissatisfied. Maybe they think they were passed over promotion. They had a better view. They’re coring with employees. It also could be a trusted third party though. A contractor.
Someone come in your environment and works. For whatever reason they decide you know what? I’m going to move against this organization. So again, their behaviors are going to seem totally fine and totally above board until they’re not. And then you’re in trouble because that attack can just take seconds or to carry out but the recovery period can be very long. And almost half of organizations have had a rogue insider within the last year which is a sad fact to reality.
So I think either a couple of things to take from this and we’re going to talk about what are some of the things you can do to help all of these blind spots. But one of the things that I didn’t mention there is get HR involved. Make sure that you’re keeping abreast on how your employees are doing, especially now. Over the last two years, there’s been a lot of more stress in people’s lives based on what was going on in the world with COVID. So I think now that we’re starting to get back into some sort of normalcy I should say, let’s check in with them.
Make sure we’re not accidentally kind of turning it to a very trusted employee into someone that might turn into a rogue insider without us knowing it. And then the last one, oh, I have two more I think. So lateral movement. So again, I’ve been in this space for quite a while and this is one of these areas that is very tricky to identify. Based on how security technologies work, a lot of times they’re very focused on the individual item or asset that they’re protecting but they don’t necessarily have the context of all the other assets that they’re protecting as well.
Attackers know this. So they know if they can infiltrate in one machine, they’re going to try to spread as quickly as they possibly can so that if they do happen to get identified in some machines that they still have a footprint in the organization. And that’s how they’re going to actually find their intended target. They want to try to own my machine but they might say I’m not interested in Steve’s machine, I want to get to that server.
But I’m going to get out on Steve’s machine and I’m going to move around slowly and I’m going to get to the server and I’m going to get the pot of gold, whatever they’re they’re looking to get. I’m talking lots and lots of organizations that they identify that, oh, this attacker moved laterally but unfortunately they’re doing it in their post threat kind of looking at what happened after the fact. When the damage has been done, when they’ve already had to call in the expense of third party, IR teams to try to help them recover.
So you got a unique to find and figure out how you can identify lateral movement. And then the last one we’ll discuss here are service accounts, the gems. These service accounts and we all need them. We have to have them. So they’re running on your different services and they really power your organization. And because of the nature of them, some of them might have high privileges because the machines that they’re running on.
So if these service accounts get compromised, that can be really a trouble because now maybe the service account gets owned by an attacker. Now they can go, what might they do? Maybe they can elevate to other accounts. And it looks like it’s fine because it’s already a higher privileged account but these can cause lots of harm for your organization. No doubt. So I’m going to talk specifically about one of the technologies that I think a lot of organizations have looked to help them do what obviously well those correlation.
So we have our security products that are in place, security stack, endpoints, firewalls, DLPs, NetWare, whatever it is. You have built out a security strategy and all these different technologies what do they do? They generate alerts. Some of them have the ability to block like maybe the endpoint product doesn’t just alert, but it has the ability to block or DLP does too. But a lot of times and I used to work with organizations that would use web application firewalls and you would think it’s firewall.
Well, if you are a primarily online organization or if that’s your entire business, you have to really weigh when you identify you’re being attacked. You have to way how you want this firewall to work, because most of these applications work in a way that if they detect an attack, they can bring the site down to protect it. They’ll shut the site down, shut down access. But that also means all of that legitimate traffic that is looking to get to your website to book airplane tickets and buy concert tickets and whatever it is, those folks can’t get there either.
So a lot of organizations would allow those to fail open. So they identify the attack but they don’t want to bring the website down and they’re willing to take that risk. So a lot of these security products work in that way as well and for [inaudible 00:24:16] too. So a lot of times you’re getting, the point is, you’re getting alerts from all these different products. There’s no way in the world you can make sense of them without something in the middle. And that’s what the SIEM is designed for, obviously.
Let’s get this, let’s correlate all our log activities with alerts and then get these correlated alerts. Hopefully that will make sense to the security analyst. But sure enough, SIEM technologies, if you have them, if you run them, if you ever run them, they are complicated. They’re complicated to get work directly. They require a lot of maintenance because they work off of static correlation rules. And unfortunately you kind of need to be an engineer or work for the security provider to really get the most out of those products.
But what I want to focus on really is we’ve identified as one of the core problems with these SIEM technologies. It comes back to what I mentioned a little while ago. SIEMs generally do not understand what normal behavior looks like. And normal for you and normal for me can be totally different. Maybe your normal working hours are Monday through Friday, eight to five, maybe I work nine to six or seven to four and then I took every Tuesday off for family reach, whatever it is.
But understanding how users and assets behave is really important because if you don’t have that understanding, then you’re not going to be able to understand when the behavior moves outside of that normal. So all of these different five blind spots that we talked about, if you think about them, if you had a way to identify normal behavior, and I had technology that could help you do that, you would close up those blind spots. Can you guarantee you would never get breached? Of course not. No one can do that.
There’s no silver bullet but what you can do is you can start to get those blind spots so low that they’re manageable, close them up so much that they’re much more manage. So how do you do that? So the way that you’re going to be able to do that is you need to use behavior analytics. You need to layer in behavior analytics in your security stack and there are lots of different ways you can do that. But really what that is that gives you that deeper visibility to really understand when something is working as it should and Steve is working as Steve or when Steve is actually not Steve, Steve is an attacker from a foreign country that has grabbed his credentials and is now logging in from a foreign place or somewhere else and moving all around like the lateral moving for example.
Steve never has access to these machines ever before. Now, if you don’t have anything to understand that is not a normal activity for Steve, you’re not going to do anything. You’re not going to see that might be something to investigate, but with behavior and analytics and a deep understanding of what normal behavior looks like, that will bubble up and that will allow you to take action quicker so that if the attacker is in and is actually moving laterally in your environment, you can take some steps to mitigate that risk right away.
So SIEMs are great but they need help. So the idea behind this discussion today wasn’t to provide you A, we have the answer for all your problems, because guess what we don’t because I don’t know your problems. I don’t know what you’re faced with specifically. I don’t know what’s causing you trouble today, but what I can give you is a little bit of a roadmap, give you an idea where to go and what you might want to start with. And some of the sign might say, no kidding. But sometimes we need to see it in paper or see it and talk about it to kind of get us motivated and push us to start the process.
So obviously what you want to do is, what are your existing capabilities? You have a security stack, security defenses that are there, what can they do based on or do you have any blind spots that we discuss today? Do you think they exist in your environment? And maybe you don’t. Maybe you think, well, you know what? I’m a fortunate. I have a SIEM that’s using behavioral analytics. That’s great. So go in there and make sure that it’s configured and that you have the ability to identify the normal actions and take action when something isn’t normal, but a lot of organizations don’t.
So I think what you need to do is see how ways and solutions that can help you close those gap. So obviously we are here to help. We can help with providing security assessments. We have a pretty easy little survey that we can walk you through. We can do some consultations and obviously we have technology that is helping lots of different organizations today to close up these blind spots, limit their attached surfaces so that the chance, again, can anything that you purchase and put in your sock or you’re running from a security perspective guarantee, no breaches, not really.
I mean, I think that’s part of the problem getting this false sets of security. But what we can do is we can help you mitigate the chances of any of significant damage being caused by a breach. So that is my discussion. Again, just wanted to kind of get you to think about where you might want to do and what you might want to do from a planning perspective. I have a couple of a little questions or other things to think about. So I don’t want to give the misconception because I talked a little bit about alerts and there’s always the questions around, well, are these alerts no good? That’s not true at all.
The security stack, what those security products are in place for is usually a very discreet purpose. And they’re usually very good at it. So let’s take Endpoint for example. Endpoint is their job to identify ransomware, malware attacks and different things honing your endpoints and some of some known own attacks, known threats. And by and large, especially when you’re talking about next gen solutions, they do a pretty good job. But again, we know that ransomware can still get through. We know that phishing attacks still occur.
So it’s important that you have kind of that other layer, I’ll call like a secondary layer of protection or defenses to where when that attack does get passed, that your initial primary which let’s hope it’s not very often, but it can happen, that you have a way to still unsee that it’s occurring and take some steps to mitigate it. Also a little bit of questions around SIEMs and do I need to get rid of my SIEM, what’s in the SIEMs right now when you start to search at Google SIEMS or you also see come up a lot XDRs. That’s the new phrase. XDR more acronyms, but really what are these technologies?
So depending on what you have in place. So we frankly work with a lot of organizations that have a SIEM that’s been deployed and they actually are pretty happy with it for APU of their use cases. Maybe it’s just for their basic logging for some compliance reasons but they’re not really happy with the security, the security use cases and the coverage that they get. So we layer our technology, our behavioral analytics, our advanced analytics with their SIEM using their data they’re collecting on their logs and we can identify threats and that works fine.
That’s a wide approach you can go. We’ve also worked with organizations that said, you know what? I’m not happy with the security outcomes I’m getting, I’m not happy with any outcomes I’m getting. So I want to get rid of the SIEM. So that’s totally fine as well. So we can use our technologies and replace your existing SIEM as well. That’s really up to you and it’s really up to what you’re faced with today and what are your objectives. And what we talk a lot about with our customers is really what are you trying to achieve?Because security is such a broad topic.
I think it’s really important you understand what are you trying to achieve so that you know what technologies you need to use. So that’s just something else to think about. Well, I won’t keep it any longer. Want to just quickly give a little plug for our next webinar that’s coming up on April 15th, Fantastic Attacks and How to Find Them. So we’ll be talking about some different attack types with our product managers and product marketers directors from Exabeam, that’s on April 15th. So keep a look out for that invitation and have a great rest of your week. And if you have any questions, please do reach out to us. We’re happy to help you. Thanks.