You Can’t Defend What You Can’t See: The Top Three Questions for Every CISO
One of my favorite parts of my job is the conversations I have with CISOs and their teams. There’s nothing better than learning from their firsthand experiences and challenges. While most of these conversations are productive and engaging, some are troubling.
Based on these conversations, here are five examples of strategies that completely miss the moment. I’ve followed this with the three most important questions every CISO needs to answer on their security operations.
In this article:
- Five strategies worth rethinking
- The three questions every CISO needs to answer
- Organize security operations around capabilities
Five strategies worth rethinking
1. Focusing on IOCs/exploits versus attacker TTPs
The most effective security operations teams I talk to balance their tool investments across detecting exploits and attacker TTPs. Spending solely to defend against exploits provides little to no coverage once the adversary is inside.
Why is this important? In a world where an “assume compromise” mindset is a must, this thinking doesn’t add up because the exploits are always changing. Pick your major attack from the last six months; the fingerprints (behaviors) are the same. The attack indicators of compromise (IOCs) of how they got in were all different, and once inside, the intrusions shared common fingerprints — tactics, techniques, and procedures (TTPs). All of these attacks started differently, but ended similarly.
More than half of successful attacks begin with compromised credentials, which bypass vulnerability/exploits/malware controls — and, while we are at it, static detection rules. It’s clear that primarily focusing on these detections leaves an organization exposed. Once these adversaries become trusted insiders, all bets are off. The first step they all take is to acquire new privileges, escalate privileges, and/or find or create new ones in Active Directory.
Once they get credentials, they look like an employee; there is no visibility into abnormal behavior of credential use, so what, then, is the defender to do?
It’s time to rethink any strategy that invests in prevention infrastructure at the expense of insider threat detection.
2. The “EDR and SOAR only” approach
I often hear organizations claim with confidence that their prevention strategy is built on their EDR sending its alerts to a SOAR. This strategy overlooks one of the most critical tasks in security operations: conducting complete investigations.
Let me provide a good example of why this is a flawed strategy; unfortunately, it’s one we see all the time. An EDR detects that Mimikatz is running on a server. What do you do next? The incident surfaced through the EDR alert and is most likely affecting other machines and credentials, but how do you determine the entire blast radius of the impact?
EDR is simply not capable of connecting all the dots. It can’t answer any of these critical questions: Where did the intrusion begin? What other machines may have been impacted? Were other credentials taken and used on other machines? And if so, who, what, and where?
Advanced security teams try to put the pieces of this puzzle together with exhaustive advanced searches in a data lake. Not only is this a luxury few organizations have, it raises several other challenges. Even the most experienced analysts need to know what they are looking for, and by relying on this strategy, large portions of the attackers’ tracks are missed.
For low maturity organizations, delivering a Mimikatz alert from an EDR straight to a SOAR product could be detrimental to a complete investigation. SOAR isn’t built to tie together all of the attackers’ TTPs. Where was the attacker before the alert fired? Where did the attacker go after the alert? Did the attacker escalate privileges? Create their own privileges? I learned about a recent breach where the attacker had stolen 233 credentials and accessed more than 500 systems in the organization. An attacker isn’t going to exploit one machine and stop there.
EDRs provide fantastic telemetry, but they are only one source of truth. This strategy is flawed because a SOAR is only as good as the detection technology to which it’s attached.
3. “We’ve got threat intel and hundreds of correlation rules running. We’ve got this covered.”
My first thought is how expensive it must be to run hundreds of real-time correlations; that’s a whole lot of processing. My second thought is, “Say it ain’t so!”
My response to this one is simple. Run, don’t walk! Relying solely on traditional detections like correlations and rules — even with the benefit of threat intelligence feeds — is, at best, an unmanageable alert machine gun; operationally, it just isn’t enough. Add to this, it’s expensive to manage, prone to operational failure, requires excessive maintenance, and fails under the stress of tracking user credentials.
4. “We support a Zero Trust Architecture (ZTA) and use Multifactor Authentication (MFA); there’s no way for our credentials to get compromised.”
There’s a reason the most commonly used TTP is stolen credentials. It’s because it works every time. Why is this? It’s because most defenses aren’t equipped to identify the misuse of credentials. Consider these questions: How do you baseline what every employee does with their credentials? Can you reliably identify the normal usage patterns for every employee credential? Can you quickly identify an employee that logs in using their domain credentials and starts using an SA account somewhere else for the first time?
Lapsus$ isn’t the only time we’ve seen MFA beaten by motivated adversaries. In this case, they used social engineering techniques to determine their targets, successfully reset user passwords, and then co-opted MFA tools to gain access to legitimate credentials. Once again, a best-in-class defense was defeated by a best-in-class attack type. And remember, this isn’t limited to employees; what about mistakes made by IT contractors or cloud providers?
Identity management tools and best practices are great for many attack types, but they provide limited protection against credential-based attacks using valid credentials. Look to supplement your MFA with credential behavior analysis.
5. “We use deception technologies, our employees are well trained, and our SOC has the best ‘ninjas’ and threat hunters.”
Best-in-class security operations should value consistency and repeatability over hero work. This industry has been misled into believing that training and good people alone can solve this challenge.
The sad reality is that people make mistakes, even those with training. As for having “ninjas”, wouldn’t it be nice if every company could afford a former red teamer from the NSA? Organizations need to be able to do more with less and invest in data science to help solve the largest cybersecurity challenges.
No matter how much training you have or how many ninjas are on your team, you are still exposed. Even ninjas need to know what they are looking for. Without context, how can they possibly anticipate an attack while it’s happening? That’s mission impossible. I compare this to putting together a jigsaw puzzle without knowing what the finished picture looks like. Behavioral context assembles the borders and large chunks of the puzzle so ninjas, and everyday analysts, know what to hunt for.
Behavioral analysis of your users and assets is the ninja you’ve always been looking for and consumes a lot less Red Bull. Having behavioral analytics in your arsenal helps you to natively respond to the questions you should be asking and answering, with the help of a CPU and not burning out your team.
The three questions every CISO needs to answer about security operations
I’ve shared a few of the most troubling strategies I hear from security operations teams; now, I want to share the most important questions a CISO can answer about their security operations. Keep in mind, there are no silver bullets, but systems — built or bought — that address these three questions allow the defending team to win. We see it repeatedly.
With this in mind, let me share the questions that every CISO must answer to enable a best-in-class security operations program.
1. Do you know what normal looks like for every user and entity in your environment?
This is the million-dollar question. Having a handle on what normal activity looks like in your environment is key to detecting anomalous activity such as the following:
- A user is resetting their credentials outside of the corporate change window.
- A user who doesn’t usually create new accounts has created several new accounts outside of the provisioning process.
- A contractor accessed a new system using admin credentials.
- A system in your cloud account is accessing a database every 30 seconds.
- A user has staged some files and has not done anything else.
- A system is communicating with a remote server we’ve never seen.
- A user is copying a significantly large number of files.
- A developer is accessing a system with backdoor access.
- A user just sent a large number of emails to their personal account.
- A previously quiet service account is now surfing the internet or signing in interactively to other systems.
With behavioral models running in the background, you enable a CPU, rather than one of your heroes, to spot anomalies and assign risk values. Rules are great but only detect known knowns. There’s a little more to this process; one anomaly typically isn’t enough to take decisive action. That sets us up for the next question.
2. Do you create and use timelines?
I hope that you have never experienced a breach. If you have, one of the first things the expensive third party you hire is going to do is build a timeline of activities to help pinpoint the attack and the impacted systems — even at its best, this is still static and point-in-time. I’ve been in cybersecurity for more than 25 years, and I’ve yet to see anything more powerful than the impact of timelines for a security operations team. When done correctly, timelines answer the unanswerable; they provide a contextualized time window of any activity associated with a user or asset. If any one of the above examples is triggered, the risk score is elevated and each user or asset can automatically be placed on a watchlist. The timeline is ready to help any level of analyst determine what other activities have occurred that might raise their risk level and drive automated or manual intervention.
If you experience a breach, you likely will end up paying a third-party IR firm to help you assess the damage and toss out adversaries. The tool they use to do it is a timeline. What if there were an easier and better way to leverage timelines? How about an automatic way? Exabeam Smart Timelines™ are an evolution beyond third-party support because, among other things, they are automated and identify abnormal behavior. Timelines are showstoppers — attackers hate them!
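To make questions 1 and 2 concrete, here is an added example (not Exabeam’s code, and not the product’s scoring model) that learns a per-user baseline of hosts, actions and hours of day from a training window of constructed events, scores new events for the kinds of anomalies listed above (first use of a host, first time performing an action, activity at an unusual hour, a service account logging on interactively), accumulates a risk score per user, places users over a threshold on a watchlist, and keeps a per-user timeline of what contributed. The event fields, point values and the threshold are assumptions chosen for illustration; a real UEBA system derives its weights from data and many more signals.

```python
"""Added example: toy behavioral baseline, risk scoring, watchlist and timeline.
Not Exabeam's code; all events, point values and the threshold are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry: (timestamp, user, action, host)
BASELINE_EVENTS = [
    ("2024-01-08T09:02", "alice", "logon", "HR-WS01"),
    ("2024-01-08T10:30", "alice", "file_read", "HR-WS01"),
    ("2024-01-09T14:05", "alice", "logon", "HR-WS01"),
    ("2024-01-08T02:00", "svc_backup", "service_logon", "FS01"),
    ("2024-01-09T02:00", "svc_backup", "service_logon", "FS01"),
    ("2024-01-09T03:00", "svc_backup", "service_logon", "FS01"),
    ("2024-01-08T09:10", "bob", "logon", "DEV-WS02"),
    ("2024-01-08T11:00", "bob", "file_read", "DEV-WS02"),
    ("2024-01-09T17:00", "bob", "file_read", "DEV-WS02"),
]
NEW_EVENTS = [
    ("2024-01-15T09:15", "alice", "logon", "HR-WS01"),
    ("2024-01-15T11:00", "bob", "file_read", "DEV-WS02"),
    ("2024-01-15T22:40", "alice", "logon", "DB-SRV03"),
    ("2024-01-15T22:45", "alice", "create_account", "DB-SRV03"),
    ("2024-01-16T03:10", "svc_backup", "interactive_logon", "HR-WS01"),
]

# Hypothetical point values; a real UEBA product weights signals from data.
POINTS = {"new_host": 20, "new_action": 15, "unusual_hour": 10, "service_interactive": 30}
WATCHLIST_THRESHOLD = 40  # assumed cut-off for placing a user on the watchlist


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def _empty_profile():
    return {"hosts": set(), "actions": set(), "hours": set()}


def build_baseline(events):
    """Learn, per user, the hosts, actions and hours of day seen in the training window."""
    baseline = defaultdict(_empty_profile)
    for ts, user, action, host in events:
        baseline[user]["hosts"].add(host)
        baseline[user]["actions"].add(action)
        baseline[user]["hours"].add(_hour(ts))
    return baseline


def score_event(profile, event):
    """Return a list of (reason, points) for one event against a user's profile.
    The profile is extended in place so that each novelty is scored only once."""
    ts, user, action, host = event
    reasons = []
    if host not in profile["hosts"]:
        reasons.append((f"first use of host {host}", POINTS["new_host"]))
        profile["hosts"].add(host)
    if action not in profile["actions"]:
        reasons.append((f"first time performing {action}", POINTS["new_action"]))
        profile["actions"].add(action)
    if _hour(ts) not in profile["hours"]:
        reasons.append((f"activity at unusual hour {_hour(ts):02d}:00", POINTS["unusual_hour"]))
        profile["hours"].add(_hour(ts))
    if user.startswith("svc_") and action == "interactive_logon":
        reasons.append(("service account logging on interactively", POINTS["service_interactive"]))
    return reasons


def assess(baseline, events, threshold=WATCHLIST_THRESHOLD):
    """Score events in time order; return per-user risk, per-user timelines and the watchlist."""
    working = {u: {k: set(v) for k, v in p.items()} for u, p in baseline.items()}
    risk = defaultdict(int)
    timelines = defaultdict(list)
    for event in sorted(events):  # ISO-8601 strings sort chronologically
        ts, user, action, host = event
        profile = working.setdefault(user, _empty_profile())
        reasons = score_event(profile, event)
        points = sum(p for _, p in reasons)
        risk[user] += points
        timelines[user].append({"time": ts, "action": action, "host": host,
                                "reasons": [r for r, _ in reasons],
                                "points": points, "cumulative": risk[user]})
    watchlist = sorted(u for u, r in risk.items() if r >= threshold)
    return dict(risk), dict(timelines), watchlist


if __name__ == "__main__":
    risk, timelines, watchlist = assess(build_baseline(BASELINE_EVENTS), NEW_EVENTS)
    for user in watchlist:
        print(f"== {user}: risk {risk[user]} (on watchlist)")
        for e in timelines[user]:
            print(f"  {e['time']}  {e['action']:<18} {e['host']:<8} +{e['points']:<3} "
                  f"{'; '.join(e['reasons'])}")
```

Running it places alice (a late-night logon to a never-seen database server followed by her first account creation) and svc_backup (a service account logging on interactively to a workstation it has never touched) on the watchlist, while bob’s ordinary activity scores zero. The point of the timeline is visible in alice’s entries: no single event is damning, but the ordered sequence with its cumulative score is what an analyst needs to decide whether to intervene.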
3. What’s your plan for credential-based attacks?
With few exceptions, all of the most recent destructive breaches have been from insiders and credential-based attacks. The adversaries know the drill: acquire someone’s credentials, avoid external threat detection, gain access using legitimate credentials, and move laterally. With credentials on sale in criminal marketplaces for $15 a person, and admin credentials selling for anywhere from $500 to $100,000 each, there’s an opportunity for both sellers and buyers. Add to this, the recent Lapsus$ attacks present a new wrinkle, where the attacking/criminal organization is using social media to recruit insiders for tens of thousands of dollars. We see this as a new Insider Threat vector, “Colluding Insiders”.
There’s more. Your credential-based attack plan must reach beyond cybercriminals. You need to account for others: employees, contractors, vendors, partners, and ex-employees whose access has not been disabled. This level of attention supports supply chain and third-party risk management security as well.
Your plan should be to identify credential-based attacks (aka insider threats) as quickly as possible before they become major incidents. Unlike external threats, insider threats typically evolve over a long period of time. To discover them, you have to be able to monitor user behavior that isn’t within a normal range (question #1) and likely incorporates timelines (question #2) to respond immediately.
Simply put, best-in-class security operations need the well-thought-out capabilities of a next-gen SIEM.
Organize security operations around capabilities
The key tool to identifying insider threat behavior is a SIEM with UEBA capabilities that apply data science across all users and asset activities to determine a normal baseline of expected behavior. Then, when behavior drifts away from that baseline, the solution brings those users and/or assets to the attention of security analysts.
Exabeam Fusion SIEM offers industry-leading UEBA capabilities to help security operations teams turn the tables on attackers. It takes a behavior-based approach by analyzing user behavior in your on-prem or cloud environments and applies advanced analytics to identify your riskiest users/assets based on their behavior/actions. It automatically analyzes relevant events from IT, cloud, identity, productivity, and other security controls to calculate specific user and asset risks, viewable within machine-built Smart Timelines™ that make it easier to detect and respond (often automatically) to insider activity.
I invite you to learn more and see for yourself. Request a product demonstration today.