In today’s information-rich enterprises, data is viewed and treated as a valuable and pivotal business asset, which is precisely why data loss and security breaches can have devastating and far-reaching consequences. Modern hackers understand this well, and the result is targeted cyber-attacks aimed at exposing confidential business data and using it for financial gain.
In recent years, the exponential increase in sophisticated data breaches has given significant weight to information security efforts. It has also brought about a paradigm shift in the way information security is viewed. As a result, IT and security administrators are moving from simply being aware of the latest security solutions to building their own internal security policies and deploying security information and event management (SIEM) tools to mitigate threats.
However, in order to properly protect confidential business data, organisations must move beyond collecting and analysing logs from critical log sources in a central location. As the saying goes, to catch a thief, you have to think like one, which is why the only way for security administrators to foresee and prevent, or react immediately to, a security breach is to work out the modus operandi of any would-be hackers.
Of course, security admins are not equipped with super powers that could enable them to travel back and forth in time. Yet, they do have one special skill that can help in the fight against cyber-crime – namely, their ability to predict a suspicious event, treat it as a potential data threat and neutralise it before it causes any damage.
The following three simple steps can contribute to a more connected approach for detecting and mitigating security attacks:
1. Understand the 80/20 rule on security attack patterns
Investigations into security breaches across the world have uncovered some common attacking patterns used to steal data. In fact, the Pareto principle that for many events, roughly 80% of the effects come from 20% of the causes holds true in many security attack patterns. According to the Verizon Data Breach Investigation Report 2015, just nine attack patterns have given rise to 80% of the security breaches that have occurred in the past few years.
Understanding these common attack patterns brings insight into how a data breach could unfold in an organisation’s network and crucially, the best way to seal any security loopholes before data loss or corruption occurs.
2. Consider attack patterns in the context of the business
Having narrowed down the attack patterns, the next challenge for security admins is to work out the probability of these attack patterns occurring in their networks. Here, contextual information such as the industry, the type of confidential data the enterprise deals with and its network infrastructure plays a vital role in determining which attack pattern is most likely to occur.
For instance, a financial organisation dealing with credit card data could expect a high chance of insider security threats, along with phishing, denial-of-service attacks and attacks on its operating systems. Steps that could be taken to mitigate these attacks might include an audit trail of privileged user activity, constant monitoring of critical web servers and applications, and compliance with regulatory mandates such as PCI DSS.
A healthcare provider with confidential patient records should also be alert to internal and malware threats, and can mitigate them by auditing privileged user activity, monitoring user activity on critical servers and applications, and complying with data security regulation.
Retailers need to keep an extra eye on point of sale (POS) devices to avoid RAM scraping (examining the memory of the running web server and extracting data while it is in its processed, unencrypted state), as well as being alert to threats such as payment card skimming and web app attacks. Here, compliance with regulatory mandates such as PCI DSS, monitoring point of sale devices and analysing POS logs for unusual activity are all important, threat-mitigating activities.
Meanwhile, in the education sector, critical server and application monitoring, analysing and correlating logs from critical servers to detect network anomalies, and regulatory compliance can help prevent the kind of malware threats commonly experienced by schools, colleges and universities.
3. Close the gap between speed of attack and speed of discovery
As a rule of thumb, organisations seeking to combat security threats should accept the fact that not all security breaches can be proactively mitigated. In most cases, an organisation will not even know an attack has happened until it is told about it by a third party.
To understand what limits the speed of discovery, it’s important to look at the various stages of a security attack. In most cases, there are four stages: examining the network; network intrusion; exploiting data or a critical source; and then escaping the network without getting noticed.
Initially, hackers will examine their target’s business type, the data they want to breach and the network infrastructure. This will help them choose their attacking technique. Once this is fixed, they will attempt to invade the network infrastructure.
To proactively mitigate attacks, security administrators must contain the incident at this stage. What makes this difficult is insufficient visibility of the security events that indicate network intrusion. In some cases, hackers might intrude into the network slowly over time, making it very hard for security administrators to correlate events. The more sustained and drawn out the attack, the greater the probability that it will be missed by security administrators.
Once the security firewalls are breached, the speed of attack accelerates. To contain it at this stage and neutralise the damage, security administrators must speed up the discovery process, as well as cope with the unfolding incident.
Here, a real-time detection system with a powerful correlation engine is an essential tool. By capturing events and analysing them as soon as they happen on the network, a truly real-time SIEM engine will improve the speed of discovery by analysing and correlating incidents. In turn, this can mitigate the significant damage data breaches cause in less prepared organisations.
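The two points above, that a correlation engine turns individual events into an incident and that a slow, drawn-out intrusion slips past correlation when the time window is too short, can be shown with a small streaming correlator. The code below is an added example and is not from the original article or any SIEM product. The log format, the hostnames, the user names, the source addresses (taken from the IETF documentation ranges) and the rule thresholds are all constructed for illustration.

```python
"""Minimal streaming event-correlation engine over constructed log lines.

Added example, not code from the original article. Rule demonstrated:
several failed logins from one source address inside a time window,
followed by a successful login from that same source, is raised as a
suspected intrusion. Running the same log through a short and a long
window shows why a low-and-slow attacker is missed by the short one.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format (hypothetical): "<timestamp> <host> <event> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log, in time order. 203.0.113.7 is a fast guesser
# (four failures in 90 seconds, then success); 198.51.100.23 is a slow
# guesser (one failure every six hours, then success a day later);
# alice is a benign user who mistypes her password once.
SAMPLE_LOG = """\
2015-06-01 02:00:00 fileserver1 AUTH_FAIL user=svc_backup src=198.51.100.23
2015-06-01 08:00:00 fileserver1 AUTH_FAIL user=svc_backup src=198.51.100.23
2015-06-01 08:30:00 fileserver1 AUTH_FAIL user=alice src=10.0.0.5
2015-06-01 08:30:10 fileserver1 AUTH_OK user=alice src=10.0.0.5
2015-06-01 09:00:01 webserver1 AUTH_FAIL user=admin src=203.0.113.7
2015-06-01 09:00:20 webserver1 AUTH_FAIL user=admin src=203.0.113.7
2015-06-01 09:00:45 webserver1 AUTH_FAIL user=admin src=203.0.113.7
2015-06-01 09:01:10 webserver1 AUTH_FAIL user=admin src=203.0.113.7
2015-06-01 09:01:30 webserver1 AUTH_OK user=admin src=203.0.113.7
2015-06-01 14:00:00 fileserver1 AUTH_FAIL user=svc_backup src=198.51.100.23
2015-06-01 20:00:00 fileserver1 AUTH_FAIL user=svc_backup src=198.51.100.23
2015-06-02 02:00:00 fileserver1 AUTH_OK user=svc_backup src=198.51.100.23
"""


@dataclass
class Event:
    ts: datetime
    host: str
    event: str
    user: str
    src: str


def parse(line):
    """Parse one log line into an Event; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                 m["host"], m["event"], m["user"], m["src"])


class Correlator:
    """Consumes events one at a time, as a real-time engine would, and emits alerts."""

    def __init__(self, window, threshold=3):
        self.window = window          # how far back failures are remembered
        self.threshold = threshold    # failures needed before a success is suspicious
        self.failures = defaultdict(deque)  # src address -> timestamps of recent failures
        self.alerts = []

    def _prune(self, src, now):
        # Forget failures older than the window; this is exactly where a
        # slow attacker escapes a short-window rule.
        q = self.failures[src]
        while q and now - q[0] > self.window:
            q.popleft()

    def ingest(self, ev):
        self._prune(ev.src, ev.ts)
        if ev.event == "AUTH_FAIL":
            self.failures[ev.src].append(ev.ts)
        elif ev.event == "AUTH_OK" and len(self.failures[ev.src]) >= self.threshold:
            n = len(self.failures[ev.src])
            self.alerts.append(
                f"{ev.ts} suspected intrusion: {n} failed logins from {ev.src} "
                f"followed by success as {ev.user} on {ev.host}")
            self.failures[ev.src].clear()


def run(log_text, window):
    """Feed every parseable line of log_text through a correlator; return its alerts."""
    engine = Correlator(window)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is not None:
            engine.ingest(ev)
    return engine.alerts


if __name__ == "__main__":
    for label, window in (("5-minute window", timedelta(minutes=5)),
                          ("48-hour window", timedelta(hours=48))):
        print(f"== {label} ==")
        for alert in run(SAMPLE_LOG, window):
            print(alert)
```

With the 5-minute window only the fast guesser is reported; the slow guesser's failures are pruned one by one before its success arrives, so nothing correlates. With the 48-hour window both are reported, while alice's single mistyped password never reaches the threshold in either run. The cost of the longer window is the memory needed to keep per-source state alive, which is the trade-off a real correlation engine has to make when tracking sustained, drawn-out intrusions.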