In today’s IT environment, where system compromises are almost a daily occurrence, many security experts have moved from a posture of prevention to detection. CISOs are more focused on utilizing approaches to find the attackers within their walls rather than building higher walls in the hope of keeping them out.
In a recent article by CIO.com, OneLogin CISO Alvaro Hoyos said that this new approach “…is centered on the idea that it’s impossible to keep every attacker out indefinitely, which is why companies should focus on mitigating the threats that follow a successful perimeter breach. While this doesn’t mean abandoning prevention efforts altogether, it suggests organizations devote more resources to identification and remediation, with the mindset that a perimeter breach is a matter of time.”
Hoyos provided nine tips focused on detection controls that security professionals can implement to make their corporate environments more secure.
Implement security awareness training
Security awareness training, at first glance, seems to be a preventive measure: stop employees from doing something risky. In reality, chances are high that they will do something risky anyway, so making sure your employees know what to do AFTER they do it is critical. This can be as simple as making it clear who their point of contact should be: an email address, a person, a phone number, etc. The same channel is also useful for reporting suspicious activity they encounter, which can help detect an intruder or a malicious insider.
Empower End Users
Typically, admins receive all sorts of automated alerts triggered by activities that are either high risk or known to be suspicious. Empowering end users by alerting them on activities they have direct control over (changing their password, logging in from new locations, etc.) can help make them part of your early detection strategy.
Monitor file integrity
File integrity monitoring is a must for your high risk systems. This is especially true for configuration files that can allow someone to escalate their access, open up backdoors, and much, much more. This usually takes the form of automated monitoring and alerting personnel on file changes, or enforcing a “golden image” that overwrites any changes to files automatically.
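As an added example (not code from the article or from OneLogin), the following Python sketch shows the core of the first approach described above: baseline the content and permission bits of every file under a configuration directory, then diff a later snapshot against that baseline. The directory, file names and the simulated tampering are all constructed inline for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest and permission bits for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            mode = oct(p.stat().st_mode & 0o777)  # permission changes matter too
            baseline[str(p.relative_to(root))] = {"sha256": sha256_of(p), "mode": mode}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and changed paths; 'changed' covers content or mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: a fake config directory is baselined, then altered."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = build_baseline(root)
        # Simulated changes an alert should fire on: a weakened setting,
        # a removed policy file and an unexpected new file.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "sudoers").unlink()
        (root / "extra.conf").write_text("unexpected\n")
        return compare(baseline, build_baseline(root))
```

In production the baseline would be stored (and signed) off-host and the comparison run on a schedule or from an inotify-style hook, with each non-empty result raised as an alert.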
Admin log reviews
Admin log reviews are another tried and true method that is recommended or required by several security frameworks. This can take the form of alerting based on suspicious admin activities, monitoring for new admins, and periodic manual reviews of the logs. Several tools are available to make these logs easier to digest and to leverage automated alerts instead of, or in addition to, manual reviews.
Employ endpoint threat detection
Intrusion detection systems or endpoint threat detection, whether host based or network based, can give you insight into suspicious activity in your systems. Several vendors do a great job of reporting on not only suspicious activities, but the activities that preceded and followed those flagged. This is a great resource that can assist you in understanding the entirety of an attack and its scope.
Monitor systems for security patch availability
Many of the vendors that provide some of the services discussed thus far also provide visibility of vulnerabilities in your systems by analyzing what packages are running on them and comparing that against published vulnerability databases. This is a simple, yet powerful way of staying ahead of issues like Heartbleed or, if your timing is fortuitous, shutting down a backdoor that may already be in place due to a known bug.
Attract more bees with honey
The concept of honeypots has been around for a very long time. The idea is elegantly simple: spin up a system or a network of systems that appears to have some value, and monitor it for suspicious activity. If a hacker does successfully compromise the system, there is no real loss, but you have gained valuable intelligence that you can then use to safeguard actual assets. Another take on this concept is “honeycreds”, which, as you might guess, involves having specific credentials you can then look for in data dumps or activity logs. Again, the credentials have no real value, but they provide an early warning system of a data compromise.
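As an added example (not from the article or OneLogin), here is the detection side of the honeycred idea in Python: a small set of tripwire account names that no legitimate process ever uses, scanned for in authentication log lines and in a leaked-data sample. The usernames, log lines, hostnames and IP addresses are all constructed for the demo.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed tripwire identities: planted, never used legitimately.
HONEY_USERS = {"svc_backup_legacy", "j.smith.finance"}

# Constructed syslog-style auth lines (not from any real system).
SAMPLE_LOG = """\
Jun 02 10:14:01 app01 sshd[2231]: Accepted publickey for deploy from 10.0.5.12 port 51234
Jun 02 10:15:44 app01 sshd[2240]: Failed password for svc_backup_legacy from 203.0.113.7 port 40102
Jun 02 10:15:50 app01 sshd[2240]: Accepted password for svc_backup_legacy from 203.0.113.7 port 40102
Jun 02 10:16:02 vpn01 openvpn[911]: user j.smith.finance authenticated from 198.51.100.9
Jun 02 10:17:30 app01 sshd[2251]: Accepted publickey for alice from 10.0.5.20 port 51300
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
USER_RE = re.compile(r"\b(?:for|user) (?P<user>[A-Za-z0-9_.\-]+)\b")
IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class HoneyHit:
    ts: str
    host: str
    user: str
    src_ip: str
    msg: str


def scan_for_honeycreds(log_text: str, honey_users=HONEY_USERS) -> list[HoneyHit]:
    """Any use of a tripwire identity, successful or not, is an alert."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = USER_RE.search(m["msg"])
        ip = IP_RE.search(m["msg"])
        if u and u["user"] in honey_users:
            hits.append(HoneyHit(m["ts"], m["host"], u["user"], ip["ip"] if ip else "?", m["msg"]))
    return hits


def honeycreds_in_dump(dump_text: str, honey_users=HONEY_USERS) -> set[str]:
    """Which tripwire identities appear in a leaked-data sample (the dump-search case)."""
    return {u for u in honey_users if u in dump_text}
```

A hit on a honeycred carries no false-positive ambiguity, since the account has no legitimate use, so it can page an on-call responder directly rather than feed a dashboard.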
Know when your source code has been exfiltrated
There are two reasons you should be worried about your source code being leaked out into the world; the first is the intrinsic intellectual property value of that code, but the second is that it makes it easier for attackers to find potential exploits they can then weaponize. There are services that help you determine this by generating “fingerprints” from your code and then searching known dark web markets and forums for those fingerprints.
Don’t be afraid to ask for help
And finally, don’t be afraid to ask for help. If you suspect or detect a cybersecurity incident, aside from making sure you are working with your legal team from the get-go, don’t hesitate to leverage consulting services that dedicate themselves to responding to these types of incidents. These are not inexpensive services, but the cost of a mishandled incident is a lot higher than bringing in expertise to help you shut one down for good.
Complimentary Forrester Report
Thanks for reading! To help you succeed with your Cybersecurity planning, we’re sharing a complimentary copy of the Forrester Playbook™: Build Your Identity And Access Management Strategy (IAM). Download the report for systematic guidance on how to establish a modern approach to IAM, as well as recommendations on what’s needed to make your strategy a reality.