
Cyber bandits have the upper hand; let’s rob them of it

The sheer volume of high-profile incidents occurring at the same time as economic recovery may shock the C-suite from blinkered optimism and towards real action

Ammar Enaya, regional director - METNA, Vectra

Cybercriminals are becoming more sophisticated. They have their own microeconomy. They have business models. They have service models (as in “aaS”). They are armed with AI. They are adept at social engineering. And they are winning.

Global research from Vectra AI reveals that more than two thirds (69 percent) of cybersecurity professionals believe bad actors are gaining the upper hand and easily bypassing current preventative measures. In the UAE, in 2020, KPMG found that 98 percent of stakeholders from line of business and IT were worried about the 2021 threat landscape. And they were right. As well as global incidents such as SolarWinds and the Colonial Pipeline, neighboring Saudi Arabia endured 7 million attacks in January and February alone.

The reason for the success of cybercriminals is two-fold. The first, as mentioned, is their growing sophistication. The second is the growth of the attack surface. Remote working employees, multi-cloud environments and understaffed security teams all mean more opportunities. But this need not be the case. With a deft adjustment to threat posture, organisations can jettison legacy approaches, which concentrate on prevention, and focus instead on detection and response.

Going on the prowl

This is beneficial because proactive standards spark a culture change in the IT and security functions. Instead of bracing for the blow of a costly attack, teams go on the offensive. Automated procedures have freed them up to do so. Their days are now spent on the prowl, armed with the right tools — equipped and ready to do battle. The hunter (bad actor) has become the hunted.

In this new culture, IT and security have finally accepted that even if you have a “Strain-B-Gone” for ransomware and other malicious payloads, you must first find the pest. Prevention approaches assume you can spray malware at the front door. But modern attackers don’t knock. They find open windows, chimneys, and cracks in the walls and ceilings. Proactive threat hunters are equipped and ready to look behind walls and under sofas.

But that word “equipped” is all important. Accepting that the old preventative ways do not work is the first step. Next, organisations must take inventory of their threat arsenal and replenish it. It should be obvious that halting digital transformation is not an option. In fact, as companies experiment with new technologies, the attack surface will expand even more. And so, we come back to the question: how do we equip CISOs and their teams for the hunt?


Simplicity, visibility, control

The legacy spaghetti of multiple vendors and disparate solutions will not hold the line. Integration has already become problematic, and many older tools may not have cloud-native capabilities. Then there is visibility. The entire digital estate should be viewable from any angle, from the bird’s-eye perspective to the nanoscale zoom-in. And tight controls should give security personnel rein over everything from update policies to identity management.

So, the solution delivers a clutter-free environment (which simplifies management of security), a comprehensive view of the infrastructure (which enables threat hunters to see threats from afar), and granular control over action (which allows business-relevant workflows to start when a threat is discovered).

But unfortunately, perception stands in the way of getting properly equipped. Past surveys have revealed a perplexing proportion of CISOs believe it’s “game over” once the perimeter has been breached. This is despite the common knowledge that being attacked is not a matter of “if” but “when”. Today, most security professionals will tell you openly how easy it is for attackers to bypass perimeter defenses. They are aware of reports such as a 2020 study from Verizon that claims 80 percent of breaches occur through stolen logons. And while organisations such as Microsoft can extol the virtues of MFA, threat actors can use BEC, spoofed logon pages, and other devices to circumvent it. All of this calls for updating the prevention mission to focus on detection and response.

Beware blinkered optimism

Another stumbling block can often be non-technical decision makers who have established relationships with vendors and buy into their prevention-only narrative. Such decision makers are rarely up to date on the current threat landscape. The CISO should shape a narrative that ties action on the security front to the optimisation of the corporate risk profile. This will appeal directly to most decision makers.

Regional business leaders may come around sooner rather than later. The sheer volume of high-profile incidents occurring at the same time as economic recovery may shock the C-suite from blinkered optimism and towards real action. For them, the question will be what the new equipment should look like.

AI-based behavioural network detection and response (NDR) is a tight fit with the requirements of today’s regional threat hunters. A unified solution that puts paid to the multi-faceted legacy environment by providing the ability to track attacker activity pivoting between on-premises, data center, IaaS and SaaS environments, it also allows the automation of many humdrum tasks. Automated threat discovery means hunters can chase their prey and run it to ground before it can do damage. All of this is enabled by advanced machine learning and rich visualisation of data, from network metadata and logs to processes in the cloud. Prevention in the form of signature-based endpoint tools, multi-factor authentication, and others is by no means cast aside, but it plays a supporting role to the active hunt.

The fight goes on

Bad actors have had it easy for too long. We should ensure that 2022 is the year we finally make their lives difficult. No doubt they will find ways around new countermeasures, but by switching from prevention to detection and response, we stand the best chance of spotting those next-gen tricks too.