Reevaluating Your Breach Prevention Strategy

Do you deploy security products to protect your organization against data breaches as part of your infrastructure cybersecurity strategy? If so, it’s important to ensure there are no critical gaps in your security stack. If you consider the category of breach protection critical, you should shift from a product-oriented to a protection-oriented mindset. This all begins with a better understanding of the types of attacks your organization faces and checking to see if your approach provides the necessary protection.

The first of these attacks is the hit-and-run. In this scenario, the attacker achieves their objective with a one-time malware execution. Once their objective is accomplished, the damage is done. Examples include ransomware, wipeware and phishing attacks. The next attack category is the hit-and-stay. Here the attacker seeks to maintain persistence on the endpoint they’ve penetrated in order to abuse its resources or data. Examples include cryptomining, banking trojans and other password-stealing malware. Finally, hit-and-expand attacks access and exfiltrate data or perform a supply chain attack. These attacks start with an initial endpoint compromise followed by a long-lasting presence in the environment. Examples include advanced persistent threats (APTs), insider attacks and other advanced cybercrimes.

Security Technologies Versus Attack Types

Each attack type can be detected by the anomalies it generates in file structure, process behavior, network traffic or user activity, and then blocked accordingly. Full breach protection requires that your security stack be able to prevent and detect threats across all of these attack types. To address them, there are three approaches to consider:

  1. Choosing a single advanced security product like endpoint detection and response (EDR), network analytics or user and entity behavior analytics (UEBA). This makes sense from a budget perspective, but leaves the company exposed to at least one attack type.
  2. Deploying multiple products and manually integrating them to protect against all attack types. This is a costly path that requires a highly skilled workforce to deploy and operate.
  3. Using a platform that natively integrates all breach protection functionality, either alongside or as a replacement for your antivirus solution, and provides protection from all three attack types with easy deployment and simple operation.

Key Breach Protection Considerations

After selecting the most appropriate technology deployment strategy, the most essential requirement of a security product is that it be fully deployed. This sounds like a no-brainer in theory, but in practice installation issues often result in partial deployment, which leaves parts of the environment exposed. This applies equally to evaluating existing solutions and to purchasing a new one. If you have endpoint protection, are its agents installed on all endpoints? If it’s a network analytics tool, does it cover all portions of your network?
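One concrete way to answer the "are agents installed on all endpoints?" question is to reconcile the asset inventory against the agent console's check-in list. The script below is an added example, not code from the article or from any vendor product; it assumes two constructed exports (an inventory of hostnames and an agent list with ISO-8601 check-in times) and an assumed policy that an agent silent for more than seven days counts as a gap.

```python
"""Deployment-coverage check: which inventoried endpoints lack an active agent?"""
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for a CMDB / directory export.
ASSET_INVENTORY = [
    {"hostname": "fin-ws-01", "owner": "finance"},
    {"hostname": "fin-ws-02", "owner": "finance"},
    {"hostname": "dev-srv-07", "owner": "engineering"},
    {"hostname": "hr-lap-03", "owner": "hr"},
]

# Constructed sample data standing in for an endpoint-agent console export.
AGENT_CHECKINS = [
    {"hostname": "fin-ws-01", "last_seen": "2024-05-20T09:15:00+00:00", "version": "4.2.1"},
    {"hostname": "dev-srv-07", "last_seen": "2024-04-01T07:00:00+00:00", "version": "4.1.0"},
    {"hostname": "HR-LAP-03", "last_seen": "2024-05-20T08:45:00+00:00", "version": "4.2.1"},
]

STALE_AFTER = timedelta(days=7)  # assumed policy: a week without check-in is a gap
SNAPSHOT_NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def coverage_gaps(inventory, checkins, now, stale_after=STALE_AFTER):
    """Return ({hostname: reason}, [unknown hosts]) for the given snapshot time.

    Hostnames are compared case-insensitively because directory and console
    exports often disagree on case. Agents present in the console but absent
    from the inventory are returned as 'unknown' so shadow assets surface too.
    """
    seen = {c["hostname"].lower(): c for c in checkins}
    gaps = {}
    for asset in inventory:
        key = asset["hostname"].lower()
        if key not in seen:
            gaps[key] = "no agent registered"
            continue
        last = datetime.fromisoformat(seen[key]["last_seen"])
        if now - last > stale_after:
            gaps[key] = f"agent stale since {last.date()}"
    unknown = sorted(set(seen) - {a["hostname"].lower() for a in inventory})
    return gaps, unknown


def coverage_ratio(inventory, checkins, now):
    """Fraction of inventoried endpoints with a live agent (1.0 = fully deployed)."""
    gaps, _ = coverage_gaps(inventory, checkins, now)
    return 1 - len(gaps) / len(inventory)


if __name__ == "__main__":
    gaps, unknown = coverage_gaps(ASSET_INVENTORY, AGENT_CHECKINS, SNAPSHOT_NOW)
    for host, reason in sorted(gaps.items()):
        print(f"GAP {host}: {reason}")
    print(f"unknown agents: {unknown}")
    print(f"coverage: {coverage_ratio(ASSET_INVENTORY, AGENT_CHECKINS, SNAPSHOT_NOW):.0%}")
```

Run it on real exports by replacing the two constructed lists; anything below 100% coverage is an endpoint the rest of the stack cannot see.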

For many organizations, breach protection is about placing and piecing together standard antivirus and firewall solutions with an additional product dedicated to addressing advanced threats. However, this common practice is likely to result in unaddressed security risks.

Attackers seek weak points in the protection stack, and it’s up to security professionals to reduce these weaknesses as much as possible. Therefore, it is recommended that the protection level current products offer be checked against each of the three attack types. They might score high against one but fail against others. For example, a first-class next-generation antivirus (NGAV) would dramatically decrease exposure to hit-and-run and hit-and-stay attacks, but would offer little to no protection against hit-and-expand scenarios.

Breach protection involves multiple workflows: proactive IT hygiene and vulnerability management, triage and prioritization of alerts, response to active attacks and orchestration of the recovery process. Easy and intuitive management of all these capabilities is a must. The competency bar is straightforward: if efficient day-to-day operation of these workflows is beyond the skill of the in-house team, then the setup is, most likely, insecure.

At the end of the day, advanced attacks call for advanced skills. The security administrator doesn’t need—and typically cannot afford to employ—such skills as part of the team. This need arises regardless of the products in place and is especially acute when facing a hit-and-expand attack, where skilled analysts are a must to deal with defense-evading malicious activity.

The Emergence of Autonomous Security

When we think of breach protection, we tend to think about a complicated stack of multiple products pieced together, operated by a team of highly skilled analysts. However, now is the time for breach protection to become a commodity within reach for all organizations. Companies of any size need the ability to instantly move from exposure to protection and totally remove deployment issues from the equation. Infrastructure must become a transparent operational layer that requires zero maintenance efforts to enable all protection capabilities to operate.

Multilayered protection across all attack surfaces is a must, regardless of the attack’s type and vector. The protection capabilities must span all aspects of breach protection, from proactive IT hygiene through active threat prevention and detection to full response orchestration. The required skill to efficiently manage day-to-day operations must become a commodity within reach of every business’ IT/security workforce, overcoming the infamous ‘security skills shortage.’ Only the use of simple yet functional technology can provide sustainable protection.

Eyal Gruner

Eyal Gruner is co-founder and Co-CEO of Cynet. He is also co-founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of their security, and has since been recognized in Google’s security Hall of Fame.