Graph-Fueled Defense-in-Depth Can Strengthen Security Posture

“GM Customer Accounts Hacked”, “Hacker Steals Database of Hundreds of Verizon Employees”, “Ransomware Attack Hits New Jersey County”.

Another day, another breach, hack or ransomware attack. In fact, the average cost of a data breach today is $4.24 million—and rising. More worrying still, it can take between 290 and 315 days for an organization to identify and contain a breach, according to recent research from the Ponemon Institute and IBM. Yes, cybersecurity has always been a moving target. When you factor in an ongoing global pandemic and the war in Eastern Europe, it is not surprising that President Joe Biden has urged U.S. companies to “harden [their] cyber defenses immediately.” The approach varies by company, but complete visibility is critical.

Defense-in-Depth: A Multi-Layered Approach

While it is nearly impossible to prevent all cyberattacks, organizations can indeed harden their defenses to detect potential breaches earlier, act more quickly and minimize damage. In today’s attack-laden era, the focus cannot be on prevention alone; it must also be on early detection. How can organizations stay one step ahead of everything from phishing emails and ransomware rings to distributed denial-of-service (DDoS) attacks and synthetic identity fraud? Smart companies have embraced “defense-in-depth” (DiD), a cybersecurity strategy originally deployed by the NSA that layers a series of systems, mechanisms and controls together to protect your company’s network, computer systems and the data contained within those resources. The strategy replicates the military doctrine used as far back as the third and fourth centuries by the Roman army. Today, smarter companies implement DiD with graph analytics, which power their multi-layered cybersecurity ecosystem with extended visualization, real-time analysis and in-depth machine learning and AI.

Why graph? When a bad actor enters a network, they look for breadcrumbs or metadata stored on devices that lead to the more interesting and potentially sensitive information (think data systems, financial systems, HR systems or email servers). In a way, attackers are “thinking in graphs,” scouring for bits of data they can follow to locate critical data deep within your organization’s infrastructure. The goal is to identify these threats earlier in the MITRE ATT&CK kill chain, or cyberattack life cycle. Graph analytics can be applied to detect anomalies and suspicious patterns of activity, as well as unusual lateral movement of data and abnormal user interactions with systems or their respective data.

Graph-based Cyberattack Defense: A Centralized View of Your Security Landscape

Today’s organizations are swimming in massive amounts of data spread across multiple data sources, and that does not even account for multi-cloud systems or interconnected data structures and architectures such as services and microservices. Add in IoT systems, IP-based cameras and door locks, HVAC systems and the remote devices whose numbers exploded during the global pandemic, and the picture grows more complex still. Graph’s deep link analytics, multi-dimensional entity and pattern matching, centrality identification, and hub and community detection can help companies take preventative, defensive and corrective action against potential threats and threat actors.

When combined with your security stack, graph database technology boosts your visibility into user patterns, data mining, lateral movement of users and data, escalation of privileged user permissions, malware attacks, payload distribution and deployment, ransomware data encryption and more. Because graph algorithms are flexible and easy to create, an existing indicator of compromise (IoC) can be embedded in them and searched for across all of your data from all of your systems, in one place at one time. A real-time graph model of your network lets you set up monitoring and defenses at specific points, making early identification of active cyberthreats possible. Graph can detect that one service is receiving a larger number of distinct requests from the same IP than usual. It can identify that a user who is moving data with newly escalated permissions happens to be on vacation. It can also uncover the number of hops between a specific user and a blacklisted IP, system, application or account, highlighting the potential for fraud, money laundering, a breach or other malicious activity.
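The three detections described above, as an added Python example that is not code from the original article or from TigerGraph: hop distance from a user to a blocklisted IP, data movement by a user who is on leave or was just granted elevated privileges, and a source IP fanning out across more endpoints on one service than its baseline. The graph edges, the HR and PAM context feeds, the access-log records and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical, not from any real network): graph edges
# linking users, hosts and IPs, plus HR, PAM and access-log (src_ip, service, path) feeds.
EDGES = [("alice", "10.0.0.5"), ("alice", "hr-db"), ("hr-db", "backup-01"),
         ("bob", "10.0.0.7"), ("bob", "file-share"), ("file-share", "203.0.113.9")]
BLOCKLIST = {"203.0.113.9"}          # constructed blocklisted IP
ON_LEAVE = {"alice"}                 # HR feed: users currently on vacation
ESCALATED_HOURS_AGO = {"alice": 2}   # PAM feed: hours since a privilege grant
DATA_MOVES = [("alice", "hr-db", "external-share"), ("bob", "file-share", "laptop-bob")]
REQUESTS = [("198.51.100.4", "api", "/" + p) for p in "abcde"] + [("10.0.0.5", "api", "/a")] * 2

def build_graph(edges):
    # Undirected adjacency lists, so reachability is checked in either direction.
    g = defaultdict(set)
    for a, b in edges:
        g[a].add(b)
        g[b].add(a)
    return g

def hops_to_blocklist(g, start, blocklist=BLOCKLIST):
    """BFS hop count from start to the nearest blocklisted node; None if unreachable."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in blocklist:
            return dist
        for nxt in g[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def flag_data_moves(moves, on_leave=ON_LEAVE, escalations=ESCALATED_HOURS_AGO, window=24):
    """Correlate each data move with HR and PAM context; return the moves needing review."""
    flagged = []
    for user, src, dst in moves:
        checks = {"on leave": user in on_leave,
                  "recent escalation": escalations.get(user, window + 1) <= window}
        reasons = [label for label, hit in checks.items() if hit]
        if reasons:
            flagged.append((user, src, dst, reasons))
    return flagged

def unusual_request_fanout(requests, baseline=3):
    """Source IPs hitting more distinct paths on one service than the (constructed) baseline."""
    distinct = defaultdict(set)
    for ip, service, path in requests:
        distinct[(ip, service)].add(path)
    return {key: len(paths) for key, paths in distinct.items() if len(paths) > baseline}
```

In a production graph database the same three questions become traversal queries over the live model rather than in-memory Python, but the correlation logic is identical.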

Cybersecurity Defense-in-Depth + Graph Analytics: A One-Two Punch

The combination of a defense-in-depth cybersecurity strategy and graph analytics provides multiple, overlapping defenses for your organization. Defense-in-depth layers in the controls needed to protect the technical, administrative and physical aspects of your business network. Meanwhile, graph lets you use the connected data from your security stack, IoT systems, administrative systems and more to correlate activity across multiple environments and systems, ensuring you can respond proactively to threats as they are identified. Together, and especially with the addition of ML and AI, these tools can anticipate cyberattacks and disrupt them as they happen, before your organization becomes a statistic. A combined, multi-layered approach incorporates the following:

Administrative Controls: Defense-in-depth encompasses the administrative aspects of your business, including policies and procedures directed at the organization’s employees and the labeling of sensitive information as “confidential.” Privileged access management (PAM) solutions, combined with graph analytics, control who gets into which systems and flag any anomalous privilege escalation on user accounts.

Technical Controls: These are the hardware and software you put in place to protect network systems and resources. Software such as a network detection and response (NDR) system, network firewall appliances, intrusion detection and prevention systems (IDS/IPS) or an antivirus program work hand in hand with the hardware controls. Deploying an endpoint protection platform and endpoint detection and response (EPP/EDR) to control unwanted activity on your endpoint devices is also part of the technical controls. Connected data analytics, along with algorithms that automate threat hunting, threat analysis and attack-vector tracing, bolster the security team’s efforts while providing the needed level of automation.

Physical Controls: These defense-in-depth measures prevent physical access to your IT systems. They should include security guards, locked doors, alarm systems, cameras, biometric systems and more. The log data from each of these systems is added to the other security data collected to complete the picture of your environment and enable complete visibility.

Access Measures: Access to any data requires access codes or measures such as biometrics, time-based access PINs, encryption key pairs and/or controlled authentication. Identity and access management (IAM) and multifactor authentication ensure proper validation of users and of the systems they use to reach sensitive systems or information. Graph database technology lets you connect events and alerts with the data from all of your security stack tools, administrative systems and log systems so you can react to threats as they arise.

Additional Defense Mechanisms and Measures: Perimeter defenses such as intrusion detection systems, firewalls, proxy servers and data encryption; monitoring and prevention measures, which include auditing of network activity, logging, sandboxing, vulnerability scanners, penetration testing, attestations and security awareness training; workstation defenses, which include anti-spam and antivirus software and, where possible, client-side data encryption; and data protection mechanisms, which involve hashing, data-at-rest encryption, secure data transmission with modern technologies such as TLS, and encrypted backup systems. You can monitor logs, SIEM data, XDR, NDR, EDR, EPP, IoT and administrative data sources, as well as other system data, in a single graph database to ensure you are protecting your data through a proactive defense-in-depth strategy.

Cyberattacks are a constant, ever-evolving threat to businesses. Bad actors are always looking for the crack in an organization’s armor, a weak link or a security gap to exploit. A defense-in-depth cybersecurity strategy coupled with a least-privilege model and graph analytics ensures your organization has multiple lines of defense to safeguard your network systems, users and data. Breaches, hacks and cyberattacks will always be a part of the technology landscape. A multi-layered cybersecurity model gives your organization a proactive, preemptive edge — an edge that may keep your organization from being in the headlines for the wrong reason.

David Braun

As a senior cybersecurity solutions architect, David Braun joined TigerGraph in 2021, bringing more than 35 years of global security, governance, compliance and auditing expertise and experience. Having worked for companies like Fidelis, Actiance/Smarsh, Varonis, SecureAuth and Collibra, David brings a diverse technology background to the TigerGraph team. David taught at the collegiate level for the University of Maryland and Central Texas College and has worked in both consulting and the corporate arena during his career. David is a proud 14-year veteran of the U.S. Army Signal Corps and is based in Chicago.