Just as physical hygiene practice is crucial to reducing COVID infection, so is cyber hygiene in reducing the need for reactive recovery.
Security operations teams today are experiencing alert fatigue as cyber-threats grow increasingly more sophisticated, and a typical security investigation workflow may take dozens of tools that fire numerous alerts with a high percentage of false positives.
We are all familiar, in this time of pandemic, with the importance of hygiene. Knowing is not enough; it’s the practice that helps. Similarly, cyber hygiene practice is crucial. It is important to pay attention to how we operate, but with the evolution of cyber-threats, we need more than just attention.
While hygiene does not totally prevent infections, it helps to reduce the need for resource-exhausting and health-sapping reactive recovery. It also helps to have regular checkups; the technology equivalent is security automation and network visibility.
So how do we enhance and ensure cyber hygiene in our organizations – and increase network visibility – to strengthen our immunity and fight off attacks? CybersecAsia sought out some insights from David Sajoto, Vice President for Asia Pacific and Japan, ExtraHop.
How can we leverage awareness of what cyber hygiene is to awareness of how cyber hygiene is practised?
Sajoto: Hackers obtain access to networks through the exploitation of weaknesses in businesses’ cyber behavior. Many attacks utilize simplistic phishing schemes, where an email appears to be from a trusted source and clicking it will unleash malware and create vulnerability for malicious activity.
Cybercriminals take advantage of the cyber habits of their victims by executing malicious threats masquerading under everyday activities such as email, social media feeds and even private messages. Since these activities are routine, links within are clicked and attachments are opened without a second thought, making people more susceptible to cyber-attacks.
Developing cyber hygiene requires the active encouragement of creating it. Beyond educating businesses on the risks of the actions they take online, there needs to be training for the development of fraud detection. At the very minimum, businesses must have an understanding of online security protocols, safe browsing practices, secure password creation and storage, and the right measures to quarantine and report suspicious activities.
Knowing the level of encryption in use on the company’s network is also a vital part of maintaining good cyber hygiene and a strong posture. For a proactive security operations (SecOps) team, it is important to have the ability to monitor which algorithms are in use, when certificates will expire, and which sessions are using weak ciphers or self-signed certificates. Such awareness lets them know where to look for vulnerabilities within the company’s IT infrastructure.
How can security automation support cyber hygiene?
Sajoto: SecOps teams today are experiencing alert fatigue as cyber threats increasingly become more sophisticated. A typical security investigation workflow today involves dozens of tools that fire numerous alerts with a high percentage of false positives. Without an automated security process, analysts manually gather the data to identify which alerts to prioritize and follow up on. This is an especially impossible task for organizations receiving more than 5,000 alerts daily. When alerts become overloaded, there is a greater potential for threats to slip through the cracks.
This is where automation can play a critical role. While automation is not designed to be a panacea, it serves as a force multiplier for businesses; it was built to address the alert overload issue by eliminating false positives, prioritizing threats and providing actionable notifications. It simplifies the security operations process by enabling IT teams to gather, correlate, and analyse large amounts of data faster and with minimal effort, allowing for a more productive and efficient security team. It can also detect threats that could be missed by a manual incident response process. By automating their security processes, organizations can provide unprecedented visibility, definitive insights and immediate answers, without burning out their security teams.
What cyber hygiene practices should businesses prioritize?
Sajoto: Businesses need to have in place the right tools that can provide the visibility to detect malicious software and automated scans. Furthermore, it is crucial to ensure that all programs utilized are up to date so that any potential glitches are eliminated.
Consistent backups of the company’s data should be maintained by prioritizing what is most crucial to business continuity. This ensures protection against data loss should cybercriminals penetrate the system.
A common misconception about cyber hygiene is that data encryption is completely safe, which can be corrected by an important cyber hygiene practice, decryption for network visibility. Data encryption is on the rise and while it’s a good thing for privacy, it may pose as a boon to hackers. Encryption, both inside corporate networks and on the public internet, creates dark space and blind spots that attackers use to hide their activities from security teams.
Cybercriminals have taken the cue and are increasingly hiding their malicious activities inside encrypted traffic. We observe that attackers are learning to “live off the land” by using existing systems and technology inside their target networks to move laterally and escalate privileges. Encryption is vital for security and privacy, but it can be a double-edged sword when attackers are able to hide their malicious actions in seemingly legitimate encrypted traffic using approved capabilities in their target networks.
For all these reasons, visibility into encrypted communications is essential for detecting malicious access patterns to databases, storage, and APIs, as well as internal authentication activity associated with lateral movement, data staging, and privilege escalation. Analyzing the decrypted contents of transactions across the network allows for faster identification and remediation of threats before a headline-making data breach happens.
What role does network visibility play in cyber hygiene?
Sajoto: If cybercriminals are using unknown tactics, how do certain companies detect and stop multifaceted extortion attempts while others fall victim? The answer lies within the network.
As organizations continue to move to the cloud, encrypt communications, adopt IoT, and manage third-party vendors, the complexity of the network increases. This, in turn, impedes visibility, slows operations, and impacts security. In fact, the 2020 SANS Network Visibility and Threat Detection Survey revealed that 59% of the businesses polled believe that lack of network visibility poses a high or very high risk to their operations, and 64% of respondents experienced at least one compromise over the past 12 months.
Attackers have become highly adept at evading detection upon entry into a network, but they can not hide from the network. The network represents an empirical source of behavioral evidence of the connective tissue of the enterprise. It’s a passive, observational and definitive source of truth for cybersecurity teams. By adding network detection and response (NDR) as a critical aspect of cybersecurity defense, an organization gains the ability to detect compromise before any major harm.
NDR can help organizations detect threats in their networks with the help of machine learning. By establishing a network baseline, behavior-based detectors empower security teams to spot malicious activity, even if it does not follow a known pattern. This tactic gives organizations an advantage, even in the face of zero-day exploits, newly introduced malware, and evolving ransomware tactics.