The principles of tackling the coronavirus pandemic—prevention, detection, response and prediction—apply to cybersecurity as well.
In the span of a few months, the coronavirus has reached every country, every community, and every neighbourhood. No nation is spared. Economies have ground to a halt. Millions have fallen sick.
In the meantime, if we take a look at the 15 biggest cyberattacks in the 21st century, we would notice a few things. First, no country is untouched. Second, it is extremely disruptive to business operations. Third, millions have fallen victim to these attacks.
Based on the statistics, the conclusion is clear: we have been dealing with a different kind of outbreak for many years, that is, the pandemic of cyberattacks.
The world responds
By now, most countries have imposed a mixed bag of measures to deal with the outbreak.
If we examine their approaches closely, the overarching strategy for dealing with COVID-19 has revolved around four quadrants: prevention, detection, response, and prediction.
Similarly, in cybersecurity, we often talk about the importance of a holistic strategy that consists of the same quadrants.
Responding to a pandemic is not a one-off event. We cannot contain an outbreak with several dramatic measures and be done with it. At its core, a good cybersecurity strategy should take a multi-pronged approach and a long-term view.
The first pillar of defence is prevention. In the time of COVID-19, prevention means not getting infected in the first place, such as by washing your hands, socially distancing yourself from others, disinfecting your phone and wallet when you get home, and more.
In cybersecurity, prevention means the exact same thing—protecting your IT assets from being infected in the first place. Because most major data breaches can be traced back to a single point of failure that could have been prevented.
While not the most advanced, these tools perform well in keeping organizations’ vulnerable systems patched, blocking malware from hitting the machines, alerting IT teams to phishing emails, and more.
Today, many new cybersecurity vendors talk of a shining silver bullet that waves away all cybersecurity headaches, such as machine learning or Endpoint Detection and Response (EDR). However in reality, the concept of a single silver bullet does not hold up.
A business can receive thousands of security events in a single day and a high percentage of them are false positives or commonplace malware. If businesses were to feed all of them through the machine learning technology, performance issues will inevitably crop up.
What businesses need are the basic technologies—the humble antivirus suite, application control, web and file reputation, etc.,—to do the heavy lifting. These technologies can filter the majority of the alerts, categorizing them as either benign (to let through) or malicious (to block).
Whatever are left are the threats you have never seen before. These are the unknown threats and require further studying. They can then be fed through the advanced technologies, like machine learning or behavioral analysis. This way, the software divides the load, and ensures that a balance between security and efficiency can be achieved.
Contact tracing is crucial during outbreaks. The longer you take to identify a patient, the more people will be infected.
It is the same principle in cybersecurity—how fast you can detect a breach in your system determines the scope of damage.
A strategy called ‘connected threat defense’ can help detect suspicious activity in your system holistically. By deploying security solutions at all the touchpoints in an IT system, from the endpoints to the network to the server, businesses can start to connect the dots and gain visibility into every nook and cranny.
It is only when businesses know what is lurking in their IT environment, could they significantly increase the chances of getting rid of it.
EDR is another tool designed for the same purpose. EDR technology works like a black box in a plane. It records everything that takes place on the endpoints and threat hunters can rewind to see from which point a threat entered the system, and how it spread across the network. Based on the information, a blueprint of the malware’s infection path can be drawn.
During the outbreak, there are many false positives and false negatives. Some people may test negative now but develop the symptoms next week. Suspected cases may turn out to be totally innocuous.
Because the medical supplies are limited, the healthcare workers need to prioritize. To prioritise, you need context-rich information about the patient.
So it is the same in cybersecurity. A security operations centre (SOC) receives thousands of alerts on a daily basis. IT security personnel widely report that working in a SOC is a laborious job. Many of them experience burnout, and the two most-cited reasons are increasing workload and having too many alerts to chase.
Prioritization becomes the key in this case. Instead of 500 alerts, what if you can winnow them down to two most critical alerts that require immediate action? Enter XDR.
XDR is the natural progression from EDR. The X stands for anything you can apply detection technology to, such as emails, servers, or the network. XDR is a big collector of security alerts, absorbing data from various touchpoints
Essentially what XDR does is to break down the silos between all these solutions gathering data on their own. A prominent feature of the XDR tool is a central data lake where all data will flow to eventually and be analyzed collectively. This way, data collected from the endpoints can be correlated with data collected from the cloud workloads, for instance.
Breaking down the silos means more attacks would become visible as more pieces of the puzzle are now stitched together. All this data churning can minimize alert fatigue, as it produces high-priority alerts with rich contexts around them. SOC analysts can now focus on alerts that need immediate action instead of combing through every single one of them and manually looking for connection.
There are reports around of epidemiologists teaming up with data scientists to forecast the spread of the coronavirus outbreak in the near future. By taking into consideration a vast array of different types of data, the model is expected to predict the number of new cases to arise in an exposed population, or peak infection rates.
Likewise, in cybersecurity, the more accurate our predictions are, the more effectively we can deal with an upcoming data breach. Here is how you could do so: by collecting and correlating a vast array of different types of detection and activity data from the native sensors, deployed at different layers within the organization, like the endpoint, network, email, and the cloud environment. Combined with big data analytics, threat models, advisory-based behaviour analytics and detection rules from our security experts, we can uncover if an emerging or unknown threat or a threat actor is attempting to infect your organization. On top of that, continuous risk assessment of an organization’s cybersecurity posture also serves to predict impending issues.
COVID-19 will go away, just like any of the pandemics in the past. But cyberattacks will stay as long as there is a computer connected to the internet.
The most effective way to deal with cyberattacks is not to dream of a cure-all panacea, but to take small but coordinated measures that culminate in an all-round defense strategy.