Breach Containment: Minimize the Impact of an Attack
In an era in which breaches are inevitable, being prepared to respond quickly and effectively is key.
Cybersecurity threats pose challenges to organizations of all sizes, across every industry. Cyberattackers, phishing attempts, network eavesdropping, malware and many other threats jeopardize the confidentiality, integrity and availability of IT resources on a daily basis. IT leaders must clearly understand these threats and develop security controls that allow them to remain vigilant as these threats evolve in sophistication and targeting.
As IT leaders adapt to a world with ever-present security threats, they must develop an internal capability to quickly respond to dangers as they arise, and implement safeguards that keep the organization’s most sensitive data safe from theft, unauthorized alteration and destruction. Fortunately, this is a shared problem across the IT landscape, and technology professionals can leverage best practices via tools and strategies to prevent most breaches, detect breaches that inevitably occur and respond effectively to security incidents. Rounding out these controls with a comprehensive security testing program ensures that controls remain effective against emerging threats.
The Need for Breach Containment
Organizations realize that effective security requires continuous effort. While many security practices in past decades focused on achieving compliance with best practices, laws and regulations, modern security programs focus on developing and maintaining an effective set of controls. Compliance initiatives remain important, and IT leaders understand that project-based security initiatives are useful to implement new controls and upgrade existing ones. But they also must dedicate continuous attention to the monitoring and maintenance of security programs.
This security philosophy recognizes that there is no silver bullet for eradicating all threats. Organizations cannot simply purchase a security appliance, install it on their network and assume that it will keep them safe. Instead, security leaders must build and maintain a defense posture that increases their visibility into enterprise security and facilitates a rapid response when a potential breach is detected. Organizations that take the time to develop strong breach-response policies and processes will limit the ability of attackers to successfully breach their defenses, and ultimately gain access to the organization’s most prized information assets. Developing these capabilities helps keep an organization safe and allows IT leaders to have complete confidence that they are doing everything possible to fulfill their enterprise security responsibilities.
Before an Attack
Organizations preparing to respond when a breach occurs should cover two main categories of breach preparation. The first category entails creating a strong level of situational awareness, ensuring that the organization has the information it needs to identify and respond to potential security breaches. The second category of preparation includes activities designed to reduce the attack surface, making it less likely that an attacker can successfully penetrate the organization’s defenses.
The Breach Detection Landscape
Research clearly shows that enterprise breach detection capabilities remain poor across industries. Many breaches go undetected for weeks or months, allowing attackers to gain a foothold within an organization and then exploit that position of strength for an extended period. For example, an attacker who breaches the perimeter defenses of a retail organization may discover that the company does not retain credit card information, giving the attacker no immediate ability to steal sensitive information. However, if the retailer does not promptly discover the breach, the attacker may install malware on systems that temporarily handle credit card information during a transaction; the malware subsequently sends that data to the attacker as transactions occur. In cases such as this, the longer a breach remains undetected, the greater the damage inflicted.
The 2016 Verizon Data Breach Investigations Report, a widely recognized source of industry breach information, confirms that internal breach detection capabilities are not just failing to improve, they have actually declined significantly in recent years. During 2015, the report reveals, less than 10 percent of breaches were discovered by internal security capabilities, while the remainder were discovered by law enforcement investigations, fraud analysts and other third parties.
Creating Situational Awareness
Situational awareness is one of the most difficult challenges facing enterprise security teams. Security tools, infrastructure components, servers and applications all generate massive amounts of data on a daily basis, and IT teams face a major challenge in combing through this information to discover the proverbial needle in the haystack that may indicate a potential security breach. The challenge is even greater as organizations attempt to conduct this monitoring on a near real-time basis, which enables them to proactively respond to a potential breach rather than discovering it only after it occurs.
Fortunately, the technology available for those seeking to gain visibility into the security state of their IT infrastructure has improved significantly in recent years. Manufacturers such as FireEye, Splunk and Lancope produce security tools that automate monitoring tasks and alert security teams to anomalous activity that may indicate a breach. Of course, these tools are only useful when supported by a team of experts that can monitor their output, assess alerts and initiate containment activities when they believe a breach is under way.
Organizations seeking to increase their situational awareness shouldn’t overlook some of the traditional security tools that they’ve had in place for years. Content filtering and anti-malware solutions, in particular, are effective sources of information about potential breaches. Combined, social engineering and malware were responsible for more data breaches than any other cause in the 2016 Verizon Data Breach Investigations Report. Content filters and malware solutions can provide early warnings of these compromises, notifying security officials when an end user clicks on a suspected phishing link or an endpoint reports unusual system activity. Intervening at the first sign of malicious activity can contain the spread of a breach and prevent damage to the organization.
Reducing the Attack Surface
Organizations should also do everything in their power to lock the doors and close the windows to their IT infrastructures, leaving attackers unable to gain a foothold from which to wage an attack. Technologists have several tools at their disposal that allow them to secure networks against attack.
Vulnerability testing tools provide security analysts with an attacker’s view of their IT infrastructure. These tools scan servers and network devices for potential vulnerabilities and provide reports of insecure configuration settings, missing security patches and other deficiencies that, left uncorrected, might provide attackers with an entry point onto the network. Combined with strong patch management capabilities, vulnerability scanning can significantly strengthen an organization’s security posture.
Network segmentation is an established method for safeguarding critical information assets. Organizations may use firewalls, virtual local area networks and other network controls to separate their most sensitive systems from other network resources. When a breach occurs, segmentation protects the enterprise by denying attackers access to the organization’s most sensitive information, even after they successfully penetrate the network perimeter.
Finally, organizations may reduce their attack surface by auditing the level of access provided to users and administrators. Enforcing the principle of “least privilege” restricts users’ access to the minimum set of permissions necessary to perform their jobs. This is an especially effective control in the event that a user’s account becomes compromised, limiting the damage that an attacker with stolen credentials can cause an organization.
User and Entity Behavior Analysis (UEBA)
Many traditional security tools depend on signature detection technology to identify potential breaches. These systems use databases containing descriptions of known malicious activity and then monitor systems and networks for activity resembling these patterns. This is an effective technique against known attacks, but it is ineffective against novel attacks or those waged by malicious insiders.
User and entity behavior analysis (UEBA) solutions take a different approach to security monitoring. Instead of watching for known patterns of malicious activity, they use machine-learning technology to monitor the behavior of users and systems. Over time, UEBA solutions develop models of what constitutes “normal” behavior and can then alert administrators when unusual activity takes place. For example, if an accounts payable clerk normally logs into the accounting system only during business hours from the main office, a UEBA solution might identify a midnight access attempt from overseas as anomalous, allowing further investigation.
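The accounts-payable scenario above can be reduced to a small baseline-and-score model. The following is an added example written for this page, not code from CDW or any UEBA vendor: it learns, for each user, the login hours and source countries seen during a training window of successful logins, then reports the ways a new login deviates from that baseline. The log format, user names and country values are all constructed for the example; a real product would use many more features and a statistical model rather than plain sets.

```python
"""Minimal UEBA-style baseline: added example, not vendor code.

Training and new-event logs are constructed; format is
"timestamp,user,src_country,result" per line.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: a clerk who works office hours from the US
# and a database admin who works nights from the US.
TRAINING_LOG = """\
2016-03-01T08:55:00,apclerk,US,success
2016-03-01T09:10:00,apclerk,US,success
2016-03-02T08:47:00,apclerk,US,success
2016-03-03T16:20:00,apclerk,US,success
2016-03-04T09:01:00,apclerk,US,success
2016-03-01T22:30:00,dbadmin,US,success
2016-03-02T23:05:00,dbadmin,US,success
2016-03-03T01:15:00,dbadmin,US,success
"""

# Constructed events to score: a midnight overseas login for the clerk,
# two normal logins, and a user with no history at all.
NEW_LOG = """\
2016-03-07T00:12:00,apclerk,RO,success
2016-03-07T09:30:00,apclerk,US,success
2016-03-07T23:40:00,dbadmin,US,success
2016-03-07T09:00:00,newhire,US,success
"""


def parse_events(text):
    """Turn the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "result": result})
    return events


def build_baseline(events):
    """Per-user set of observed login hours and source countries."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set(), "n": 0})
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts do not define 'normal'
        b = baseline[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["countries"].add(e["country"])
        b["n"] += 1
    return dict(baseline)


def score_event(baseline, event, hour_slack=1):
    """Return the reasons an event deviates from its user's baseline (empty = normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append(f"new source country {event['country']}")
    hour = event["ts"].hour
    # An hour is 'near' a baseline hour if within hour_slack, wrapping at midnight.
    near = any(abs(hour - h) <= hour_slack or abs(hour - h) >= 24 - hour_slack
               for h in b["hours"])
    if not near:
        reasons.append(f"login at hour {hour:02d} outside observed hours")
    return reasons


def detect_anomalies(training_text, new_text):
    """Map 'user@timestamp' to its deviation reasons for every anomalous event."""
    baseline = build_baseline(parse_events(training_text))
    flagged = {}
    for e in parse_events(new_text):
        reasons = score_event(baseline, e)
        if reasons:
            flagged[f"{e['user']}@{e['ts'].isoformat()}"] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in detect_anomalies(TRAINING_LOG, NEW_LOG).items():
        print(key, "->", "; ".join(reasons))
```

Running the block flags the clerk's 00:12 login from a new country on two counts and the unknown user on one, while the admin's 23:40 login and the clerk's 09:30 login pass quietly; the "no baseline" case is the one that needs human judgement, since a brand-new account and a freshly created attacker account look identical to the model.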
Organizations should continue to use established signature detection as a core component of their enterprise security strategy, but complementing these tools with UEBA may uncover breaches that would otherwise remain undetected.
During an Attack
The moments after an attacker successfully breaches enterprise defenses present a short, but extremely critical, window for security professionals. Prompt responses to successful breaches, aided by security automation tools, limit the amount of time an attacker has access to the network. The primary focus of security professionals responding to a breach in progress should be to limit the ability of the attacker to gain further access to the network and to cut off the access already gained, removing the foothold inside the organization’s technology infrastructure.
Most breaches occur too quickly for a manual response. By the time administrators become aware of a breach, the attacker has probably already gained access to sensitive information and may have moved on to another target. The damage may be done before security analysts put down their cup of coffee and begin understanding what took place. Fortunately, security technologies can not only assist with the detection of a breach, but also automate response actions that seek to limit further access and remove an attacker from the network.
Intrusion prevention systems (IPSs) continuously scan network traffic, watching for signs of a potential breach by identifying known signatures of malicious activity or anomalous behavior. When an IPS detects a potential incursion, it may automatically block traffic, preventing attacks from reaching their intended targets. If an attack does reach the intended target, data loss prevention (DLP) systems step in and seek to prevent the successful theft of sensitive information. DLP systems watch traffic leaving the network, looking for unauthorized transmissions of sensitive information. If the DLP solution detects such activity, it can block the transmission and notify security administrators.
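To make the DLP step concrete, here is an added example (written for this page, not taken from any DLP product) of the content check such a system applies to outbound traffic: it looks for 13- to 19-digit sequences, keeps only those that pass the Luhn check used by payment card numbers, and returns a block-or-allow decision with the matches masked for the alert. The messages and destination addresses are constructed; the card numbers are standard test numbers, not real accounts.

```python
"""Outbound payment-card detection in the style of a DLP content rule.

Added example, not vendor code. Messages are constructed; the card-like
numbers are publicly known test values that pass or fail the Luhn check.
"""
import re

# Digit runs of 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: True for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit strings in text that look like valid card numbers."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep only the last four digits so alerts do not themselves leak data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_outbound(message, threshold=1):
    """Decide whether an outbound message may leave the network.

    message: dict with 'dst' (destination) and 'body' (text payload).
    Blocks when at least `threshold` valid card numbers are present.
    """
    pans = find_card_numbers(message["body"])
    action = "block" if len(pans) >= threshold else "allow"
    return {"action": action, "dst": message["dst"],
            "matches": len(pans), "masked": [mask(p) for p in pans]}


# Constructed sample traffic: one leak, one benign message with a
# tracking number and a digit string that fails Luhn.
LEAK = {"dst": "198.51.100.7",
        "body": "batch export: 4111 1111 1111 1111, 5500-0000-0000-0004"}
BENIGN = {"dst": "203.0.113.9",
          "body": "shipment 1234567890123456 shipped; ref 4111111111111112"}

if __name__ == "__main__":
    for msg in (LEAK, BENIGN):
        print(inspect_outbound(msg))
```

The Luhn filter is what keeps a rule like this usable: a bare 16-digit regex fires on tracking numbers, invoice ids and timestamps, and an analyst who receives that noise stops reading the alerts. Real DLP engines add context (field names, document fingerprints, proximity to words such as "expiry") on top of this check.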
Enterprises may also leverage threat intelligence information from security partners that complements their own expertise. Threat intelligence products facilitate the sharing of threat information across a wide variety of enterprises. If a new attacker appears on the landscape and attempts to breach the security of one enterprise on the threat intelligence network, information about that attacker may then be shared with others, allowing the organization to automatically block traffic from known malicious addresses, stopping attacks before they occur.
Security analysts responding to an attack may also perform a manual investigation into the breach, looking for evidence of how the attacker gained access and using that information to stop the flow of data out of the organization. Actions taken by security professionals may include changing firewall rules, updating security policies, adding hosts to a blacklist and quarantining suspect systems.
After an Attack
The work of security professionals isn’t finished after they simply detect and stop an attack in progress. After the immediate danger passes, security analysts should follow a process of due diligence designed to return the organization to normal activity. The goal of this process is to restore the organization to a secure operating state and learn from the incident.
As with the other stages of an attack, security professionals may leverage a set of tools to assist with post-incident analysis. Forensic tools allow the close examination of systems involved in the compromise. Security information and event management (SIEM) systems allow the review and correlation of records from a wide variety of technology components, as well as threat intelligence information from security partners.
Combined, these sources of information provide an important view into an attack that allows security teams to understand the sequence of events leading up to the breach, and to gain insight into the activities undertaken by the attacker after gaining access to the network. Security teams may use this information to address the vulnerabilities exploited by potential attackers and can retrace the attacker’s footsteps to identify the extent of a security breach.
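The correlation described here, and the threat-intelligence matching mentioned in the "During an Attack" section, can be shown in one small post-incident script. This is an added example written for this page, not code from a SIEM vendor: it parses a constructed firewall log and a constructed authentication log, keeps only the records for one suspect host, orders them into a single timeline, tags each outbound connection that matches a constructed indicator list (addresses from documentation ranges), and summarizes what the analyst would read off the result.

```python
"""Post-incident timeline correlation across two log sources plus threat intel.

Added example, not vendor code. All logs, hosts, accounts and indicators are
constructed; the IP addresses are reserved documentation ranges.
"""
from datetime import datetime
import ipaddress

# Constructed firewall log: "ts host ACTION proto src:port -> dst:port"
FIREWALL_LOG = """\
2016-05-10T02:14:07 fw01 ALLOW tcp 10.20.0.15:51522 -> 203.0.113.9:443
2016-05-10T02:14:30 fw01 ALLOW tcp 10.20.0.15:51530 -> 198.51.100.7:443
2016-05-10T02:40:12 fw01 ALLOW tcp 10.20.0.15:51601 -> 203.0.113.9:443
"""

# Constructed domain-controller logon log
AUTH_LOG = """\
2016-05-10T02:12:55 dc01 LOGON user=apclerk src=10.20.0.15 result=success
2016-05-10T02:31:40 dc01 LOGON user=svc-backup src=10.20.0.15 result=failure
2016-05-10T02:31:52 dc01 LOGON user=svc-backup src=10.20.0.15 result=success
"""

# Constructed threat-intelligence feed: "indicator,tag" per line
THREAT_INTEL = """\
203.0.113.0/24,c2-infrastructure
198.51.100.50,phishing-host
"""


def load_indicators(text):
    """Parse the feed into (network, tag) pairs; bare IPs become /32 networks."""
    pairs = []
    for line in text.strip().splitlines():
        indicator, tag = line.split(",")
        pairs.append((ipaddress.ip_network(indicator.strip()), tag.strip()))
    return pairs


def match_indicator(addr, indicators):
    """Return the tag of the first indicator containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for net, tag in indicators:
        if ip in net:
            return tag
    return None


def parse_firewall(text):
    events = []
    for line in text.strip().splitlines():
        ts, _fw, action, proto, src, _arrow, dst = line.split()
        src_ip = src.split(":")[0]
        dst_ip, dst_port = dst.split(":")
        events.append({"ts": datetime.fromisoformat(ts), "source": "firewall",
                       "host": src_ip, "remote": dst_ip,
                       "detail": f"{action} {proto} to {dst_ip}:{dst_port}"})
    return events


def parse_auth(text):
    events = []
    for line in text.strip().splitlines():
        ts, _dc, _kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": datetime.fromisoformat(ts), "source": "auth",
                       "host": fields["src"], "remote": None,
                       "detail": f"logon {fields['user']} {fields['result']}"})
    return events


def build_timeline(host, fw_text, auth_text, intel_text):
    """Merge both logs for one host, sort by time, tag threat-intel hits."""
    indicators = load_indicators(intel_text)
    events = [e for e in parse_firewall(fw_text) + parse_auth(auth_text)
              if e["host"] == host]
    events.sort(key=lambda e: e["ts"])
    for e in events:
        e["intel"] = match_indicator(e["remote"], indicators) if e["remote"] else None
    return events


def summarize(timeline):
    """The facts an analyst wants first: when it started, what it touched."""
    return {
        "first_seen": timeline[0]["ts"].isoformat() if timeline else None,
        "intel_hits": sum(1 for e in timeline if e["intel"]),
        "failed_logons": sum(1 for e in timeline
                             if e["source"] == "auth" and "failure" in e["detail"]),
        "accounts": sorted({e["detail"].split()[1]
                            for e in timeline if e["source"] == "auth"}),
    }


if __name__ == "__main__":
    tl = build_timeline("10.20.0.15", FIREWALL_LOG, AUTH_LOG, THREAT_INTEL)
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e["detail"], e["intel"] or "")
    print(summarize(tl))
```

Read top to bottom, the merged timeline tells the story the paragraph describes: a clerk logon, an outbound connection to an address in the indicator list two minutes later, a failed then successful logon as a service account, then a second connection to the same address. Neither log shows that sequence on its own, which is the case for feeding all of them into a SIEM and retaining them long enough to cover the weeks or months a breach can go unnoticed.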
CDW: A Security Partner That Gets IT
CDW has a dedicated security practice that is available to help you navigate and determine the best solution to mitigate risk, whether through recommending security assessments or through designing and architecting the best toolset for your organization’s needs and seeing it through to implementation. With more than 15 years of experience, CDW provides the risk management methodologies that you need to secure data, maximize continuity of operations and put disaster recovery plans in place.
CDW’s long-standing partnerships with key security vendors, including Intel Security/McAfee, Trend Micro, RSA and Symantec, allow CDW experts to take a comprehensive approach to identifying and meeting the needs of every customer. Each engagement includes five phases designed to help you achieve your security objectives in an efficient, effective manner.
These phases include:
- An initial discovery session to understand your goals, requirements and budget
- An assessment review of your existing environment and definition of project requirements
- Detailed vendor evaluations, recommendations, future environment design and proof of concept
- Procurement, configuration and deployment of the final solution
- 24/7 telephone support and ongoing product lifecycle support