monitoring and threat hunting. Automated analysis and ad hoc validation provide not just a way to avoid consultancy fees but a way to catch problems quickly and respond effectively. Moreover, this can be demonstrated to the security illiterate with easily intelligible trending analysis tools.
Whether they choose to validate externally or internally, many companies are discovering their own dark spaces: areas of their environment which they can't see into or analyse.
To light up that dark space, these companies are looking to new ranges of network traffic analysis tools which can accurately identify threats, vulnerabilities and attack behaviours and directly integrate that analysis into SOC workflows.
Any forward plans must have their sights centred on lighting up that dark space. Plans for the next year must ensure complete coverage and security for the entire enterprise. This includes the capability to see into the long-neglected East-West corridor of internal traffic, and analytics that extend to cloud services, remote sites and encrypted traffic.
Getting a better view of your environment
Real-time analysis of network traffic will give you a full picture of what your environment actually consists of, providing you with a full inventory of assets and putting you most of the way to meeting CIS Control 1: Inventory and Control of Hardware Assets.
This allows you to closely monitor and control your most critical assets, such as databases or developer workstations, responding quickly when suspicious behaviour is detected.
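The passive inventory the article describes can be built from nothing more than flow records: every internal address that sends or receives traffic is an asset, the destination ports it answers on are its services, and anything not in the configuration database is a gap in your CIS Control 1 coverage. The following is an added example (not code from the article or from any product it mentions); the flow records are constructed sample data and KNOWN_ASSETS stands in for an assumed CMDB export.

```python
"""Passive asset inventory from network flow records (CIS Control 1 support).

Added example, not code from the article or any product it describes. The
flow records are constructed; KNOWN_ASSETS is an assumed CMDB export.
"""
from datetime import datetime
import ipaddress

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, proto)
FLOWS = [
    ("2024-05-01T08:00:00", "10.0.1.10", "10.0.2.5", 5432, "tcp"),     # workstation -> database
    ("2024-05-01T08:00:05", "10.0.1.11", "10.0.2.5", 5432, "tcp"),
    ("2024-05-01T08:01:00", "10.0.1.10", "10.0.3.20", 443, "tcp"),     # internal web app
    ("2024-05-01T08:02:00", "10.0.1.10", "203.0.113.5", 443, "tcp"),   # outbound to the internet
    ("2024-05-01T09:15:00", "10.0.9.77", "10.0.2.5", 5432, "tcp"),     # host nobody registered, talking to the DB
    ("2024-05-01T09:16:00", "10.0.9.77", "10.0.3.20", 22, "tcp"),
]

KNOWN_ASSETS = {"10.0.1.10", "10.0.1.11", "10.0.2.5", "10.0.3.20"}  # assumed CMDB export
INTERNAL = ipaddress.ip_network("10.0.0.0/8")                        # assumed internal range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def build_inventory(flows):
    """Return {ip: {first_seen, last_seen, services, peers}} for every internal host seen."""
    inv = {}
    for ts, src, dst, dport, proto in flows:
        t = datetime.fromisoformat(ts)
        for ip in (src, dst):
            if not is_internal(ip):
                continue
            entry = inv.setdefault(ip, {"first_seen": t, "last_seen": t,
                                        "services": set(), "peers": set()})
            entry["first_seen"] = min(entry["first_seen"], t)
            entry["last_seen"] = max(entry["last_seen"], t)
        if is_internal(dst):
            inv[dst]["services"].add((proto, dport))   # a service observed answering on dst
        if is_internal(src):
            inv[src]["peers"].add(dst)                 # who this host talks to
    return inv


def unknown_assets(inv, known):
    """Hosts seen on the wire that are missing from the asset register."""
    return sorted(set(inv) - known)


def critical_asset_clients(inv, asset_ip):
    """Every internal host that has talked to a critical asset (e.g. the database)."""
    return sorted(ip for ip, e in inv.items() if asset_ip in e["peers"])


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for ip, e in sorted(inv.items()):
        print(ip, e["first_seen"].time(), e["last_seen"].time(), sorted(e["services"]))
    print("unregistered:", unknown_assets(inv, KNOWN_ASSETS))
    print("database clients:", critical_asset_clients(inv, "10.0.2.5"))
```

Running the block lists five internal hosts, reports 10.0.9.77 as unregistered and shows it among the database's clients, which is exactly the kind of finding that lets a team act on a critical asset before a scheduled scan would have noticed.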
www.intelligentciso.com | Issue 13
That accuracy will vanquish another bugbear of every CISO and SOC: false positives. The average platform supposedly gives out 5,000 alerts a day, wasting the time of experienced security teams as they chase what are, too often, phantom threats.
Real-time monitoring can provide the accurate, contextualised and relevant analysis required to save time, cut down on false positives and maximise the talent, skill and experience of security teams.
Furthermore, such tools can easily replace pricey external encryption audits by gathering data about the strength and type of encryption being used on the network. That information is available not just in real time but can be published as a regular report.
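The encryption report the article has in mind comes straight from the handshake metadata a passive TLS monitor already records (protocol version and negotiated cipher suite per server). Below is an added example of turning that metadata into a posture report; it is not the article's or any vendor's code. The session records are constructed in the shape a tool such as Zeek's ssl.log would emit, and the deprecated-version and weak-cipher rules encode common policy choices that are this example's assumption rather than anything the article specifies.

```python
"""Encryption posture report from passively observed TLS session metadata.

Added example, not code from the article or any product it mentions. Records
are constructed as (server_ip, server_port, tls_version, cipher_suite); the
policy rules below are assumptions and should be aligned with your own standard.
"""
from collections import Counter, defaultdict

# Constructed sample sessions (IANA cipher-suite names)
SESSIONS = [
    ("10.0.3.20", 443, "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("10.0.3.20", 443, "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("10.0.3.21", 443, "TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("10.0.3.21", 443, "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("10.0.2.5", 5432, "TLSv1.2", "TLS_RSA_WITH_AES_256_CBC_SHA"),
    ("10.0.3.22", 8443, "SSLv3", "TLS_RSA_WITH_RC4_128_SHA"),
]

DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}   # assumed policy


def cipher_weaknesses(suite):
    """Return policy findings for one cipher-suite name; empty list means acceptable."""
    findings = []
    if any(tag in suite for tag in ("RC4", "3DES", "_NULL_", "EXPORT")):
        findings.append("weak-cipher")
    if suite.startswith("TLS_RSA_WITH_"):
        findings.append("no-forward-secrecy")   # static RSA key exchange
    if "_CBC_" in suite:
        findings.append("cbc-mode")             # prefer AEAD suites
    return findings


def build_report(sessions):
    """Aggregate version/cipher usage and per-endpoint findings into one structure."""
    by_version = Counter(v for _, _, v, _ in sessions)
    by_cipher = Counter(c for _, _, _, c in sessions)
    findings = defaultdict(set)                 # (ip, port) -> set of findings
    for ip, port, version, suite in sessions:
        if version in DEPRECATED_VERSIONS:
            findings[(ip, port)].add(f"deprecated-protocol:{version}")
        for f in cipher_weaknesses(suite):
            findings[(ip, port)].add(f)
    return {
        "by_version": dict(by_version),
        "by_cipher": dict(by_cipher),
        "findings": {k: sorted(v) for k, v in findings.items()},
    }


def render_report(report):
    """Plain-text lines suitable for the regular report the article describes."""
    lines = ["Protocol versions observed:"]
    lines += [f"  {v}: {n}" for v, n in sorted(report["by_version"].items())]
    lines.append("Endpoints needing attention:")
    for (ip, port), fs in sorted(report["findings"].items()):
        lines.append(f"  {ip}:{port} -> {', '.join(fs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_report(build_report(SESSIONS))))
```

The endpoint on 10.0.3.20 produces no findings, while the database on 10.0.2.5 surfaces as "working but not ideal" (TLS 1.2 with static RSA key exchange and CBC mode), which is the nuance a simple pass/fail audit tends to lose.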
The same goes for monitoring access. When it comes to watching privileged accounts, APIs or sensitive assets, real-time monitoring is far more effective than occasional scans. With real-time monitoring, suspicious behaviour can be detected and quarantined almost immediately, extinguishing fires before they even have time to spread.
Increasingly, malware is written to avoid conventional detection measures. With that in mind, any monitoring platform must be able to spot attack activities which are traditionally hard to identify. However stealthily a piece of malware is written, it won't be able to outsmart an SOC which can identify attack behaviours like internal reconnaissance, lateral movement, C&C activity and exfiltration.
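The four behaviours just named are detectable from traffic patterns alone, without any signature for the malware involved. The block below is an added example of what such detections look like over flow records; it is not code from the article or from any product it mentions. The flow data is constructed to contain one instance of each behaviour, and the thresholds, the admin-port list and the JUMP_HOSTS allow-list are assumptions a real SOC would tune to its own environment.

```python
"""Behavioural detections over flow records: internal reconnaissance, lateral
movement, C&C beaconing and bulk exfiltration.

Added example, not code from the article or any product it mentions. Flow
records are constructed; thresholds and port lists are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ADMIN_PORTS = {22, 3389, 445, 5985}      # ssh, rdp, smb, winrm (assumed policy)
JUMP_HOSTS = {"10.0.0.2"}                # hosts permitted to use admin ports (assumed)


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def flows_for_example():
    """Constructed sample data: (t_seconds, src, dst, dport, bytes_out)."""
    f = []
    for i in range(20):                                   # sweep of port 445 across 20 hosts
        f.append((100 + i, "10.0.5.5", f"10.0.6.{i + 1}", 445, 200))
    f.append((200, "10.0.5.5", "10.0.6.9", 3389, 5000))   # then a real RDP session
    for k in range(8):                                    # contact every 60 s to one external host
        f.append((300 + 60 * k, "10.0.7.7", "203.0.113.9", 443, 400))
    f.append((900, "10.0.7.7", "203.0.113.10", 443, 600_000_000))  # 600 MB outbound
    f.append((950, "10.0.0.2", "10.0.6.1", 22, 3000))     # jump host doing its job
    f.append((960, "10.0.1.10", "203.0.113.11", 443, 1200))  # ordinary browsing
    return f


def detect_recon(flows, min_hosts=10):
    """Sources that touched many distinct internal hosts on the same port (horizontal sweep)."""
    seen = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        if is_internal(dst):
            seen[(src, dport)].add(dst)
    return sorted({src for (src, _), hosts in seen.items() if len(hosts) >= min_hosts})


def detect_lateral(flows, min_bytes=1000):
    """Established internal->internal admin-port sessions from hosts that are not jump hosts.

    The byte floor separates a session from a probe, so a sweep is reported by
    detect_recon rather than as twenty lateral-movement alerts."""
    return sorted({(src, dst, dport) for _, src, dst, dport, b in flows
                   if is_internal(src) and is_internal(dst)
                   and dport in ADMIN_PORTS and src not in JUMP_HOSTS and b >= min_bytes})


def detect_beacons(flows, min_count=6, max_cv=0.2):
    """(src, external dst) pairs contacted at near-regular intervals: C&C beaconing candidates."""
    times = defaultdict(list)
    for t, src, dst, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(t)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0   # coefficient of variation
        if cv <= max_cv:
            hits.append(key)
    return sorted(hits)


def detect_exfil(flows, min_bytes=100_000_000):
    """(src, external dst) pairs whose total outbound volume exceeds the floor."""
    out = defaultdict(int)
    for _, src, dst, _, b in flows:
        if is_internal(src) and not is_internal(dst):
            out[(src, dst)] += b
    return sorted(k for k, v in out.items() if v >= min_bytes)


if __name__ == "__main__":
    fl = flows_for_example()
    print("recon:", detect_recon(fl))
    print("lateral:", detect_lateral(fl))
    print("beacons:", detect_beacons(fl))
    print("exfil:", detect_exfil(fl))
```

Each detector fires on exactly one source in the sample and stays quiet on the jump host and the browsing workstation; the rule of thumb that makes this low-noise is combining a volume or count floor with a shape test (regularity of intervals, breadth of hosts) rather than alerting on any single connection.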
The SANS Institute considers this lack of visibility to be the number one cloud security issue, so obviously that coverage has to extend to cloud services and third parties. One patch of dark space can be just the thing an adversary needs to do real damage. Deloitte, one of the world's largest of the 'big four' accountancy firms, learnt just that lesson in 2017 when an attacker used an apparently unmonitored cloud-based email platform to hide inside its network for months.
From tactics to strategy
All of this boils down to richer, more intelligible information, and that will make big waves across an entire organisation. That means a clearer idea of what your priorities are and what your next steps should be. It means a faster, more effective response to real threats and not the false positives that dog so many SOCs.
In essence, it means a way to deal more effectively with short-term threats and a long-term strategic view, for everyone, of how best to secure your organisation.
A secure organisation needs buy-in all the way from the top. Playing the long game means that decision makers have better strategies for long-term security success and a better understanding of how security will enable a business' true goals.