Enterprise Security Essentials

The cybersecurity threat landscape has become extremely vast and complex, as has cybersecurity technology. It’s becoming increasingly confusing for organizations to grasp the what, when, where, and how of protecting the enterprise. But it doesn’t have to be. Think about how you would protect your home; you’d want perimeter security (a fence), endpoint protection (doors with sturdy locks), video surveillance (cameras), and a connection to law enforcement (detection and response), right? Well, the same applies to your business – though the solutions are slightly higher-tech!

Fences (Firewalls)

I remember the fence we had around our yard when I was growing up; it was never used for security. It did provide us with some privacy until someone opened the gate or jumped over it. It’s the same concept as the tried-and-tested firewall: it won’t keep a determined intruder out, but it will slow them down. Casual intruders are kept at bay; however, anyone who tries hard enough will get in through the common web ports and protocols that are always left open.

Doors and Locks (Endpoint Protection)

This is the most basic form of protection for your home, just as antivirus and endpoint protection is the most basic protection your enterprise can have on your laptops, desktops, servers, and cloud resources. At home, you lock your door(s) behind you and feel secure that your home is protected. But just like the key to your door can be stolen by an attacker, antivirus solutions can be terminated or removed by attackers. So, implementing tamper protection on your endpoints can function like the deadbolt on the door of your home. Again, you just slowed down the attacker; if you have something they really want, a determined adversary will break in another way. At your home, they’ll try to find a window to break or a door without a deadbolt; in your enterprise, they’ll find a different vulnerability.

Cameras (Network Detection)

Perhaps you recently read a story in your local paper (or saw a post on Nextdoor) about intruders breaking into homes in your area. Today, in your online chat group, you hear about criminals in your neighborhood who are hijacking cars from driveways. You think, ‘Maybe it’s time to get a video doorbell,’ or you consider splurging on a whole-home security kit to monitor your front porch, driveway, backyard, and indoor areas. For an enterprise, this is the point when network detection and response (NDR) is essential. It is the natural evolution to the next level of maturity. It’s not just critical to monitor a bad guy snooping and fumbling to get in; you also want to understand when and how the intruders actually made it onto the premises or into the network, what they took, and where they are leaving from (north/south traffic). Do you have additional cameras (or sensors) to see what other rooms they went into and what else they took or vandalized (east/west traffic)?

Law Enforcement (Response)

Incident response is critical, and unfortunately, this is where many security failures occur. What if you had cameras, but they were never triggered when motion was detected? What if the intruder was able to get into your home without tripping the alarm? What if the alarm goes off and the police don’t respond? When you apply these failures to your enterprise security posture, it’s clear why an NDR solution is essential. With the proper placement of cameras, the proper resources to help you respond, and continuous monitoring of your most critical assets, you are able to carry out response functions and find exactly how intruders got in, where they went after they entered and where they left from, and what the adversaries took.

Let’s take this a step further and think about what happens when the police arrive. You have the recorded surveillance and a list of stolen items, which gives them the critical information they need to investigate and respond. Did the intruders first attempt to use the door and pick the lock, or did they go directly to the back and use a window? Did they take cash, credit cards, or jewelry? Maybe they were after electronics, TVs, your Alexa, and those AirPods in your office. Your cameras thankfully spotted where items were taken from, what time it happened, and how the intruders got away.

It’s the same with your enterprise; NDR provides the surveillance and records so your security team can examine the break-in and look for forensic artifacts, ‘fingerprints,’ and other indicators that show the methods of intrusion (adversary TTPs: tactics, techniques, and procedures). Using NDR can help you successfully identify these adversary TTPs and their likely goals based on what they took. This can harden your network against a similar attack or against the same attackers returning for another try.

Your security system now holds profiles of these behaviors and detections, so it can automatically recognize adversary behavior during intrusion attempts and prevent the exfiltration of your prized possessions. NDR has become a critical part of your organization, and your security maturity has grown tenfold.
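To make the north/south versus east/west distinction and the exfiltration check concrete, here is an added example (not code from the original article or any NDR product) that classifies constructed flow records by direction and flags two of the behaviors described above: one host fanning out to many internal peers on the same port, and a single host pushing an unusually large volume out past the perimeter. The flow tuples, internal address ranges and thresholds are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, not taken from the article:
# (source IP, destination IP, destination port, bytes sent by source)
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.20", 445, 12_000),
    ("10.0.1.5", "10.0.2.21", 445, 11_500),
    ("10.0.1.5", "10.0.2.22", 445, 9_800),
    ("10.0.1.5", "10.0.2.23", 445, 10_100),
    ("10.0.1.5", "203.0.113.9", 443, 75_000_000),
    ("10.0.3.7", "198.51.100.4", 443, 2_000),
]

# Assumed internal address space (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify_direction(src, dst):
    """east/west = both ends internal; north/south = crosses the perimeter."""
    if is_internal(src) and is_internal(dst):
        return "east/west"
    return "north/south"

def analyze_flows(flows, exfil_bytes=50_000_000, fanout_threshold=3):
    """Return findings keyed by internal source host.
    - exfiltration: a north/south flow leaving the network with more than exfil_bytes
    - lateral movement: a host reaching >= fanout_threshold internal peers on one port
    Both thresholds are illustrative assumptions, not tuned values."""
    peers = defaultdict(set)      # (src, port) -> internal destinations seen
    findings = defaultdict(list)
    for src, dst, port, nbytes in flows:
        direction = classify_direction(src, dst)
        if direction == "north/south" and is_internal(src) and nbytes > exfil_bytes:
            findings[src].append(f"possible exfiltration: {nbytes} bytes to {dst}:{port}")
        elif direction == "east/west":
            peers[(src, port)].add(dst)
    for (src, port), dsts in peers.items():
        if len(dsts) >= fanout_threshold:
            findings[src].append(f"possible lateral movement: {len(dsts)} internal hosts on port {port}")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in analyze_flows(SAMPLE_FLOWS).items():
        print(host, notes)
```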

The original article can be found here.
