Managing a breach or ‘dirty’ network

Issue 5 2021 Editor's Choice, Cyber Security

Nasser Bostan, head of security sales, Middle East and Africa, BT, shares BT’s insights gleaned from the SolarWinds incident and offers recommendations for organisations to step up their cybersecurity strategies.

Nasser Bostan.

In December 2020, it became apparent that SolarWinds, a major US information technology firm, had been the subject of a cyberattack that spread to its clients. The attack went undetected for months and it has had a huge impact across the entire technology ecosystem as it continues to unfold.

One immediate effect is that the whole security community is now questioning some of its fundamental practices and assumptions around how to implement a successful security environment. The attack is forcing a rethink of how to assess and manage supplier risk.

All security professionals know that you’re only ever as strong as the weakest link in your defences. And to complicate the matter further, most organisations don’t grow organically over time. They grow through a series of mergers, acquisitions and divestments which each play a part in changing their IT landscape. As their infrastructure evolves, it becomes a mixture of new, established and legacy systems from a range of different suppliers. Despite this, users expect IT to be frictionless, leading many organisations to become increasingly borderless. In this complex, blurred environment, finding ‘bad’, or even sub-optimal elements can be challenging.

In BT’s recent whitepaper, Assume breach: Managing a dirty network[1], we make six recommendations for how organisations can achieve ‘assume breach’, based on policies and solutions we’re following ourselves.

1. Know the personas on your estate (identity)

The complexity of managing and understanding personas and identities leaves many organisations blind to the activity of an attacker. In this context, identity and access mechanisms that give you visibility and control of your estate are hugely valuable. Since identity is one of the areas of compromise frequently implicated in high profile and impactful breaches, a firm understanding of the roles and users in your organisation, coupled with high confidence audit, reporting and alerting is critically important.

2. Understand your assets

It comes back to the old adage: If you don’t know what you have, how can you protect it? But understanding what and where your assets are is only one part of the problem. You also need to rigorously assess your asset life cycle strategy. The asset lifecycle is perhaps one of the most difficult aspects of successfully managing IT infrastructure and it gets more difficult as you move to the cloud and more corporate assets fall outside your traditional network perimeter. However, if you fail to identify affected versions, they can delay the remediation and patching process, even after fixes are made available, worsening the risks and impacts.

3. Prioritise modern endpoint tooling

Endpoint Detection and Response (EDR) solutions bring together next-generation antivirus with threat hunting and threat intelligence on the endpoint device, constantly analysing events to identify malicious behaviour. Although an EDR solution gives excellent visibility of adversary behaviour as it occurs, organisations often need prior understanding of this behaviour to detect and prevent it effectively. When this information isn’t available and prevention and detection fail silently, many EDR solutions monitor and record the chain of execution of activities occurring on the endpoint. This enables SOC teams to look back and verify where the attack happened.

4. Make it difficult to move between zones and workloads

Organisations must adopt a Zero Trust model that’s secure by default and only allows traffic to flow between applications that have been positively verified against policy. This will reduce the opportunity for malware or threat actors to move between network zones, servers or workloads, providing crucial protections during many cyber incidents. Creating boundaries between different zones of your network, using network segmentation and application micro-segmentation can make it more difficult for an attacker to move laterally around your infrastructure.

5. Take a systemic approach to detecting threats

Organisations invest in threat detection capabilities such as Security Information and Event Management (SIEM) to make sure they can detect compromises within their estate quickly. To fine-tune your detection, the SOC team operating the SIEM needs to adopt a systematic approach. They need a good understanding of threat actor behaviour and should work closely with their counterparts in threat intelligence to identify the behaviour of known actor groups and map this knowledge to a common classification structure.

6. Be curious

The most inquisitive and engaged people in the organisation are the analysts you have defending your estate. So, allow them to focus on using their natural talents to maximum effect by managing their workloads and automating volume activity where possible. Burdening them with repetitive or routine tasks might produce a steady flow of outputs, but it isn’t the most effective use of their time or skills. Consider automating or offloading such items to trusted providers, so your analysts can better spend their time searching things out. Pulling on loose threads takes time, but ultimately, it improves your security baseline and might just uncover the thing no-one was looking for.

Cyber attackers and criminals will never stop trying to invent new ways of gaining a return on their investments. If you can make it expensive, difficult and time-consuming for them to achieve their goal, it will limit the range and motivation of cyber attackers targeting your organisation.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Issue 1 2021 , Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Retail solutions beyond security
Issue 8 2020, Axis Communications SA, Technews Publishing, Hikvision South Africa , Editor's Choice, CCTV, Surveillance & Remote Monitoring
The need for security technology to deliver more than videos of people falling or stealing from retail stores is greater than ever.

Covid-19 rarely spreads through contact with surfaces
Issue 6 2021, iPulse Systems , Editor's Choice
While the virus is capable of lingering on public surfaces, studies show that this is not a major source of infection as many believe it to be.

Elvey appointed as Technoswitch national distributor
Issue 6 2021, Elvey Security Technologies , Editor's Choice
Elvey’s appointment as a national distributor for the Technoswitch range of fire detection and suppression technology forms part of the company’s strategic plan to supplement its security offering with high-quality fire products.

Harnessing 5G for South Africa
Issue 6 2021 , Editor's Choice
As the promise of 5G begins to become a reality, the role of communication services providers will change as we address the needs of future homes and lifestyles.

Enabling SMEs to build back better
Issue 6 2021 , Editor's Choice, News, Conferences & Events
Simpli ConnectED podcast series addresses the demands placed on SMEs in the current economic climate and offers suggestions for keeping the wheels turning.

Cathexis Africa welcomes new managing director, Dene Alkema
Issue 6 2021, Cathexis Technologies , Editor's Choice
South Africa’s leading video management software company is starting a new chapter in the region with the appointment of a new managing director of Cathexis Africa, Dene Alkema.

Securex South Africa, A-OSH and Facilities Management Expo postponed to 2022
Issue 6 2021, Specialised Exhibitions , Editor's Choice
Specialised Exhibitions, a division of Montgomery Group, has made the difficult decision to postpone Securex South Africa, A-OSH Expo and Facilities Management Expo.

Leveraging intelligence for surveillance
Issue 6 2021, Leaderware , Editor's Choice, CCTV, Surveillance & Remote Monitoring
Have companies seized the opportunities to complement and enhance the capabilities of both CCTV surveillance and that of intelligence gathering to gain strategic and operational insights?