Recently we were discussing a list of security-related tasks that could be done to help protect an environment, or to provide early warning and possible remediation should something slip through. There were no fewer than 50 items that we covered, and we know that we skipped many other areas. At the end of the discussion, we summed up with the sentiment that many of our clients feel: “How do we accomplish this?” While we have the skills and products to deliver a large range of protective, defensive, and alerting solutions, most clients have limited time and financial resources to implement and maintain these items.
I’d like to help cover the “low-hanging fruit” that should be the first round of prioritization. We can then keep improving your security posture incrementally as time and budget permits.
This really is job one. I really hate to subscribe to the “it isn’t ‘if’, it’s ‘when’” philosophy, but the playing field is such that a cyber incident of some nature is an eventuality for most organizations.
Finding your way back from that impact (without paying and hoping the keys work) relies on your ability to protect your data. This is why backups are targeted by threat actors to help ensure payment. If you don’t have something to restore, your options to continue as a business are hampered.
There are a few elements to this. First, make sure that all your critical systems are being backed up. You should review the Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), and other related factors as part of this strategy.
Second, make sure you have multiple copies. In the past, having another copy in another building was sufficient because the plan was to survive a site-wide disaster (fire, flood, tornado, etc.). While that is still an important item to keep in mind, it just seems less likely to occur in comparison to a ransomware attack (not sure if that is statistically accurate, but that is the current sentiment felt by organizations).
This leads to the third element: make sure you have an air-gapped backup. Offline copies of your data (tape, offline storage, etc.) are harder to attack during a cyber incident. They aren’t entirely immune (depending on how long they have been in your environment, there could be elements of the attack on your backups), but they provide a reasonable way back. Some products (such as Veeam) have some components that allow the restore to strip out suspect material during the recovery process; having a backup that is largely intact will go a long way in keeping your business afloat.
Part of the planning process, especially when you start getting into secondary or tertiary backup targets, is to make sure you understand the impact on recovery times. If your Internet link is the bottleneck for the backup process, but you only notice it during the first initial seeding because every backup after that is incremental, you may be in for a shock when you estimate the time for a full recovery over that same link (days and weeks). You may need to look at drive shipping options (encrypted in case of loss during transit) or plane tickets depending on the situation. It is good to have these backups, but you also need to figure out how to make use of them.
A final key component of this is making sure your well-laid-out plan is actually being executed. Monitoring, testing, and adjusting backups help ensure that if you ever need to rely on your backup, you can have peace of mind it is there. And of course, we can assist you with our managed backup solution.
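As an added illustration of the three elements above and the recovery-time point (this is example code written for this article, not a tool from the original post or from any backup product it mentions), here is a small Python check that takes a per-system RPO/RTO policy with its list of copies and reports where the plan falls short: newest copy older than the RPO, fewer than two copies or locations, no offline (air-gapped) copy, and a fastest full restore that would take longer than the RTO. The systems, copy locations, sizes and bandwidths are constructed, and the 0.8 link-efficiency factor is an assumption used to account for protocol overhead.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class BackupCopy:
    location: str            # where this copy lives (constructed labels below)
    offline: bool            # True if air-gapped: not reachable from the production network
    last_success: datetime   # timestamp of the last verified successful backup
    size_gb: float           # size of a full restore from this copy, in decimal GB
    link_mbps: float         # bandwidth available from this copy back to production
    transport_hours: float = 0.0  # courier / drive-shipping time before the copy is on-site


@dataclass
class SystemPolicy:
    name: str
    rpo: timedelta           # Recovery Point Objective: maximum tolerable data loss
    rto: timedelta           # Recovery Time Objective: maximum tolerable restore time
    copies: list[BackupCopy] = field(default_factory=list)


def estimate_restore_hours(size_gb: float, link_mbps: float, efficiency: float = 0.8) -> float:
    """Hours needed to pull size_gb across a link of link_mbps.
    The 0.8 efficiency factor for protocol overhead is an assumption, not a figure from the post."""
    bits = size_gb * 8 * 1000**3
    return bits / (link_mbps * 1_000_000 * efficiency) / 3600


def copy_restore_hours(copy: BackupCopy) -> float:
    """Wall-clock hours to get this copy back into production, including physical transport."""
    return copy.transport_hours + estimate_restore_hours(copy.size_gb, copy.link_mbps)


def evaluate(policy: SystemPolicy, now: datetime) -> list[tuple[str, str]]:
    """Return (code, message) findings for one system; an empty list means the plan looks sound."""
    findings: list[tuple[str, str]] = []
    if not policy.copies:
        return [("NOBACKUP", f"{policy.name}: no backup copies recorded")]
    # Element 1: is the most recent copy fresh enough to meet the RPO?
    newest_age = now - max(c.last_success for c in policy.copies)
    if newest_age > policy.rpo:
        findings.append(("RPO", f"{policy.name}: newest copy is {newest_age} old, RPO is {policy.rpo}"))
    # Element 2: multiple copies, in more than one place
    if len(policy.copies) < 2:
        findings.append(("COPIES", f"{policy.name}: only one copy exists"))
    if len({c.location for c in policy.copies}) < 2:
        findings.append(("LOCATIONS", f"{policy.name}: all copies are in one location"))
    # Element 3: at least one copy an attacker on the network cannot reach
    if not any(c.offline for c in policy.copies):
        findings.append(("AIRGAP", f"{policy.name}: no offline / air-gapped copy"))
    # Recovery time: the best case among all copies must still fit inside the RTO
    fastest = min(copy_restore_hours(c) for c in policy.copies)
    if fastest > policy.rto.total_seconds() / 3600:
        findings.append(("RTO", f"{policy.name}: fastest full restore is {fastest:.1f} h, RTO is {policy.rto}"))
    return findings


NOW = datetime(2024, 3, 1, 8, 0)  # constructed "current time" for the sample data

# Constructed sample: a file server backed up three ways, and an ERP database with a single cloud copy
FILE_SERVER = SystemPolicy(
    name="file-server", rpo=timedelta(hours=24), rto=timedelta(hours=48),
    copies=[
        BackupCopy("onsite-nas", False, NOW - timedelta(hours=6), 2000, 1000),
        BackupCopy("cloud-repo", False, NOW - timedelta(hours=7), 2000, 100),
        BackupCopy("tape-vault", True, NOW - timedelta(days=8), 2000, 1000, transport_hours=24),
    ],
)
ERP_DB = SystemPolicy(
    name="erp-db", rpo=timedelta(hours=24), rto=timedelta(hours=48),
    copies=[BackupCopy("cloud-repo", False, NOW - timedelta(hours=30), 3000, 100)],
)


def report(policies: list[SystemPolicy], now: datetime = NOW) -> dict[str, list[tuple[str, str]]]:
    return {p.name: evaluate(p, now) for p in policies}


if __name__ == "__main__":
    for name, findings in report([FILE_SERVER, ERP_DB]).items():
        print(name, "OK" if not findings else "")
        for code, msg in findings:
            print("  ", code, msg)
```

The numbers make the article's point about link speed: 2 TB over a 100 Mbps link comes back in about 55 hours (2.3 days) even before any overhead from the restore job itself, while the same data over a local 1 Gbps link restores in under 6 hours. Running a check like this on a schedule, fed from your backup software's job history, is one way to turn "make sure the plan is being executed" into something that alerts rather than something someone remembers to look at.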
Awareness / Visibility / Reaction
Knowing something is wrong in the environment might come from your end-users first saying “I can’t get to my files…” or some other resource. But it would be good to have some warning that something might not be right before the attack is executed.
There are a few products on the market that can help. Microsoft Defender for Identity (formerly Azure Advanced Threat Protection or Azure ATP) sits on the domain controllers and watches for reconnaissance activities and other suspicious activities. Some SIEM products have similar capabilities and will also typically ingest the firewall syslogs to watch and correlate activities.
Notification of possible issues is great because you can start investigating, but what happens when that notification comes in at 2 am and no one is watching their email? You’ll want to have a Security Operations Center (SOC) monitoring these activities. Depending on the arrangement, they can wake someone up to get engaged and start investigating, or possibly even take preventive action to stop what is occurring from proceeding further. Our PULSE Alarm solution puts those elements into your active arsenal.
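To make the “watch and correlate” step concrete, here is an added Python example (written for this article; it is not code from the post, from Microsoft Defender for Identity, or from any SIEM product) that runs a simple sliding-window correlation over firewall syslog lines. It flags a source address that is dropped on many distinct destination ports within a short window, which is the kind of reconnaissance pattern a SIEM rule would raise, and escalates the alert if the same source is later accepted through the firewall. The log lines are constructed in an iptables-like format, and the thresholds (10 distinct ports in 60 seconds, a 300-second follow-up window) are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall syslog lines in an iptables-like format (not real logs).
# One source probes ten ports in a few seconds and is then accepted on 3389;
# a second source touches two ports sixteen minutes apart, which is normal noise.
SAMPLE_LOGS = """\
Mar  1 02:13:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Mar  1 02:13:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar  1 02:13:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar  1 02:13:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Mar  1 02:13:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar  1 02:13:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Mar  1 02:13:04 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=143
Mar  1 02:13:04 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar  1 02:13:05 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Mar  1 02:13:05 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  1 02:13:09 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  1 02:14:10 fw1 kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
Mar  1 02:30:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)"
)


def parse(line, year=2024):
    """Return (timestamp, action, src, dst, dport) or None for lines that do not match.
    Syslog timestamps carry no year, so one is assumed for the constructed sample."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["action"], m["src"], m["dst"], int(m["dpt"])


def detect(lines, window_s=60, min_ports=10, followup_s=300):
    """Sliding-window correlation over firewall events.

    Alert (severity "medium") when one SRC is DROPped on at least min_ports distinct
    (DST, DPT) pairs inside window_s seconds; escalate to "high" if that SRC is then
    ACCEPTed anywhere within followup_s seconds of its last dropped probe.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst, dport)) drops in the window
    alerts = []                   # alert dicts in the order they fired
    open_alerts = {}              # src -> its alert, for follow-up correlation
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, action, src, dst, dpt = ev
        if action == "ACCEPT":
            alert = open_alerts.get(src)
            if alert and (ts - alert["last_seen"]).total_seconds() <= followup_s:
                alert["severity"] = "high"
                alert["accepted"] = (dst, dpt)
            continue
        probes = recent[src]
        probes.append((ts, (dst, dpt)))
        while (ts - probes[0][0]).total_seconds() > window_s:   # expire old probes
            probes.popleft()
        targets = {t for _, t in probes}
        if src in open_alerts:
            open_alerts[src]["last_seen"] = ts
        elif len(targets) >= min_ports:
            alert = {"src": src, "first_seen": probes[0][0], "last_seen": ts,
                     "targets": len(targets), "severity": "medium", "accepted": None}
            alerts.append(alert)
            open_alerts[src] = alert
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS.splitlines()):
        print(f"{a['severity'].upper()}: {a['src']} probed {a['targets']} ports "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}; "
              f"accepted on {a['accepted']}")
```

The escalation step is the part worth copying into a real rule: a burst of dropped probes on its own is routine Internet background noise, but a probe burst followed within minutes by an accepted connection from the same address is something a SOC analyst should be paged for, whatever the hour.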
While firewalls and anti-virus and email hygiene are all great preventive items, I’m going to assume most organizations have that covered in some fashion at this point.
But a big gap tends to be user education. You need to make sure that your end-user knows what to look for on an email to question the validity of it, knows to pick up the phone – and which number to call – to validate some key information, and knows how to not fall prey to the onslaught of phishing attempts that are happening. Many of these items are “obvious” to trained eyes, but most users aren’t trained to see what is obvious to others. Phishing attempts today are significantly more sophisticated than they were a couple of years ago when Nigerian Princes were the only concern, and they will continue to be more difficult to discern in the future.
Educating users as to what to look for, testing them, and further educating them afterward as to what was wrong so they know what to look for next time, are key practices to preventing your next attack from happening. Using a managed solution such as PULSE Aware helps keep your end-users tested and educated as to what to look for the next time. Making your users part of your protection services versus being a liability to your environment will be well worth the investment.
There are many more security products, and many configuration changes to the systems you already own, that make it more and more difficult to become a victim. The more “flaming hoops” you make the threat actor jump through to compromise your environment, the more likely they will trip up and trigger some alerts in your alarm system, or give up because it is not worth their time if it is too challenging. But you can start with some clear basic elements to help ensure you have good recoverability options and visibility when something happens. We can add additional layers of controls, or hardening of existing elements, as time goes on.
Need more information? Email firstname.lastname@example.org. We are happy to help.