LESSONS FROM THE SOLARWINDS AND HAFNIUM BREACHES: PART TWO

In my previous blog, I talked about the need to rethink how our people, our teams and our businesses continue to operate securely. Evidenced by two recent state-sponsored cyber attacks – SolarWinds and the Hafnium hack on Microsoft Exchange Servers – the adversarial mindset of cyber criminals continually reinvents new ways to gain access to your valuable data.

The SolarWinds and the Hafnium hack on Microsoft Exchange servers were amongst the most sophisticated and severe zero-day attacks we have seen. They also represented new thinking in our adversaries, who wandered from host to host undetected, digging around servers and data without once being tempted to draw attention to themselves with a nice big ransomware-fest.

What can we do?

Some may ask if zero-trust is the answer. In my opinion, not really – it’s OK for user-side comms, but servers whose very purpose is to connect to other stuff on the internet, like SMTP servers, are trickier to lock down.

This is where behavioural analytics-based threat detection of both your networks and your users can help. The challenge is to notice the unusual rather than the blatantly malicious – we have plenty of tools for the latter – and behavioural analytics has made great strides recently in offering an effective layer of protection.
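To make "notice the unusual" concrete, here is an added example (my own illustration, not code from the original post or from any product it mentions). It learns, per source host, which destinations that host normally talks to during a baseline window, then flags hosts that fan out to several never-before-seen peers afterwards. The log format and the host names are constructed for the example; a real deployment would feed it from flow or firewall logs.

```python
"""Baseline-deviation detection over constructed connection logs.

Added example, not from the original post. A host that quietly starts
reaching servers it has never contacted before may never trip a
signature, but it does stand out against its own history.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <src> <dst> <dst_port>".
# The first week is the baseline; on the 8th one web server starts
# touching a file share, an HR database, a backup host and a DC.
SAMPLE_LOG = """\
2021-03-01T09:00:00 web01 db01 5432
2021-03-01T09:05:00 web01 cache01 6379
2021-03-02T10:00:00 web01 db01 5432
2021-03-03T11:00:00 web01 cache01 6379
2021-03-04T09:00:00 web01 db01 5432
2021-03-05T09:00:00 web01 db01 5432
2021-03-06T09:00:00 web01 cache01 6379
2021-03-01T08:00:00 mail01 dns01 53
2021-03-02T08:00:00 mail01 dns01 53
2021-03-03T08:00:00 mail01 dns01 53
2021-03-08T02:10:00 web01 db01 5432
2021-03-08T02:12:00 web01 fileshare01 445
2021-03-08T02:13:00 web01 hr-db01 1433
2021-03-08T02:15:00 web01 backup01 22
2021-03-08T02:17:00 web01 dc01 389
2021-03-08T08:00:00 mail01 dns01 53
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the constructed format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def learn_baseline(events, baseline_end):
    """Per source host, the set of destinations seen before baseline_end."""
    peers = defaultdict(set)
    for ts, src, dst, _ in events:
        if ts < baseline_end:
            peers[src].add(dst)
    return peers


def detect_new_peers(log_text, baseline_end, min_new_peers=3):
    """Return {src: sorted new destinations} for hosts that, on or after
    baseline_end, reach at least min_new_peers destinations absent from
    their own baseline. One new peer is normal churn; a burst of them
    from a single host is the 'unusual' worth a human look."""
    end = datetime.fromisoformat(baseline_end)
    events = list(parse_log(log_text))
    baseline = learn_baseline(events, end)
    observed = defaultdict(set)
    for ts, src, dst, _ in events:
        if ts >= end:
            observed[src].add(dst)
    findings = {}
    for src, dsts in observed.items():
        new = sorted(dsts - baseline.get(src, set()))
        if len(new) >= min_new_peers:
            findings[src] = new
    return findings


if __name__ == "__main__":
    for host, peers in detect_new_peers(SAMPLE_LOG, "2021-03-08T00:00:00").items():
        print(f"{host}: {len(peers)} never-before-seen peers -> {', '.join(peers)}")
```

The threshold is deliberately a count of new peers rather than a signature: a web tier that suddenly talks to a file share, an HR database and a domain controller is not "malicious" on any single connection, which is exactly why signature tools miss it.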

What about “best practice”? Yep. Every time a universal security event takes place, we realise that we’ve drifted (sometimes a long way) from basic good practice, and we learn lessons, run projects, make changes, and then a couple of years later it happens again and we find our “secure”, updated server has a password of “solarwinds123” and it’s on GitHub in plain text. That is not a tool problem – well, not in the typical sense.

One of my earliest engineering jobs in security was as a very junior part of a team connecting hundreds of retail bank buildings to the internet. My mentor was the “firewall guy” and I spent months bringing him tea and cigarettes as he systematically connected ISP links and then denied anyone, and anything, access to them.

Best practice, of course, evolves, but at that time if you wanted to connect something to the internet you needed a very good reason, and to be willing to jump through onerous change control hoops to get it done – and even then he’d review the rules weekly and check whether you still needed the thing you’d managed to get approved. Granted, it was easier then – we could review the firewall logs manually, and that’s a bit trickier since we increased bandwidth from 64Kbps.
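The weekly rule review described above can be partly automated. The following is an added example of mine, not code from the original post or from any firewall vendor: it takes a constructed rule table (source, destination, port, last-hit date, approval expiry) and reports rules that have not matched traffic in a long time, whose approval has lapsed, or that are broad enough to deserve a second look. The field names and the staleness threshold are assumptions; real firewalls expose hit counters and rule metadata in their own formats.

```python
"""Stale and over-broad firewall rule review over a constructed rule table.

Added example, not from the original post. The idea is the mentor's
weekly question, "do you still need this?", asked by a script so a
human only has to read the exceptions.
"""
import ipaddress
from datetime import date

# Constructed rule table. last_hit is None for a rule that has never
# matched traffic since it was installed.
RULES = [
    {"id": 10, "src": "10.1.0.0/16", "dst": "203.0.113.25", "port": 25,
     "last_hit": "2021-03-10", "expires": "2021-12-31", "owner": "mail-team"},
    {"id": 20, "src": "10.1.5.4", "dst": "198.51.100.7", "port": 443,
     "last_hit": "2020-11-02", "expires": "2021-12-31", "owner": "vendor-portal"},
    {"id": 30, "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "port": "any",
     "last_hit": "2021-03-11", "expires": "2021-02-01", "owner": "project-x"},
    {"id": 40, "src": "10.1.9.9", "dst": "192.0.2.10", "port": 22,
     "last_hit": None, "expires": "2021-06-30", "owner": "backup"},
]

# Assumed policy: a destination wider than a /16, or "any" port, is broad
# enough that the reviewer should see it every week regardless of hits.
BROAD_PREFIX_LEN = 16


def is_broad(rule):
    """True if the rule's destination or port is wide enough to flag."""
    net = ipaddress.ip_network(rule["dst"], strict=False)
    return net.prefixlen < BROAD_PREFIX_LEN or rule["port"] == "any"


def review_rules(rules, today, stale_days=90):
    """Return {rule_id: [reasons]} for rules needing attention.

    Reasons, in the order they are checked:
      never-hit  rule has never matched traffic
      stale      last match is older than stale_days
      expired    the approval/justification date has passed
      broad      destination or port is over-broad (see is_broad)
    """
    now = date.fromisoformat(today)
    findings = {}
    for rule in rules:
        reasons = []
        if rule["last_hit"] is None:
            reasons.append("never-hit")
        elif (now - date.fromisoformat(rule["last_hit"])).days > stale_days:
            reasons.append("stale")
        if date.fromisoformat(rule["expires"]) < now:
            reasons.append("expired")
        if is_broad(rule):
            reasons.append("broad")
        if reasons:
            findings[rule["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rule_id, reasons in review_rules(RULES, today="2021-03-12").items():
        owner = next(r["owner"] for r in RULES if r["id"] == rule_id)
        print(f"rule {rule_id} ({owner}): {', '.join(reasons)}")
```

Nothing here removes a rule; the output is a short list the owner has to justify, which is the review conversation the post describes, just with the unchanged-and-still-used rules filtered out.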

Still, the message is one of knowing your environment. Sure, it’s difficult, and with SaaS, SASE, IaaS et al. the lines are blurred, the perimeter nebulous – but it remains crucial.

Cyber Security: a balance between usability and protection, user experience and controls.

By combining the right policies and foundational security controls, good endpoint protection and some behavioural analysis to help spot abnormal events, together with well-configured and monitored logs that afford us a historic view, AND by taking the time to review changes and requests for ever-more connectivity in the context of business benefit vs. risk, we as an industry can help to at least protect our little corners of the internet from the worst of these outbreaks.