InfoSec Island

Science Fiction Come True: Weaponized Technology Threatens to Shatter Security, Critical Systems

InfoSec Island - Tue, 07/03/2018 - 2:58am

By 2020, the very foundations of today’s digital world will shake. Nation states and terrorist groups will increasingly weaponize the cyber domain, launching attacks on critical national infrastructure that cause widespread destruction and chaos. With power, communications and logistics systems down, organizations will lose the basic building blocks needed for doing business. Heating, air conditioning, lighting, transport, information, communication and a safe working environment will no longer be taken for granted.

Let’s take a quick look at a few of the top threats to information security that are expected to emerge over the next two years, as determined by Information Security Forum research, and what they mean for your organization:

Cyber and Physical Attacks Combine to Shatter Business Resilience

Nation states and terrorists will combine traditional military force with their increasingly sophisticated cyber arsenals to launch attacks that create maximum impact. Organizations will face interruptions to business as cities become no-go zones and vital services are rendered unavailable, with governments, militaries and emergency services struggling to respond effectively to concurrent physical and cyber incidents.

Why Does This Threat Matter?

Physical and cyber attacks will be deployed simultaneously, creating unprecedented damage. Many nation states and terrorist groups (or both, working together) will have the capability to bring together the full force of their armaments – both traditional and digital – to perform a clustered ‘hybrid’ attack. The outcome, if successful, would be damage on a vast scale.

Telecommunication services and internet connections will be obvious first targets, leaving individuals and organizations cut off from the outside world. Assistance from emergency response services, as well as local and central governments, will be slow or non-existent as essential physical and digital infrastructure will have broken down.

These attacks will be designed to spread maximum chaos, fear and confusion. The stricken city, or cities, will be brought to a standstill, with both lives and businesses placed in jeopardy. Those at home will be unable and unwilling to go to work, or – without power or communications – unable to work from home. Those already in the office will be trapped with nowhere to escape to, as attacks hit them from every angle. Existing business continuity plans will be useless; they will not have been prepared to cater for an eventuality in which every system is down while individuals are in physical danger. People will panic. Work will be off the agenda.

Satellites Cause Chaos on the Ground

As an integral part of almost every walk of life, satellite systems will be targeted. Organizations are more reliant on satellites than ever before, routinely using global positioning systems (GPS) and communications services. Disabling or spoofing signals from GPS will put lives at risk and impact global travel and financial markets. Attackers may also target media, communications, meteorological and military functions to further disrupt operations and trade.

Why Does This Threat Matter?

Compromised satellite signals, whether spoofed by malicious adversaries or knocked out by collisions with other satellites or space debris, will cause widespread chaos down on Earth. As satellites become cheaper and easier for national space agencies and individual businesses to launch and maintain, they will become increasingly integral to modern life. Disabled or spoofed signals will interfere with critical transport, communications systems and even financial services.

Lives will be put at risk and supply chains hampered as spoofed GPS signals are sent to aircraft, ships and road vehicles. International financial systems – from stock exchanges to ATMs – that rely on exact timestamps on digital payments will be unable to record transactions accurately. Trading algorithms that rely on data from satellites on weather or location of specific assets (e.g. to instruct which crops to buy or sell) will be misled, potentially manipulating financial markets.

In the next few years, satellites will play an increasingly crucial role in connecting Earth-based infrastructure and systems. However, organizations will need to realize what the military has known for years – that no one will be spared if attacks against satellites succeed. The potential for crippling disruption is immense.

Weaponized Appliances Leave Organizations Powerless

Enemies aiming to inflict damage will take advantage of vulnerabilities in connected appliances such as thermostats, refrigerators, dishwashers and kettles to create power surges strong enough to knock out regional power grids. This relatively unsophisticated attack will bring operations to a grinding halt for organizations in affected areas, as governments prioritize restoring vital services over trade.

Why Does This Threat Matter?

Attackers will find ways to access a huge proportion of the millions of connected appliances – such as heating systems and ovens – and turn them into weapons. This mass of appliances could be commandeered and misused for a number of disruptive ends, similarly to the way botnets of poorly protected home computers have been used to initiate and sustain large scale DDoS attacks. However, one threat merits specific attention – the damage they can wreak collectively on power grids.

These appliances, forming part of the IoT – many in homes but also found in offices and factories – are always powered-on and always connected to the internet. Manipulated by attackers to switch on to full power simultaneously, appliances will create a demand for power so unexpectedly high that it overloads and brings down regional electricity grids. With the grid offline or severely degraded, organizations will be weakened and struggle to function.

The underlying foundations of many business continuity plans, such as instructing employees to work from home, will be rendered useless as they will have neither power nor a means to communicate. Dependent critical services such as water supplies, food production systems and health care will be unavailable. Power rationing will affect other utilities and services, such as heating, lighting and transport. To cap it all, organizations will lose out to competitors in non-affected areas who will be quick to take advantage of the increased demand for their services.

It's Past Time to Begin Preparation

Information security professionals are facing increasingly complex threats—some new, others familiar but evolving. Their primary challenge remains unchanged: to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.

In the face of mounting global threats, organizations must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.

The themes listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant.

The future arrives suddenly, especially when you aren’t prepared.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Navigating Dangerous Waters: the Maritime Industry’s New Cybersecurity Threat as Technology Innovation Grows

InfoSec Island - Tue, 07/03/2018 - 1:29am

The rapid evolution of technology and, in particular, the Industrial Internet of Things (IIoT) is transforming critical environments, bringing benefits such as optimised processes, reduced costs and energy efficiencies. The maritime industry, which forms part of our critical infrastructure, is adapting to access many of the benefits that innovation in technology can offer. By the end of the decade, for example, a new era of shipping will have started with the world’s first autonomous container ship transporting goods around the coastline of Norway.

Although such advances are to be applauded, they bring with them a high element of risk. Security researchers have been warning for many years that the shipping industry is ‘low hanging fruit’, because high-value goods are transported by ships with legacy systems and poor cybersecurity practices to safeguard against malicious attacks. This leaves vessels at risk of a wide range of threats, from live location tracking to the loss of critical functions such as power and navigation.

The dangers of Operational Technology at sea

A concerning problem encountered within maritime is a lack of recognition that a container ship is a critical environment, warranting robust protective systems like any other Operational Technology (OT) environment, such as a utility. Once connected to a network, this technology risks being targeted by hackers. The threat is a real one; researchers have demonstrated proof-of-concept cyber-attacks against many of the most common maritime systems, and there is evidence of incidents at sea in which navigational computers were infected with malware from a USB stick being used for upgrades.

A one-size-fits-all approach to cybersecurity won’t be an effective solution, as the shipping industry presents a unique challenge for hardening cybersecurity; that is, every ship is different. A lack of standardisation across vessels means a vast mix of legacy OT has been deployed, much of which was not designed with security in mind, as well as further networked technologies which have been added over time.

A major vulnerability is the lack of cybersecurity skills, knowledge and focussed training among many crew members to recognise, understand and address incidents. For the most part, the person responsible for IT combines the role with another, leaving little time to monitor, respond to or rectify a cybersecurity breach. In this circumstance, remote monitoring for such issues is also problematic due to a shortage of reliable bandwidth while at sea.

A change in approach – the importance of risk management

These challenges are not unsolvable and for those that get it right, cybersecurity will be a powerful enabler in the world of more automated shipping. Adopting a risk management approach – where risk appraisal is used to identify, evaluate and prioritise risks in order to control the probability or impact of an incident – will be key to the maritime sector’s future. A risk management approach begins with identifying which systems, data and interfaces are unprotected and pose the greatest risk to operations if compromised. In a maritime context, this should involve the frequent testing and hardening of systems, as well as securing devices and networks by closing unused data ports and ensuring full network segregation between OT and IT systems.

Better staff training is also a must for all those working on a vessel. For example, crew systems, such as terminals for entertainment or personal email, should be kept isolated from other systems as one of the primary threats remains inadvertent infection via a flash drive or mail attachment. Crew members should be able to utilise such technology in a secure manner and be trained to avoid suspicious email links.

But effective cybersecurity must also be business efficient cybersecurity. The maritime industry will need to adapt to access the many benefits of technological innovation but do so in a safe and secure way. Learning the lessons of other industries, it is clear that one of the best ways to improve resilience to cyberattacks and harden maritime networks is to build a cyber secure supply chain. Working with suppliers whose products are demonstrably secure, and partners whose knowledge is advanced in existing maritime systems will be fundamental to robust OT security and a safer future for asset transport at sea.

About the author: Jalal Bouhdada is Founder and Principal ICS Security Consultant at Applied Risk.


Is User Training the Weakest Link for Your Email Security Approach?

InfoSec Island - Thu, 06/28/2018 - 2:41am

The days of only deploying an email security gateway to block viruses, spam and other threats from reaching user email accounts are gone. Even though gateways no doubt have their place in a comprehensive security strategy, in most cases they are paired with supplementary technologies to ensure the most effective layered email protection. This is critical because gateways aren’t designed to sniff out attacks such as social engineering, phishing, spear phishing, and business email compromise (BEC). There is also the constant possibility of users being phished on personal email accounts that aren’t controlled by gateways at all. There are technologies to accompany gateways such as AI powered email security solutions, which offer the best hope to stop spear phishing, impersonation and BEC attacks.

But let’s say you are well informed and have already deployed extra security layers to protect against sophisticated email-borne data theft, malware, phishing and other threats. Perhaps you even have a comprehensive backup and recovery strategy to combat ransomware attempts that could hold your data hostage. From a technology standpoint you’ve thought of everything, but the problem is—your users probably have not. This could be especially true for mid- to low-level employees, including sales or customer service teams, for whom being security aware just isn’t at the top of the to-do list. Ultimately, these folks could be part of the problem without even knowing it.

That’s because end users frequently receive messages containing links to spoofed websites where criminals intend to steal their credentials in order to gain entry and launch attack campaigns. These employees are also the unlucky recipients of numerous social engineering attacks, including fraud attempts that could result in wire transfers to cybercriminals. What’s more alarming is that these attacks avoid traditional security technologies, making the actions users take more important than ever. In order to shed a bit more light on this piece of the email security puzzle, Dimensional Research recently collected data from over 630 participants located around the globe who all had some level of responsibility for email security within their organization. Let’s take a deeper look at some of the points covered in the research:

User behavior and security risks

One of the points that really stands out to me is that effective security these days isn’t just about security tools and technology; employee behavior is actually a greater concern. 84 percent of the respondents attributed security concerns to poor employee behavior, while 16 percent cited inadequate tools as the culprit.

It was also interesting to see that there is no real consensus on the level of employee or title that is most likely to fall for an attack. This is proof that cybercriminals are balancing their attacks across organizational levels and not targeting any particular level of employee.

The reasoning for this is that, like any scam, email attacks are typically a numbers game. The more attempts made, the better the success rate criminals have, which is one of the reasons they continue to go after individual contributors—there are just more targets available. Alternatively, in targeting executives, the payoff is much greater as they have access to more sensitive and critical information. This supports the idea that criminals are operating just like a business—they make good risk versus reward decisions.

Finance is considered the most vulnerable

It probably isn’t surprising to anyone that finance employees are thought of as being the most vulnerable, as they usually have access to the company’s crown jewels. 24 percent of respondents believe that finance departments are the most vulnerable to an attack. What might be surprising about this set of findings is that the respondents believe that legal departments are of very little risk. Perhaps legal teams are just viewed as being more aware of the consequences or less likely to act on an attempted attack?

On the other side of the office, we have the sales and customer service departments, who, according to respondents, were the most likely to put their organization at risk. This could be simply because these teams communicate heavily over email at a rapid pace, which could open the door for attacks. Regardless of the reason, if the belief is true, organizations may want to take the necessary steps to make sure these teams are aware of the possible threats that could be lurking in their inboxes.

End user training is essential, but a better offering is needed

100 percent of the respondents said that end-user training is important to their email security posture. It is great to see that training is recognized as an important cog rather than being labeled a “nice to have” piece of the strategy.

We also learned that organizations are offering more than just a traditional classroom style approach to education for their users. In our experience, the most effective programs are able to scale, move quickly, and offer the flexibility to work into and around busy schedules. Offering training at the convenience of each individual’s schedule makes all the difference in retention of information and employees’ willingness to participate. With that said, it’s essential to test if these training programs are making an impact. This could mean testing employees on their knowledge with simulated email attacks, or even tracking behavior to help security teams drill down on weaknesses in their organization.

Who actually trains their users?

We’re seeing that all organizations have good intentions, but according to the data, only 77 percent of the respondents said they are actually training their employees. Not a terrible number by any means—but there’s definitely still a gap, and room to improve.

The reported data also shows that organizations with over 1000 employees are more likely to implement training. This isn’t uncommon or too surprising as large businesses have more resources and are typically early adopters of new technologies and trends. Smaller organizations usually follow proven practices, but are forced to make the most of their available budgets.

Ideally, every organization regardless of the size should be exploring new technologies and practices to adapt to the evolving threats in the wild. Employees of any level or title should be trained regularly and tested on their security knowledge.

So, is end-user security training and awareness the missing link in your complete email security strategy? The data shown suggests that it is definitely a clear concern, and if you consider the number of attacks happening daily, almost every incident involves human interaction.

Malicious links must be clicked for cybercriminals to gain initial entry. Attachments must be downloaded and money has to be willingly transferred by an unsuspecting employee for these attacks to be successful. Putting training at the top of your layered security strategy alongside your technology stack will ensure that your employees are less of a liability, and the risk of a breach will be significantly lower.

About the author: Dennis is responsible for the entire business lifecycle of the PhishLine product family at Barracuda Networks, including product strategy, product design, sales, onboarding, support, and renewals.


Least Privilege Access – Still at the Front Lines of Security

InfoSec Island - Wed, 06/27/2018 - 8:33am

Ever since authentication and authorization became the norm for access to computer systems, the principle of least privilege (POLP) has been the de-facto baseline for proper security. At its very core, least privilege access means granting a user just enough permissions (authorization) to access the data and systems in their company’s enterprise necessary to do his or her job – nothing more, nothing less. In theory, adhering to the POLP sounds like the perfect identity and access management strategy, but often implementing least privilege is easier said than done.

Why is it so hard?

There are a number of factors to consider. First, in order to implement least privilege, there needs to be a clear understanding of what the right access actually is for each user and their role. Second, in order to enforce the defined level of access, there has to be some sort of enforcement tool. And third, the definition and enforcement of granting access should be executed in a way that doesn’t get in the way of users doing their jobs. While least privilege is of value for securing all types of access, it is most critical when managing administrator access.

Some systems make it easy with well-defined roles and granular definitions of the permissions associated with those roles. But other systems aren’t as cooperative, with no native utilities to define and enforce what “right” actually means. For those systems, organizations are often left to their own devices, relying on tribal knowledge to define “right” and having limited tools to enforce it. The result is many organizations deeply wanting to enforce least privilege but, in practice, finding themselves successful only on a very limited scale.

From an administrative access standpoint, many organizations take the easy way out by sharing administrative (or “superuser”) credentials among all individuals who might require them for their role, giving many more employees more access to data and systems than may be necessary to do their job – the polar opposite of POLP.

The classic example of least privilege for administrative access is an open source utility available for Unix and Linux systems called sudo (short for “superuser do”), which allows an organization to define a role with a certain subset of the all-powerful root credential in a sudoers file. When an administrator logs on, they must preface the command with “sudo.” If the command in question is allowed in the sudoers policy, the user will be allowed to execute it; if not, access will be denied.

Sudo works great in many instances. However, when a Unix/Linux environment hits a certain size, the fact that sudo runs independently on each Unix/Linux server makes its execution of least privilege unruly, error-prone, and counterproductive. Consequently, there are whole categories of privileged access management (PAM) solutions that either replace sudo with a single solution that covers the entire environment with one policy and enforcement set along with keystroke logging, or augment sudo with centralized policy across all instances (as opposed to multiple islands of sudoers files).
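To make the sudo model above concrete, here is an added example (written for this page; not code from the article, from sudo, or from One Identity) that models a small subset of sudoers semantics: User_Alias, Cmnd_Alias, plain user specs and ALL, evaluated against constructed sample policies for a central file and one host’s hand-edited local copy. It also diffs the grants two policies hand out, which is the “islands of sudoers files” problem; %group entries, `!` negation, Runas enforcement and includes are deliberately left out.

```python
"""Simplified sudoers evaluator: does a policy grant a user a command on a host,
and do two hosts' "islands" of policy drift apart?  Educational model of a subset
of sudoers (User_Alias, Cmnd_Alias, user specs, ALL); not sudo's real parser."""
import fnmatch
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class Policy:
    user_aliases: dict = field(default_factory=dict)  # alias -> set of user names
    cmnd_aliases: dict = field(default_factory=dict)  # alias -> list of command specs
    rules: list = field(default_factory=list)         # (user tokens, host, command tokens)


def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue                                # Defaults (e.g. log_output) grant nothing
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            policy.user_aliases[name.strip()] = set(_split_list(members))
        elif line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            policy.cmnd_aliases[name.strip()] = _split_list(cmds)
        else:
            # user spec:  users host = (runas) commands   -- the first '=' separates them
            lhs, rhs = line.split("=", 1)
            tokens = lhs.split()
            users, host = _split_list(" ".join(tokens[:-1])), tokens[-1]
            commands = _split_list(re.sub(r"^\([^)]*\)\s*", "", rhs.strip()))
            policy.rules.append((users, host, commands))
    return policy


def _expand_users(policy, tokens):
    out = set()
    for tok in tokens:
        out |= policy.user_aliases.get(tok, {tok})
    return out


def _expand_cmds(policy, tokens):
    out = []
    for tok in tokens:
        out.extend(policy.cmnd_aliases.get(tok, [tok]))
    return out


def _command_matches(spec, command):
    """sudoers-style matching: the path is globbed; a spec with no arguments permits
    any arguments, an explicit "" permits none, otherwise the argument string must
    glob-match the spec's argument string."""
    if spec == "ALL":
        return True
    spec_parts, cmd_parts = shlex.split(spec), shlex.split(command)
    if not cmd_parts or not fnmatch.fnmatchcase(cmd_parts[0], spec_parts[0]):
        return False
    if len(spec_parts) == 1:
        return True
    if spec_parts[1:] == [""]:
        return len(cmd_parts) == 1
    return fnmatch.fnmatchcase(" ".join(cmd_parts[1:]), " ".join(spec_parts[1:]))


def _host_matches(rule_host, host):
    return rule_host == "ALL" or fnmatch.fnmatchcase(host, rule_host)


def may_run(policy, user, host, command):
    """Least-privilege decision: True only if some rule explicitly grants the command."""
    for users, rule_host, specs in policy.rules:
        if user not in _expand_users(policy, users) or not _host_matches(rule_host, host):
            continue
        if any(_command_matches(spec, command) for spec in _expand_cmds(policy, specs)):
            return True
    return False


def grants(policy, host):
    """Every (user, command spec) pair the policy hands out on a given host."""
    out = set()
    for users, rule_host, specs in policy.rules:
        if _host_matches(rule_host, host):
            for user in _expand_users(policy, users):
                for spec in _expand_cmds(policy, specs):
                    out.add((user, spec))
    return out


def policy_drift(reference, local, host):
    """Grants present in a host's local sudoers but absent from the central policy."""
    return grants(local, host) - grants(reference, host)


# Constructed sample policies (not from the article).  The central file delegates only
# nginx operations to the web admins and turns on session/keystroke logging.
CENTRAL_POLICY = """\
Defaults log_input, log_output            # session/keystroke logging for audit
User_Alias WEBADMINS = alice, bob
Cmnd_Alias NGINX_CTL = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx, /usr/bin/journalctl -u nginx*
WEBADMINS ALL = (root) NGINX_CTL
"""
# One host's local copy was edited by hand: 'carol' now has unrestricted root.
WEB02_LOCAL_POLICY = CENTRAL_POLICY + "carol ALL = (ALL) ALL    # added during an outage, never removed\n"

if __name__ == "__main__":
    central, web02 = parse_sudoers(CENTRAL_POLICY), parse_sudoers(WEB02_LOCAL_POLICY)
    for cmd in ("/usr/bin/systemctl restart nginx", "/usr/bin/systemctl restart sshd", "/bin/bash"):
        print(f"alice@web01 may run {cmd!r}: {may_run(central, 'alice', 'web01', cmd)}")
    print("drift on web02 versus central policy:", policy_drift(central, web02, "web02"))
```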

When looking at PAM, Unix/Linux is typically only a part of the overall PAM picture. There are other systems where unchecked administrator access can be just as damaging, if not worse, than on Unix/Linux. For example, most organizations have a significant investment in Microsoft Active Directory (AD) and Azure Active Directory (AAD), with those systems being the primary front door for the majority of end user access needs. This makes the AD/AAD admin critical in any PAM program. The POLP should extend to these administrators as well.

The reality is that beyond the Unix/Linux and AD/AAD platforms, POLP is extremely difficult to enforce consistently in the modern heterogeneous enterprise. Some applications have the capability built in, while others make no attempt to enable the practice. It becomes a crapshoot, but POLP is a practice that needs to be pursued as far as possible throughout every PAM program. Here are a few tips to help you get the most from the POLP in your PAM program:

  • Make the most of what you can control: within Unix/Linux look for opportunities to improve on the native sudo capabilities to eliminate weaknesses and improve operational efficiency in executing least privilege. Simply augmenting or replacing sudo with a commercial solution yields significant security gains. Similarly, with the status AD/AAD enjoys it only makes sense to seek third-party assistance in removing the all-or-nothing default of administrator access.
  • Use a vault: privileged password vaults are a great alternative to shared administrative passwords when least privilege is not an option. With day-to-day Unix/Linux and AD/AAD admin access delegated in a least privilege model, placing security, policy, and automation around the issuance, approval, and management of other privileged passwords makes sense. It removes the anonymity that is so dangerous with unchecked administrative access and provides controls around the whole process. Vaults also provide a viable alternative to issuing the entire permission set of a delegated admin account to a single user. Delegate the day-to-day activities and vault the superuser access for firecall and other critical tasks.
  • Audit activities: no PAM program is complete without the ability to close the loop on what administrators actually do with their permissions. Employ session audit and keystroke logging to augment delegated administrator access, allowing you the visibility to know what is actually done with the permissions in question.
  • Implement analytics: the final piece of the PAM puzzle is to implement analytics. Privileged behavioral analytics will help detect anomalous and dangerous activities, while identity analytics will evaluate the rights associated with an individual administrator’s permissions in both the vault and the least-privileged model. Analysis of rights and permissions across administrators in similar roles can help organizations identify weak spots in their least privilege model.

The POLP is a critical component of any effective PAM program, but it is not the only principle. A well-rounded program will also augment POLP with vaulting, session auditing, and analytics to truly deliver on the security objectives for which the program is designed.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.


“Can you Hear Me Now?” - Security Professionals Warn about Who May Be Listening

InfoSec Island - Wed, 06/27/2018 - 7:32am

In light of the recent move by Verizon to stop sharing location data with third parties, companies need to rethink strategies for data gathering from users.

While in the past companies and app makers have used different technologies on mobile devices to gather more and more data, that growing store of data is also making it more attractive for malicious hackers to find a way in.

In one case, the company ‘La Liga’ disclosed to users what the microphones will be used for and how they’re used. Malicious app developers are not always so kind, and ignorant app developers put people at risk without realizing it.

La Liga wants to collect user location data to track down unlicensed broadcasts of soccer games at sports bars and clubs. This activity is in their own interests, without consideration for the user. Of course, there are likely other ways to approach this problem that don’t require utilizing their customers' mobile devices as their own personal eavesdropper, but this is the route they undertook. And to top it all off, they had enough courage to openly disclose this to their userbase, perhaps because they hoped there would not be any significant user backlash. This approach will likely be successful, due to a prevailing lack of information among end users in many countries about data privacy, the right to information privacy, and inappropriate sharing.

The tradeoff here is that trying to stop someone from misusing a service opens up a new potential attack scenario for the bad guys. As we have seen with other apps that drive voice-enabled technology, how it is intended to work and how it may be used or misused are two very different things.

Don Green, Mobile Security Manager, WhiteHat Security, shared his thoughts on a few items that might have a bad guy smiling, including:

  • “The mobile device microphone and geolocation will only be activated during the time slots of matches in which La Liga teams compete.”

From the Bad Guy perspective, the first thing I am going to do is try to abuse the match time slot data to have listening and geolocation occur 7x24. If I’m after you, I want to make sure I’m hearing everything you say all the time and know where you are at all times.

  • “La Liga will periodically remind users that it can activate their microphones and GPS and will ask them to reconfirm consent.”

“Periodically” is a term hackers just love, while for users it’s a nightmare. Oh, here’s a notice to reconfirm consent… is it really? For bad guys, this is the perfect scenario set up to send users fake notices and get them to download malware.

While it is a good practice for businesses who are fighting against fraud, extreme caution must be used with the approach. There’s a fine line between protecting the business and putting the business at risk by passing additional risks to customers. For example, courts want to track the phones of criminals and inmates on parole, and Apple recently started cracking down on geolocation apps, especially since GDPR takes a broad view of location data and personally identifiable information (PII).

Application designers and sellers need to be able to scan the apps and determine whether they are accidentally releasing this kind of information, versus making a deliberate decision based on business need to broadcast where each cell phone user is. Ultimately, customers define what is an acceptable level of risk and privacy.

About the author: Jeannie currently serves as security manager at WhiteHat Security. She believes application security is the Next Big Thing in the security space.


Every Business Can Have Visibility into Advanced and Sophisticated Attacks

InfoSec Island - Mon, 06/18/2018 - 2:15am

Years ago, senior managers of large organizations and enterprises were primarily preoccupied with growing their businesses, forming strategic alliances and increasing revenue. Security, mostly left to IT departments, was usually regarded as a set-and-forget solution that was in place for either compliance purposes or to prevent permanent damage within the organization’s infrastructure.

Fast forward several years, and organizations have woken up to the cold reality of data breaches, malware outbreaks, and hefty financial penalties caused by the increased sophistication of threats and the inadequate security measures organizations have implemented. Since 2013, hacks and data breaches have not only flooded the mainstream media, but have also shown just how ill-prepared organizations really are when dealing with them.

Equifax, Yahoo, the US and French election scandals, Wannacry, NotPetya, BadRabbit, and Uber are among the most memorable events in recent cybersecurity history. Equifax lost over 30 percent of its market value, which is about $5 billion. Verizon saved $350 million when buying Yahoo, because of the massive data loss scandal. Cyberattacks are bad for businesses, and their consequences bring cyber risk to the top of the minds of senior executives.

Quantifying the impact of cyberattacks

While decision makers and senior executives prefer hard numbers when quantifying the impact of a cyberattack, it’s worth noting that the traditional method of assessing breaches is somewhat flawed. Simply looking at the direct costs associated with the theft of personal information is no longer enough, especially with GDPR threatening heavy penalties for the breach of customer or employee records.

For a complete view on the impact of cyberattacks, organizations need to look beyond the theft of intellectual property, the disruption of core operations, and the destruction of critical infrastructure. They need to start factoring in hidden costs that revolve around insurance premiums, lost value of customer relationships, value of contract revenue, devaluation of brand, and the loss of intellectual property.

Understanding the Change

To understand how things have changed, organizations need to look at the cyberattack kill-chain that most advanced and targeted attacks employ to breach an organization’s infrastructure.

Reconnaissance, the first stage, involves threat actors selecting a target, researching it, and attempting to identify vulnerabilities in its infrastructure. Weaponization is the process in which threat actors create or repurpose malware and exploits to breach the target organization. Delivery and exploitation involve transmitting the cyber weapon to the target, either via email attachments or infected websites, and exploiting a vulnerability in a target program on the victim’s endpoint. The last three stages usually involve the installation of access tools that allow the malware to connect to a C&C (Command and Control) server so the intruder gains persistence in the targeted infrastructure, and conclude with data exfiltration, data destruction, or whatever actions on objectives the threat actors had in mind when targeting the organization.

The obvious goal is to break the attack kill-chain before it reaches the actions on objectives phase. As such, endpoint protection platforms (EPPs) have predominantly focused on disrupting the first four steps of the kill chain, preventing threat actors from installing malware on the targeted endpoint. However, prevention is never 100% bulletproof.
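To make the split between the first four stages and the last three concrete, here is an added example (not code from the original article or any vendor) that maps constructed endpoint events onto the kill-chain stages above and flags hosts where the chain got past the stages prevention is expected to stop; the event names and sample log lines are assumptions made for illustration.

```python
# Added example (not from the original article): tag constructed endpoint events
# with the kill-chain stages described above and report how far an intrusion got.
# The stage order and the EPP/EDR split (stages 1-4 vs 5-7) follow the article;
# the event vocabulary and the sample log lines are constructed.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
PREVENTION_STAGES = set(STAGES[:4])  # where an EPP is expected to break the chain

# Hypothetical mapping from an endpoint event type to the stage it evidences.
EVENT_STAGE = {
    "port_scan_inbound": "reconnaissance",
    "email_attachment_opened": "delivery",
    "office_spawned_shell": "exploitation",
    "persistence_run_key": "installation",
    "beacon_to_unknown_host": "command_and_control",
    "bulk_file_read": "actions_on_objectives",
}

def parse_log(lines):
    """Parse constructed 'host event_type' lines into (host, event_type) pairs."""
    return [tuple(line.split()) for line in lines if line.strip()]

def assess_host(event_types):
    """Return (furthest_stage, needs_edr_response) for one host's events.

    furthest_stage is the latest kill-chain stage evidenced (None if nothing
    mapped); needs_edr_response is True when the chain got past the four
    stages prevention is meant to stop, i.e. where EDR visibility matters.
    """
    seen = {EVENT_STAGE[t] for t in event_types if t in EVENT_STAGE}
    if not seen:
        return None, False
    furthest = max(seen, key=STAGES.index)
    return furthest, furthest not in PREVENTION_STAGES

def assess_log(lines):
    """Group parsed events by host and assess each host."""
    by_host = {}
    for host, event_type in parse_log(lines):
        by_host.setdefault(host, []).append(event_type)
    return {host: assess_host(types) for host, types in by_host.items()}

# Constructed sample log: ws-01 shows a chain that reached C&C beaconing,
# ws-02 only an inbound scan, ws-03 an event with no kill-chain meaning.
SAMPLE_LOG = ["ws-01 email_attachment_opened", "ws-01 office_spawned_shell",
              "ws-01 persistence_run_key", "ws-01 beacon_to_unknown_host",
              "ws-02 port_scan_inbound", "ws-03 software_update_check"]

if __name__ == "__main__":
    for host, verdict in assess_log(SAMPLE_LOG).items():
        print(host, verdict)
```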

The most radical change companies have made in recent years to address this is implementing solutions that improve their ability to quickly detect and effectively respond to these types of targeted attacks. This is where Endpoint Detection and Response (EDR) solutions come in.

Breaking the Unbreakable Shield

In recent years, EPPs were commonly regarded much like Captain America’s shield – one of the Marvel Universe’s most resilient and almost invulnerable objects. However, on rare occasions, the shield – though it was designed to be indestructible – has failed to protect Captain America. Even though villains with such powers are few and far between, it can happen, just like with an advanced, targeted cyberattack breaking through an EPP.

Similarly, no matter how seriously a company takes security and regardless of what state-of-the-art tools it uses to prevent cyberattacks, prevention doesn’t work 100% of the time, especially for sensitive industries or high-profile organizations that are targets of very advanced and persistent attacks. The attacks that manage to elude prevention are typically very insidious, incredibly difficult to detect, and highly damaging to organizations.

Companies need to improve their ability to quickly detect and effectively respond to these types of attacks, investigate incidents for scope and impact, limit damages, and fortify themselves with an enhanced security posture against future attacks.

EDR tools help companies achieve these objectives: they focus on detecting security-related events and incidents, while providing strong instruments for investigation and the capabilities to respond appropriately to incidents. Therefore, in the context of the increasing number and sophistication of attacks, the importance of EDR solutions for companies is growing quickly.

Building a Security Ecosystem

Building a strong security ecosystem is about having both the shield and the sword working together to increase the overall security posture of the organization. Integrated EPP and EDR means security that evolves over time. A strongly integrated platform enables security teams to incorporate threat intelligence into improving the organization’s security posture, by adapting security policies to block identified threats or by eliminating vulnerabilities through security patching. A platform developed from the ground up as an integrated solution enables superior operational effectiveness. It is faster and cheaper to acquire, easier to deploy, consumes fewer endpoint resources, and saves time for the security team.

Having all these built into a single platform can help provide enterprises with prevention, detection, automatic response, threat visibility and one-click resolution capabilities to accurately defend against even the most sophisticated cyber threats and to be prepared even if their virtually invincible shield cracks.
