Be One Step Ahead: What Makes a Holistic Threat Prevention System
Understandably, leaders across the board are actively reviewing new ways for safeguarding their cloud-based and hybrid operations. Advanced threat prevention systems, in particular, are in high demand. But what should such a system entail, and which security areas should it address?
To withstand emerging threats, our information security team suggests that CISOs focus on the following five areas:
- Leverage an identity management service
- Implement advanced data protection software
- Adopt new standards for device trust
- Put a strong focus on cloud security
- Upgrade infrastructure security
Now, let’s put them under the microscope to better understand how to excel in each one.
1. Identity Management
The value of any type of threat protection system greatly diminishes if your organization does not take identity management seriously enough. Compromised user credentials give attackers a direct path into your systems and to sensitive corporate data.
In most cases, your employees will act as “accidental insiders”, unknowingly enabling access to criminals with their day-to-day behavior. To put that into perspective, one financial enterprise with 250,000 employees globally decided to monitor how their workforce interacts with the web. Their discovery was staggering: every day, the employees made over 660 million attempts to access various websites. Among them, 2.2 million were identified as “malicious” and blocked by the installed threat prevention system. Additionally, 244 suspicious files were captured by the network perimeter anti-malware solution.
We can infer from that data that a lot of dubious websites could steal employee credentials and private data. Such data can also be harvested and re-sold to hackers, who then use password-cracking tools to break into corporate systems.
The newer generation of identity management software can help reduce the toll of compromised credentials in two ways:
- Firstly, you can set up Single Sign-On (SSO) and Two Factor Authentication (2FA) for accessing all the corporate accounts. This will prevent risks associated with weak passwords/password re-usage.
- Secondly, a centralized identity management system gives you complete visibility into each user's account health and browsing behavior. Through proactive monitoring and privileged access management, your security team can exercise more granular control over user permissions and rapidly ‘cut the cord’ if a security incident is detected.
In our previous post, we showcased how to leverage Azure identity management solutions to secure cloud-based operations.
2. Corporate Data Protection
A strong data protection policy is both a regulatory and a security requirement. GDPR set forth the requirement for data “integrity and confidentiality”, as well as “storage limitation”, and so did the California Consumer Privacy Act (CCPA) in 2019.
Though both provisions are vague about which data protection standards and methods must be applied, there is no ambiguity about the penalties: they are costly and swift for businesses found negligent with sensitive data.
While different businesses store and operate different types of records, the general levels of corporate data protection should extend to:
- All operational data
- Systems, networks, and configuration data
- Personal data of customers/users and employees
- Audit data shared with external third parties
Furthermore, your data protection solutions should be configured to support:
- Endpoint data protection
- Communications data protection
- Configuration data protection
- Monitoring data protection
That’s a lot of “spinning platters”, especially for organizations with hybrid or multi-cloud infrastructure. Granted, most cloud services come with native data protection mechanisms and continuous data protection solutions that can be centrally configured to safeguard different data types (data at rest, data in use, and data in motion), as well as enable security monitoring for data exchanges.
Microsoft Azure, for example, uses SSL/TLS for protecting all data in transit, plus uses encryption for all LDAP and partition/replication traffic. Data at rest can be encrypted using the Distributed Key Manager (DKM) and protected with symmetric keys, private asymmetric keys, and passwords.
Still, extra vigilance is necessary when it comes to securing different types of assets. Here’s a cautionary tale from Blind. A couple of years ago, the anonymous workplace social media app was reportedly testing an internal tool for its users. During those trials, an external security expert found that one of the company’s backend Elasticsearch databases, which hosted some sensitive user data, was live without a password. In other words, anyone who knew where to look could have stolen user account information and gone public with it.
The takeaway: cloud data protection is a shared responsibility. While the cloud vendor provides you with all the tools and services for safeguarding your data and infrastructure, it’s your IT security analyst’s job to ensure that the defense perimeter is airtight.
3. User Verification and Device Trust
Secure identity management has also become of the greatest importance since the rapid shift to remote work. With employees using personal mobile devices, laptops, and unprotected home networks, the security tax on corporate infrastructure has grown significantly.
Amid the rapid exodus to remote work, 45% of organizations had to ask their employees to use personal devices for work. Over 6 months into the pandemic, 42% also admitted that they were yet to secure those devices.
Several problems arise here:
- Personal employee devices are more exposed to malware risks since they are less rigorously maintained.
- Connecting a growing number of devices to corporate networks and properly verifying each device is hardly possible.
Subsequently, here’s what happens: a trusted user logs onto the corporate network over a VPN from an infected computer, and the malware travels through the VPN into the corporate network. Alternatively, users browse various websites and download questionable software to their devices. While such actions are restricted inside the corporate network, a remote machine connected via VPN is not. That is how security incidents happen.
To prevent bad scenarios, CISOs can do several things:
- Select a security solution that lets you create and enforce corporate IT policies for VMs, host operating systems, enterprise apps, and sensitive data.
- Implement centralized VM authentication to verify the users’ identities.
- Consider dynamic or just-in-time access to VMs to reduce the exposure of your systems to the outside world.
- Enable continuous monitoring across all your VMs to identify possible vulnerabilities early on.
4. Cloud Security
As mentioned already, cloud security is a shared responsibility between the vendor and the company. This fact can create security issues for early cloud adopters who try to transplant on-premises security information and event management (SIEM) practices into the newly created cloud environment. The problem is that most rule-based SIEM solutions no longer suffice for advanced threat prevention.
Apart from ensuring proper cloud identity management and continuous data protection, you should also leverage the following best practices:
- Monitor for multi-vector anomalies: A newer generation of machine learning algorithms can help identify patterns indicative of fraud, rather than one-time minor security offenses (such as unsanctioned app download).
- Set up intelligent alerts: Be realistic: your SOC team won’t be able to act on every event your threat prevention system detects (including false-positive ones). Cloud-based SIEM solutions such as Azure Sentinel let teams set custom analytics rules for threat detection (whitelisting known events and/or low-risk users). Plus, you can configure and prioritize alerts to better match your operations.
- Monitor for shadow IT and unsanctioned apps: Monitor network traffic to locate unapproved and suspicious data flows. These are typically indicative of shadow IT.
To assist CISOs with targeted shadow IT monitoring and prevention, Microsoft recently released the Microsoft Cloud App Security (MCAS) tool. This solution helps IT teams identify unapproved apps, educate users about alternatives, and/or update policies around the usage of similar solutions. According to a Forrester study, companies using MCAS experienced 75% fewer security incidents.
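The three practices above (multi-vector correlation, allow-listed analytics rules, and shadow IT detection from traffic) can be illustrated with a small detection routine. The following is an added example written for this post; it is not Infopulse, Azure Sentinel or MCAS code. The log lines, the sanctioned-domain list, the allow-listed service account and the thresholds are all constructed, and the scoring weights are an assumption chosen for illustration: each signal alone is a minor offense, and only their combination for one user raises an alert.

```python
"""Correlate proxy and sign-in events per user, suppress allow-listed noise,
and report unsanctioned (shadow IT) destinations.

Added example; every log line, domain, account name and threshold below is
constructed for illustration and does not describe any real environment."""
import re
from collections import defaultdict

# Constructed sample logs, one event per line:
#   timestamp | event_type | user | detail (key=value;...) | bytes_out
SAMPLE_LOGS = """\
2021-03-01T08:01:00Z|signin|alice|country=DE;new_device=0|0
2021-03-01T08:02:10Z|web|alice|dst=mail.example-corp.test;category=business|1200
2021-03-01T08:05:00Z|signin|bob|country=BR;new_device=1|0
2021-03-01T08:06:30Z|web|bob|dst=drop.filehost.test;category=file-sharing|52000000
2021-03-01T08:07:00Z|web|bob|dst=updates.vendor.test;category=software|300
2021-03-01T09:00:00Z|web|carol|dst=notes.saas-tool.test;category=productivity|8000000
2021-03-01T09:10:00Z|web|svc-backup|dst=drop.filehost.test;category=file-sharing|900000000
"""

SANCTIONED_DOMAINS = {"mail.example-corp.test", "updates.vendor.test"}
# Allow-list of reviewed low-risk accounts (here a hypothetical backup service
# account whose large transfers the SOC has already investigated).
ALLOWLIST_USERS = {"svc-backup"}
UPLOAD_THRESHOLD = 10_000_000   # bytes to an unsanctioned host in a single event (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<type>[^|]+)\|(?P<user>[^|]+)\|(?P<detail>[^|]*)\|(?P<bytes>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    ev["detail"] = dict(kv.split("=", 1) for kv in ev["detail"].split(";") if "=" in kv)
    return ev

def load_events(log_text):
    """Group parsed events by user, dropping allow-listed accounts up front."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["user"] not in ALLOWLIST_USERS:
            per_user[ev["user"]].append(ev)
    return per_user

def score_user(events):
    """Return (score, reasons). Signals are weighted so that one minor event
    stays below the alert threshold while a combination crosses it."""
    score, reasons = 0, []
    for ev in events:
        d = ev["detail"]
        if ev["type"] == "signin" and d.get("new_device") == "1":
            score += 1
            reasons.append("sign-in from unrecognised device")
        elif ev["type"] == "web":
            dst = d.get("dst", "")
            if dst not in SANCTIONED_DOMAINS:
                score += 1
                reasons.append(f"unsanctioned destination {dst}")
                if ev["bytes"] >= UPLOAD_THRESHOLD:
                    score += 2
                    reasons.append(f"large upload ({ev['bytes']} bytes) to {dst}")
    return score, reasons

def analyse(log_text, alert_threshold=3):
    """Multi-vector correlation: one alert per user whose combined score
    reaches the threshold, highest score first."""
    alerts = []
    for user, events in load_events(log_text).items():
        score, reasons = score_user(events)
        if score >= alert_threshold:
            alerts.append({"user": user, "score": score,
                           "priority": "high" if score >= 4 else "medium",
                           "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])

def shadow_it_report(log_text):
    """Unsanctioned destinations seen in traffic, as (domain, total_bytes, users),
    largest data flow first. Feeds the 'educate users / update policy' step."""
    totals, users = defaultdict(int), defaultdict(set)
    for user, events in load_events(log_text).items():
        for ev in events:
            dst = ev["detail"].get("dst")
            if ev["type"] == "web" and dst and dst not in SANCTIONED_DOMAINS:
                totals[dst] += ev["bytes"]
                users[dst].add(user)
    return sorted(((d, totals[d], sorted(users[d])) for d in totals), key=lambda t: -t[1])

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
    for row in shadow_it_report(SAMPLE_LOGS):
        print(row)
```

On the constructed input, only one user is alerted: a new-device sign-in plus a large upload to an unsanctioned file host. The user who merely touched an unsanctioned productivity app is not alerted, but that app still appears in the shadow IT report, which is the point of keeping the two outputs separate: one drives the SOC queue, the other drives policy and user education.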
5. Infrastructure Security
Last, but not least, make sure that you have sufficient cyber threat prevention facets implemented for protecting corporate infrastructure — servers, VMs, networks, and databases, hosted both on-premises and in the cloud.
With a larger fraction of work happening remotely, leaders should get more intentional with implementing the following practices:
- Ensure proper remote access to all assets. Don’t rely on out-of-the-box configurations, suggested by the software vendor. Re-check these for all crucial remote access endpoints to verify that they are indeed in line with the latest security standards.
- Don’t compromise on traffic monitoring. With more devices and more Internet-bound traffic, network administrators may be tempted to relax monitoring or even allow security-sensitive practices such as split tunneling and IP safe-listing removal. This results in muddled visibility and limits the ability to check incoming and outbound traffic for connections to malicious destinations.
- Prioritize protection of privileged users and the infrastructure they require. Verify that all the remotely accessible services are properly safeguarded. Use a bastion host to protect access to critical VDIs and VMs. For example, you can use Azure Bastion to set up private SSH/RDP access to Azure-based VMs, running the most sensitive operations.
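Both the VM access recommendations in section 3 (just-in-time access to reduce exposure) and the remote access points above (re-checking vendor defaults, putting SSH/RDP behind a bastion) come down to one check: no inbound rule may admit management ports from anything but the bastion subnet. The following is an added example written for this post, not Infopulse or Microsoft code. The rule dictionaries are constructed and only modelled on the shape of Azure NSG security rules; the bastion prefix, rule names and priorities are assumptions.

```python
"""Audit inbound firewall rules for management ports exposed beyond a bastion
subnet, and produce a hardened rule set.

Added example. The rule shape is modelled on Azure NSG security rules, but every
rule, prefix and priority below is constructed for illustration."""

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}
BASTION_PREFIX = "10.0.250.0/26"   # assumed bastion subnet

# Constructed rule set; lower priority number is evaluated first.
SAMPLE_RULES = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "allow-rdp-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-mgmt-range", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "20-25"},
    {"name": "allow-ssh-office", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"},
    {"name": "deny-all-in", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def ports_in_range(port_range):
    """Management ports covered by a port spec such as '22', '20-25' or '*'."""
    if port_range == "*":
        return set(MGMT_PORTS)
    lo, _, hi = port_range.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return {p for p in MGMT_PORTS if lo <= p <= hi}

def exposes_mgmt(rule, bastion_prefix):
    """True for an inbound Allow that reaches a management port from a non-bastion source."""
    return (rule["direction"] == "Inbound" and rule["access"] == "Allow"
            and bool(ports_in_range(rule["destinationPortRange"]))
            and rule["sourceAddressPrefix"] != bastion_prefix)

def audit_rules(rules, bastion_prefix=BASTION_PREFIX):
    """Return (rule_name, severity, message) findings in evaluation order."""
    findings = []
    for r in sorted(rules, key=lambda r: r["priority"]):
        if not exposes_mgmt(r, bastion_prefix):
            continue
        names = "/".join(MGMT_PORTS[p] for p in sorted(ports_in_range(r["destinationPortRange"])))
        src = r["sourceAddressPrefix"]
        if src in ANY_SOURCES:
            findings.append((r["name"], "critical", f"{names} reachable from any source"))
        else:
            findings.append((r["name"], "medium", f"{names} reachable from {src}, bypassing the bastion"))
    return findings

def harden(rules, bastion_prefix=BASTION_PREFIX):
    """Copy of the rule set in which every offending rule is removed and replaced by
    per-port Allow rules whose only source is the bastion subnet. Non-management
    ports that shared a range with an offending rule (here 20-21, 23-25) are dropped
    as well and must be re-added explicitly if they are genuinely needed."""
    kept, first_bad = [], None
    for r in sorted(rules, key=lambda r: r["priority"]):
        if exposes_mgmt(r, bastion_prefix):
            first_bad = r["priority"] if first_bad is None else first_bad
        else:
            kept.append(dict(r))
    if first_bad is not None:
        # Reuse the first freed priority slot so the new rules sit where the old ones did.
        for i, port in enumerate(sorted(MGMT_PORTS)):
            kept.append({"name": f"allow-{MGMT_PORTS[port].lower()}-from-bastion",
                         "priority": first_bad + i, "direction": "Inbound", "access": "Allow",
                         "protocol": "Tcp", "sourceAddressPrefix": bastion_prefix,
                         "destinationPortRange": str(port)})
    return sorted(kept, key=lambda r: r["priority"])

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
    for rule in harden(SAMPLE_RULES):
        print(rule["priority"], rule["name"], rule["sourceAddressPrefix"], rule["destinationPortRange"])
```

The audit flags the Internet-facing RDP rule as critical and the two narrower rules as medium, because even a trusted office range bypasses the bastion and its session logging. Just-in-time access fits the same model: the bastion-only rules stay permanent, and a time-boxed Allow for a single administrator address is added on request and removed when it expires, so the hardened set above is also the resting state a JIT workflow should return to.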
Setting up a comprehensive threat prevention system is a time-demanding commitment. But skimping on controls isn’t an option either as basic negligence can lead to grave security consequences — data breaches, information theft, and subsequent regulatory intervention.
If you are a Microsoft Azure client, however, you are better positioned security-wise. Last year, Microsoft deployed an integrated threat protection service — a single-pane control panel for configuring, managing, and monitoring security configurations across all identities, infrastructure, endpoints, and cloud apps.
Infopulse is a Certified Microsoft Azure Partner and Microsoft CSP Tier 1 Partner, also providing standalone SIEM architecture implementation and SOC services. Let’s secure your operations together. Contact us!