How Prescriptive Security aids defending against phishing attacks
Phishing email campaigns are increasingly targeting smaller, more focused groups and becoming more sophisticated. They are therefore more likely to succeed. As a result, business email compromise (BEC) has taken over as one of the major challenges to security. In this climate, it’s helpful to understand how the processes around prescriptive security are distinct from those around traditional cyber security.
Traditional security processes
In a traditional security environment, the analyst must first log into multiple tools to work out what is happening. The analyst uses each tool to view the necessary logs and data to understand the incident. Whilst the analyst might quickly establish that there is a 0-day polymorphic virus, the tools may not link the endpoint with the user in order to easily trace the attack. Without this link, actions to update security at the boundary may not happen quickly, if at all. As a result, more users could be affected.
The analyst also needs multiple security systems and applications to coordinate the right response. This will take time, especially if these security tools aren’t in daily use – again increasing the risks to other users. There may also be risks associated with the order in which remediation steps are configured into the various systems. Even worse, where devices are offline or not connected back into the corporate network, the design of the virus keeps them vulnerable to attack for some time.
If the analyst is not sufficiently trained, or has no access to a particular tool, they may need to raise service tickets to initiate a response, further lengthening the time to respond, especially if those processes take time or the tool is not managed 24x7.
Each of these steps must be fully documented in order to manually trigger actions. This includes processes for logging into the various toolsets such as anti-virus management, network access control management, endpoint detection and response.
Prescriptive security processes
With prescriptive security, the time it takes to identify a problem shrinks to milliseconds. Information about multiple events is collated into one place, enriched with threat intelligence and ready as a single ‘ticket’ for the analyst to analyze and make decisions.
Straightaway, the analyst has better visibility of the incident using advanced data processing, analytics and security event management systems. They can quickly link the virus to a phishing attack on a specific user, for example. Because this is a new problem, human intervention is still needed, but it is minimal: the analyst selects the most effective playbook of automated actions to protect the whole estate.
This ultimately removes the risk of errors and not only improves the initial response time but also helps to reduce or even eradicate the time to detect similar subsequent incidents.
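The collation step described above, as an added Python example that is not code from this post or from Atos: events from three constructed log sources (email gateway, EDR, NAC) are parsed, joined to a user through an asset-inventory lookup (the endpoint-to-user link the post says traditional tooling often lacks), enriched against a constructed threat-intelligence list, and turned into one ticket per user with a recommended playbook of automated actions. The log formats, asset map, indicator values, hash placeholders and playbook names are all assumptions made for this example.

```python
"""Correlate multi-tool events into one enriched ticket per user (illustrative)."""
from dataclasses import dataclass, field

# --- Constructed sample data: not real logs, domains or hashes ---
# Asset inventory: links an endpoint to the user who owns it.
ASSET_OWNER = {"LAPTOP-0042": "j.smith", "LAPTOP-0077": "a.jones"}

EMAIL_GATEWAY_LOG = [
    "2024-01-01T09:00:01Z user=j.smith sender=invoice@example-payroll.test verdict=delivered",
    "2024-01-01T09:00:05Z user=a.jones sender=news@example-news.test verdict=delivered",
]
EDR_ALERTS = [
    "2024-01-01T09:03:12Z host=LAPTOP-0042 event=malware_detected sha256=PLACEHOLDER_HASH_1",
]
NAC_LOG = [
    "2024-01-01T09:10:40Z host=LAPTOP-0042 event=quarantined reason=edr_alert",
]
# Constructed threat-intel feed, keyed by indicator type.
THREAT_INTEL = {
    "sender_domain": {"example-payroll.test": "known BEC lure domain (constructed)"},
    "sha256": {"PLACEHOLDER_HASH_1": "polymorphic dropper family (constructed)"},
}
# Hypothetical playbooks: ordered lists of automated response actions.
PLAYBOOKS = {
    "phish_with_endpoint_compromise": [
        "block sender domain at mail gateway", "purge message from all mailboxes",
        "keep host isolated via NAC", "reset user credentials",
        "hunt for file hash across the estate",
    ],
    "phish_no_execution": ["block sender domain at mail gateway", "purge message from all mailboxes"],
    "endpoint_malware": ["keep host isolated via NAC", "hunt for file hash across the estate"],
    "no_action": [],
}


@dataclass
class Ticket:
    user: str
    hosts: set = field(default_factory=set)
    timeline: list = field(default_factory=list)        # (ts, source, summary)
    intel_matches: list = field(default_factory=list)   # (indicator type, value, context)
    playbook: str = "no_action"


def parse_kv_line(line: str) -> dict:
    """Parse '<ts> key=value key=value ...' into a dict; timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def recommend_playbook(ticket: Ticket) -> str:
    """Pick a playbook from the kinds of evidence gathered on the ticket."""
    kinds = {kind for kind, _, _ in ticket.intel_matches}
    sources = {source for _, source, _ in ticket.timeline}
    if "sender_domain" in kinds and "edr" in sources:
        return "phish_with_endpoint_compromise"
    if "sender_domain" in kinds:
        return "phish_no_execution"
    if "edr" in sources:
        return "endpoint_malware"
    return "no_action"


def build_tickets(email_lines, edr_lines, nac_lines) -> dict:
    """Join events from three tools on user (directly or via asset owner) and enrich them."""
    tickets: dict = {}

    def ticket_for(user: str) -> Ticket:
        return tickets.setdefault(user, Ticket(user=user))

    for ev in map(parse_kv_line, email_lines):
        t = ticket_for(ev["user"])
        domain = ev["sender"].rsplit("@", 1)[-1]
        t.timeline.append((ev["ts"], "email", f"mail from {ev['sender']} {ev['verdict']}"))
        if domain in THREAT_INTEL["sender_domain"]:
            t.intel_matches.append(("sender_domain", domain, THREAT_INTEL["sender_domain"][domain]))

    for source, lines in (("edr", edr_lines), ("nac", nac_lines)):
        for ev in map(parse_kv_line, lines):
            # Unknown hosts get their own ticket rather than being dropped silently.
            t = ticket_for(ASSET_OWNER.get(ev["host"], f"unknown-owner:{ev['host']}"))
            t.hosts.add(ev["host"])
            t.timeline.append((ev["ts"], source, f"{ev['host']} {ev['event']}"))
            sha = ev.get("sha256")
            if sha in THREAT_INTEL["sha256"]:
                t.intel_matches.append(("sha256", sha, THREAT_INTEL["sha256"][sha]))

    for t in tickets.values():
        t.timeline.sort()              # single chronological view across all tools
        t.playbook = recommend_playbook(t)
    return tickets


if __name__ == "__main__":
    for t in build_tickets(EMAIL_GATEWAY_LOG, EDR_ALERTS, NAC_LOG).values():
        print(f"{t.user}: hosts={sorted(t.hosts)} playbook={t.playbook}")
        for step in t.timeline:
            print("   ", *step)
        for action in PLAYBOOKS[t.playbook]:
            print("    ->", action)
```

The point of the example is the join: the email event is keyed by user, the EDR and NAC events by host, and only the asset-inventory lookup lets them land on the same ticket. Without that lookup, the analyst is back to opening each console and matching records by hand.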
Ongoing service management
All security incidents are monitored, identified, prioritized and managed at the Security Operations Center. Key to security operations is integration with the rest of service management, for example, to ensure that every change to an IT estate is documented and audited.
If all details and current remediation tasks are held purely within traditional security tools, response times are longer and extra change management tasks are created for the service management team. In contrast, with prescriptive security, everyone involved can easily be kept informed of the situation. So, when a phished user contacts the service desk because a device cannot connect to the network, the service desk instantly sees that the device is part of an incident response and can explain why.
Forensic investigation
Following any serious incident, thoughts will turn to reviewing how the incident occurred, and how to predict and prevent similar attacks in future. Just as having data spread across disparate systems makes analyzing and responding to an incident slower, it also makes it harder to fathom details of the attack path in retrospect.
In contrast, with prescriptive security, there is full auditability and continuous learning working in harmony to bolster the defenses against cyber threats. Prescriptive security transforms the way security analysts work. It helps security teams stay ahead of bad actors who are growing both in number and in sophistication of attack strategies.
This blog post is adapted from Stephen’s article in “Digital Vision for Cyber Security 2,” where you can read more about the new security paradigm from the Atos Scientific Community.
By Stephen Wing, Security Consulting Practice Lead, Atos UK & Ireland
Posted on August 11