In the span of a few months, the coronavirus has reached every country, every community, and every neighborhood. No nation is spared. The economy grinds to a halt. Millions have fallen sick. In the meantime, if you take a look at the 15 biggest cybersecurity attacks in the 21st century, you’d notice a few things. First, no country is untouched. Second, it’s extremely disruptive to business operations. Third, millions have fallen victim to these attacks. We have been dealing with a different kind of outbreak for many years, that is, the pandemic of cyberattacks.
The world responds
By now, most countries have imposed a mixed bag of measures to deal with the outbreak. If you look closely, the overarching strategy for dealing with coronavirus has revolved around four quadrants: prevention, detection, response, and prediction.
In cybersecurity, we often talk about the importance of a holistic strategy that consists of the same quadrants. At its core, a good cybersecurity strategy should take a multi-pronged approach and a long-term view.
Prevention
The first pillar of the defense is prevention. In the time of coronavirus, prevention means protecting people from being infected in the first place, such as washing your hands, socially distancing yourself from others, disinfecting your phone and wallet when you get home, and more.
In cybersecurity, prevention means the exact same thing – protecting your IT assets from being infected in the first place. Because most major data breaches can be traced back to a single point of failure that could have been prevented.
Today, many new cybersecurity vendors talk of a shining silver bullet that miraculously waves away all your cybersecurity headaches – such as machine learning or EDR. But in reality, the concept of a single silver bullet doesn’t hold up. You need the basic technologies – such as antivirus, application control, web and file reputation, etc. – to do the heavy lifting. These technologies can filter majority of the alerts, categorising them as either good or bad.
Detection – knowing what you’re looking for
Contact tracing is crucial during outbreaks. The longer you take to identify a patient, the more people will be infected.
In cybersecurity, detection is about the same thing – how fast you can detect a breach in your system determines the scope of damage. We believe in this strategy called connected threat defense. By deploying security solutions at all the touchpoints in an IT system, from the endpoints to the network to the server, you can start to connect the dots and gain visibility into every nook and cranny. If you know what’s lurking in your IT environment, you can significantly increase your chance of getting rid of it.
Endpoint detection and response (EDR) is another tool designed for the same purpose. EDR technology works like a black box in a plane. It records everything that takes place on the endpoints and threat hunters can rewind to see from which point a threat entered the system, and how it spread across the network. Based on the information, a blueprint of the malware’s infection path can be drawn.
Response – prioritizing the important ones
During the outbreak, there are many false positives and false negatives. Some people may test negative now but develop the symptoms next week. Suspected cases may turn out to be totally innocuous. Because the medical supplies are limited, the healthcare workers need to prioritize. To prioritise, you need context-rich information about the patient.
It’s the same in cybersecurity. A security operations centre (SOC) receives thousands of alerts on a daily basis. Hence, prioritization becomes the key and this is where XDR comes into picture. XDR is the natural progression from EDR. The X stands for anything you can apply detection technology to, such as emails, servers, or the network. XDR is a big collector of security alerts, absorbing data from various touchpoints.
Essentially what XDR does is to break the silos between all these solutions gathering data on their own. A prominent feature of the XDR tool is a central data lake where all data will flow to eventually and be analysed as a collective.
All this data churning can minimise alert fatigue, as it produces high-priority alerts with rich context around it. SOC analysts can now focus on alerts that need immediate action instead of combing through every single one of them and manually looking for connection.
Prediction – taking two steps ahead
Wall Street Journal reported that epidemiologists were teaming up with data scientists to forecast the spread of the coronavirus outbreak in the near future. By taking into consideration a vast array of different types of data, the model is expected to predict the number of new cases to arise in an exposed population, or peak infection rates.
Likewise, in cybersecurity, the more accurate our predictions are, the more effectively we can deal with an upcoming data breach. We achieve this by collecting and correlating a vast array of different types of detection and activity data from our native sensors, deployed at different layers within the organization, like the endpoint, network, email, and the cloud environment.
Combined with big data analytics, threat models, advisory-based behaviour analytics and detection rules from our security experts, we can help to uncover if an emerging or unknown threat or a threat actor is attempting to infect your organization. On top of that, continuous risk assessment of an organisation’s cybersecurity posture also serves to predict impending issues.
Conclusion
Coronavirus will go away, just like any of the pandemics in the past. But cybersecurity attacks will stay as long as there’s a computer connected to the internet. The most effective way to deal with cyberattacks is not to dream of a cure-all panacea, but to take small but coordinated measures that culminate in an all-rounded defense strategy.
Discussion about this post