In the past few weeks and months we have seen a massive increase in public hacks and threats hitting the news. Organisations around the world were impacted by WannaCry ransomware, which encrypted files, immobilising UK hospitals, causing outages of Deutsche Bahn display panels, forcing Honda to take production plants offline and invalidating hundreds of speeding fines issued by infected speed cameras.
Shortly after this, cyber-threats were again in the news when the UK's Parliament was hit by an attack in which malicious actors tried to gain access to e-mails. As a first response, the government informed those affected, disabled remote access and liaised with the UK's National Cyber Security Centre (NCSC) to take further measures to secure the computer network. This was followed by yet another hack, named Petya, which had a massive impact in Ukraine, bringing down monitoring systems around the former nuclear power plant in Chernobyl, as well as many cash machines.
These examples demonstrate that IT or digital security can no longer be just an IT-Security System Admin problem, focused on installing and configuring new network firewalls, deploying endpoint protection solutions and next generation spam filters. For example, the organisations that “simply” kept their systems up to date with the latest patches were resilient against WannaCry. In the case of the British Parliament, a business decision had to be made to disconnect a critical digital communication service for security reasons, heavily interrupting parliamentary operations. This is beyond the usual remit of an IT-Security System Admin, and shows that security has to be approached from a business perspective.
What should organisations be doing?
- Maintain basic security hygiene
- Proactively monitor access to critical services
- Define an incident response process and team
Establishing a data-driven security strategy underpinned by machine data is the foundation required to support all of the above initiatives. To monitor whether basic security hygiene is being maintained, and to identify weak areas that no one is looking after, a security information and event management (SIEM) solution is a good choice. It will aggregate information and let businesses run regular reports on which systems are patched, surface findings from vulnerability scanners, report the status of endpoint protection solutions, and alert on any notable security anomaly, such as a virus event or a new service being installed on a system.
If we look at user authentication, it's no longer enough to simply rely on the in-built security of Microsoft Active Directory and its lockout policies. Organisations need to dive into each digital service, figure out how that service is exposed externally, understand how people log on, how they reset their passwords and how new users are created, and then identify the machine-generated data required to get those insights. They can then learn the specifics of that data and set up monitoring to proactively detect any outliers. By maintaining basic security hygiene and proactive monitoring, companies can reduce risks to a minimum and, during the process, identify white spaces in their environment.
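As an added illustration of the "learn the data, then monitor for outliers" approach described above (example code written for this article, not a tool or product referenced in it), the snippet below parses constructed authentication log lines, learns each user's usual logon sources from a baseline window, then flags two kinds of outlier in a later window: a successful logon from a source outside that user's baseline, and a single source failing against several distinct accounts. The log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
# Log format is an assumption constructed for this example (not from the article).
LINE_RE = re.compile(r"^(?P<ts>\S+) auth: result=(?P<result>success|failure) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
def parse_auth_logs(text):
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def learn_baseline(events):
    """Learning phase: the source addresses each user normally logs on from."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            seen[e["user"]].add(e["src"])
    return seen

def detect_outliers(events, baseline, spray_users=3):
    """Monitoring phase. Returns (alert_type, detail) tuples:
    'new_source' - successful logon from a source outside the user's baseline;
    'spray'      - one source failing against >= spray_users distinct accounts."""
    alerts, failed_users_by_src = [], defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users_by_src[e["src"]].add(e["user"])
        elif e["src"] not in baseline.get(e["user"], set()):
            alerts.append(("new_source", f"{e['user']} from {e['src']}"))
    for src, users in failed_users_by_src.items():
        if len(users) >= spray_users:
            alerts.append(("spray", f"{src} failed against {len(users)} users"))
    return alerts

# Constructed sample data: a learning window of normal logons, then a monitoring window.
BASELINE_LOGS = """\
2017-06-19T08:00:01 auth: result=success user=alice src=10.0.0.5
2017-06-19T08:02:11 auth: result=success user=bob src=10.0.0.7
"""
WINDOW_LOGS = """\
2017-06-26T08:00:01 auth: result=success user=alice src=10.0.0.5
2017-06-26T08:00:05 auth: result=failure user=alice src=203.0.113.9
2017-06-26T08:00:06 auth: result=failure user=bob src=203.0.113.9
2017-06-26T08:00:07 auth: result=failure user=carol src=203.0.113.9
2017-06-26T08:00:09 auth: result=success user=bob src=198.51.100.4
malformed line that the parser must ignore
"""
def run_example():
    baseline = learn_baseline(parse_auth_logs(BASELINE_LOGS))
    return detect_outliers(parse_auth_logs(WINDOW_LOGS), baseline)
```

In a real deployment the baseline would be learned from weeks of data per service rather than two lines, and each alert type would be tuned against the service's own logon patterns before being routed to the incident response team.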
However, nothing in life is 100 percent secure – so businesses need to think ahead to a potential breach/hack. What's the organisational process? Which people need to take immediate action? Who can help answer questions about what happened? What do we need to do to stop it? Who was impacted, and who takes the important decisions such as taking services offline, notifying the authorities or communicating to the media?
This exercise goes beyond the IT-Security System Admin role; more mature organisations already include crisis and risk planning for “cyber-risks” within their operational planning. The people involved are required to find answers to the above questions regarding the breach and must think about which systems hold those answers and how long it would take to get them. This information can mostly be found in machine-generated data/log data, which should be stored in a centralised platform where any question can be asked in a flexible way. This makes the process scalable and efficient, as technical security investigations can often become a bottleneck during a crisis. Even in the British Parliament example, the ability to collaborate and work with others to answer questions was a core requirement. In an instance such as this, a centralised platform with all your machine data is a real strength.
The upcoming European General Data Protection Regulation (GDPR, focusing on personal data) and the NIS Directive (focusing on network and system protection) will force organisations to apply these concepts sooner rather than later.
Contributed by Matthias Maier, security evangelist, Splunk
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.