Authored by: Dhanya Thakkar, Vice President and Managing Director, AMEA, Trend Micro
In the span of a few months, the coronavirus has reached every country, every community, and every neighborhood. No nation is spared. Economies grind to a halt. Millions have fallen sick.
In the meantime, if you take a look at the 15 biggest cyberattacks of the 21st century, you’d notice a few things. First, no country is untouched. Second, it’s extremely disruptive to business operations. Third, millions have fallen victim to these attacks. Studying the statistics, I can’t help but arrive at this conclusion: we have been dealing with a different kind of outbreak for many years, that is, the pandemic of cyberattacks.
The world responds
By now, most countries have imposed a mixed bag of measures to deal with the outbreak.
If you look closely, the overarching strategy for dealing with COVID-19 has revolved around four quadrants: prevention, detection, response, and prediction. In cybersecurity, we often talk about the importance of a holistic strategy that consists of the same quadrants.
Responding to a pandemic is not a one-off event. You can’t contain an outbreak with several dramatic measures and be done with it. Similarly, a good cybersecurity strategy should take a multi-pronged approach and a long-term view.
The first pillar of the defense is prevention. In the time of COVID-19, prevention means protecting people from being infected in the first place, such as washing your hands, socially distancing yourself from others, disinfecting your phone and wallet when you get home, and more.
In cybersecurity, prevention means the exact same thing – protecting your IT assets from being infected in the first place, because most major data breaches can be traced back to a single point of failure that could have been prevented.
Basic security technologies are not sexy toys, but they do a pretty darn good job of keeping your vulnerable systems patched, blocking malware from hitting your machines, alerting you to phishing emails, and more.
Today, many new cybersecurity vendors talk of a shining silver bullet that miraculously waves away all your cybersecurity headaches – such as machine learning or EDR. But in reality, the concept of a single silver bullet doesn’t hold up.
A business can receive thousands of security events in a single day and a high percentage of them are false positives or commonplace malware. Imagine feeding all of them through the machine learning technology. You’re bound to have a performance issue.
You need the basic technologies – such as your humble antivirus, application control, web and file reputation, and so on – to do the heavy lifting. These technologies can filter the majority of the alerts, categorizing them as either good (to let through) or bad (to block).
Then you’re left with the threats you have never seen before. These are the unknown threats that require further study. They can then be fed through the advanced technologies, like machine learning or behavioral analysis. This way, the software divides the load and strikes a balance between security and efficiency.
Detection – knowing what you’re looking for
Contact tracing is crucial during outbreaks. The longer you take to identify a patient, the more people will be infected. In cybersecurity, detection is about the same thing – how fast you can detect a breach in your system determines the scope of damage.
At Trend Micro, we believe in a strategy called connected threat defence. By deploying security solutions at all the touchpoints in an IT system, from the endpoints to the network to the server, you can start to connect the dots and gain visibility into every nook and cranny. If you know what’s lurking in your IT environment, you can significantly increase your chance of getting rid of it.
Endpoint detection and response (EDR) is another tool designed for the same purpose. EDR technology works like a black box in a plane. It records everything that takes place on the endpoints and threat hunters can rewind to see from which point a threat entered the system, and how it spread across the network. Based on the information, a blueprint of the malware’s infection path can be drawn.
Response – prioritizing the important ones
During the outbreak, there are many false positives and false negatives. Some people may test negative now but develop symptoms next week. Suspected cases may turn out to be totally innocuous. Because the medical supplies are limited, the healthcare workers need to prioritize. To prioritize, you need context-rich information about the patient.
It’s the same in cybersecurity. A security operations centre (SOC) receives thousands of alerts every day. IT security personnel widely report that working in a SOC is a laborious job. Many of them are burned out after a while, and the two most cited reasons are increasing workload and having too many alerts to chase.
Prioritization becomes the key in this case. Instead of 500 alerts, what if you can winnow them down to the two most critical alerts that require immediate action? Enter XDR.
XDR is the natural progression from EDR, where the ‘X’ stands for anything you can apply detection technology to, such as emails, servers, or the network. XDR is a big collector of security alerts, absorbing data from various touchpoints.
XDR breaks the silos between all these solutions gathering data on their own. A prominent feature of the XDR tool is a central data lake into which all data flows before it is analyzed as a collective. This way, data collected from the endpoints can be correlated with data collected from the cloud workloads, for instance. Breaking the silos means more attacks become visible as more pieces of the puzzle are stitched together.
All this data churning can minimize alert fatigue, as it produces high-priority alerts with rich context around them. SOC analysts can now focus on alerts that need immediate action instead of combing through every single alert and manually looking for connections.
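The two ideas above, cheap reputation checks doing the heavy lifting so only unknowns reach advanced analysis, and XDR-style correlation stitching sightings from several sensors into one ranked alert, can be sketched as a small pipeline. This is an added illustration, not Trend Micro code; the reputation lists, sensor events and hashes are constructed placeholders, and grouping by host stands in for the richer correlation a real data lake would do.

```python
from collections import Counter, defaultdict

# Constructed reputation lists standing in for file-reputation feeds (placeholder hashes, not real IoCs).
KNOWN_GOOD = {"sha256:GOOD-0001", "sha256:GOOD-0002"}
KNOWN_BAD = {"sha256:BAD-0001"}

# Constructed sensor events from endpoint, email and network touchpoints.
EVENTS = [
    {"sensor": "endpoint", "host": "ws-01", "hash": "sha256:GOOD-0001", "detail": "office.exe started"},
    {"sensor": "endpoint", "host": "ws-02", "hash": "sha256:GOOD-0002", "detail": "browser.exe started"},
    {"sensor": "endpoint", "host": "ws-03", "hash": "sha256:BAD-0001", "detail": "dropper.exe started"},
    {"sensor": "email", "host": "ws-01", "hash": "sha256:UNK-0001", "detail": "attachment invoice.doc delivered"},
    {"sensor": "endpoint", "host": "ws-01", "hash": "sha256:UNK-0001", "detail": "winword.exe spawned cmd.exe"},
    {"sensor": "network", "host": "ws-01", "hash": None, "detail": "outbound connection to unseen domain"},
    {"sensor": "endpoint", "host": "ws-04", "hash": "sha256:UNK-0002", "detail": "updater.exe started"},
]

def triage(event):
    """Tier 1: cheap reputation lookups settle known-good and known-bad; everything else is unknown."""
    h = event["hash"]
    if h in KNOWN_GOOD:
        return "allow"
    if h in KNOWN_BAD:
        return "block"
    return "unknown"

def divide_load(events):
    """Return per-verdict counts plus the unknown events that still need advanced analysis."""
    verdicts = Counter()
    unknown = []
    for e in events:
        v = triage(e)
        verdicts[v] += 1
        if v == "unknown":
            unknown.append(e)
    return verdicts, unknown

def correlate(unknown):
    """XDR-style step: stitch unknown events by host so email, endpoint and network sightings
    of one incident become a single alert, ranked by how many sensor types saw it."""
    by_host = defaultdict(list)
    for e in unknown:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        sensors = sorted({e["sensor"] for e in evs})
        alerts.append({"host": host, "score": len(sensors), "sensors": sensors,
                       "timeline": [e["detail"] for e in evs]})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

Of the seven constructed events, reputation alone disposes of three; the remaining four collapse into two alerts, with the host seen by three sensors ranked first.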
Prediction – staying two steps ahead
The Wall Street Journal reported that epidemiologists were teaming up with data scientists to forecast the spread of the coronavirus. By taking into consideration a vast array of data, the model is expected to predict the number of new cases to arise in an exposed population, or peak infection rates.
Likewise, in cybersecurity, the more accurate our predictions are, the more effectively we can deal with an upcoming data breach. We achieve this by collecting and correlating a vast array of detection and activity data from Trend Micro native sensors, deployed at different layers within the organization like the endpoint, network, email, and the cloud environment.
Combined with big data analytics, threat models, advisory-based behavior analytics and detection rules from our security experts, we can monitor whether an emerging or unknown threat or a threat actor is attempting to infect your organization. On top of that, continuous risk assessment of an organization’s cybersecurity posture also serves to predict impending issues.
COVID-19 will eventually go away, just like any of the pandemics in the past. However, cyberattacks will stay as long as there’s a computer connected to the internet.
The most effective way to deal with cyberattacks is not to dream of a cure-all, but to take small, coordinated measures that culminate in a well-rounded defense strategy.