How to go on the offensive vs security foes

10 ways to shift your company’s cybersecurity approach from a focus on prevention to detection.

Focus to detection

The industry is now moving from a focus on prevention, in which organizations try to make the perimeter impenetrable and avoid being hacked, to a focus on rapid detection, where companies can quickly identify and mitigate threats that are within the perimeter already.

This new approach is centered on the idea that it’s impossible to keep every attacker out indefinitely, which is why companies should focus on mitigating the threats that follow a successful perimeter breach. While this doesn’t mean abandoning prevention efforts altogether, it suggests organizations devote more resources to identification and remediation, with the mindset that a perimeter breach is a matter of time.

The following nine tips provided by Alvaro Hoyos, Chief Information Security Officer at OneLogin, are focused on detection controls rather than prevention.

Implement security awareness training

At first glance, this seems like a preventive measure designed to stop employees from doing something risky. In reality, chances are high that they will do something risky anyway. So making sure your employees can recognize their missteps and know what to do after they make a mistake is critical. This can be as simple as making clear who their point of contact should be, whether that means an email address or a phone number they can reach 24/7. The same point of contact should be the place to report suspicious activity they encounter, which can help detect an intruder or a malicious insider.

Empower end users

Typically, admins receive all sorts of automated alerts triggered by activities that are either high risk or known to be suspicious. Empowering end users by briefing them about the activities they have direct control over, such as changing their password or logging in from a new location, can help make employees part of your early detection plan.

Monitor file integrity

Monitoring your files is a must on your high-risk systems. This is especially true for configuration files, since a change to one of them can let someone escalate their access, open up backdoors, and much, much more. This usually takes the form of automated monitoring that alerts personnel when a file changes, or of enforcing a "golden image" that automatically overwrites any changes to files.
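As an added illustration of the "alert on file changes" variant (example code written for this page, not OneLogin's or any vendor's tool), the script below hashes every regular file under a directory, stores the result as a baseline, and reports what was added, removed or modified in a later snapshot. The directory layout, file contents and the simulated tampering in `demo()` are all constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical file-integrity monitor (example code, not a product): hash every
# regular file under a root, keep the result as a baseline, and diff a later
# snapshot against it. Any entry in the diff is something a person should look at.


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root_path = Path(root)
    snapshot: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # never follow links; a link swapped in for a file shows up as 'removed'
            snapshot[full.relative_to(root_path).as_posix()] = hash_file(full)
    return snapshot


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between two snapshots; every non-empty list is an alert."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then edit a config file and drop a new key file."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Changes made after the baseline was taken (simulated tampering)
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "authorized_keys").write_text("ssh-ed25519 AAAAexamplekey unknown-host\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

In practice the baseline would be written somewhere the monitored host cannot modify (a read-only store or a central server) and the comparison run on a schedule; an attacker who can rewrite both the file and its recorded hash defeats the check.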

Admin log reviews

This is another tried-and-true method that is recommended, and in some cases required, by several security frameworks. Admin log reviews can be accomplished through alerting on suspicious admin activities, monitoring for newly created admins, and periodic manual reviews of the logs. Several tools are available that make these logs easier to digest and that provide automated alerts instead of, or in addition to, manual reviews.

Employ endpoint threat detection

These host-based or network-based systems can provide insight into suspicious activity. Depending on the marketing verbiage, they have either replaced IDS (intrusion detection systems) or work in conjunction with existing solutions. Regardless of what you call it or which technology you subscribe to, the objective is the same: have tools that monitor for suspicious activities already happening within your environment. Several vendors do a great job of reporting not only the suspicious activities themselves, but also the activities that preceded and followed those flagged for review. This is a great resource for understanding the entirety of an attack and its scope.

Monitor systems for security patch availability

Many of the vendors that provide some of the services discussed thus far also provide visibility into vulnerabilities already residing in your systems, by analyzing which packages are installed and comparing that inventory against published vulnerability databases. This is a simple yet powerful way of staying ahead of issues like Heartbleed or, if your timing is fortuitous, of shutting down a backdoor that is already in place because a known bug was already exploited.
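The core of that comparison is a version-range match, shown here as an added example (not the article's or any vendor's code). The advisory feed and the package inventory are constructed, the advisory IDs are placeholders rather than real CVE numbers, and the `openssl` range is modelled on the 1.0.1 series the Heartbleed mention refers to; a real scanner would pull both inputs from the package manager and a published database.

```python
import re

_PART = re.compile(r"(\d+)([a-z]*)")


def version_key(version: str) -> tuple[tuple[int, str], ...]:
    """Turn '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so Python tuple ordering
    matches release order, including the letter-suffix scheme some projects use.
    Pre-release tags such as 'rc1' or 'beta' are deliberately not modelled."""
    key = []
    for part in version.split("."):
        m = _PART.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported version component: {part!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


# Constructed advisory feed. IDs are placeholders, not real CVE numbers; the
# openssl range is modelled on the Heartbleed-era 1.0.1 series the article mentions.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl",
     "affected_from": "1.0.1", "fixed_in": "1.0.1g",
     "summary": "TLS heartbeat memory disclosure (Heartbleed-class)"},
    {"id": "ADV-EXAMPLE-0002", "package": "examplelib",
     "affected_from": "2.4.0", "fixed_in": "2.4.7",
     "summary": "constructed issue in a fictitious library"},
    {"id": "ADV-EXAMPLE-0003", "package": "notinstalled",
     "affected_from": "0", "fixed_in": "9.9.9",
     "summary": "advisory for a package this host does not have"},
]

# Constructed package inventory, as a package manager query would report it.
INSTALLED = {"openssl": "1.0.1f", "examplelib": "2.4.9", "nginx": "1.24.0"}


def is_affected(installed_version: str, advisory: dict) -> bool:
    """Vulnerable when affected_from <= installed < fixed_in."""
    v = version_key(installed_version)
    return version_key(advisory["affected_from"]) <= v < version_key(advisory["fixed_in"])


def find_vulnerable(installed: dict[str, str], advisories: list[dict]) -> list[dict[str, str]]:
    """Match the inventory against the feed and report every package that needs a patch."""
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is not None and is_affected(version, adv):
            findings.append({"package": adv["package"], "installed": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed_in"],
                             "summary": adv["summary"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(INSTALLED, ADVISORIES):
        print(f"{f['package']} {f['installed']} -> upgrade to {f['fixed_in']} "
              f"({f['advisory']}: {f['summary']})")
```

The three advisories cover the three outcomes a scanner has to get right: a version inside the range (reported), a version past the fix (silent), and a package that is not installed at all (silent). Distribution packages that backport fixes without bumping the upstream version are the usual source of false positives here, which is why the commercial tools the text mentions track distro-specific version strings rather than upstream ones.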

Scan for rogue access points

Wi-Fi has been both a boon and a curse for our global village culture. It’s hard to argue that this technology has not accelerated the reach of the internet to almost all corners of the world, and that it has done more to make the global village a reality than free trade agreements and the opening up of formerly isolated economies. Nevertheless, it has also introduced a very exploitable attack vector at virtually every home and business. Setting aside the risk of telecommuting employees using Wi-Fi at home or at the local coffee shop, scanning for rogue access points in your corporate network is critical. Detecting a rogue access point on your network can help you shut down potential or actual exfiltration routes, whether they were set up on purpose or by accident, by an employee or by an attacker.

Attract more bees with honey

The concept of honeypots has been around for a very long time. The idea is elegantly simple: spin up a system or a network of systems that appears to have some value and monitor it for suspicious activity. If a hacker successfully compromises the system, there is no real loss, but you have gained valuable intelligence that you can then use to safeguard actual assets. Another take on this concept is honeycreds, which involve planting specific credentials that you can then look for in your activity logs or in public data dumps. Again, the credentials have no real value, but they provide an early warning of a system compromise or data exfiltration.
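The honeycred idea is concrete enough to show in code, so here is an added example (written for this page, not the article's or OneLogin's) that looks for a planted account in two places: an authentication log, where any use of the account at all is the signal, and a credential dump, where the planted password is confirmed against a salted fingerprint so a mere name collision does not fire. The account name, password, salt, log lines and dump contents are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed honey credentials: an account that exists nowhere legitimate, so
# any appearance of it is a signal, not noise. Only a salted fingerprint of the
# password is kept here; the username is enough to match log lines, and the
# fingerprint confirms a hit in a credential dump.
HONEY_SALT = b"example-salt-change-me"          # constructed


def fingerprint(secret: str) -> str:
    return hashlib.sha256(HONEY_SALT + secret.encode()).hexdigest()


HONEY_ACCOUNTS = {"svc-legacy-report": fingerprint("Winter2019!")}   # username -> fingerprint

# Constructed authentication log ("timestamp key=value ...") and a constructed
# dump in the common "user:password" one-per-line shape.
SAMPLE_AUTH_LOG = """\
2024-03-04T08:01:10Z src=10.0.4.17 user=alice result=success
2024-03-04T08:02:33Z src=203.0.113.8 user=svc-legacy-report result=failure
2024-03-04T08:02:35Z src=203.0.113.8 user=svc-legacy-report result=failure
2024-03-04T08:05:00Z src=10.0.4.22 user=bob result=success
"""

SAMPLE_DUMP = """\
alice@example.com:hunter2
svc-legacy-report:Winter2019!
nobody@example.org:password123
"""


def scan_auth_log(log_text: str) -> list[dict[str, str]]:
    """Every authentication event that names a honey account, whatever the outcome."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        ev = {"ts": fields[0]}
        for f in fields[1:]:
            k, _, v = f.partition("=")
            ev[k] = v
        if ev.get("user") in HONEY_ACCOUNTS:
            hits.append(ev)
    return hits


def sources_using_honey(hits: list[dict[str, str]]) -> list[tuple[str, int]]:
    """Source addresses ranked by how often they tried a honey account."""
    return Counter(h.get("src", "?") for h in hits).most_common()


def scan_dump(dump_text: str) -> list[str]:
    """Honey accounts whose planted password appears verbatim in a leaked dump."""
    leaked = []
    for line in dump_text.splitlines():
        user, sep, password = line.partition(":")
        expected = HONEY_ACCOUNTS.get(user) if sep else None
        if expected and hmac.compare_digest(expected, fingerprint(password)):
            leaked.append(user)
    return leaked


if __name__ == "__main__":
    hits = scan_auth_log(SAMPLE_AUTH_LOG)
    print("honey-account logins:", len(hits), "from", sources_using_honey(hits))
    print("honey accounts found in dump:", scan_dump(SAMPLE_DUMP))
```

Because the account is never used legitimately, even a failed login against it is worth a ticket; the source ranking is what the responder reaches for first. A dump hit tells you something different: whichever store the planted credential lived in has been exfiltrated, regardless of whether anyone has tried to use it yet.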

Know when your source code has been exfiltrated

Speaking of data exfiltration, there are two reasons you should be worried about your source code being leaked out into the world. The first is the intrinsic intellectual property value of that code. The second is that access to source code makes it easier for attackers to find and weaponize potential exploits. There are services that help you determine whether this has happened by generating "fingerprints" from your code and then searching known dark web markets and forums for those fingerprints. What you do after you confirm that your source code is out there is a whole separate headache, I mean topic.

And finally, don’t be afraid to ask for help

If you suspect or detect a cybersecurity incident, aside from making sure you are working with your legal team from the get-go, don't hesitate to leverage consulting services that are dedicated to responding to these types of incidents. These are not inexpensive services, but the cost of a mishandled incident is a lot higher than the cost of bringing in expertise to help you shut one down for good.

Quicken detection time

As cybercriminals become more sophisticated and organized, and, to some extent, as your employees become more tech savvy, the odds of your organization encountering a cyberattack are the highest they have ever been. By making sure you are able to detect successful attacks, rather than hoping no attacks succeed, you are aligning your controls with the reality your company is facing.