Cybercriminals are infiltrating networks in less time than ever, but organisations are not keeping up with the time it takes to detect these intrusions. Fortunately, operational intelligence platforms can be leveraged for greater data security.
According to Verizon’s 2016 Data Breach Investigations Report, the detection deficit – the amount of time it takes to discover that a breach has occurred – grew to 84 per cent in 2015. While nearly all intrusions were executed in a matter of days, less than a quarter were actually discovered in the same timeframe.
With the amount of damage these breaches can cause, early detection is essential. What cyber intrusions must organisations be aware of in 2017, and what strategies can they use to combat these risks?
A false sense of security in 2017
Currently, many businesses think they are secure, sitting behind firewalls with active anti-malware and anti-virus protections. The reality is that those organisations are still vulnerable to intrusions, particularly ones executed through social engineering – a psychology-based attack in which infiltrators gather personal information about an individual at a company and use it to open a way into the network.
Cybercriminals use social engineering to gain and exploit information about an individual.
One of the most common types of social engineering is spear phishing. In this approach, cybercriminals use the information in an individual’s social media presence to craft a targeted and manipulative email. This email will usually contain a malicious link or attachment that – if clicked or downloaded – creates an opening into a secure system. According to the Australian Cyber Security Centre’s Threat Report 2016, there has been a growing prevalence of malicious emails that employ this method.
The real danger of social engineering and spear phishing is that they are more likely to slip through automated network security systems, so organisations need a more nuanced strategy to fight back.
Vigilance is the key to security
Prevention is always more worthwhile than cure, especially when it comes to cyberattacks. Feng Zhang, a security consultant at Avocado Consulting, recommends two key approaches to mitigating the risk of social engineering intrusions.
“Most importantly, big companies and financial institutes need to provide annual training against social engineering, phishing, malware and other attacks,” Feng says.
“They rely on their ‘safeguards’ like firewalls, but they forget that people are a vulnerable entry point.”
This training should focus on security best practices in and out of the workplace, especially given the role of social media in spear phishing.
“We are losing our identity, our private information, to unknown third parties. That’s dangerous behaviour but most people don’t realise it’s happening,” Feng notes.
More sophisticated monitoring
Another key approach to combating spear phishing and advanced persistent threats (APTs) is the use of a security information and event management (SIEM) system on top of an operational intelligence platform, such as Splunk.
Spear phishing emails pose a significant risk because they open the door for APTs against an organisation. Splunk, however, provides advanced monitoring and alerting capabilities. An organisation’s email security system detects malicious emails and sends the relevant data to Splunk for real-time correlation, notification and investigation by security teams.
Splunk is also able to adapt rapidly to new spear phishing campaigns. When spear phishing emails are detected coming from a specific email signature over an extended period, anti-virus and anti-malware vendors publish those details. Splunk checks for these new signatures in daily updates, ensuring that its detection capabilities stay current.
Splunk can identify email signatures originating from known spear phishers.
Splunk can also detect when an employee’s login credentials have been used to gain access to a system from an atypical location, another indicator of a breach. This is combined with DDoS and firewall attack detection capabilities, giving network security administrators a full perspective of their company’s readiness to react to cyberattacks.
There are a number of additional security advantages to Splunk, including:
- Elimination of IT silos by bringing machine data into a centralised platform.
- Broader and more precise detection by bringing big data into security monitoring.
- Faster responses thanks to real-time monitoring.
- Improved performance and scale thanks to the ability to integrate with a number of security products from around the world.
To learn more about using Splunk and operational intelligence for improved security, or for the latest advice on protecting your organisation from digital intrusions, get in touch with the experts at Avocado Consulting today.