This document discusses strategies for mitigating risks from cyber security attacks. Traditional security controls like firewalls and antivirus software are ineffective against targeted attacks. To combat cyber threats, organizations must define a security baseline and monitor for any changes, detect abnormalities as early as possible to minimize damage, and implement automated solutions along with security processes and expertise, as manual auditing alone is not scalable for most organizations. Continuous monitoring that identifies and correlates changes can help quickly detect breaches and threats while providing intelligence to security teams.
2. Mitigating Risk from Cyber Security Attacks
Edward Hamilton, Senior Manager
Ref: 18161-446
3. The threat profile from cyber security attacks is significantly different from the traditional security threat profile

Opportunistic attacks: low skill; utilise known vulnerabilities; scripts and other tools
Targeted attacks: high skill; develop new attacks and utilise known vulnerabilities; bespoke tools
4. Traditional security controls will not prevent cyber security attacks

Firewalls: cyber security attacks use open ports (HTTP, HTTPS) on the firewall to attack applications located behind the firewall.
Anti-virus / malware detection: anti-virus is based on detecting signatures; cyber attacks utilise bespoke malware, so anti-virus does not detect the attack.
Content management (web / email): cyber security threats use standard data formats (HTTP, Word documents, etc.) from what appear to be trusted locations.
End point security: security hardening, hard disk encryption, etc. will not stop cyber security attacks, as the attacks utilise a user's own privileges to access the data.
5. How traditional cyber security attacks are detected

Abnormal desktop behaviour: a user's desktop acts abnormally and the user suspects they have a virus.
Reports that the Internet link is slow: users report that the Internet is slow, and investigations reveal that a significant amount of web traffic is going out of the organisation.
Intelligence
Error by the attackers: an attacker was unlucky as their bespoke trojan is mis-identified as a virus.
6. How to combat cyber security attacks [1]: Know your security baseline and detect any changes

Define your security baseline → Identify compliance of each system with the baseline → Record changes → Monitor activities for changes → Detect abnormal changes → Alert → Investigate

As traditional security controls are insufficient to detect and mitigate cyber security threats you need to be able to detect the possible warning signs of a cyber attack, such as:
• an increase in the data being viewed / accessed by a particular user account
• changes to the configuration of an application or operating system
• increased demand for network bandwidth
• activity outside normal business hours
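The baseline-and-change cycle above, worked through as an added example; this is not code from the presentation or from Analysys Mason. It records a baseline as SHA-256 fingerprints of configuration files, diffs a later snapshot against it (the "changes to the configuration" warning sign), and runs two of the activity checks over constructed access-log records: data volume per user against that user's recorded daily baseline, and activity outside business hours. The file paths, log records, the 3x volume ratio and the 08:00-18:00 business window are all assumptions chosen for illustration.

```python
"""Baseline-and-change monitor for the warning signs listed above (added example)."""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed "security baseline": the approved contents of a few configuration
# files, recorded when the system was last known-good (paths are illustrative).
BASELINE_CONFIG = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
}

# Constructed snapshot taken during a later monitoring run: sshd_config has been
# weakened and an unexpected cron job has appeared.
CURRENT_CONFIG = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
    "/etc/cron.d/update": "* * * * * root /tmp/.x\n",
}

# Constructed access-log records (user, ISO timestamp, bytes read) and the
# per-user daily volume recorded as that user's normal baseline.
ACCESS_LOG = [
    {"user": "alice", "ts": "2024-03-04T09:15:00", "bytes": 10_000_000},
    {"user": "alice", "ts": "2024-03-04T14:30:00", "bytes": 20_000_000},
    {"user": "bob", "ts": "2024-03-04T02:10:00", "bytes": 70_000_000},
    {"user": "bob", "ts": "2024-03-04T10:00:00", "bytes": 5_000_000},
    {"user": "mallory", "ts": "2024-03-04T11:00:00", "bytes": 1_000},
]
BASELINE_BYTES_PER_DAY = {"alice": 50_000_000, "bob": 20_000_000}


def fingerprint(config):
    """Map each path to a SHA-256 of its contents; the baseline stores hashes, not files."""
    return {path: hashlib.sha256(text.encode()).hexdigest()
            for path, text in config.items()}


def diff_baseline(baseline_fp, current_fp):
    """Compare two fingerprints: files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current_fp) - set(baseline_fp)),
        "removed": sorted(set(baseline_fp) - set(current_fp)),
        "modified": sorted(p for p in baseline_fp
                           if p in current_fp and baseline_fp[p] != current_fp[p]),
    }


def detect_abnormal_activity(records, baseline, ratio=3.0, business_hours=(8, 18)):
    """Flag off-hours access and per-user daily volume above ratio x baseline.

    A user with no recorded baseline is treated as zero, so any activity from an
    unknown account is flagged rather than silently accepted.
    """
    daily = defaultdict(int)
    alerts = []
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        daily[(r["user"], ts.date())] += r["bytes"]
        if not business_hours[0] <= ts.hour < business_hours[1]:
            alerts.append(("off_hours", r["user"], r["ts"]))
    for (user, day), total in daily.items():
        if total > baseline.get(user, 0) * ratio:
            alerts.append(("data_volume", user, day.isoformat()))
    return alerts


def monitoring_run():
    """One monitoring cycle: configuration diff plus activity anomalies."""
    changes = diff_baseline(fingerprint(BASELINE_CONFIG), fingerprint(CURRENT_CONFIG))
    alerts = detect_abnormal_activity(ACCESS_LOG, BASELINE_BYTES_PER_DAY)
    return changes, alerts


if __name__ == "__main__":
    changes, alerts = monitoring_run()
    for kind, paths in changes.items():
        for p in paths:
            print(f"CONFIG {kind.upper():8} {p}")
    for alert in alerts:
        print("ACTIVITY", *alert)
```

In a real deployment the fingerprints come from the files or configuration-management exports of each system, and `monitoring_run` is scheduled rather than run once: the interval between runs is the "window of opportunity" the next slide talks about, so the shorter the cycle, the sooner a change such as the weakened `sshd_config` or the unexpected cron job is surfaced to the security team.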
7. How to combat cyber security attacks [2]: Detect change and monitor continuously

Window of opportunity: how often do you check your systems – every day, week, month …?

If you deploy a solution that combines detection of change and continuous monitoring you will:
• detect the breach as soon as practically possible
• minimise the window of opportunity – from the initiation of a cyber attack to its detection
• minimise the data loss
• be able to take control of the security incident – by understanding what has changed you will be able to put suitable mitigation in place quickly
8. How to combat cyber security attacks [3]: Manual auditing and continuous monitoring is not scalable

• Limited bandwidth within security operation teams – security teams are relatively streamlined and do not have the bandwidth to dedicate staff to incident investigation
• Large distributed environment – networks are complex, running numerous applications from multiple locations and utilising many technologies
• Reduced budgets – with the current budget constraints, having a dedicated investigation team is not possible or practical

To combat cyber security attacks, a combination of automated technology, processes and people is required.
9. The result…

Increase visibility – quickly and efficiently detect the effects of cyber attacks
Intelligence
• Correlate changes and activities to identify the root cause of the security incident
• Get the right information to the security team as quickly as possible
Automate – minimise the effects of cyber attacks

Achieve a cyber security solution that is pragmatic, realistic and allows you to detect and manage cyber security threats.
10. Edward Hamilton
edward.hamilton@analysysmason.com
Analysys Mason Limited
Bush House, North West Wing
Aldwych, London WC2B 4PJ, UK
Tel: +44 (0)20 7395 9000
www.analysysmason.com