Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

Enterprise Security in Times of War

Enterprises define security policies that match their business objectives. By setting security policy rules, an organization can better enable the business to achieve its goals while protecting them from advanced threats. They work reasonably well, even allowing for the well-publicized breaches and insider threats. Without policies or a set of tools in place for such eventualities, it will be very difficult for the business to operate effectively when under attack.
Enterprise Security War

It draws a similar comparison to “times of war” when security threat levels have increased and citizens are asked to take more care or follow more security processes (like at the airport or attending large stadium events).

I recently wrote about this topic for IT Security Planet. You can read more here: Cybersecurity Strategy. It’s Your Move

The question now is what enterprises can do when under attack?  Take for example when an organization realizes that it is under an immediate security threat like a Distributed Denial of Service or that it has been crippled by Ransomware. Will employees, partners, and customers still have access like they did during ‘normal’ times? Will the enterprise network be shut down? Or will it be some combination of the two?

Conceivably, some of these security events may continue over an extended period of time. It may not be feasible to adopt a severely limiting posture like network isolation, which can impact all business operations. Intermediate options could include limiting access to critical servers and services, enabling enterprise-wide Two Factor Authentication (2FA)  to validate identity, limiting access to the Internet, restricting access to cloud services, etc.

Assuming cybersecurity threats are here to stay, what enterprises will need is a well-defined set of policies that include an ability to respond in ways that match the type or types of threats. The threat can be as small as a user opening a spear-phishing email, or realizing that multiple machines have been compromised inside the network, to being subjected to DDoS attacks, combined with compromised internal machines with confidential data inaccessible due to Ransomware.

Currently, there are no easy or granular approaches to responding to different kinds of threats, especially once the threat is inside the network. Next-Generation Firewalls are effective at protecting the network from external threats and policies can be enabled to restrict access from the outside. The same is not true for the internal network as usage patterns are complex, multi-directional, and evolving. That is because applications like Active Directory, the center of identity, and access within the enterprise, does not provide such capabilities.

Being able to step up the level of security while still allowing enterprises to function needs to be a requirement. Also, having the ability to revoke the credentials of users or a group of users. A good example of where this is important would be when there is a significant incident, the enterprise might want to force Multi-Factor Authentication (MFA) on all users if they are accessing specific critical assets. Or, the enterprise may want to restrict access to certain servers to specific users while the incident is in progress. In the worst case, you may need a cybersecurity kill switch.

The key process here is to build a business-wide strategy that takes into account various factors regarding the threat: internal, external, ongoing, industry-specific, widespread, automated attacks, etc. Once that is understood, and with full buy-in from the various stakeholders, a plan can be developed that meets the needs of the business while maintaining security. Such a plan will include an understanding of the key resources that need to be protected at all costs, an asset that will have heightened focus, assets that will available only to a select group of users while the threat is ongoing, etc. The degree of detail for such a plan has to be high and roles during the attack should be clearly identified. After all, it is fighting a war as a disciplined army would.

The last step is implementation. Implementation can be achieved with specific tools that enable response based on the threats. Using policy-based solutions like Next-Generation firewalls, Behavioral Firewalls, and other network security devices, enterprises can obtain the desired level of security while a cybersecurity incident is in progress. Next-Generation firewalls can help to protect the enterprise from attacks outside the perimeter. That can keep on going threats outside the core of the network, especially if the threat is still external.

For access to cloud applications, cloud Single Sign-On (SSO) products can help to rapidly and systematically restrict access to users if that is required. Cloud infrastructure services like Azure and Amazon Web Services (AWS) provide Role-Based Access Controls (RBOC). If roles are well defined, these can be effectively quarantined. Similar access controls can be enabled inside the enterprise network to control access to applications. The challenge with these kinds of approaches is that they are very clear cut. Either access is allowed or disallowed. To balance the desire for security with the necessity of access to meet business objectives, a more nuanced approach is necessary.

Behavioral firewalls, an emerging category of solutions, can help achieve balance. Behavioral firewalls combine user behavior and entity analytics (UEBA) and adaptive response to be able to detect and respond to insider threats, credential compromise, and breaches. As one of the keys to rapid and unfettered movement in the network is access to legitimate user credentials, enterprises can use the policy capabilities of Behavioral Firewalls to restrict access using a fine-grained set of responses. Such adaptive response options include actions like controlling user access by forcing dynamic user identification via MFA on the fly, re-authentication, notify user, allow, block user, etc.

Behavioral Firewalls have the ability to define policies by individual, group, organization, etc. Such granularity, along with granularity of response, is two key components of a solution that can be effective in times of peace and times of war. The glue between user and response is the policy that enables action. Having this as part of the security strategy can protect the enterprise while being able to respond effectively to a large scale threat.

If a CISO’s security team has access to tools that can limit access quickly and effectively, responding to a security threat can be possible. Enterprises will need to respond to cybersecurity events. It is only a matter of time before an incident happens. The first thing to do, though, is to have the right policy and tools in place to enable such a graduated and granular response.

Topics: Adaptive Response, Behavioral Firewall, CISO, Credential Compromise, Insider Threats, ueba, User and Entity Behavior Analytics,

Posted by Roman Blachman on September 8, 2016 7:58 AM


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More


What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More


A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More


10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More