Leveraging Behavioral-based Workload, Application, and Identity Controls for Automated Workload Protection
By John Masserini, TAG Cyber
Malicious cyber attackers have had unprecedented success in the past few years, but their attacks often rely on tricking or exploiting people inside an organization. Employees, software developers, partners, and even executives can intentionally or unintentionally clear the way for malicious intrusions. According to the Identity Theft Resource Center, phishing, smishing, malware, and ransomware were the top causes of data breaches in the first quarter of 2022. And according to Verizon’s 2022 Data Breach Investigations Report, 82% of attacks involved humans inside organizations making mistakes, such as falling for social engineering, failing to follow security best practices, or misusing privileged information. Security teams cannot afford to underestimate this “insider threat.” And while it’s not likely that any organization can eradicate all human error, there are effective strategies for cutting down on blunders and recovering faster when mistakes are made.
Over decades, attackers have refined and strengthened their abilities to take advantage of human error, and even when employees know about hacking methods, they can still fall prey.
Phishing emails, smishing texts, and fake websites are some of the most common and effective social engineering techniques for attackers. But they’ve also resorted to more brute force methods, such as tailgating, grabbing passwords from sticky notes, and peering at data on someone else’s computer.
Aside from getting tricked into sharing data, many people simply forget to be careful with private information. Someone can compromise security with an accidental “reply all” or fat-finger an email address to an outsider.
With a remote workforce, employees may use unauthorized devices or download third-party software, applications, or internet services which make their work easier. But these DIY operations don’t have IT oversight. It’s part of a “Shadow IT” that could inadvertently introduce vulnerabilities over which the security team has no control.
Software developers know that modern computing is complex and flexible, but business deadlines are simple and immutable. Sometimes, when schedules are squeezed, development teams just want to push code that works. They don’t have the bandwidth to patch all the back-end security holes or follow best practices.
Accordingly, developers may fail to maintain secure keys for private or partner APIs. Or they may hardcode passwords and authentication tokens for easier development and forget to remove them after deployment. Hackers know what corners the dev team is likely to cut and waste no time taking advantage.
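The hard-coded credentials described above are easy to catch before code ships if a scan runs on every commit. The following is an added example (not the article's or any vendor's tool): a small scanner that looks for string literals assigned to credential-like names and for literal bearer tokens, skips obvious placeholders, and uses a Shannon-entropy threshold so that labels and fixed words don't trigger alerts. The regexes, the threshold and the sample source are constructed for illustration.

```python
"""Flag likely hard-coded credentials in source text.

Added example for the article; the patterns, the placeholder list and the
SAMPLE_SOURCE snippet below are constructed, not taken from a real project.
"""
import math
import re
from collections import Counter

# A string literal (8+ chars) assigned to a credential-looking name.
ASSIGNMENT = re.compile(
    r"""(?i)\b(password|passwd|secret|api[_-]?key|auth[_-]?token|access[_-]?token)\b"""
    r"""\s*[:=]\s*["']([^"']{8,})["']"""
)
# A literal bearer token embedded in an Authorization header.
BEARER = re.compile(r"""Authorization["']?\s*[:=]\s*["']Bearer\s+([A-Za-z0-9._\-]{16,})""")

# Values that are clearly templates rather than real secrets.
PLACEHOLDERS = {"changeme", "example", "placeholder", "xxxxxxxx", "<redacted>"}


def shannon_entropy(value):
    """Bits of entropy per character; real keys and tokens score high."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def scan_source(text, min_entropy=3.0):
    """Return (line_no, kind, value) for each likely hard-coded credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern, group in (("assignment", ASSIGNMENT, 2), ("bearer", BEARER, 1)):
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(group)
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue  # template or interpolation, not a secret
            if shannon_entropy(value) < min_entropy:
                continue  # low-entropy word, probably a label rather than a key
            findings.append((line_no, kind, value))
    return findings


# Constructed sample: one env lookup (fine), one key, one token, one placeholder.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_KEY = "sk_live_4f9c2d7e8a1b3c5d6e7f"
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.signature"}
password = "changeme"
'''

if __name__ == "__main__":
    for line_no, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} credential literal {value[:6]}...")
```

Wired into a pre-commit hook or CI step, a scanner like this turns the "forgot to remove it after deployment" failure into a blocked commit; the entropy check keeps it from nagging developers about harmless strings.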
Unfortunately, some data thieves get help from people actively working with them. While this pernicious threat is not the most common, poor security practices can make it easier for malicious insiders to steal information.
For example, long term employees may take advantage of “Privilege Creep.” As they’ve moved through different roles in the company, security doesn’t remove their old permissions. With access to several business divisions no longer relevant to their current position, they can aggregate large collections of sensitive data to leak or sell.
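Privilege creep is straightforward to detect once entitlements are compared against what a person's current roles actually justify. The code below is an added example, not the article's own material: it takes a constructed role-to-entitlement map and constructed user records, computes the entitlements a user's current roles call for, and reports everything else as a revocation candidate for access review.

```python
"""Flag entitlements a user has kept from roles they no longer hold.

Added example; ROLE_ENTITLEMENTS and the user records are constructed
sample data, not from the article.
"""
from dataclasses import dataclass

# Constructed role model: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "erp:export-reports"},
    "hr-generalist": {"hris:read", "hris:edit-employee"},
    "sales-ops": {"crm:read", "crm:edit-opportunity"},
}


@dataclass
class User:
    name: str
    current_roles: set  # roles the person holds today
    entitlements: set   # what the directory actually grants today


def expected_entitlements(roles):
    """Union of what the user's *current* roles justify."""
    expected = set()
    for role in roles:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected


def find_privilege_creep(user):
    """Entitlements not justified by any current role, sorted for stable reports."""
    return sorted(user.entitlements - expected_entitlements(user.current_roles))


def review_report(users):
    """Map each user with stale access to the entitlements to revoke."""
    report = {}
    for user in users:
        stale = find_privilege_creep(user)
        if stale:
            report[user.name] = stale
    return report


if __name__ == "__main__":
    # Constructed sample: Dana moved finance -> HR -> sales but kept old grants.
    dana = User("dana", {"sales-ops"},
                {"erp:read", "erp:export-reports", "hris:read", "crm:read", "crm:edit-opportunity"})
    raj = User("raj", {"hr-generalist"}, {"hris:read", "hris:edit-employee"})
    for name, stale in review_report([dana, raj]).items():
        print(f"{name}: revoke {', '.join(stale)}")
```

Running this on a directory export as part of a quarterly access review (or on every role change) removes the aggregated access that makes a long-tenured insider's data theft possible.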
Regular employee training has proven very effective against phishing and other social engineering tactics. Training and a security-minded culture also help employees stay alert to how their actions could imperil data protection. Organizations with remote workforces need to gain control of remote devices, ensure they have updated antivirus software and patches, and prevent Shadow IT from expanding the organization’s attack surface.
Development teams can prioritize security practices and take the time needed to implement important safety measures, such as authorizing users and devices, limiting exposure of sensitive data to only privileged parties, scanning open source code for weaknesses, and updating default configurations and passwords.
Of course, as they say, “Nobody’s perfect.” Even with training and best practices, mistakes happen, and security teams need the tools to catch and contain any security incidents before they do serious damage, whether they had inside help or not. Some of the most effective defenses include a Zero Trust security model, real-time network visibility, workload behavior profiling, and detailed file integrity monitoring.
In a Zero Trust architecture, all users, accounts, and devices are authenticated, authorized, and validated against security policies optimized by network segment, application, workload, or data resource. For breaches facilitated by inside information, Zero Trust helps prevent traditionally trusted users or accounts from accessing applications or network segments (as granularly as which workloads within an application) for which they don’t have privileges. It effectively minimizes the blast radius when attackers or insiders compromise the network.
In order to catch malicious activity fast, SOC teams need to know what’s happening in the network and all environments in real time. Software that collects event-based telemetry across the network and surfaces it for analysis and monitoring helps security experts zero in on suspicious behavior. The continuous real-time data collection also feeds into workload behavior profiling and file integrity monitoring.
One of the challenges to finding malicious actions in a network is separating out the good, normal activity from the suspicious. Machine learning algorithms help solve the problem by tracking and analyzing normal workload behavior. They build an environment-wide behavioral graph of business-as-usual, so when a user or machine strays from the normal, they can be flagged and investigated. Basing security alerts on a positive model of known-good behavior also reduces false alarms which can overwhelm the SOC team and disrupt business processes.
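The positive model described above can be illustrated without any machine learning library: learn, from a window of telemetry, which processes each workload runs and which destinations each process talks to, then score new events against that baseline. The following is an added example, not the article's or any product's code; the events are constructed, and generalizing destinations to a /24 subnet is an assumption made so that a new host in the same tier does not trip an alert.

```python
"""Known-good (positive) behavior baseline for workloads.

Added example; BASELINE_EVENTS and the scored events are constructed telemetry
in the form (workload, process, "ip:port").
"""
import ipaddress
from collections import defaultdict

# Constructed learning-window telemetry.
BASELINE_EVENTS = [
    ("web-01", "nginx", "10.0.2.10:8080"),
    ("web-01", "nginx", "10.0.2.11:8080"),
    ("api-01", "gunicorn", "10.0.3.5:5432"),
    ("api-01", "gunicorn", "10.0.3.6:6379"),
]


def _dest_key(dest):
    """Generalize 'ip:port' to 'subnet/24:port' (assumed tier granularity)."""
    ip, port = dest.rsplit(":", 1)
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return f"{net}:{port}"


def build_baseline(events):
    """Per workload: the processes seen and the destinations each one used."""
    baseline = defaultdict(lambda: defaultdict(set))
    for workload, process, dest in events:
        baseline[workload][process].add(_dest_key(dest))
    return baseline


def score_event(baseline, event):
    """Return (reason, severity); severity is None when the event is business-as-usual."""
    workload, process, dest = event
    processes = baseline.get(workload)
    if processes is None:
        return ("unknown-workload", "high")
    if process not in processes:
        return ("new-process", "high")
    if _dest_key(dest) not in processes[process]:
        return ("new-destination", "medium")
    return ("baseline", None)


def find_deviations(baseline, events):
    """Only events that stray from the known-good model are surfaced."""
    deviations = []
    for event in events:
        reason, severity = score_event(baseline, event)
        if severity:
            deviations.append((event, reason, severity))
    return deviations


if __name__ == "__main__":
    model = build_baseline(BASELINE_EVENTS)
    new_events = [
        ("web-01", "nginx", "10.0.2.57:8080"),      # same tier, same port: normal
        ("web-01", "python3", "198.51.100.20:443"),  # process never seen on web-01
        ("api-01", "gunicorn", "10.0.9.9:5432"),     # known process, unfamiliar subnet
    ]
    for event, reason, severity in find_deviations(model, new_events):
        print(f"[{severity}] {reason}: {event}")
```

Because the first event is scored as normal even though that exact host never appeared in the learning window, the model reduces the false alarms that an exact-match rule would raise, which is the point the paragraph makes about positive security models.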
While file integrity monitoring (FIM) helps organizations stay compliant with data protection regulations, it can also help catch file changes resulting from internal and external attackers deploying malware, encrypting data, or changing access privileges.
FIM software compares changes against approved updates, including versions, modification dates, content changes, and checksum deviations. FIM combined with a positive security model helps capture problematic alterations while cutting down on false-positive alerts. FIM also helps improve the accuracy and speed of response teams’ remediation efforts.
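The comparison FIM performs (size, modification time, checksum) against a list of approved updates can be shown in a few dozen lines. The code below is an added example, not the article's or any FIM product's code: it snapshots a directory tree, rescans it, and reports every change that is not covered by an approved-change list keyed on the expected SHA-256 of the sanctioned file. The demo scenario, files and hashes are constructed in a temporary directory.

```python
"""Minimal file integrity monitor: baseline, rescan, diff against approved changes.

Added example; the demo directory, file contents and change ticket are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record size, mtime and SHA-256 for every regular file under root."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            inventory[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            }
    return inventory


def diff_snapshots(old, new, approved=None):
    """Return (path, change) findings not explained by the approved-change list.

    approved maps relative path -> SHA-256 the sanctioned update should produce.
    """
    approved = approved or {}
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append((path, "deleted"))
        elif path not in old:
            findings.append((path, "added"))
        elif old[path]["sha256"] != new[path]["sha256"]:
            if approved.get(path) == new[path]["sha256"]:
                continue  # exactly the sanctioned release: no alert
            findings.append((path, "modified"))
        elif old[path]["mtime"] != new[path]["mtime"]:
            findings.append((path, "touched"))  # same content, metadata changed
    return findings


def run_demo():
    """Constructed scenario: one approved update, one unauthorized edit, one drop-in file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-v1")
        before = snapshot(root)

        # Sanctioned release: new binary, its hash recorded in the change ticket.
        new_binary = b"\x7fELF-v2"
        (root / "bin" / "service").write_bytes(new_binary)
        approved = {"bin/service": hashlib.sha256(new_binary).hexdigest()}

        # Unsanctioned: config flipped and an unexpected file appears.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "etc" / "extra.conf").write_text("listen=0.0.0.0\n")

        after = snapshot(root)
        return diff_snapshots(before, after, approved)


if __name__ == "__main__":
    for path, change in run_demo():
        print(f"{change}: {path}")
```

Keying the approved list on the expected checksum rather than on the path alone matters: a change ticket that merely says "bin/service will change" would also excuse an attacker's replacement of that file, while a hash pin only excuses the exact release that was reviewed.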
Whether inside or outside an organization, the human element introduces a degree of unpredictability to cyber attacks. Security teams have to be ready for mistakes, surprises and fresh new tactics from attackers. A strong security culture and best practices form the bedrock of a good defense, and a Zero Trust approach along with real-time visibility and smart machine analysis will help ensure the latest criminal innovations don’t get the upper hand.