Effective Defense for New Attack Vectors

By Lonnie Carter, SVP, Information Security Manager, Ameris Bank

Lonnie Carter, SVP, Information Security Manager, Ameris Bank

The changing landscape of security for technology and data is driving significant changes to the processes and tools needed to protect against and mitigate cybersecurity risks. Traditional security defenses such as firewalls, web filtering and anti-virus are no longer considered adequate to defend against the evolving threat landscape. Significant amounts of time, resources, and investment are being made by criminals to circumvent these traditional defenses and in many cases the traditional defenses are no longer pertinent. The rapid rise of the monetization of cybercrime has taken the security industry in new directions as it is no longer just about protecting systems. The introduction of ransomware is a clear indication that monetary gain is driving the majority of efforts by criminals. Ransomware has made this monetary effort easier and less expensive as the criminal only needs to have a successful phishing attempt to have a possible monetary payback. There is no need to gather data and information, no need for multiple bank accounts to move money, no need for “mules” to physically obtain and move money, there is less risk, and most important, it costs less to so the potential reward is higher. Ransomware has the potential to be the greatest cybersecurity threat in the history of cybercrime.

“The evolving threat landscape requires human resources that can evaluate and react to the ever changing conditions”

To be successful, three areas that must be addressed in any effort to defend against these evolving threats are:

• Insider Threat – Employees represent the single largest threat to the security of systems and data. Employees, intentionally or unintentionally, are taking actions which allow systems and data to be compromised. These compromises are most commonly a result of an action taken during web browsing, managing email, not securing data such as physical files, or via social engineering efforts by criminals.

• Advanced Persistent Threats (APT) – Criminals are utilizing new tactics which circumvent traditional security measures. These tactics allow for extended periods of reconnaissance and discovery that allow for significant levels of data loss. Defenses against these evolving threats require a revision of the traditional security model to provide an additional layer of security, specifically, a defined incident response process, a security driven culture, and continuous monitoring to identify and correlate anomalies to threats and then to actions taken.

• Vendors – As the complexity of systems has increased and the dependence upon Software as a Service (SaaS) has increased, vendors are now retaining significant levels of customer data. Vendor relationships are being implemented without consideration for control mechanisms critical to the security of the data being managed by the vendor. There is insufficient oversight and control of vendors and vendor relationships.

How can we defend against these evolving threats? The following steps are critical to any efforts to fight these threats:

• Acknowledge the Risk – Cybersecurity is rarely accepted as a point of risk until it has become an actual issue. Executive and senior management must acknowledge the risk, determine their risk appetite, and identify an appropriate course of action to bring the risk to acceptable levels. Failure to engage and obtain senior management support will always result in a failure.

• Budget for Security – Cyber criminals are innovating and identifying new methods to monetize cybercrime. It is not possible to fight this battle without the necessary resources. Do you have the right systems? Are your systems outdated? Do you have the right people manning the defenses? Resources will be both current systems to defend against cybercrime, but also a staffing model that specifically includes IT Security Professionals. This evolving threat landscape requires human resources that can evaluate and react to the ever changing conditions. These human resources must have the correct tools. Just as modern warfare has evolved to include real time intelligence, so must the fight against cybercrime. Systems such as a SIEM that can provide real time analysis of log files and network traffic and provide correlation of identified events is critical to today’s defensive efforts.

• Culture of Security – The prevailing thought today is that security is an IT problem which could not be further from the truth. Many IT departments have implemented and continue to maintain the traditional defenses against cyber threats. The majority of cyber security issues arise from users with little or no understanding of cyber security or the risks posed by email, web sites, and social engineering. It is this lack of a “security culture” that must be changed before any real progress can be achieved in fighting cybercrime. Ongoing required training, phishing exercises both internal and external driven, and providing defined methods to provide timely and effective reporting of potential incidents is a requirement in any successful effort to fight cybercrime.

• Know your Environment – Where are your risk points? What are your weaknesses? What are your controls? Are they working? Who is managing and monitoring the defenses? Do you have adequate insight into the environment to know when you are at risk or have been compromised? Where are your devices? Are they protected and patched? What is your mean time to detect? What is your mean time to respond?

• Incident Response – It is no longer an offensive effort in this cyber battle. Today’s reality is we are on the defense and losing ground. It is critical to have an incident response plan in place to react when a compromise or breach occurs. Failure to have a plan in place results in critical time delays that can result in greater loss or damage than was necessary. The incident response process must be provide the tools to rapidly triage, analyze, and act upon incident intelligence. The incident response process must be given the necessary authority to take definitive actions and must have access to or include key decision makers to insure the process does not get mired in red tape.

The cybercrime threat is real. Each day, cybercriminals develop more variants of exploits and release them to the criminal underworld. It is a never-ending battle between the criminals and the companies striving to secure systems and data. It is clear that cybercrime has become a new revenue stream for criminals and they are embracing it. An effective defense will always be evolving and changing to meet the new attack vectors.

Technology has become a challenging environment. The protection of systems and data is critical to the digital world that we now live in. However, careful planning and execution will enable a successful defense.