In today’s ‘new normal’ world of information security, yesterday’s approaches to keeping the bad guys out have effectively been rendered useless. Put simply, it is my view that it’s no longer possible to protect your personal data or your organisation’s intellectual property by maintaining a reactive strategy.
Brendan McAravey, Country Manager, Citrix South Africa
As the traditional perimeter shrinks and fragments into many smaller ones, one around every new mobile device or IoT-connected endpoint, the aggregate attack surface grows, and perimeter-only defences become ineffective. The numbers bear this out: PricewaterhouseCoopers’ Global State of Information Security Survey 2016 found that 41.44% of companies in South Africa and the Middle East had detected 50 or more cyber security incidents in the past 12 months, while a further 17.47% had identified between 10 and 49 incidents.
At the heart of many of the best examples of modern, effective security postures that I have seen has been the concept of using intelligence to help drive the desired outcomes of each of the key cornerstones of Deter, Detect, Respond, Remediate. Just as, in the physical world, we look to law enforcement and government entities to use intelligence to protect from harm, so must we embrace the same philosophies in the virtual world – we are in a relentless state of cyber-war and we must prepare for the ongoing battle by out-thinking and out-smarting the enemy.
In terms of the role that intelligence plays in the new normal, I think of it as a combination of Human and Artificial – each with a key role to play and each as vital as the other in the successful implementation of a progressive, adaptive security posture.
Don’t underestimate the human factor
Human intelligence is an oft-neglected, yet critical part of the line of defence. It’s a game of hearts and minds and every organisation has to view their employees, contractors and partners as extensions of their firewall. According to CompTIA’s International Trends in Cybersecurity 2016 Report, 60% of cyber security risks in South Africa were due to human error. This mirrors the global total of 58%, highlighting that this is a common threat for both developing and developed economies.
For the human intelligence element to be effective, organisations must deliberately blur the line between personal (at home) and corporate (in-office) security, so that safe habits carry over from one to the other. That means designing scenarios and exercises that imitate real social engineering or phishing attacks, measuring how employees, contractors and partners react to them, and using those results to close the gaps in behaviour that the exercises expose, repeatedly rather than as a one-off.
The rapid growth in ransomware, where attackers use social engineering to get a victim to run malicious code that encrypts their files and then demand a hefty sum for the decryption key, is front-page news around the world, and is another example of why it is critical to educate, educate, educate. Education is the first line, not the only one: tested offline backups and least-privilege access to file shares limit the damage when someone does click.
Making the most of artificial intelligence
Artificial intelligence is an emerging paradigm and perhaps the best weapon any organisation could possess in today’s evolving threat landscape. Collecting, analysing and acting upon system and log information is fundamental to the ‘hand-to-hand combat’ approach that is required to keep bad actors at bay. Attackers no longer rely on forcing their way through the firewall; they are far more sophisticated and use advanced persistent threat (APT) tactics, which can include planting a Remote Access Trojan and leaving it dormant for months before using it. It is therefore critical to add an ‘east-west’ view of traffic moving laterally inside the network to the existing ‘north-south’ view of traffic crossing the perimeter, so that lateral movement and internal data transfers can also be captured and assessed.
The key to utilising an artificial intelligence approach is being able to surface anomalies from the huge volumes of information captured in log management solutions and Security Information and Event Management (SIEM) systems. Applying readily available machine learning and anomaly detection techniques to that data can give an organisation ‘X-ray vision’ into activity on its corporate networks and an advantage over the attacker, provided there is a trustworthy baseline to compare against; a model trained on an already-compromised network will learn the attacker’s traffic as normal.
Change your mindset
As Country Manager, there is one question that comes up from customers over and over again:
“What advice would you give us about where we should spend our time, effort and money to prevent or more quickly detect and remediate threats?”
Given that cybercrime in South Africa costs the economy an estimated R6 billion annually,* my answer is always the same, irrespective of customer or industry sector:
“The fact that many organisations go months before they realise they have been compromised means there are not enough tools in place to quickly detect ‘indicators of attack’ and ‘indicators of compromise’. You have to act like you’ve already been breached – that’s the change of mindset you need. Assume you are compromised right now, today, and then think about how you would architect segmentation at the access, network, application and data level.
You also need more visibility to determine a baseline for what activity is valid, e.g. bandwidth usage, which users connect from where, which networks typically communicate at what times of day and what constitutes normal traffic, so that anomalous traffic will stand out. For example, one way to gain visibility into attacks against web applications is with Citrix’s NetScaler Security Insight, which uses the application firewall function to better identify and prioritise attacks for more effective triage. Security Insight also analyses the NetScaler configuration to highlight inconsistencies that weaken the security posture.”
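The two ideas above, surfacing anomalies from collected log data and first establishing a baseline of who connects from where and when, fit together in a single small detector. The following is an added example, not code from the article or from Citrix: it builds a per-user baseline from constructed connection log lines (user, source country, hour of day, bytes out) and then scores new events for a never-seen source, off-hours activity and an outbound volume far above the user’s norm. The volume check uses a median-plus-scaled-MAD threshold rather than a trained model, which is the simplest robust form of the anomaly detection the text describes; the log format, the field names and the sample users are all assumptions for the example.

```python
"""Baseline-then-anomaly detection over constructed connection logs (example only)."""
import statistics
from dataclasses import dataclass, field

# Constructed sample data, not from any real system: "timestamp user src_country bytes_out".
BASELINE_LOG = """\
2016-03-01T08:12:00 alice ZA 1200
2016-03-01T09:40:00 alice ZA 1350
2016-03-02T11:05:00 alice ZA 1100
2016-03-02T13:22:00 alice ZA 1500
2016-03-03T15:48:00 alice ZA 1250
2016-03-03T17:10:00 alice ZA 1400
2016-03-01T09:00:00 bob ZA 2000
2016-03-01T12:30:00 bob ZA 2200
2016-03-02T14:15:00 bob ZA 2600
2016-03-02T16:00:00 bob ZA 2100
2016-03-03T10:45:00 bob ZA 2400
"""

NEW_LOG = """\
2016-03-04T09:30:00 alice ZA 1300
2016-03-04T03:05:00 alice RU 1250
2016-03-04T10:20:00 bob ZA 900000
2016-03-04T11:00:00 mallory ZA 500
"""


@dataclass
class Event:
    ts: str
    user: str
    src: str
    bytes_out: int

    @property
    def hour(self):
        # ISO timestamp, hour is characters 11-12.
        return int(self.ts[11:13])


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from the baseline window."""
    sources: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    byte_samples: list = field(default_factory=list)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, nbytes = line.split()
        events.append(Event(ts, user, src, int(nbytes)))
    return events


def build_baseline(events):
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev.user, Profile())
        p.sources.add(ev.src)
        p.hours.add(ev.hour)
        p.byte_samples.append(ev.bytes_out)
    return profiles


def volume_threshold(samples, k=3.0):
    """Median + k * scaled MAD. Unlike mean/stddev this is not dragged up by the
    very outliers we are hunting. A MAD of 0 (all samples identical) makes any
    increase count as anomalous, which is the conservative choice."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    return med + k * 1.4826 * mad


def score_event(ev, profiles, hour_slack=1, k=3.0):
    """Return the list of reasons this event deviates from the user's baseline."""
    p = profiles.get(ev.user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if ev.src not in p.sources:
        reasons.append(f"new source {ev.src}")
    lo, hi = min(p.hours) - hour_slack, max(p.hours) + hour_slack
    if not lo <= ev.hour <= hi:
        reasons.append(f"off-hours {ev.hour:02d}:00")
    if ev.bytes_out > volume_threshold(p.byte_samples, k):
        reasons.append(f"volume {ev.bytes_out} above baseline")
    return reasons


def detect(baseline_text, new_text):
    """Map (timestamp, user) -> reasons for every new event that deviates."""
    profiles = build_baseline(parse_log(baseline_text))
    findings = {}
    for ev in parse_log(new_text):
        reasons = score_event(ev, profiles)
        if reasons:
            findings[(ev.ts, ev.user)] = reasons
    return findings


if __name__ == "__main__":
    for key, why in detect(BASELINE_LOG, NEW_LOG).items():
        print(key, "->", "; ".join(why))
```

Run as-is it reports alice’s 03:05 connection from a new country, bob’s 900000-byte transfer and a user with no history at all, while alice’s ordinary daytime connection produces nothing. In practice the baseline window should come from a period you have reason to trust, and each reason should feed a SIEM rule or score rather than stand alone, since a single new source country is common for travelling staff.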
At Citrix, we are passionate about security and are committed to providing a portfolio of solutions, across the entire company, that address our customers’ security and compliance needs and keep their data safe in transit, in use and at rest.
* A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity (2015) – Allianz Global Corporate and Specialty.