Article by Simon Eid, Splunk A/NZ Area Vice President
There’s no guarantee your business will never be hacked. Organisations around the world have been impacted by WannaCry Ransomware which encrypted files, resulting in Australian organisations being immobilised.Shortly after this, cyber threats were again in the news as WannaCry’s evil twin brother, Petya, had a large impact in Australia, bringing down Cadbury’s chocolate factory in Hobart, Tasmania, as well as law firm DLA Piper Ltd.
These examples, along with the fact that almost a quarter of Australian organisations deal with security breaches that interrupt their business on a monthly basis, underscore the urgency for cybersecurity to be approached from a business perspective. It’s no longer just an IT security system admin problem, focused on installing and configuring new network firewalls and deploying endpoint protection solutions.
This shift in approach comes as spending on security is expected to reach US$90 billion in 2017, according to Gartner. For example, those organisations that ‘simply’ kept their systems up to date with the latest patches were resilient against the WannaCry Ransomware. Organisations who actively manage security are well positioned to mitigate damage and recover quickly. Here are three practical tips on how to do just that.
A data-driven security strategy underpinned by machine data is the foundation required to support cybersecurity initiatives. From monitoring whether basic security hygiene is being maintained to identifying weak areas that no one is looking after, a security information and event management (SIEM) solution is a good choice.
It’ll aggregate information and let you run regular reports to determine which systems are patched, provide information from vulnerability scanners, and update you on the status of endpoint protection solutions. SIEM will also alert you to any notable security anomaly happening, such as a virus or anomaly on the system. Another example might be having a highly vulnerable and unpatched network in place and a system suddenly performing a network discovery scan. This suspicious activity should ring alarm bells.
When it comes to user-authentication, relying on the inbuilt security of Microsoft Active Directory and its lockout policies will no longer suffice. Organisations need to dive into each digital service, figure out how that service is exposed externally, understand how people log on, how they reset their passwords and how new users are created. Then, identify the machine-generated data required to get those insights. Leveraging these data-driven insights is key to proactively detecting any outliers.
WannaCry and Petya point to the increasing trend that it’s not a matter of if your business will be hacked, it’s a matter of when. You need to think ahead to what’s the organisational process, which people do you need to involve to take action, who can help answer questions about what happened, what do we need to do to stop it and who was impacted.
You need to make decisions about taking services offline, notifying the authorities or communicating to the media. This exercise goes beyond the IT security system admin role. Mature organisations already have crisis planning for ‘cyber risks’ included within operational planning.
The designated team is tasked with finding answers to all the questions about the breach. This information can usually be found in machine-generated data – which should be stored in a centralised platform, where the team can ask any question in a flexible way. With a scalable process, you can overcome any technical bottlenecks that may evolve during a crisis.
As IT security threats continue to evolve, remember that you can’t stop a highly determined attacker from targeting your data. However, with the right security solutions, you can make your organisation an extremely difficult target. With recent security breaches in mind, Australian companies need to adopt this mindset sooner rather than later.