Every business should start with assessing their risks and scanning for vulnerabilities.
Knowing what vulnerabilities exist within the business can help prioritize what needs to be controlled and what needs to be monitored.
Risk assessments, vulnerability assessments, penetration testing, and incident response tabletop exercises all have their place. Risk management is a continuous process: risks should be managed and monitored on an ongoing basis, not assessed once and filed away.
Many customers want to know whether they are improving and how they compare with others in their industry. Many solutions and service providers can be leveraged here. The CYRISMA Risk Management Platform is one product that we are evaluating in our day-to-day work from a co-managed MSSP perspective: what value beyond the tool can we generate as an MDR provider, what value and automation can we deliver to the end customer, and can we extend traditional MDR services from alerting on "active threats" to alerting on "active risks"?
Risk Management platforms can help highlight risks and provide a useful roadmap, and with it the visual score that a Board of Directors (BOD) is looking for: "We are an A striving for an A+ (here is our report card), and here is the roadmap to the A+ we will tackle in 2024."
Even better when paired with an MDR provider alerting on active risks. This is a complex project to tackle without a trusted security partner: Risk Management Platforms generate a lot of noise until the platform is tuned.
Every business should consider a solution here, or at least a way to understand and communicate risk. For businesses on a native Azure journey, Microsoft Secure Score, Security Center and Purview are great tools that help flush out risk and add proactive checks and balances.
Even the top EPP products and EDR services aren't able to natively recover from ransomware.
Based on our SOC experience monitoring hundreds of businesses, EPP/EDR can be bypassed. Ransomware attackers constantly evolve their techniques to evade detection by EDR solutions, so EDR cannot always be relied upon to stop a ransomware attack. EPP/EDR also does not provide automated decryption: if ransomware succeeds in encrypting files, EDR cannot decrypt them, which leaves the organization relying on manual recovery (restoring from backups or manually running a decryptor), which is time-consuming and expensive. Given the tech-stack debt and disjointed security programs we've seen, and the hybrid AD networks that straddle on-premise and cloud, a dedicated Anti-Ransomware product makes sense for everyone.
In terms of solutions in this space, in our day-to-day, the Halcyon Anti-Ransomware Platform is the product we selected to integrate into our MDR service set. You can obtain Halcyon directly or through a partner, but as mentioned with the risk management tools, these complementary platforms and services are better paired with an MDR provider. Why? For starters, ransomware is present in roughly 24% of breaches (see the Verizon DBIR figure below). So, suppose Halcyon is a silver bullet for ransomware (which it arguably could be): who has your back for the other 76% of breaches? And who wants to manage disparate security platforms when they can be centrally managed by an MSSP?
We originally met Halcyon at RSA - great team. We have experience working with Halcyon and have experience building advanced SOAR integrations that active MDR customers are leveraging today.
Source: Verizon 2023 Data Breach Investigations Report (DBIR). "Ransomware continues its reign as one of the top Action types present in breaches, and while it did not actually grow, it did hold statistically steady at 24%. Ransomware is ubiquitous among organizations of all sizes and in all industries."
Many threats these days are designed to target the endpoint. We've seen some of the most successful compromises start at the endpoint.
Just because Endpoint Protection Products (EPP) may be less effective against ransomware does not make them any less important. Endpoint products are designed to catch all sorts of malware and other threats; endpoint protection is critical in every organization.
Many businesses have endpoint controls deployed but are not actively monitoring or maintaining a secure user/device policy.
In terms of top-performing endpoint products, we like Microsoft Defender and CrowdStrike. In our day-to-day we lead with Microsoft, given the ability to fully integrate with Identity Protection and Conditional Access, while we also integrate with CrowdStrike. Using a different product? We have experience with many different endpoint security products and the ability to integrate with 500+ other security products.
Not much else to say about EPP, except that EPP paired with an MDR provider becomes managed EDR: Endpoint Detection and Response is an endpoint security product whose telemetry is managed and monitored by a 24x7 Security Operations Center.
EDR is traditionally focused on monitoring only the endpoint. EDR on its own will not recover from ransomware, and MDR/EDR response capabilities are limited to endpoint API functions (isolate the device, kill a process, etc.). So if your security adviser says "focus on the endpoint", we'd argue from experience that businesses need a multi-point cyber protection solution, of which EPP/EDR is one critical layer.
More than just Multifactor Authentication (MFA) is required these days!
Two-Factor Authentication adds an extra layer of security to your login process by requiring a second factor of authentication, such as a text message or, preferably, an authenticator app acknowledgement, to help ensure that only authorized users can access your systems.
Unfortunately, we've seen many clients get compromised that had MFA in place but lacked other key cyber protection policies. Pairing MFA with a strong Conditional Access policy that defines both user and device conditions will go a long way toward reducing the risk of a breach.
Many solutions can be leveraged here, but we like the simplicity of Microsoft's Conditional Access. Leveraging a combination of Azure Active Directory (now Entra ID), Intune, and Defender, a robust Conditional Access policy can be developed and implemented.
This is one area that could be better managed in the majority of businesses: many have the technology, and in many cases the licensing, but no one at the organization has the cyber security expertise to implement it.
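As an added example (not code from the original page or from Microsoft), here is how the combined user + device policy described above can be created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns module is installed, an account holding the Conditional Access Administrator role, and a break-glass group whose object ID (the all-zero GUID below) is a placeholder you must replace. The second policy blocks legacy authentication protocols; the page does not mention it, but legacy protocols never prompt for MFA and are a common way "MFA was in place" still ends in a compromise.

```powershell
# Added example (not from the original page): two Conditional Access policies
# created via the Microsoft Graph PowerShell SDK.
#   CA001: require MFA AND a compliant (Intune-managed) device for all users
#   CA002: block legacy authentication (IMAP/POP/SMTP AUTH/basic auth), which bypasses MFA
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the break-glass
# group ID below is a placeholder to be replaced with your real emergency-access group.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

$requireMfaAndDevice = @{
    displayName = "CA001 - Require MFA and compliant device for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only first; review sign-in logs, then enable
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                          # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

$blockLegacyAuth = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")  # "other" = legacy protocols that cannot do MFA
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaAndDevice
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacyAuth

# Confirm what was created and in which state
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Both policies start in report-only mode so that the Entra sign-in logs show who would have been blocked; once the impact is understood, switch each one with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = "enabled" }`. The break-glass exclusion is what keeps a misconfigured device-compliance rule from locking every administrator out of the tenant.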
Every business should be collecting and monitoring security logs and events.
How will you ever know the extent of a breach without logs to go back and review? Every security appliance, product and service has security and event logs that should be collected.
A SIEM isn't just for logging, either: SIEMs aggregate and analyze data from various security sources, such as firewalls, intrusion detection systems, and endpoint security tools. This gives you a centralized view of your entire security posture, making it easier to identify suspicious activity that might indicate an attack.
Once a potential threat is identified, a SIEM can help you quickly investigate and respond to the incident. It can provide you with detailed information about the event, such as the source of the attack, the affected systems, and the potential impact.
Many SIEM solutions can be leveraged here, but we like the AT&T Cybersecurity AlienVault USM Anywhere (Unified Security Management) platform because it bundles several critical security tools (vulnerability management and IDS, for example) with the logging and SIEM functions. This gives the Security Analyst the ability to natively cross-correlate a threat against an asset with that asset's vulnerability data to determine the appropriate action (e.g., block, report, monitor).
This is also a security product best managed by an MSSP that specializes in SIEM and SOC services. These tools are complex, integrations and capabilities are always advancing, and the platforms are noisy out of the box: they require initial tuning by a security analyst certified on the product, plus ongoing audits, maintenance and readouts to deliver the maximum ROI.
SIEMs can also automate certain tasks, such as quarantining infected systems or blocking malicious IP addresses, which helps contain the damage from an attack and reduces the time it takes to remediate.
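To make the "cross-correlate a threat with vulnerability data" step above concrete, here is an added example (not from the page, and not AlienVault code) of the decision a SIEM makes when an IDS alert lands: look up whether the targeted asset still has the vulnerability the signature exploits, and pick block, report or monitor accordingly. All alerts and scan results are constructed sample data, and the VULN-xxxx identifiers are placeholders, not real CVEs.

```powershell
# Added example (not from the original page or from AlienVault): a stand-alone
# version of the IDS-alert-to-vulnerability cross-correlation a SIEM performs.
# All data below is constructed sample data; vulnerability IDs are placeholders.

function Get-CorrelatedAction {
    param(
        [Parameter(Mandatory)] [object[]] $Alerts,
        [Parameter(Mandatory)] [object[]] $Vulns
    )
    # Index open scan findings by "asset|vulnId" so each alert is a single lookup
    $openVulns = @{}
    foreach ($v in $Vulns) {
        if ($v.Status -eq 'open') { $openVulns["$($v.Asset)|$($v.VulnId)"] = $v }
    }
    foreach ($a in $Alerts) {
        $match  = $openVulns["$($a.Asset)|$($a.TargetsVuln)"]
        $action = if ($null -eq $match)                          { 'monitor' } # attempt against a patched/absent vuln
                  elseif ($match.Severity -in 'critical','high') { 'block' }   # exploitable and serious: block source, isolate asset
                  else                                           { 'report' }  # exploitable but low impact: ticket for patching
        [pscustomobject]@{
            Time       = $a.Time
            SrcIp      = $a.SrcIp
            Asset      = $a.Asset
            Signature  = $a.Signature
            Vulnerable = ($null -ne $match)
            Severity   = if ($match) { $match.Severity } else { 'n/a' }
            Action     = $action
        }
    }
}

# Constructed IDS alerts; TargetsVuln stands in for the vulnerability reference a signature's metadata carries
$alerts = @(
    [pscustomobject]@{ Time='2024-03-01T10:02:11Z'; SrcIp='203.0.113.5';  Asset='web01'; Signature='Web app deserialization exploit attempt'; TargetsVuln='VULN-1001' }
    [pscustomobject]@{ Time='2024-03-01T10:02:40Z'; SrcIp='203.0.113.5';  Asset='web02'; Signature='Web app deserialization exploit attempt'; TargetsVuln='VULN-1001' }
    [pscustomobject]@{ Time='2024-03-01T10:05:03Z'; SrcIp='198.51.100.7'; Asset='fs01';  Signature='SMB signing downgrade attempt';          TargetsVuln='VULN-2002' }
    [pscustomobject]@{ Time='2024-03-01T10:07:19Z'; SrcIp='198.51.100.7'; Asset='dc01';  Signature='Port scan';                               TargetsVuln=$null }
)

# Constructed vulnerability scan results
$vulns = @(
    [pscustomobject]@{ Asset='web01'; VulnId='VULN-1001'; Severity='critical'; Status='open'  }
    [pscustomobject]@{ Asset='web02'; VulnId='VULN-1001'; Severity='critical'; Status='fixed' }  # already patched
    [pscustomobject]@{ Asset='fs01';  VulnId='VULN-2002'; Severity='medium';   Status='open'  }
)

Get-CorrelatedAction -Alerts $alerts -Vulns $vulns | Format-Table -AutoSize
```

The same exploit attempt against web01 and web02 produces different actions because only web01 still has the finding open, which is exactly why the scan data and the IDS feed need to live in the same platform; the port scan against dc01 carries no vulnerability reference and is merely monitored. In a real SIEM the "block" outcome is what feeds the automated quarantine or IP-block playbook mentioned above.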
With all of the disparate security platforms, endpoints and services, businesses need some way to monitor, cross-correlate, and orchestrate security activities.
Many businesses have already invested in many security products but aren't in a position to bring them together into a cohesive defense against today's cyber threats.
Many solutions can be leveraged here, but we think that D3 Security SMART SOAR Platform is a step above many in the SOAR space. D3 SMART SOAR is best suited for large businesses or MSSPs, but the product is very powerful and effective in the right hands.
It will be cost prohibitive for most SMBs to implement and manage an enterprise-grade SOAR platform, but partnering with an MSSP/MDR provider that has the maturity and DevSecOps resources to deploy SOAR into their overall Security Operations Center (SOC) platform and customer experience can provide customers a better overall outcome: advanced integrations, threat intel enrichment, advanced reporting and dashboards, SOC SLA transparency, action/response capabilities, automated cyber protection playbooks (with human break-points), etc.
*Some advanced MSSPs embed tools like SOAR in their MDR offerings and leverage it to automate and enrich security operations activities that can quickly translate into added value for the customer.
*On Premise environments: the single biggest risk we see is unpatched vulnerabilities.
*Hybrid Cloud environments: the single biggest risk we see is inconsistent security policies.
*Cloud Native environments: the single biggest risk we see is misconfigurations.
Microsoft Licensing: Business Premium, E3 and E5, fully configured and deployed (cloud native), can be a powerful business + security strategy. Incident Response Tip: if you need to perform forensics on a mailbox (to know which emails a specific threat actor viewed), the E5 license must be applied to that user's inbox before the breach, because mail-access audit events are only recorded from the point the auditing is enabled, never retroactively. My team and I are currently deploying the full security stack XDR with Microsoft.
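Here is the query that tip leads to, as an added example (not from the original page): pulling the MailItemsAccessed events for one mailbox from the unified audit log and expanding them into one row per message, so you can list what a given attacker session actually read. It assumes the ExchangeOnlineManagement module, an account with audit-log read rights, and that the mailbox had the required licensing and auditing in place before the incident; the mailbox address and attacker IP are placeholders.

```powershell
# Added example (not from the original page): expand MailItemsAccessed audit
# events for one mailbox into one row per message and filter to the attacker's IP.
# Assumptions: ExchangeOnlineManagement module installed; the account has a role
# with Audit Logs access; mail-access auditing was active before the incident.
# The mailbox and attacker IP are placeholders.

Connect-ExchangeOnline

$mailbox    = "user@example.com"   # placeholder: the compromised mailbox
$attackerIp = "203.0.113.10"       # placeholder: IP taken from the sign-in log investigation
$start      = (Get-Date).AddDays(-30)
$end        = Get-Date

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $mailbox `
    -Operations MailItemsAccessed -ResultSize 5000 `
    -SessionId "ir-$mailbox" -SessionCommand ReturnLargeSet

$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # MailAccessType is "Bind" (individual items opened) or "Sync" (a whole folder synced down)
    $accessType = ($d.OperationProperties | Where-Object Name -eq 'MailAccessType').Value
    # IsThrottled means Exchange stopped logging individual items for this session: treat as incomplete
    $throttled  = ($d.OperationProperties | Where-Object Name -eq 'IsThrottled').Value
    foreach ($folder in $d.Folders) {
        if ($folder.FolderItems) {
            foreach ($item in $folder.FolderItems) {
                [pscustomobject]@{
                    Time       = $d.CreationTime
                    ClientIP   = $d.ClientIPAddress
                    SessionId  = $d.SessionId
                    AccessType = $accessType
                    Throttled  = $throttled
                    Folder     = $folder.Path
                    MessageId  = $item.InternetMessageId
                }
            }
        } else {
            # Sync access: the whole folder was downloaded; no per-item list is logged
            [pscustomobject]@{
                Time       = $d.CreationTime
                ClientIP   = $d.ClientIPAddress
                SessionId  = $d.SessionId
                AccessType = $accessType
                Throttled  = $throttled
                Folder     = $folder.Path
                MessageId  = $null
            }
        }
    }
}

# What the attacker's IP touched, in time order
$attackerRows = $rows | Where-Object ClientIP -eq $attackerIp | Sort-Object Time
$attackerRows | Format-Table Time, AccessType, Throttled, Folder, MessageId -AutoSize

# Distinct messages the attacker opened individually (Sync rows have no per-item IDs)
$distinct = $attackerRows | Where-Object MessageId | Select-Object -ExpandProperty MessageId -Unique
"Distinct messages read from $attackerIp : $($distinct.Count)"
```

Two things to check before reporting numbers to the customer: a "Sync" row means the whole folder left the tenant even though no individual message IDs are listed, and any row with Throttled = True means the item list for that session is incomplete. For more than 5000 events, re-run the same `Search-UnifiedAuditLog` call with the same `-SessionId` until it returns nothing; each call hands back the next page.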
Continuous Monitoring & Incident Response: MSSPs can natively integrate with Microsoft products to provide EDR, MDR and XDR services. **Look for Microsoft Defender XDR updates coming to this website soon.
cybermechanics.pro
Copyright © 2024 cybermechanics.pro - All Rights Reserved.