Top Four Tips from Our SOC
Given what we see in the news, concern about cybersecurity maturity has never been higher: senior management demands constant updates, external regulation requires adequate protection of personal information and intellectual property, and insurance companies demand a minimum security posture before they will sell you a policy.
We are all now living in an unprecedented threat landscape. Cloud adoption, third-party management, supply-chain relationships, and application development broaden the scope of information security every day.
The ESI Security Operations Center (SOC) is an environment that sees all of this daily. With the responsibility to protect our customers and the community, we want to share some advice on protecting against the most relevant threats.
Malware delivery, as you probably know, tops the list. What have we seen the most so far, and which delivery vehicle is used most? You guessed it: email. Why? Because it is too easy to craft a fake email that looks legitimate, too easy to pick up expired but once-reputable domains to host a malware delivery site, and, most important, too easy to trick users.
So, what are our top recommendations?
Phishing/social engineering: we cannot stress this enough. Users need to understand why learning about phishing and vishing matters, they must learn how to identify these threats, and they must have tools available to report them. At the same time, the response team must be prepared to detect and respond to these threats, because attackers only need one successful exploitation. The advice here is that IT-user awareness is one thing; IT-user training is another. You can, however, run a single SATE (security awareness training for executives) program while keeping your focus on both objectives simultaneously.
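The signals above (a forged sender that looks legitimate, an expired or unrelated domain hosting the delivery site, a reply channel the victim does not notice) are also what a SOC analyst checks first when a user reports a suspicious message. The following is an added example, not ESI SOC tooling: it reads the SPF/DKIM/DMARC verdicts that the receiving mail server records in the Authentication-Results header, and then compares the Reply-To domain, any domain named in the display name, and every link in the body against the sender's domain. The two messages and all domains in them are constructed for illustration; the "registered domain" helper is a deliberate simplification (last two labels) that a production tool would replace with the public-suffix list.

```python
"""Triage an email for common phishing signals (added example, not ESI tooling)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)
DOMAIN_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels. Assumption for the example;
    real tooling should consult the public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _domain_of(addr: str) -> str:
    return registered_domain(addr.rpartition("@")[2])


def auth_failures(msg) -> list:
    """Collect non-passing SPF/DKIM/DMARC verdicts from Authentication-Results headers."""
    findings = []
    for value in msg.get_all("Authentication-Results", []):
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", str(value), re.IGNORECASE)
            if m and m.group(1).lower() not in ("pass", "none"):
                findings.append(f"{mech} verdict is {m.group(1).lower()}")
    return findings


def triage(raw: str) -> list:
    """Return human-readable findings; an empty list means no signal fired."""
    msg = message_from_string(raw, policy=default)
    findings = auth_failures(msg)

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain_of(from_addr)

    # Reply-To steering replies to a domain the sender does not own
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain_of(reply_addr)} differs from From domain {from_dom}")

    # Display name naming a domain the actual address is not under
    for name in DOMAIN_RE.findall(display.lower()):
        if registered_domain(name) != from_dom:
            findings.append(f"display name mentions {name} but address is under {from_dom}")

    # Links pointing outside the sender's domain
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in sorted(set(URL_RE.findall(text))):
        link_dom = registered_domain(host.split("@")[-1].split(":")[0])
        if link_dom != from_dom:
            findings.append(f"link to {link_dom} does not match sender domain {from_dom}")
    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Escalate when two or more independent signals fire; the threshold is a tuning knob."""
    return len(triage(raw)) >= threshold


# Constructed sample messages; every domain below is a placeholder.
PHISH = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bounce.expired-domain.example; dkim=none; dmarc=fail header.from=bank-secure.example
From: "bank.example Security" <alerts@bank-secure.example>
Reply-To: support@expired-domain.example
To: user@example.net
Subject: Action required
Content-Type: text/plain

Your account is locked. Verify at http://login.expired-domain.example/verify
"""

BENIGN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
To: user@corp.example
Subject: Maintenance window
Content-Type: text/plain

Details are on https://intranet.corp.example/maintenance
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(label, is_suspicious(raw), triage(raw))
```

Running the block prints five findings for the constructed phishing message (failed SPF and DMARC, a Reply-To on a different domain, a display name impersonating bank.example, and a link to the lookalike domain) and none for the benign one. A real triage pipeline would add the one check this offline example cannot do, namely enriching the link and Reply-To domains with registration age so that recently re-registered expired domains stand out.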
Ransomware: a good way for attackers to make money and to embarrass your organization, and your reputation is the hardest thing to recover. The advice is to create an incident response process and procedures specifically for ransomware. Develop the capability to identify, detect, stop, delay and contain the propagation, eradicate, and recover. Equip yourself with sound technology such as EDR/XDR, and ensure your personnel are ready to use these tools. Ensure your response personnel regularly check threat intelligence sources for early signs of an attack. Perform regular exercises and simulations to improve detection and response. Bottom line: we want this prevention and response to be second nature throughout the organization.
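The "detect, stop, delay the propagation" steps above only work if the SOC can recognize encryption in progress within seconds, not after the ransom note appears on every screen. The following is an added example, not ESI SOC tooling and not the rule set of any EDR product: it runs two early-warning rules over endpoint file events, a single process renaming many files in many directories to one new extension inside a short window, and a ransom note being written, and maps each alert to a containment decision. The events, the process and host names, the ransom-note file names and the thresholds are all constructed or hypothetical; tune the thresholds against your own baseline before deploying anything like this.

```python
"""Detect ransomware-like file activity in endpoint file events (added example, not ESI tooling)."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 60
MIN_RENAMES = 50          # renames to a new extension inside the window before alerting
MIN_UNIQUE_DIRS = 5       # spread across directories, not one bulk operation in place
DOMINANT_EXT_SHARE = 0.8  # share of the renames that converge on a single new extension
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "restore_files.html", "readme_for_decrypt.txt"}  # hypothetical


@dataclass(frozen=True)
class FileEvent:
    ts: float                       # seconds since epoch
    host: str
    process: str
    action: str                     # "write" or "rename"
    path: str                       # destination path for renames
    old_path: Optional[str] = None  # source path for renames


def _norm(path: str) -> str:
    return path.replace("\\", "/")

def _basename(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]

def _dirname(path: str) -> str:
    return _norm(path).rsplit("/", 1)[0]

def _ext(path: str) -> str:
    name = _basename(path)
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect(events, window=WINDOW_SECONDS, min_renames=MIN_RENAMES,
           min_dirs=MIN_UNIQUE_DIRS, share=DOMINANT_EXT_SHARE):
    """Return (host, process, reason) for each process that trips a rule.
    Each (host, process) alerts at most once so a response action is not re-issued."""
    recent = defaultdict(deque)   # (host, process) -> events inside the sliding window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.process)
        if key in alerted:
            continue
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()

        # Rule 1: a ransom note is written
        if _basename(ev.path).lower() in RANSOM_NOTE_NAMES:
            alerts.append((ev.host, ev.process, f"ransom note written: {ev.path}"))
            alerted.add(key)
            continue

        # Rule 2: many renames that change the extension, converging on one new extension
        new_exts = Counter(_ext(e.path) for e in q
                           if e.action == "rename" and e.old_path
                           and _ext(e.old_path) != _ext(e.path))
        total = sum(new_exts.values())
        if total >= min_renames:
            ext, n = new_exts.most_common(1)[0]
            dirs = {_dirname(e.path) for e in q if e.action == "rename" and _ext(e.path) == ext}
            if n / total >= share and len(dirs) >= min_dirs:
                alerts.append((ev.host, ev.process,
                               f"{n} files renamed to {ext} across {len(dirs)} directories within {window}s"))
                alerted.add(key)
    return alerts


def containment_actions(alerts):
    """The 'stop and delay propagation' step: isolate the host and kill the process, keeping evidence."""
    return [f"isolate host {host}; terminate {proc}; preserve memory and disk image for forensics"
            for host, proc, _ in alerts]


def constructed_events():
    """Constructed telemetry: one hypothetical encryptor and one legitimate backup job."""
    t0 = 1_700_000_000.0
    events = []
    # Encryptor on ws-17: 60 documents in 8 directories renamed to .locked over 36 s, then a note
    for i in range(60):
        d = f"C:/Users/alice/Documents/proj{i % 8}"
        events.append(FileEvent(t0 + i * 0.6, "ws-17", "update.exe", "rename",
                                f"{d}/file{i}.docx.locked", f"{d}/file{i}.docx"))
    events.append(FileEvent(t0 + 40, "ws-17", "update.exe", "write",
                            "C:/Users/alice/Documents/HOW_TO_DECRYPT.txt"))
    # Backup on fs-01: many writes across many directories, extensions unchanged (must not alert)
    for i in range(120):
        events.append(FileEvent(t0 + i * 0.3, "fs-01", "backup.exe", "write",
                                f"D:/backup/set{i % 12}/data{i}.bak"))
    return events


if __name__ == "__main__":
    found = detect(constructed_events())
    for line in found + containment_actions(found):
        print(line)
```

On the constructed events the encryptor is flagged at its 50th rename, roughly 30 seconds in and well before the ransom note is written, while the backup job's high write rate produces nothing because it never changes extensions. The rename rule deliberately ignores plain writes: families that encrypt in place without renaming need a different signal (file entropy, shadow-copy deletion, or known-bad process lineage), which is exactly why the paragraph above asks for more than one detection capability and for regular exercises against current threat intelligence.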
Recovery ability: there is always residual risk in everything we do and in every control we implement. New vectors appear every day, and vendors' claims to stop zero-days sound good, but in reality we see top solutions from top vendors bypassed daily. Our advice here is always to ask "what if." Be ready to recover if your controls, processes and people are bypassed. Recovery ability starts with a strong mandate that requires, and assigns the responsibility to, the different organizational units to demonstrate their recovery capability.
And remember: responsibility without authority may be a recipe for failure.
Enforce the least-privilege concept: once a threat actor gains access, they have the same access level as the services, users, and systems they exploited. For the longest time we have allowed users admin access to their workstations to reduce software-installation tickets, or we have adopted a BYOD approach that lets users bring their own device and connect to the corporate network. Our advice is first to segment and isolate your network: BYOD devices must be treated differently from the devices you control. On the devices you control, remove privileged access unless it is required, and when it is required, provide it on demand for the task at hand rather than as standing admin rights.
Ditmar Tavares – SOC Manager