Such realities highlight the need for a broader behaviour and network security monitoring environment to complement patching and other best practices, Smith said. Continuous data monitoring tools, which watch user and network behaviours and compare them against continually updated baselines, offer an important complement by allowing security teams to pick up on ransomware, malware and other suspicious code not by its signature but by its behaviour on the network.
Viewed in this light, ransomware stands out like the proverbial sore thumb: as it begins surveying the victim computer, all ransomware generates a surge in disk activity that monitoring solutions will pick up as a telltale sign of an unusual infection.
"If ransomware starts to encrypt data, there is an abnormal number of reads and writes," Smith explained. "In those cases that's a behavioural anomaly and you couple that with information on where the customer has been, or the new processes running on the system, and there is a high probability that you can detect it."
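The detection logic Smith describes, in miniature: compare a host's file read/write counts against a baseline learned from its normal workload, and treat a burst as a high-probability hit only when it is coupled with a second signal such as a process the baseline has never seen. This is an added illustration, not code from the article or from any vendor's product; the telemetry records, the process names and the z-score threshold are all constructed for the example, and a real deployment would source the per-process I/O counters from endpoint telemetry or a file-server audit feed.

```python
"""Behavioural scoring of disk activity, in the spirit of the article.

Added example, not the article's or any vendor's code. Two signals:
  1. read AND write counts far above the host's baseline (z-score), and
  2. the process generating them is not in the baseline's process set.
Either signal alone scores 1; both together reach the alert threshold.
All telemetry below is constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Sample:
    minute: int      # minute index of the observation
    process: str     # image name that performed the I/O
    reads: int       # file reads in that minute
    writes: int      # file writes in that minute


# Constructed baseline: 30 minutes of ordinary mail-client activity.
BASELINE = [
    Sample(m, "outlook.exe", 40 + (m % 5) * 3, 15 + (m % 3) * 2)
    for m in range(30)
]

# Constructed observation window: a previously unseen process (name is
# hypothetical) starts reading and rewriting files at a rate far above
# anything the baseline contains.
OBSERVED = [
    Sample(30, "outlook.exe", 45, 16),
    Sample(31, "outlook.exe", 42, 17),
    Sample(32, "svc_update.exe", 900, 880),
    Sample(33, "svc_update.exe", 1200, 1150),
    Sample(34, "svc_update.exe", 1100, 1080),
]


def zscore(value, history):
    """Standard score of `value` against the baseline values in `history`."""
    mu = mean(history)
    sigma = pstdev(history) or 1.0   # flat baseline: avoid division by zero
    return (value - mu) / sigma


def score_sample(sample, baseline, known_procs, z_threshold=6.0):
    """Return (score, reasons) for one observation.

    Score 1 for an I/O burst, 1 for an unknown process; 2 means both
    signals fired, which is the coupling the article calls high probability.
    """
    reasons = []
    score = 0
    zr = zscore(sample.reads, [s.reads for s in baseline])
    zw = zscore(sample.writes, [s.writes for s in baseline])
    if zr > z_threshold and zw > z_threshold:
        score += 1
        reasons.append(f"read/write burst (z={zr:.1f}/{zw:.1f})")
    if sample.process not in known_procs:
        score += 1
        reasons.append(f"new process {sample.process}")
    return score, reasons


def detect(observed, baseline, min_score=2):
    """Return [(minute, process, reasons)] for observations at or above min_score."""
    known = {s.process for s in baseline}
    alerts = []
    for s in observed:
        score, reasons = score_sample(s, baseline, known)
        if score >= min_score:
            alerts.append((s.minute, s.process, reasons))
    return alerts


if __name__ == "__main__":
    for minute, proc, why in detect(OBSERVED, BASELINE):
        print(f"minute {minute}: {proc} -> {'; '.join(why)}")
```

The point of requiring two signals is the one Smith makes: a backup job or a large compile also produces a burst of reads and writes, so the I/O anomaly alone would page the on-call engineer every night; an unknown process alone is common on any workstation that installs software. Only the conjunction is rare enough to act on, and the reasons list tells the analyst which signals fired.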
Poor detection capabilities can have a significant impact on the integrity of corporate data - and this can persist for a long time. DBIR analysis of 7743 incidents of insider and privilege misuse found that 81.6 percent were instigated by internal staff, compared with 8.3 percent through collusion, 7.2 percent from external sources, and 2.9 percent from partners.
The heavy weighting towards compromises by internal staff means that breaches of this sort tend to take much longer to detect than other, more obvious compromises. Some 42.8 percent of cases took months for victim organisations to detect, while 38.9 percent said it took years to spot the compromises.
These figures represent an unacceptable time-to-discovery delay that could be significantly improved by using monitoring and proactive analysis tools. "Everybody needs approaches for early detection," Smith said, noting the quick response of some well-prepared businesses to the WannaCry outbreak. "We had some customers who were able to quickly detect and deal with it before things got ugly," he said, "and it didn't do any damage."
Monitoring is also helping companies deal with the growing flood of data as Internet of Things (IoT) devices come online. With numbers of devices exploding
"There are all sorts of things coming online that need to be monitored," Smith said, "and this just exacerbates the problem. It's a big-data analytics problem, so doing these things is just a necessity."
Improved monitoring and analytics are also providing a way for businesses to compensate for the chronic lack of security skills in the market. Without skilled staff, after all, otherwise-secure businesses have no way of keeping up with, and meaningfully using, the data that's collected by monitoring systems.