From coronavirus to cyber security: The wisdoms of dealing with pandemics
In the span of a few months, the coronavirus has reached every country, every community and every neighbourhood. No nation is spared. Economies grind to a halt. Millions have fallen sick.
In the meantime, if you take a look at the 15 biggest cyber attacks in the 21st century, you’d notice a few things. First, no country is untouched. Second, it’s extremely disruptive to business operations. Third, millions have fallen victim to these attacks.
Studying the statistics, I can’t help but arrive at this conclusion: we have been dealing with a different kind of outbreak for many years; that is, the pandemic of cyber attacks.
The world responds
By now, most countries have imposed a mixed bag of measures to deal with the outbreak.
If you look closely, the overarching strategy for dealing with COVID-19 has revolved around four quadrants: prevention, detection, response and prediction.
In cyber security, we often talk about the importance of a holistic strategy that consists of the same quadrants.
Responding to a pandemic is not a one-off event. You can’t contain an outbreak with several dramatic measures and be done with it. At its core, a good cyber security strategy should take a multi-pronged approach and a long-term view.
The first pillar of the defence is prevention. In the time of COVID-19, prevention means protecting people from being infected in the first place, such as washing your hands, socially distancing yourself from others, disinfecting your phone and wallet when you get home, and more.
In cyber security, prevention means the exact same thing – protecting your IT assets from being infected in the first place, because most major data breaches can be traced back to a single preventable failure, such as an unpatched system, a credential handed over to a phishing e-mail or a piece of commodity malware that was never blocked.
The basic controls that close those gaps – patch management, anti-malware, e-mail filtering – are not the sexy toys, but they do a pretty darn good job of keeping your vulnerable systems patched, blocking malware from hitting your machines, alerting you to phishing e-mails, and more.
Today, many new cyber security vendors talk of a shining silver bullet that miraculously waves away all your cyber security headaches – such as machine learning or EDR. But in reality, the concept of a single silver bullet doesn’t hold up.
A business can receive thousands of security events in a single day, and a high percentage of them are false positives or commonplace malware. Imagine feeding every one of them through a compute-intensive machine learning model. You’re bound to have a performance issue.
You need the basic technologies – such as your humble anti-virus, application control, Web and file reputation, etc – to do the heavy lifting. These technologies can filter the majority of alerts, categorising them as either good (to let go through) or bad (to block).
Then you’re left with the threats you have never seen before. These are the unknown threats and require further study. They can then be fed through the advanced technologies, like machine learning or behavioural analysis. This way, the software divides the load and strikes a balance between security and efficiency.
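The tiered approach above, as an added example that is not Trend Micro code: cheap reputation lookups (an allowlist and a blocklist keyed by file hash) decide the majority of events, and only files neither list knows about reach the expensive behavioural stage. The hashes, the sample events and the behaviour-scoring heuristic that stands in for the ML tier are all constructed for illustration.

```python
"""Tiered triage: cheap reputation checks first, expensive analysis only for
what is left. Added example, not Trend Micro's product logic; all hashes,
events and the heuristic 'behavioural' stage are constructed stand-ins."""
import hashlib
from collections import Counter


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reputation lists: in practice these come from a vendor feed or
# an allowlist of signed, approved binaries (application control).
KNOWN_GOOD = {sha256(b"signed vendor binary #1"), sha256(b"signed vendor binary #2")}
KNOWN_BAD = {sha256(b"commodity malware sample")}

# Behaviours the (hypothetical) expensive stage scores. Two or more together
# is treated as malicious, exactly one as worth an analyst's look.
SUSPICIOUS_BEHAVIOURS = {
    "spawns_powershell", "encodes_command", "writes_run_key", "contacts_new_domain",
}


def behavioural_analysis(event: dict) -> str:
    """Stand-in for the costly ML/behavioural tier. Only unknowns reach it."""
    hits = SUSPICIOUS_BEHAVIOURS & set(event.get("behaviours", ()))
    if len(hits) >= 2:
        return "block"
    return "investigate" if hits else "allow"


def triage(events: list[dict]) -> tuple[list[tuple[str, str, str]], Counter]:
    """Return (path, verdict, tier) per event plus a count of events per tier."""
    verdicts, per_tier = [], Counter()
    for ev in events:
        digest = sha256(ev["content"])
        if digest in KNOWN_GOOD:
            verdict, tier = "allow", "reputation"
        elif digest in KNOWN_BAD:
            verdict, tier = "block", "reputation"
        else:
            verdict, tier = behavioural_analysis(ev), "behavioural"
        per_tier[tier] += 1
        verdicts.append((ev["path"], verdict, tier))
    return verdicts, per_tier


# Constructed sample events (a day's file executions, heavily simplified).
SAMPLE_EVENTS = [
    {"path": r"C:\Program Files\Vendor\app.exe", "content": b"signed vendor binary #1"},
    {"path": r"C:\Program Files\Vendor\svc.exe", "content": b"signed vendor binary #2"},
    {"path": r"C:\Users\alice\Downloads\invoice.exe", "content": b"commodity malware sample"},
    {"path": r"C:\Program Files\Vendor\app.exe", "content": b"signed vendor binary #1"},
    {"path": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "content": b"never seen before",
     "behaviours": ["spawns_powershell", "encodes_command", "writes_run_key"]},
    {"path": r"C:\Users\carol\Documents\macro_tool.exe",
     "content": b"in-house tool, not yet allowlisted",
     "behaviours": ["spawns_powershell"]},
]


def run_sample() -> tuple[list[tuple[str, str, str]], Counter]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    results, tiers = run_sample()
    for path, verdict, tier in results:
        print(f"{tier:<12} {verdict:<12} {path}")
    print(dict(tiers))
```

Of the six constructed events, four are settled by the hash lookups and only two reach the behavioural tier; the in-house tool that was never allowlisted is the case that actually needs a human, which is the point of the division of labour.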
Detection – knowing what you’re looking for
Contact tracing is crucial during outbreaks. The longer you take to identify a patient, the more people will be infected.
In cyber security, detection is about the same thing – how quickly you detect a breach in your system largely determines the scope of the damage.
At Trend Micro, we believe in this strategy called connected threat defence. By deploying security solutions at all the touch-points in an IT system, from the endpoints to the network to the server, you can start to connect the dots and gain visibility into every nook and cranny. If you know what’s lurking in your IT environment, you can significantly increase your chance of getting rid of it.
Endpoint detection and response (EDR) is another tool designed for the same purpose. EDR technology works like the flight recorder (the “black box”) in a plane. It records everything that takes place on the endpoints, so threat hunters can rewind to see at which point a threat entered the system and how it spread across the network. Based on that information, a blueprint of the malware’s infection path can be drawn.
Response – prioritising the important ones
During the outbreak, there are many false positives and false negatives. Some people may test negative now but develop the symptoms next week. Suspected cases may turn out to be totally innocuous. Because the medical supplies are limited, the healthcare workers need to prioritise. To prioritise, you need context-rich information about the patient.
It’s the same in cyber security. A security operations centre (SOC) receives thousands of alerts on a daily basis. IT security personnel widely report that working in an SOC is a laborious job. Many of them are burnt out after a while, and the two most cited reasons are increasing workload and having too many alerts to chase.
Prioritisation becomes the key in this case. Instead of 500 alerts, what if you can winnow them down to two most critical alerts that require immediate action?
At this point, you should be familiar with EDR. XDR is the natural progression from EDR. The X stands for anything you can apply detection technology to, such as e-mails, servers, or the network.
XDR is a big collector of security alerts, absorbing data from various touch-points.
Essentially, what XDR does is to break the silos between all these solutions gathering data on their own. A prominent feature of the XDR tool is a central data lake where all data will flow to eventually and be analysed as a collective. This way, data collected from the endpoints can be correlated with data collected from the cloud workloads, for instance. Breaking the silos means more attacks would become visible as more pieces of the puzzle are now stitched together.
All this data churning can minimise alert fatigue, as it produces a small number of high-priority alerts with rich context around them. SOC analysts can now focus on alerts that need immediate action instead of combing through every single one and manually looking for connections.
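The correlation described above, and the “blueprint of the infection path” that EDR rewinding produces, as one added example that is not Trend Micro’s XDR: alerts from an e-mail gateway, an endpoint agent and a network sensor are joined on the entities they share (host, user, file hash, domain), each connected group becomes one incident, its members are ordered in time to give the infection path, and incidents are ranked so that a chain seen by several sensors outranks a lone detection. The alerts and the scoring rule are constructed for illustration.

```python
"""Cross-sensor correlation into prioritised incidents with an ordered
infection path. Added example, not Trend Micro's XDR; the alerts, entity
keys and scoring rule are constructed for illustration."""
from collections import defaultdict

# Constructed alerts from three sensors. Timestamps are ISO-8601 strings in
# one timezone, so lexical order is chronological order.
ALERTS = [
    {"source": "endpoint", "ts": "2024-03-02T09:41:10", "severity": 7,
     "host": "WS-01", "user": "alice",
     "summary": "winword.exe spawned powershell.exe with -EncodedCommand"},
    {"source": "email", "ts": "2024-03-02T09:14:00", "severity": 3,
     "user": "alice", "sha256": "c0ffee" * 10 + "c0ff",
     "summary": "inbound mail with macro-enabled attachment (released from quarantine by user)"},
    {"source": "endpoint", "ts": "2024-03-02T11:02:45", "severity": 4,
     "host": "WS-07", "user": "bob",
     "summary": "commodity adware detected and cleaned"},
    {"source": "network", "ts": "2024-03-02T09:42:03", "severity": 5,
     "host": "WS-01", "domain": "cdn-update-check.example",
     "summary": "first-seen outbound connection to newly registered domain"},
    {"source": "endpoint", "ts": "2024-03-02T09:40:55", "severity": 2,
     "host": "WS-01", "user": "alice", "sha256": "c0ffee" * 10 + "c0ff",
     "summary": "invoice.docm opened from Outlook temp folder"},
]

ENTITY_FIELDS = ("host", "user", "sha256", "domain")


def entity_keys(alert: dict) -> set[str]:
    """Pivot points two alerts can share: same host, user, file hash or domain."""
    return {f"{f}:{alert[f]}" for f in ENTITY_FIELDS if f in alert}


def correlate(alerts: list[dict]) -> list[dict]:
    """Union alerts that share any entity key, then score and order incidents."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen: dict[str, int] = {}
    for i, alert in enumerate(alerts):
        for key in entity_keys(alert):
            if key in first_seen:
                union(first_seen[key], i)
            else:
                first_seen[key] = i

    groups: dict[int, list[dict]] = defaultdict(list)
    for i, alert in enumerate(alerts):
        groups[find(i)].append(alert)

    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: a["ts"])          # chronological = infection path
        sources = sorted({a["source"] for a in members})
        # Hypothetical scoring: each distinct sensor that saw the chain adds 10,
        # so a chain seen by email + endpoint + network outranks a lone detection.
        score = 10 * len(sources) + sum(a["severity"] for a in members)
        incidents.append({
            "score": score,
            "sources": sources,
            "path": [(a["ts"], a["source"], a["summary"]) for a in members],
        })
    incidents.sort(key=lambda inc: inc["score"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(f"score={inc['score']} sources={inc['sources']}")
        for ts, src, summary in inc["path"]:
            print(f"  {ts} [{src}] {summary}")
```

Five raw alerts collapse into two incidents. The top one reads as a story (phishing mail, document opened, encoded PowerShell, first contact with a new domain) because the e-mail alert, the endpoint alerts and the network alert share the user, the host and the attachment hash; the adware clean-up on the other workstation shares nothing with it and ranks well below. In a real data lake the join keys would also include process identifiers and time windows, and alerts older than the window would not be merged.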
Prediction – taking two steps ahead
The Wall Street Journal reported that epidemiologists were teaming up with data scientists to forecast the spread of the coronavirus outbreak in the near future. By taking into consideration a vast array of different types of data, the model is expected to predict the number of new cases that will arise in an exposed population, or peak infection rates.
Likewise, in cyber security, the more accurate our predictions are, the earlier and more effectively we can act on an impending data breach.
We achieve this by collecting and correlating a vast array of different types of detection and activity data from Trend Micro native sensors, deployed at different layers within the organisation, like the endpoint, network, e-mail and the cloud environment.
Combined with big data analytics, threat models, advisory-based behaviour analytics and detection rules from our security experts, we can help to uncover whether an emerging or unknown threat, or a threat actor, is attempting to compromise your organisation. On top of that, continuous risk assessment of an organisation’s cyber security posture also serves to predict impending issues.
COVID-19 will go away, just like any of the pandemics in the past. But cyber attacks will stay as long as there’s a computer connected to the Internet.
The most effective way to deal with cyber attacks is not to dream of a cure-all panacea, but to take small but co-ordinated measures that culminate in a well-rounded defence strategy.