Major security events focus the attention of consumers, the media, and business leaders on cybersecurity and cyber resilience. The recent breach of SolarWinds, what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen,” is the perfect example. In the aftermath of SolarWinds, security professionals across the world are being summoned to answer questions from the C-suite and the board, questions like, “What do we do now?”
The answer to that question will differ for almost every organization, but whatever internal corrective actions are taken – like patching, scanning for indicators of compromise, etc. – organizations should consider bringing in external experts to re-examine their defenses.
Even the best security teams can suffer from tunnel vision, and the most advanced technologies can miss signs or context. At the enterprise level, the average security team is often dealing with 10,000 security alerts per day, if not more. Technology solutions like next-generation anti-virus and endpoint detection and response (EDR) help security teams manage the fire hose of security alerts, but no technology can fully eliminate risk.
External experts bring specialized tools, expertise, and perhaps most importantly, a fresh perspective to help discover malware or suspicious behavior that might otherwise go undetected. An external threat hunt is a force multiplier for the security team that can help uncover hidden indicators of an attack, insider threat, or intentional destruction of data after a major security event.
An expert external threat hunt also provides independent validation that corrective actions have been effective and that there are no persistent or additional threats in the network. But a major security event like SolarWinds isn't the only reason to conduct a threat hunt. Below are four more events where external expertise can help ensure an organization is protected:
- Your company has a high percentage of remote workers: When workers take their work and devices beyond the corporate network, they may introduce new attack vectors and vulnerabilities. A recent report indicated that consumer devices remain roughly 2x more likely to become infected than business systems. The rapid shift to remote work after COVID-19, and the persistent hybrid models that will continue after the pandemic, mean that remote work will remain a source of risk.
- You deployed or upgraded a new application in the environment: When you upgrade business applications, certain ports can become open that were not before. Role-based access control (RBAC) rules may be changed from what they were before the upgrade, and certain fields may become viewable that were not viewable before.
- You changed or upgraded your firewalls: A firewall upgrade is one of the most sensitive actions that can be taken, and organizations want to ensure that access control lists are configured correctly. External support can help validate that controls such as proxy rules are in place and working properly.
- Your company experiences mass layoffs: A mass layoff event can create a large number of disgruntled insiders. It can also be an indicator of other changes that can introduce more risk than is normal and should be a trigger for extra security review.
In the aftermath of COVID-19 and SolarWinds, nearly every organization is facing at least one of the above circumstances.
External penetration testing is common to evaluate the efficacy of security controls. However, external threat hunting is just as important to identify patterns, relationships, and other possible indicators of compromise that might indicate those security controls have already been compromised. This includes insights into potential zero-day threats before they can attack the environment, both on-premises and in the cloud. Finally, an external threat hunt can help organizations evolve risk and compliance policies to close gaps in security protocols and policies.
And external support isn’t just for the enterprise. Smaller organizations, those that perhaps don’t have a dedicated internal security operations center (SOC), a large security team, or advanced tools, can take advantage of threat hunts to help improve overall security.
In security, the most dangerous threat is the one you don’t see coming. The five events listed here can all be important trigger points, but every organization should consider what regular moments make sense to bring in external support to help eliminate as many blind spots as possible.
Kevin Golas is Director, Cyber Security Services at OpenText.