What is Cyber Resilience? (Part 3 of a 3 Part Series)

Don’t miss out on the rest of our What is Cyber Resilience blog article series! Explore our previous articles to deepen your understanding and gain valuable insights and recommendations about strengthening cyber resilience.

Cyber Hygiene

Cyber hygiene at a high level refers to the practices and measures taken to maintain health and security in an organization’s digital environment. This can include:

  • Patch management programs
  • Implementing secure architecture
  • Correctly configured policies on security controls
  • Properly implemented policies related to cybersecurity

The result of good cyber hygiene is usually that you become “expensive to attack” as an organization, because an attacker has to spend a tremendous amount of resources looking for a weakness to exploit to get in.

Poor cyber hygiene can lead to you becoming “cheap to attack” as an organization because attackers may have to perform trivial tasks to obtain a way into your organization.

  1. Organizations are getting compromised through internet-facing vulnerabilities.
  2. Organizations are getting compromised through compromised credentials that are single-factor.
  3. Patch vulnerabilities for systems connected to the internet.
  4. Implement multi-factor authentication.

If you have been around cybersecurity, #1–#4 are common sense; however, they answer the question “am I cheap to attack?” Using single-factor authentication only and not patching critical internet-facing vulnerabilities is a good indication that you’re low-hanging fruit for threat actors.

Beyond using intelligence sources to evaluate the threat landscape and decide what to focus on for cyber hygiene, it is good to evaluate your maturity: do you actually have good cyber hygiene? Organizations that prioritize cybersecurity and consistently implement best practices often achieve strong cyber hygiene.


Response

Microsoft emphasizes “how fast can you kick them out when they get in?”

We believe Microsoft is onto something here as well by emphasizing Mean Time To Remediation (MTTR) as a key metric for how effective you are at eliminating attacker presence in the environment. At a high level, MTTR is the mean time it takes you to remediate security incidents or vulnerabilities.

If your mean time to remediate is low (measured in hours, days, or weeks depending on whether you are dealing with security alerts, security incidents, or security vulnerabilities), you are taking proper action fast. So if you do identify attacker activity, the proper remediation action is to kick them out. That’s the first step.
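As an added illustration of the metric described above (this is example code written for this article, not Proficio’s tooling), the script below computes MTTR per record category from a constructed set of ticket records, reports it in the unit that suits the category (hours for alerts, days for incidents and vulnerabilities), excludes still-open records rather than counting them as zero, and flags categories that exceed an assumed target. The ticket format, categories and target values are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List

# Reporting unit per record type (unit name, hours per unit). The TARGET
# values are assumed for illustration and are not from the article.
UNIT = {"alert": ("hours", 1), "incident": ("days", 24), "vulnerability": ("days", 24)}
TARGET = {"alert": 4.0, "incident": 3.0, "vulnerability": 14.0}

# Constructed sample tickets: UTC detection and remediation timestamps.
# "remediated": None marks a record that is still open.
SAMPLE_TICKETS = [
    {"id": "ALRT-1", "category": "alert", "detected": "2024-03-01T08:00:00+00:00", "remediated": "2024-03-01T10:30:00+00:00"},
    {"id": "ALRT-2", "category": "alert", "detected": "2024-03-02T09:00:00+00:00", "remediated": "2024-03-02T14:00:00+00:00"},
    {"id": "INC-1", "category": "incident", "detected": "2024-03-01T00:00:00+00:00", "remediated": "2024-03-03T00:00:00+00:00"},
    {"id": "INC-2", "category": "incident", "detected": "2024-03-05T12:00:00+00:00", "remediated": "2024-03-10T12:00:00+00:00"},
    {"id": "VUL-1", "category": "vulnerability", "detected": "2024-02-01T00:00:00+00:00", "remediated": "2024-02-11T00:00:00+00:00"},
    {"id": "VUL-2", "category": "vulnerability", "detected": "2024-02-20T00:00:00+00:00", "remediated": None},
]


def _parse(ts: str) -> datetime:
    # Accept a trailing "Z" as well as an explicit "+00:00" offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def mttr_report(tickets: List[dict]) -> Dict[str, dict]:
    """Mean time to remediation per category, in that category's unit.

    Open tickets are counted separately instead of being averaged: including
    them as zero would make the metric look better than it is.
    """
    durations = defaultdict(list)
    open_count = defaultdict(int)
    for t in tickets:
        cat = t["category"]
        if t["remediated"] is None:
            open_count[cat] += 1
            continue
        hours = (_parse(t["remediated"]) - _parse(t["detected"])).total_seconds() / 3600
        durations[cat].append(hours / UNIT[cat][1])

    report = {}
    for cat, (unit_name, _) in UNIT.items():
        values = durations.get(cat, [])
        value = round(mean(values), 2) if values else None
        report[cat] = {
            "mttr": value,
            "unit": unit_name,
            "remediated": len(values),
            "open": open_count.get(cat, 0),
            "within_target": value is not None and value <= TARGET[cat],
        }
    return report


if __name__ == "__main__":
    for cat, row in mttr_report(SAMPLE_TICKETS).items():
        print(f"{cat:14} MTTR={row['mttr']} {row['unit']} "
              f"(n={row['remediated']}, open={row['open']}, within target={row['within_target']})")
```

The per-category split matters because an alert that takes five hours and a vulnerability that takes ten days are both reasonable, while a single blended number would hide which one is drifting.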

Beyond manual remediation, playbooks that automate the response also exist. Proficio has worked with clients to automate response around either the isolation action or the remediation action. The three most common response types we’ve seen are network perimeter, endpoint, and identity. Each is unique and requires its own approach.

Here is the approach we have found works when implementing automated remediation steps for each:

Type: Network
Common Actions: Block IP, block subnet
Frequency of Actions: Frequent
Common Situations of Action:
  • Access from IPs with poor reputation
  • Activity from IPs doing obvious attack activity
  • Activity from IPs doing activities outside of normal user application usage
Effects of False Positives: Block legitimate activities such as business partners, business applications, customers, cybersecurity vendors, or employees.
Value:
  • Disrupt attacker reconnaissance of public-facing services
  • Reduce noise of network security controls such as network intrusion prevention systems on the NGFW
  • Disrupt credential attacks such as extended brute-force attacks and password sprays

Type: Endpoint
Common Actions: Quarantine endpoint
Frequency of Actions: Rare
Common Situations of Action:
  • An endpoint exhibits multiple unique EDR detections, increasing the likelihood of compromise
  • An endpoint triggers a rare high/critical-severity EDR detection with no known false positives
  • The endpoint is one of the endpoints involved in lateral movement
  • The endpoint is suspected of being compromised with ransomware
Effects of False Positives: Block legitimate activities of end users on endpoints; block legitimate business activities of servers if targeted.
Value:
  • Isolate an endpoint to prevent spread of compromise through lateral movement
  • Isolate an endpoint to disrupt any command-and-control channels currently owned by the attacker
  • Isolate an endpoint so proper forensic investigation can take place if an insider threat is the cause of the activity

Type: Identity
Common Actions: Disable user, clear sessions, reset password with 2nd factor
Frequency of Actions: Disabling user – rare
Common Situations of Action:
  • User account triggers multiple cloud threat detections
  • User account performs an authentication from a known bad IP address
  • User account triggers a cloud threat detection that is a critical threat with no known false positives
Effects of False Positives: Block legitimate activities of the end users that own those accounts.
Value:
  • Limit attacker access if they do gain access to an account
  • If a password reset is required, this often eliminates the information the attacker has that allows access into the environment
  • Kill active sessions the attacker has to client data
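The three playbooks above translate naturally into a small decision engine. The code below is an added example written for this article, not Proficio’s automation; it groups alerts by target (IP, endpoint, or user), applies the trigger conditions from each table, and returns the action the playbook would take or None where the right move is analyst review. The allowlist of trusted sources is there specifically to avoid the false positives the tables warn about (partners, vendors, customers). The alert fields, detection names, thresholds, the allowlist and the known-bad IP list are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed allowlist: sources whose automated blocking would be exactly
# the false positive the network table warns about.
TRUSTED_SOURCES = {
    "203.0.113.10": "cybersecurity vendor scanner",
    "198.51.100.0/24": "business partner",
}
# Constructed threat-intel list used by the identity playbook.
KNOWN_BAD_IPS = {"192.0.2.77"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Alert:
    kind: str                     # "network", "endpoint" or "identity"
    subject: str                  # source IP, hostname or user name
    detection: str                # detection name from the NGFW / EDR / cloud platform
    severity: str
    known_false_positive: bool = False
    src_ip: Optional[str] = None  # authentication source, for identity alerts


@dataclass
class Decision:
    action: Optional[str]         # None = escalate to an analyst, do not act automatically
    reason: str


def trusted_source(ip: str) -> Optional[str]:
    """Return the allowlist label for ip, or None when it is not allowlisted."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in TRUSTED_SOURCES.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return label
    return None


def decide_network(alerts: List[Alert]) -> Decision:
    """Frequent action: block the IP unless it is a known legitimate source."""
    label = trusted_source(alerts[0].subject)
    if label:
        return Decision(None, f"allowlisted source ({label}); analyst review instead of block")
    worst = max(SEVERITY_RANK[a.severity] for a in alerts)
    if worst >= SEVERITY_RANK["medium"]:
        return Decision("block_ip", f"{len(alerts)} detection(s) from untrusted IP")
    return Decision(None, "low-severity only; no automated block")


def decide_endpoint(alerts: List[Alert]) -> Decision:
    """Rare action: quarantine only on the strong evidence the endpoint table lists."""
    unique = {a.detection for a in alerts}
    strong = [a for a in alerts
              if SEVERITY_RANK[a.severity] >= SEVERITY_RANK["high"] and not a.known_false_positive]
    spread = unique & {"lateral_movement", "ransomware_behavior"}
    if len(unique) >= 3:
        return Decision("quarantine_endpoint", f"{len(unique)} unique EDR detections")
    if strong:
        return Decision("quarantine_endpoint", f"high/critical detection with no known false positives: {strong[0].detection}")
    if spread:
        return Decision("quarantine_endpoint", f"lateral movement / ransomware indicator: {sorted(spread)[0]}")
    return Decision(None, "insufficient evidence; leave for analyst triage")


def decide_identity(alerts: List[Alert]) -> Decision:
    """Rare action: disable the account, clear sessions, force a reset with a second factor."""
    unique = {a.detection for a in alerts}
    bad_ip = [a.src_ip for a in alerts if a.src_ip in KNOWN_BAD_IPS]
    critical = [a for a in alerts if a.severity == "critical" and not a.known_false_positive]
    reasons = []
    if len(unique) >= 2:
        reasons.append(f"{len(unique)} cloud threat detections")
    if bad_ip:
        reasons.append(f"authentication from known bad IP {bad_ip[0]}")
    if critical:
        reasons.append(f"critical detection {critical[0].detection}")
    if reasons:
        return Decision("disable_user+clear_sessions+reset_password_2fa", "; ".join(reasons))
    return Decision(None, "single non-critical detection; monitor")


HANDLERS = {"network": decide_network, "endpoint": decide_endpoint, "identity": decide_identity}


def run_playbooks(alerts: List[Alert]) -> Dict[Tuple[str, str], Decision]:
    """Group alerts by (kind, subject) and apply the matching playbook to each group."""
    grouped: Dict[Tuple[str, str], List[Alert]] = defaultdict(list)
    for a in alerts:
        grouped[(a.kind, a.subject)].append(a)
    return {key: HANDLERS[key[0]](group) for key, group in grouped.items()}


# Constructed sample alert stream.
SAMPLE_ALERTS = [
    Alert("network", "192.0.2.50", "ssh_bruteforce", "high"),
    Alert("network", "203.0.113.10", "port_scan", "medium"),
    Alert("endpoint", "WS-0423", "credential_dumping", "medium"),
    Alert("endpoint", "WS-0423", "suspicious_powershell", "medium"),
    Alert("endpoint", "WS-0423", "registry_persistence", "low"),
    Alert("endpoint", "SRV-DB01", "generic_heuristic", "medium"),
    Alert("identity", "jdoe", "impossible_travel", "medium", src_ip="192.0.2.77"),
    Alert("identity", "asmith", "mfa_fatigue", "medium", src_ip="198.51.100.8"),
]

if __name__ == "__main__":
    for (kind, subject), d in run_playbooks(SAMPLE_ALERTS).items():
        print(f"{kind:8} {subject:14} -> {d.action or 'no automated action'} ({d.reason})")
```

The asymmetry in the thresholds is deliberate and mirrors the tables: a single medium-severity network detection from an untrusted IP is enough to block, because the cost of a wrong block is usually low, whereas quarantining an endpoint or disabling a user needs corroboration (multiple unique detections, a known bad source, or a critical detection with no false-positive history) because the cost of a wrong action lands on a real user or server.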

Closing Thoughts

Some vendors offer robust cyber resilience strategies that can assist with a cybersecurity management strategy.

For cyber resilience, have you thought about whether your organization has the right mindset, has adopted key technologies, has good cyber hygiene, and can kick attackers out when they get in?

We think it’s a valuable investment.


Bryan Borra, Vice President, Product and Content Management, Proficio

Bryan is responsible for leading Proficio’s product roadmap and managing our Threat Detection Engineers. He specializes in SIEM content engineering, network intrusion analysis, operational use case development, and threat intelligence.
