
Automation of detection, Internet of Things, and Transition to the cloud


Automation of detection

One aspect of the cybersecurity landscape that has become brighter for defenders is that it has become easier to detect attacks that would have otherwise only been apparent through expert analysis of the information systems’ event log telemetry. While some attackers are overt and do little to hide their presence on the network, competent attackers often spend quite some time performing reconnaissance once they have established a beachhead on the organization’s network. These attackers leave only subtle traces of their presence that you might not be alerted to unless you have sophisticated intrusion detection systems that can recognize signs of the intruder’s activities. If an organization can detect attackers while the attackers are still performing reconnaissance, it can reduce the amount of damage done.

In the past, Security Information and Event Management (SIEM) systems would analyze information and detect suspicious activities based on heuristics developed by the vendor. While these systems are effective in discovering suspicious activity, they are only able to detect suspicious activity if the vendor recognizes the characteristics of that suspicious activity. To recognize new types of suspicious activity, the SIEM system must be updated with new signatures that allow it to recognize the characteristics of that activity.

Cloud-based services, such as Azure Security Center, Azure Advanced Threat Protection, and Windows Defender Advanced Threat Protection, provide organizations with more effective threat detection functionality than traditional methods, such as manual telemetry analysis. These cloud-based services have access to Microsoft’s Security Graph. Microsoft’s Security Graph centralizes the security information and telemetry that Microsoft collects across all its sources. This includes telemetry related to attacker activity across all of Microsoft’s customers, as well as information from Microsoft’s own ongoing security research efforts.

Through machine learning analysis of this vast trove of data, Microsoft can recognize the subtle characteristics of attacker activities. Once the characteristics of a specific attack are recognized through analysis of this immense data set, similar activity will be detected should it occur on customer networks.
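As an added illustration of the distinction drawn above (this is not code from the course), the following Python runs two detectors over constructed telemetry lines: a signature rule that only matches a process name already on a known-bad list, and a behavioural rule that flags a single source connecting to many distinct hosts inside a short window, the kind of reconnaissance trace a fixed signature never describes. The log format, host names and the known-bad process name are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the course): "timestamp key=value ...".
SAMPLE_LOGS = """\
2024-05-01T10:00:01 src=ws-17 event=smb_connect dst=fs-01
2024-05-01T10:00:02 src=ws-17 event=smb_connect dst=fs-02
2024-05-01T10:00:02 src=ws-17 event=smb_connect dst=dc-01
2024-05-01T10:00:03 src=ws-17 event=smb_connect dst=ws-22
2024-05-01T10:00:04 src=ws-17 event=smb_connect dst=ws-23
2024-05-01T10:00:05 src=ws-17 event=smb_connect dst=ws-24
2024-05-01T10:00:09 src=ws-04 event=process_start cmd=known_bad_tool.exe
2024-05-01T10:30:00 src=ws-09 event=smb_connect dst=fs-01
2024-05-01T10:31:00 src=ws-09 event=smb_connect dst=fs-02
"""

def parse(logs):
    """Turn each line into a dict of its key=value fields plus a datetime 'ts'."""
    records = []
    for line in logs.splitlines():
        ts, rest = line.split(" ", 1)
        rec = dict(kv.split("=", 1) for kv in rest.split())
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

# Signature-based detection (the traditional SIEM model): only activity whose
# characteristics the vendor has already described is matched. The process
# name below is a constructed placeholder, not a real indicator.
KNOWN_BAD_PROCESSES = {"known_bad_tool.exe"}

def signature_hits(records):
    """Return the sources that started a process on the known-bad list."""
    return [r["src"] for r in records
            if r.get("event") == "process_start" and r.get("cmd") in KNOWN_BAD_PROCESSES]

# Behavioural detection: one source reaching `threshold` distinct hosts within
# `window` is flagged, whatever tool produced the connections.
def recon_hits(records, window=timedelta(minutes=1), threshold=5):
    """Return {source: distinct hosts in the first window that crossed the threshold}."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("event") == "smb_connect":
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so earlier events are at lower indices
        for i, (ts, _) in enumerate(events):
            targets = {d for t, d in events[:i + 1] if ts - t <= window}
            if len(targets) >= threshold:
                flagged[src] = len(targets)
                break
    return flagged
```

The signature rule sees only ws-04; the behavioural rule also surfaces ws-17, which never touched anything on the known-bad list but swept five hosts in four seconds.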

The cybersecurity landscape has also changed now that defenders increasingly have access to tools like Azure Security Center that can highlight and, in some cases, remediate security configuration problems on monitored information systems. In the past, information security professionals would have to work through configuration checklists when hardening servers, clients, and other equipment. Today services such as Azure Security Center can provide recommendations as to what configuration changes should be made to on-premises and cloud-hosted workloads to make them more secure. Security configuration recommendations provided by these services can also be updated as new threats emerge. This helps ensure that an organization’s security posture remains up-to-date.

Defenders also have access to breach and attack simulation tools. Rather than relying on experienced penetration testers to perform red team exercises to locate known vulnerabilities in an organization’s information systems configuration, breach and attack simulation tools simulate an attack and locate known vulnerabilities. While such tools won’t find every possible vulnerability, they are likely to detect the vulnerabilities most often exploited by attackers. If defenders remediate all vulnerabilities found by such tools, their engagement with penetration testers performing red team exercises is likely to be more valuable. Using such tools before engaging a red team will certainly reduce the likelihood of expensive penetration testers discovering a list of obvious configuration vulnerabilities that should have been found by even the most cursory of examinations. When an organization engages penetration testers, the hope is that they’ll discover something that the organization’s information security staff couldn’t have seen, not something that they knew about but didn’t get around to addressing.

Internet of Things

Another big change in the cybersecurity landscape over the past decade has been the rise of the Internet of Things (IoT). The IoT is the network of physical objects, devices, televisions, refrigerators, home climate systems, cars, and other items, that are increasingly embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data. While consumer operating systems, such as Windows 10, OS X, iOS, and Android, have increased security features with every release and update, the operating systems of Internet of Things devices rarely receive long-term security update support from their vendors.

The IoT presents an ongoing challenge to the cybersecurity landscape in that these devices are likely to remain insecure. This is because even when vendors do provide updates, unless those updates are installed automatically, few owners of these devices will bother to apply them. While people will apply software updates to their computers and phones when reminded, most are less diligent when it comes to applying software updates to their refrigerator, washing machine, or television.

How does this impact the cybersecurity landscape? Botnets composed of IoT devices have already been used to perform distributed denial of service attacks. While the processing capability of IoT devices is much less significant than that of desktop computers or servers, it’s likely only a matter of time before an enterprising attacker works out how to get rich using a botnet of refrigerators to mine cryptocurrency.

Transition to the cloud

The cybersecurity landscape has been substantially altered by organizations moving on-premises workloads to the cloud. It is important to note, though, that moving infrastructure, applications, and data to the cloud doesn’t mean that the responsibility for information security shifts from organizational personnel to the cloud provider.

As has been amply demonstrated by developers leaving cloud storage containers globally accessible, the security of a cloud deployment is only as good as the cloud tenant configures it to be. Just as with on-premises information system security, the settings to secure workloads are present, but they must actually be configured by the information technology professionals responsible for those workloads.

For example, a cloud storage container used by a major US newspaper to host website code allowed read access to anyone in the world. Attackers used this access to inject coin mining code into the web pages delivered by the newspaper to its readers. Each time a reader visited the newspaper website, some cycles of their computer’s CPU worked on generating cryptocurrency for the attackers who had modified the contents of the cloud storage container.

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security, created by FutureLearn - Learning For Life.
