With cybercriminals taking less and less time to break into corporate systems, Asia-Pacific enterprises will have to look to artificial intelligence (AI) and machine learning tools to better combat threats and bolster their network resilience. Businesses also need to ensure that access to data is granted only once user identities have been authenticated, and only under predetermined conditions.
“It is not a matter of ‘if’ but ‘when’” is now an often-cited adage about the inevitability of security breaches, and companies need to think about how they can use speed to defend themselves against attacks.
This was increasingly important because the time cyber adversaries took to break into, and then move laterally within, a network was narrowing, said CrowdStrike’s co-founder and CEO George Kurtz, speaking at the GovWare conference in Singapore this week. Specifically, the “breakout time”, the time it took intruders, after breaching a system, to begin moving laterally to explore other systems, had averaged 1 hour and 58 minutes in the past year, Kurtz said, pointing to research the security vendor conducted.
He said this metric revealed how quickly adversaries operated within a targeted network and gave businesses a yardstick against which to assess their own capabilities to detect and respond. It meant that enterprises had just under two hours to detect and investigate a breach and identify the remediation needed to contain it, he added.
He noted that the breakout times of some state-sponsored adversary groups were significantly shorter than the average. For instance, a Russian actor group codenamed “Bear” by CrowdStrike clocked a breakout time of just 18.49 seconds, he said. This was far ahead of its nearest competitor, a North Korean group, which managed to do so in 2 hours and 20 minutes.
To better prepare themselves as breakout times continued to shorten, CrowdStrike espoused a defense model it called the 1-10-60 rule: enterprises should be able to detect a breach within 1 minute, investigate it within 10 minutes, and remediate it within 60 minutes.
Citing its survey of 1,300 organizations worldwide, including in Singapore and Japan, Kurtz said respondents took on average 210 hours to detect an attack, 13 hours to investigate it, and 15 hours to remediate it. The average time it took companies to return to their usual business environment was 63 hours, he said.
He further warned that cyber adversaries had been able to weaponize techniques and vulnerabilities leaked from nation-state actors, and were now better at identifying where weak nodes resided, such as US government departments that were underfunded and limited in resources.
To better contain security incidents, he urged organizations to gain better visibility and speed.
He underscored the importance of AI and machine learning in enabling companies to detect anomalies more quickly by monitoring and assessing behavior-based attacks. Given the volume of data that needed to be analyzed, and the speed at which it had to be done, adopting a cloud infrastructure was also essential and the only way to analyze data at that scale, he added.
According to Forcepoint’s global CTO Nico Fischbach, machine learning and data science helped enterprises better understand user behavior and map data usage patterns.
Cybercriminals’ main goal typically was to access corporate data, and it would be more difficult for them to do so undetected if organizations were able to establish normal usage patterns and data interactions, Fischbach said in an interview on the sidelines of the conference. He added that machine learning and automation then would help enterprises more quickly detect and stop security breaches.
He noted that Forcepoint aimed to integrate these capabilities into its product development efforts. The security vendor also was moving to a cloud-native architecture in which it would run security engines directly in the cloud, so organizations would not need to bring such traffic back to their networks.
Fischbach added that Forcepoint would soon launch Dynamic Edge Protection, a SaaS (software-as-a-service) native security offering that would allow enterprises to connect to the platform and access the vendor’s threat protection features and user behavior analytics capabilities.
For security’s sake, trust no one
Kurtz also recommended deploying a Red Team, either internally or through an external vendor, or conducting penetration testing exercises to identify, and plug, potential vulnerabilities.
In addition, a Zero Trust security strategy would ensure every workload, regardless of where it resided, was adequately protected, he said.
Fellow conference speaker Ravinder Singh, who is president of ST Engineering, concurred. He pointed to the SingHealth, Equifax, and Capital One breaches, among the security breaches that had been attributed, in part, to human error and misconfiguration.
This demonstrated that the right hardware and software, strong policies, and defense in depth were not enough to safeguard against attacks. Humans were also an important component in the equation, but often were the weakest link, Singh said.
This posed a growing challenge as phishing attacks were increasingly sophisticated, he noted. He, too, pointed to the benefits of a Zero Trust model as this ensured no one was granted access to corporate networks and data until they proved they could be trusted. This encompassed the adoption of identity assurance, trusted endpoints, conditional policies, and least privilege, limiting users’ access rights to the minimum they needed to fulfill their work requirements, he said.
The SingHealth breach, for instance, could have been contained more quickly had the user credentials used to download the millions of patient records been denied access, since such a large volume of requests would likely have registered as an anomaly.
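Fischbach’s point about establishing normal usage patterns and Singh’s SingHealth illustration come down to the same control: a per-identity baseline of how much data that identity normally reads, and a conditional access policy that denies a session whose volume sits far outside that baseline. The following Python is an added example for this article, not code from CrowdStrike, Forcepoint, ST Engineering, or the SingHealth inquiry; the access history, user names, and thresholds are constructed for illustration.

```python
"""Volume-based anomaly check on data access, applied as a conditional policy.

Added example. Each identity is baselined on its own history of records read
per session; a new session is denied when its requested volume is far above
that baseline or above an absolute cap. All data here is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: (user_id, records read in one session). Invented
# figures for this example, not real clinical access data.
HISTORY: List[Tuple[str, int]] = [
    ("clinic_a", 38), ("clinic_a", 45), ("clinic_a", 41), ("clinic_a", 52),
    ("clinic_a", 47), ("clinic_a", 39), ("clinic_a", 44),
    ("research_b", 900), ("research_b", 1100), ("research_b", 980),
    ("research_b", 1050), ("research_b", 870), ("research_b", 1020),
]

Z_THRESHOLD = 4.0      # standard deviations above the mean that count as anomalous
MIN_SESSIONS = 5       # sessions needed before a per-user baseline is trusted
DEFAULT_LIMIT = 100    # records allowed per session when no baseline exists
HARD_CAP = 5000        # absolute ceiling for any identity, baseline or not
MIN_STDEV = 1.0        # floor so a flat history still yields a finite z-score

Baseline = Tuple[float, float]   # (mean, standard deviation)


def build_baselines(history: List[Tuple[str, int]]) -> Dict[str, Baseline]:
    """Mean and standard deviation of records read per session, per user.

    Users with fewer than MIN_SESSIONS sessions get no baseline and so fall
    back to the stricter DEFAULT_LIMIT in evaluate().
    """
    per_user: Dict[str, List[int]] = defaultdict(list)
    for user, count in history:
        per_user[user].append(count)
    baselines: Dict[str, Baseline] = {}
    for user, counts in per_user.items():
        if len(counts) >= MIN_SESSIONS:
            baselines[user] = (mean(counts), max(pstdev(counts), MIN_STDEV))
    return baselines


def evaluate(user: str, records_requested: int,
             baselines: Dict[str, Baseline]) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one session's requested volume.

    The hard cap is checked first so that a baseline built on already
    excessive history cannot launder a bulk export; identities without a
    baseline get the least-privilege default; everyone else is judged
    against their own z-score.
    """
    if records_requested > HARD_CAP:
        return "deny", f"{records_requested} records exceeds hard cap of {HARD_CAP}"
    baseline = baselines.get(user)
    if baseline is None:
        if records_requested > DEFAULT_LIMIT:
            return "deny", (f"no baseline for {user}; {records_requested} "
                            f"exceeds default limit of {DEFAULT_LIMIT}")
        return "allow", f"no baseline for {user}; within default limit"
    mu, sigma = baseline
    z = (records_requested - mu) / sigma
    if z > Z_THRESHOLD:
        return "deny", (f"{records_requested} records is {z:.1f} sd above "
                        f"{user}'s mean of {mu:.0f}")
    return "allow", f"{records_requested} records is {z:.1f} sd from mean of {mu:.0f}"


if __name__ == "__main__":
    bl = build_baselines(HISTORY)
    for user, n in [("clinic_a", 48), ("clinic_a", 4000), ("research_b", 1200),
                    ("new_hire", 500), ("research_b", 9000)]:
        print(user, n, *evaluate(user, n, bl))
```

The hard cap and the no-baseline default are what make this a conditional policy rather than just an alert: a credential with little or no history cannot pull a large volume on its first attempt, and a long-running bulk export cannot normalise itself into the baseline. In production the baseline would be recomputed from a rolling window and the decision fed to the access gateway, not printed.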
Singh believed the Zero Trust concept alone, if adopted, would mitigate losses even in the event of a breach. In addition, running regular drills would be critical in preparing companies to deal with breaches, he said.
FireEye CEO Kevin Mandia, too, championed the need for simulations and drills to be included in any security strategy as this would enable enterprises to determine if their security policies were effective. It would ascertain whether they had the right responses to deal with different attack scenarios, he said, adding that a cybersecurity drill typically would take about four hours.
Like Kurtz, Mandia also advocated Red Team hunting, which he said would provide an “unvarnished” truth about a company’s cyber defenses and identify loopholes in its security response.
This would be especially critical since there were still several key weaknesses in how enterprises managed their security posture, including poor credential management, a lack of network segmentation, single-factor access to VPNs, and unprotected privileged accounts.
Some 96% of companies in the city-state admitted to experiencing a data breach over the past year, with 98% expressing security concerns involving digital transformation initiatives and 5G network deployments.