Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks – There is an old English curse: “May you live in interesting times.” To call 2020 an “interesting” year is probably a severe understatement, but—thankfully—2021 shows signs of returning to “normal”. The COVID-19 vaccine rollout is well underway, and organizations are determining how best to resume business operations. Enterprises that shifted their operations to embrace remote work have had nearly a year to adjust to this new way of being. IT security teams have been working diligently to identify the latest threats that emerged amid the chaos of 2020 and deal with them appropriately.
As things continue to stabilize, security professionals are beginning to look toward the future. Recently, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) published a blog identifying what the group considers the ‘Top Three Focus Areas for CISOs in 2021.’ The focus areas—security architecture, security operations, and risk management—represent broad but important categories that security teams and their leaders should seek to improve upon as 2021 continues. For CISOs, identifying the right set of solutions to address these critical areas should be a high priority.
RH-ISAC leads by noting that “identity and access management [has] emerged as a fundamental component to any information security program.” Furthermore, “CISOs are also looking to automate security tools and integrations to improve visibility and monitoring across the network” as a way to strengthen cloud security practices and enhance business efficiency.
Addressing identity protection challenges and migrating to an identity-first security posture, as opposed to an edge-based one, requires a different approach to security: looking to new technology solutions and shifting to a “least privilege” security posture. Attivo Networks has released innovations that address identity protection needs related to visibility, attack surface reduction, and attack prevention and detection. The Attivo EDN solution addresses credential theft and misuse by hiding high-privileged local accounts and creating decoy credentials for attackers to steal. The EDN ThreatPath component reduces endpoint attack paths by remediating credential exposures and misconfigurations that allow attackers to move laterally between systems. Attivo adds Active Directory protection with the ADSecure solution, which detects Active Directory attacks originating from compromised systems. Additionally, the ADAssessor solution runs an assessment on Active Directory to identify exposures and misconfigurations that leave it vulnerable to attack and to give remediation advice on them. Now CISOs can strengthen their security architecture with improved visibility and automated security practices, rather than waiting and reacting after attackers have compromised a system.
RH-ISAC points out that “in the spirit of doing more with less, many CISOs are working to increase detection and response capabilities while consolidating third-party solutions,” as well as that “some CISOs are starting to think beyond incident response policies and playbooks.”
CISOs are looking to consolidate vendors to make it easier to configure their security solutions and respond to alerts appropriately. This streamlining of security operations can undoubtedly help reduce complexity and improve ease of use. Still, it is vital to make sure that organizations are choosing the right tools for the job. Fortunately, RH-ISAC’s recommendation is wise: increasing detection and response capabilities represents a good place to start. Reducing metrics like dwell time by improving in-network detection capabilities, accelerating incident response through automation and integrations, and increasing SOC efficiencies with evidence-backed alerts can reduce the chances of attackers moving freely throughout the network once they breach perimeter defenses.
These capabilities are a fundamental focus for Attivo. The ThreatDefend® Platform excels at denying, detecting, and derailing attackers across the entire attack surface. The platform efficiently and effectively disrupts attacker discovery, lateral movement, privilege escalation, and collection activities early in the attack cycle—before they can do significant damage. Attivo helps organizations hide critical network assets, accounts, data, storage, and Active Directory objects from attackers while seeding the network with authentic-seeming lures and decoys designed to trick them into giving away their presence. Better still, the technology isolates those attackers in a deception environment, allowing defenders to gather and correlate critical adversary intelligence on the intruder’s IoCs and TTPs. It adds many partner integrations that can automate and accelerate incident response to increase SOC efficiencies. Visibility and protection for Active Directory through assessments and attack detection allow Active Directory teams to collaborate with security to decrease identity and credential-based risks.
When it comes to risk management, RH-ISAC points out that “many CISOs are looking to leverage risk assessments and frameworks to identify high-risk areas and align controls to standards that guide program maturity.” They also emphasize that “insider threat also emerged as a priority CISOs wanted to address this year.” The MITRE Corporation’s ATT&CK® and Shield matrices can help in this endeavor. The ATT&CK matrix helps define threat models to assist in risk assessments for high-value assets, while the Shield matrix facilitates defensive strategy development to identify control requirements to meet the identified risks.
Insider threats, including those arising in the supply chain, have become a heightened emphasis for many organizations. Detecting insider threats can be particularly difficult for organizations with today’s distributed workforce and the transient nature of contract workers. But today, there are more ways than ever to identify and substantiate when an employee, vendor, or other unauthorized user is poking around in areas of the network they shouldn’t be.
EMA’s A Definitive Market Guide to Deception Technology report recognizes deception as a top tool for detecting insider threats. The ThreatDefend platform delivers a deception fabric for security teams to identify unauthorized network scans, credential theft and reuse, and attempts to access and steal data. The platform can create synthetic, disruptive network assets intermingled with the production environment. These decoy servers, file shares, credentials, documents, files, databases, and other elements can quickly detect policy violations or malicious activity if insider threats attempt to access or use them. The solution can also identify and misdirect credential misuse and privilege escalation activities as part of the attack. Research has shown that as many as 57% of breaches involve insider threats and that employee or contractor negligence is the leading cause of these threat incidents. With the rise in remote work, the attack surface has dramatically expanded over the past year—making a solution like ThreatDefend more critical than ever.
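The detection principle behind decoy credentials, shown as an added illustration rather than Attivo code: a seeded account has no legitimate use, so any logon attempt presenting it is a high-fidelity alert, and correlating the endpoint it was planted on with the host it was used from gives the SOC an evidence-backed lateral movement path. The plant map, host names and logon events below are all constructed for the example.

```python
# Deception-based credential-theft detection: added illustration, not Attivo code.
# Decoy accounts are planted on endpoints and have no legitimate use, so any
# logon attempt with one is a high-fidelity alert; correlating where the decoy
# was planted with where it was used gives the SOC an evidence-backed path.
from dataclasses import dataclass

# Hypothetical plant map: decoy account -> endpoint it was seeded on.
DECOY_PLANTS = {
    "svc_backup_adm": "WS-FIN-017",
    "helpdesk_local": "WS-HR-042",
}

@dataclass(frozen=True)
class LogonEvent:
    user: str      # account name presented
    src_host: str  # workstation the attempt came from
    dst_host: str  # system that received the logon attempt
    outcome: str   # "success" or "failure"

def detect_decoy_use(events, plants=DECOY_PLANTS):
    """Return one alert per logon attempt that presents a decoy credential.

    Failed attempts count too: the decoy exists only to be stolen, so even a
    failed logon proves it was harvested from the endpoint it was seeded on.
    """
    alerts = []
    for ev in events:
        planted_on = plants.get(ev.user)
        if planted_on is None:
            continue  # real account: not a deception hit
        alerts.append({
            "decoy": ev.user,
            "planted_on": planted_on,
            "used_from": ev.src_host,
            "target": ev.dst_host,
            "outcome": ev.outcome,
            # A decoy harvested on one host and replayed from another means
            # the intruder has already moved laterally.
            "lateral_movement": ev.src_host != planted_on,
        })
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    LogonEvent("jsmith", "WS-FIN-017", "FS-01", "success"),
    LogonEvent("svc_backup_adm", "WS-FIN-017", "FS-01", "failure"),
    LogonEvent("svc_backup_adm", "WS-ENG-003", "DC-01", "success"),
]
```

Running `detect_decoy_use(SAMPLE_EVENTS)` yields two alerts: the failed attempt from the seeding host shows the decoy was harvested, and the later success from a different host flags lateral movement toward the domain controller.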
The Right Technology from the Right Partner
Although much of the guidance from RH-ISAC is not necessarily new, it serves as a reminder that these are universal issues among this industry segment. It is a good time to evaluate these programs and consider whether the tools, procedures, and resources that are in place are the right ones. There have been many changes in architectures as well as technology advancements in the last year. It’s an excellent time to assess the company’s security risks against the tools in place and leverage guidelines like MITRE ATT&CK to understand coverages and gaps.
Attivo Networks has demonstrated that it can improve endpoint detection by an average of 42% by providing prevention and detection for lateral movement, credential theft, and privilege escalation. Additionally, the company has released several Active Directory protection products that offer unprecedented continuous visibility into exposures in AD, attack path risks, and live attack detection. For organizations looking for scalable innovations to shore up their defenses, Attivo can provide comprehensive and easy-to-manage protection for identities and detection for lateral movement activities.
Ready to see the products in action? You can request a demo here or a free Active Directory risk assessment here.