Whitepaper Making your enterprise resilient to APTs


Post on 26-Jun-2020


Introduction - a target-rich environment

By now, all businesses should be aware of the threat posed by cyber attacks and hackers. If it’s not repeated warnings from professionals in the sector about the evolving nature of threats, it’s story after story in the media about yet another high profile company experiencing a breach.

It’s enough to make any IT professional feel weary, but what these stories demonstrate is that no business is immune from the risks posed by cyber threats. Whether it is major healthcare insurers such as Anthem, banks like JPMorgan Chase, retailers like Target or even online dating websites such as Ashley Madison, if your business holds sensitive data - whether this is intellectual property, customer and employee information or business details - it will have value to an attacker.

This is not restricted only to large enterprises either. According to research conducted by PwC on behalf of the Department of Business, Innovation and Skills, 90 per cent of large businesses and 74 per cent of smaller enterprises reported that they had fallen victim to a security breach in 2015. These numbers were up from 81 per cent and 60 per cent respectively in 2014[1].

What this shows is that every business, regardless of size or sector, is likely to become a target for criminals in the coming years, or may even have already been targeted without the company realising. And while the average number of breaches has fallen slightly - down from 16 to 14 for large firms and from six to four for smaller companies - the sophistication of these attacks is growing.

A cyber attack can come in a range of forms, and it may be the case that even seemingly innocuous incidents could have serious ramifications. For example, Distributed Denial of Service (DDoS) attacks have in the past been treated as an inconvenience by many businesses - often eliminating their ability to operate effectively - but not as a long-term problem.

However, a study by Neustar suggests that more than a third of companies (36 per cent) discovered malware on their systems in the wake of a DDoS attack[2], suggesting that many such incidents are being used as a cover in order to distract IT professionals from something more sinister.

What’s more, with so many employees reusing login credentials across multiple accounts - including business applications - all it could take is one successful social engineering attack against an individual, such as a spear phishing email, and a criminal could find themselves with access to highly sensitive company details.


A shift in mindset

The result of this is that enterprises will have to re-evaluate their defences and adapt to this constantly evolving threat landscape. While this doesn’t mean old ideas should be abandoned, solutions such as firewalls and anti-malware software alone are not enough to protect a business from today’s threats.

One factor that must be considered in today’s interconnected environment is that it is not only a firm’s own defences that need to be assessed. An increasingly popular strategy for many cyber criminals is to target smaller suppliers, partners or subsidiaries of a target company, which may well have access to certain parts of their network. In many cases, these smaller suppliers will not have the same advanced levels of security as the parent firm, and so are seen as a soft target that can be used as a backdoor to bypass more advanced protections.

The consequences of this can be disastrous. For instance, one of the largest retail data breaches ever recorded was that which affected US department store Target towards the end of 2013, in which around 70 million customers had personal and financial details stolen.

The entry point for this attack was eventually traced to credentials stolen from a third-party HVAC vendor that had a data connection with Target for electronic billing, contract submission and project management[3]. As the breach was estimated to have cost Target $162 million (£111 million)[4] in direct expenses - not including later settlements with credit card providers - it’s clear how costly it can be if businesses fail to consider the security of their supply chain.

This illustrates how technology is only part of the solution when it comes to protecting businesses from cyber attacks. Businesses also need to ensure that staff are aware of the risks they face and are taking adequate steps to minimise their exposure.

Raising the ‘security IQ’ of employees will be the key to success, as far too many individuals still fail to follow simple advice and best practices to ensure their safety, such as creating strong passwords. For instance, in its annual ‘Worst Passwords’ list for 2016, SplashID found the most common passwords are still ‘password’ and ‘123456’ - as they have been every year since the survey began in 2011[5].

Training users in best security practices, such as how to recognise phishing attacks, needs to take place across all levels of an organisation, from entry-level users all the way up to the board. It is only by giving users the knowledge and confidence to understand threats that businesses can avoid some of the most common causes of cyber attacks.


Managed solutions for new threats

A major challenge for any firm trying to build defences against today’s advanced persistent threats (APTs) is that the nature of attacks is changing all the time, as hackers uncover new vulnerabilities and strategies for gaining access to networks and exfiltrating data.

This poses difficulties for many companies, particularly those without large amounts of resources to devote to their cyber security. As a result, demand for experts in this field is higher than ever, and shows no signs of slowing down any time soon.

Figures from security certification body (ISC)² estimate there will be a need for six million security professionals around the world by the end of the decade[6]. However, it is expected that only 4.5 million people will possess the necessary qualifications by this time, which will leave businesses fighting to secure the best talent, and push salaries higher.

To deal with these challenges, many businesses will turn to managed security services providers (MSSPs) in order to help secure their networks. One of the key benefits of this will be the ability to obtain access to tools and resources that would otherwise be beyond the reach of all but the largest enterprises.

What’s more, getting assistance from a third party can also give enterprises peace of mind that their systems will be protected from any new and emerging threats, as MSSPs can use their expertise and experience to better keep up with developments and respond to new dangers.

Businesses that have high agility needs, or that have complex networks spread over multiple sites will especially stand to benefit from such services.

With figures from Transparency Market Research suggesting that the global market for MSS solutions is set to reach $24 billion by 2019, up from just $9.2 billion in 2012[7], it’s clear that this is a service more enterprises will be turning to as the cyber security landscape evolves.


Why analytics is critical

Central to many cyber security solutions in the coming years will be analytics. This is another area that has seen significant growth in interest recently, driven by the huge increase in the volume of information the average enterprise has to process.

As more businesses become more digitised and adopt big data strategies, this is only set to grow in importance. Gartner estimates that more than three-quarters of companies will invest in big data in the next two years[8], while according to Cisco, global IP traffic is set to reach 88.4 billion gigabytes per month this year and surpass 168 billion gigabytes per month by 2019[9].

With so much data being sent around the world, and businesses having to process millions of transactions per second, trying to identify suspicious activity within this is less like looking for a needle in a haystack, and more like looking for a specific grain of sand on a beach.

What effective analytics offers is a way to cut through all this noise and spot key signals that can indicate increasingly advanced attacks. For instance, analytics can highlight patterns of behaviour, assign risk scores to users and identify potentially vulnerable parts of a network.

Over time, it can also build up a detailed picture of a business’ activity profile, which helps improve its detection rates and cut down on false positive alerts, as it develops a greater understanding of what may constitute suspicious activity.

This is vital, as detection speeds for cyber attacks remain poor. Cisco’s 2016 Annual Security Report noted that the industry estimate for time to detection is between 100 and 200 days, something the report described as “unacceptable”[10].

As the idea of 100 per cent security is - and has always been - a myth, businesses must accept that sooner or later, they will be breached. Therefore, minimising the time to detection is one of the best things companies can do to restrict the damage and keep themselves and their customers safe.


The bigger picture

Ultimately, businesses must consider cyber protections not as an isolated task, but a key part of their wider security strategy. As the world becomes more interconnected and more companies rely on digital solutions for almost every activity, security needs to be factored in to everything a company does.

Above all else, enterprises have a duty of care to both their customers and employees - just as is the case in any other area, such as travel or physical security. If you are asking users to share sensitive information with you, it is your responsibility to ensure it is safe.

In the years to come, the growing importance of cyber protections will see them converge with every other aspect of the security environment. Therefore, it will be vital that all personnel throughout a company - including the C-suite - have a strong understanding of what cyber security entails and why it needs to be a top priority. Enterprises that are more resilient to risks like APTs will be in a much better position in the coming years, where cyber attacks will be one of the biggest threats to enterprises.


References

1. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432412/bis-15-302-information_security_breaches_survey_2015-full-report.pdf
2. http://www.itpro.co.uk/security/25288/hackers-use-ddos-attacks-to-distract-you
3. http://uk.pcmag.com/security/8113/news/hvac-vendor-confirms-link-to-target-data-breach
4. http://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/
5. https://www.teamsid.com/worst-passwords-2015/
6. http://www.ft.com/cms/s/0/4cabd0fe-8940-11e5-90de-f44762bf9896.html#axzz3v9EeZVkK
7. http://globenewswire.com/news-release/2015/11/20/789153/10156979/en/Global-Managed-Security-Services-to-Reach-US-24-127-Mn-due-to-Emergence-of-Cloud-based-Managed-Security-Services-Transparency-Market-Research.html
8. http://www.gartner.com/newsroom/id/3130817
9. http://www.cisco.com/c/en/us/solutions/collateral/service-provider/ip-ngn-ip-next-generation-network/white_paper_c11-481360.html
10. http://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1737810


Encode UK
Level 33,
25 Canada Square,
London E14 5LB

encodegroup.com

+44 (0) 2070388305

[email protected]

© Copyright Encode. All rights reserved.