Whitepaper
Making your enterprise resilient to APTs
Introduction - a target-rich environment
By now, all businesses should be aware of the threat posed by cyber attacks and hackers. If it’s
not repeated warnings from professionals in the sector about the evolving nature of threats, it’s
story after story in the media about yet another high profile company experiencing a breach.
It’s enough to make any IT professional feel weary, but what these stories demonstrate is that no
business is immune from the risks posed by cyber threats. Whether it is major healthcare insurers
such as Anthem, banks like JPMorgan Chase, retailers like Target or even online dating websites
such as Ashley Madison, if your business holds sensitive data - whether this is intellectual property,
customer and employee information or business details - it will have value to an attacker.
This is not restricted only to large enterprises either. According to research conducted by PwC
on behalf of the Department of Business, Innovation and Skills, 90 per cent of large businesses and
74 per cent of smaller enterprises reported that they had fallen victim to a security breach in 2015.
These numbers were up from 81 per cent and 60 per cent respectively in 2014[1].
What this shows is that every business, regardless of size or sector, is likely to become a target for
criminals in the coming years, or may even have already been targeted without the company
realising. And while the average number of breaches has fallen slightly - down from 16 to 14
for large firms and from six to four for smaller companies - the sophistication of these attacks
is growing.
A cyber attack can come in a range of forms, and it may be the case that even seemingly
innocuous incidents could have serious ramifications. For example, Distributed Denial of Service
(DDoS) attacks have in the past been treated as an inconvenience by many businesses - often
eliminating their ability to operate effectively - but not as a long-term problem.
However, a study by Neustar suggests that more than a third of companies (36 per cent)
discovered malware on their systems in the wake of a DDoS attack[2], suggesting that many
such incidents are being used as a cover in order to distract IT professionals from something
more sinister.
What’s more, with so many employees reusing login credentials across multiple accounts -
including business applications - all it could take is one successful social engineering attack
against an individual, such as a spear phishing email, and a criminal could find themselves with
access to highly sensitive company details.
A shift in mindset
The result of this is that enterprises will have to re-evaluate their defences and adapt to this
constantly evolving threat landscape. While this doesn’t mean old ideas should be abandoned,
solutions such as firewalls and anti-malware software alone are not enough to protect a business
from today’s threats.
One factor that must be considered in today’s interconnected environment is that it is not only
a firm’s own defences that need to be assessed. An increasingly popular strategy for many
cyber criminals is to target smaller suppliers, partners or subsidiaries of a target company, which
may well have access to certain parts of their network. In many cases, these smaller suppliers
will not have the same advanced levels of security as the parent firm, and so are seen as a soft
target that can be used as a backdoor to bypass more advanced protections.
The consequences of this can be disastrous. For instance, one of the largest retail data
breaches ever recorded was that which affected US department store Target towards the end
of 2013, in which around 70 million customers had personal and financial details stolen.
The entry point for this attack was eventually traced to credentials stolen from a third-party
HVAC vendor that had a data connection with Target for electronic billing, contract submission
and project management[3]. As the breach was estimated to have cost Target $162 million
(£111 million)[4] in direct expenses - not including later settlements with credit card providers -
it’s clear how costly it can be if businesses fail to consider the security of their supply chain.
This illustrates how technology is only part of the solution when it comes to protecting businesses
from cyber attacks. Businesses also need to ensure that staff are aware of the risks they face
and are taking adequate steps to minimise their exposure.
Raising the ‘security IQ’ of employees will be the key to success, as far too many individuals still
fail to follow simple advice and best practices to ensure their safety, such as creating strong
passwords. For instance, in its annual ‘Worst Passwords’ list for 2016, SplashID found the most
common passwords are still ‘password’ and ‘123456’ - as they have been every year since the
survey began in 2011[5].
Training users in best security practices, such as how to recognise phishing attacks, needs to
take place across all levels of an organisation, from entry-level users all the way up to the board.
It is only by giving users the knowledge and confidence to understand threats that businesses
can avoid some of the most common causes of cyber attacks.
Managed solutions for new threats
A major challenge for any firm trying to build defences against today’s advanced persistent
threats (APTs) is that the nature of attacks is changing all the time, as hackers uncover new
vulnerabilities and strategies for gaining access to networks and exfiltrating data.
This poses difficulties for many companies, particularly those without large amounts of resources
to devote to their cyber security. As a result, demand for experts in this field is higher than ever,
and shows no signs of slowing down any time soon.
Figures from security certification body (ISC)² estimate there will be a need for six million security
professionals around the world by the end of the decade[6]. However, it is expected that
only 4.5 million people will possess the necessary qualifications by this time, which will leave
businesses fighting to secure the best talent, and push salaries higher.
To deal with these challenges, many businesses will turn to managed security services providers
(MSSPs) in order to help secure their networks. One of the key benefits of this will be the ability to
obtain access to tools and resources that would otherwise be beyond the reach of all but the
largest enterprises.
What’s more, getting assistance from a third party can also give enterprises peace of mind
that their systems will be protected from any new and emerging threats, as MSSPs can use their
expertise and experience to better keep up with developments and respond to new dangers.
Businesses that have high agility needs, or that have complex networks spread over multiple
sites will especially stand to benefit from such services.
With figures from Transparency Market Research suggesting that the global market for MSS
solutions is set to reach $24 billion by 2019, up from just $9.2 billion in 2012[7], it’s clear that this is
a service more enterprises will be turning to as the cyber security landscape evolves.
Why analytics is critical
Central to many cyber security solutions in the coming years will be analytics. This is another
area that has seen significant growth in interest recently, driven by the huge increase in the
volume of information the average enterprise has to process.
As more businesses become more digitised and adopt big data strategies, this is only set to
grow in importance. Gartner estimates that more than three-quarters of companies will invest in
big data in the next two years[8], while according to Cisco, global IP traffic is set to reach 88.4
billion gigabytes per month this year and surpass 168 billion gigabytes per month by 2019[9].
With so much data being sent around the world, and businesses having to process millions of
transactions per second, trying to identify suspicious activity within this is less like looking for a
needle in a haystack, and more like looking for a specific grain of sand on a beach.
What effective analytics offers is a way to cut through all this noise and spot key signals that
can indicate increasingly advanced attacks. For instance, analytics can highlight patterns of
behaviour, assign risk scores to users and identify potentially vulnerable parts of a network.
Over time, it can also build up a detailed picture of a business’ activity profile, which helps
improve its detection rates and cut down on false positive alerts, as it develops a greater
understanding of what may constitute suspicious activity.
This is vital, as detection speeds for cyber attacks remain poor. Cisco’s 2016 Annual Security
Report noted that the industry estimate for time to detection is between 100 and 200 days,
something the report described as “unacceptable”[10].
As the idea of 100 per cent security is - and has always been - a myth, businesses must accept
that sooner or later, they will be breached. Therefore, minimising the time to detection is one
of the best things companies can do to restrict the damage and keep themselves and their
customers safe.
The bigger picture
Ultimately, businesses must consider cyber protections not as an isolated task, but as a key part of
their wider security strategy. As the world becomes more interconnected and more companies
rely on digital solutions for almost every activity, security needs to be factored into everything a
company does.
Above all else, enterprises have a duty of care to both their customers and employees - just as
is the case in any other area, such as travel or physical security. If you are asking users to share
sensitive information with you, it is your responsibility to ensure it is safe.
In the years to come, the growing importance of cyber protections will see it converge with
every other aspect of the security environment. Therefore, it will be vital that all personnel
throughout a company - including the C-suite - have a strong understanding of what cyber
security entails and why it needs to be a top priority. Enterprises that are more resilient to risks like
APTs will be in a much better position in the coming years, where cyber attacks will be one of
the biggest threats to enterprises.
References
1. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432412/bis-15-302-information_security_breaches_survey_2015-full-report.pdf
2. http://www.itpro.co.uk/security/25288/hackers-use-ddos-attacks-to-distract-you
3. http://uk.pcmag.com/security/8113/news/hvac-vendor-confirms-link-to-target-data-breach
4. http://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/
5. https://www.teamsid.com/worst-passwords-2015/
6. http://www.ft.com/cms/s/0/4cabd0fe-8940-11e5-90de-f44762bf9896.html#axzz3v9EeZVkK
7. http://globenewswire.com/news-release/2015/11/20/789153/10156979/en/Global-Managed-Security-Services-to-Reach-US-24-127-Mn-due-to-Emergence-of-Cloud-based-Managed-Security-Services-Transparency-Market-Research.html
8. http://www.gartner.com/newsroom/id/3130817
9. http://www.cisco.com/c/en/us/solutions/collateral/service-provider/ip-ngn-ip-next-generation-network/white_paper_c11-481360.html
10. http://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1737810
Encode UK
Level 33,
25 Canada Square,
London E14 5LB
encodegroup.com
+44 (0) 2070388305
© Copyright Encode. All rights reserved.