Assume compromise: new security fundamentals for the new threat era


In this exclusive opinion piece, Ammar Enaya, regional director – METNA, Vectra AI, discusses the importance of advanced threat detection & response.

Is it fair to say that CISOs across the region are feeling under siege? Over the past two years, many have had to contend with jarring shifts in business practices, coupled with a heavy uptick in employees working outside corporate bounds on devices that may not be secure, while more of their vendors are now enmeshed in the enterprise technology stack. And if that’s not enough—threat actors continue to relentlessly march towards their environments. Under siege might not be a stretch.

In May 2021, Dubai Police disclosed it had received 25,000 official complaints of e-crime in 2020. Consider this: that is just one emirate in the UAE, and many cyber-incidents go unreported. A KPMG study from 2020 showed that, globally, not only were ransomware incidents on the rise, but the average payout had increased by 60% across the first two quarters of the year. And in the UAE, 98% of respondents told KPMG researchers they were concerned about escalations in the regional threat landscape in 2021—yet only 78% made any moves to strengthen their security postures.

In fact, these concerns were shared around the world. And as we know, 2021 confirmed everyone’s fears. The Colonial Pipeline, SolarWinds, Kaseya, Microsoft Exchange—a list of devastating attacks that just seems to keep going. When we combine the demonstration of the threat landscape seen in the headlines with our own experiences and fears and add our lack of readiness—the scale of the problem starts to become clear.

Prevention is no cure
Today, CIOs and CISOs agree that a strategy of prevention at the perimeter will fail. Indeed, popular new methodologies such as zero trust are founded on the principle that every single access, no matter where the user or system is located, needs to be authorized. Zero trust is a great concept, but the journey to achieve it may take a decade or more.

By instead assuming that a compromise will occur, organizations will be well positioned to find it and then take the proper mitigating action. And while the process and idea seem simple and even obvious—legacy tools are just not equipped to execute it. For example, legacy tools like IDS and SIEM do not cover credential theft like the one that led to the ransomware attack on the Colonial Pipeline. A Verizon report claims 80% of breaches involve compromised credentials. Meanwhile, Microsoft posits that 99.9% of all attacks can be blocked through MFA; however, this assumes that bad actors will not pivot to other attack methods that circumvent the traditional login.

None of this means preventative controls are obsolete. What it does mean is that we need to go further in 2022, given the growing complexity of IT environments. So—assume compromise, detect, and respond.

Reactive to Proactive
If we assume compromise, it means we are already on the offensive. We have switched mindsets, from reactive to proactive. While it’s still important to prevent incursions where possible, we instead go on the hunt and prevent the threats within our walls from carrying out their mission. To do this, CISOs and their teams need clear and far-reaching visibility of the entire environment. The more nooks and recesses they can peer into, the more likely they are to discover suspicious behavior. Once they have found it, acting on it is a matter of the right tools and policies.

Zero trust is an important part of the “assume compromise” approach. When there is no such thing as a trusted user, device, or process, an organization has taken an important step towards effective detection and response. Digital transformation won’t stop, so the right security to protect cloud, AI, IoT, and other technologies must be in place. There is no point innovating oneself into a costly ransomware attack.

Cause becomes solution
With the rise of RansomOps, threat campaigns have become more sophisticated. Today, we see more exfiltration of data rather than on-site encryption. Lateral movement and privilege escalation are also common. The assume-compromise mindset helps mitigate these kinds of assault. Cloud infrastructure — albeit an initial cause of the escalation in the region’s cyber-incidents — is now part of the solution, as it has the potential to scale and automate security processes.

AI-driven network detection and response (NDR) is one solution that fits neatly into the assume-compromise paradigm. It automates threat detection through machine-learning behavior models that allow threat hunters to pin down attackers in real time. This enables swift, effective action that mitigates the incursion and can prevent the dropping of a payload such as ransomware.

Now is the time to empower the region’s threat hunters. They are already overworked trying to come to terms with the changing shape of their domains. Shouldn’t we equip them with the means to delve deeper and launch broader investigations of incidents? AI-driven NDR solutions provide ranked lists of the suspicious activity detected, so that human specialists can quickly go after the most serious threats.

The solutions’ automation and triage capabilities are supplemented by comprehensive real-time collection, analysis, and storage of network metadata, logs, and events, from on-premises to cloud. This enables a high degree of visibility of all workloads relevant to the organization, regardless of where they are hosted.
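To make the "ranked list of suspicious activity" idea concrete, here is an added example of a minimal triage scorer over network metadata. It is illustrative code written for this article, not Vectra's product logic or any NDR vendor's model: the events are constructed sample records, and the behavior rules (admin-protocol fan-out for lateral movement, an unexpectedly privileged logon, and a large outbound transfer to a non-internal address), their thresholds and their weights are hypothetical choices, not detection engineering from the page. What it shows is the shape of the workflow: per-host scoring across several attack stages, a bonus when stages chain together, and a ranked output an analyst can work from the top.

```python
"""Toy assume-compromise triage: score internal hosts by suspicious behaviors
seen in network metadata and rank them for a threat hunter.
Added example for this article; thresholds, weights and events are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample metadata records (not real telemetry).
# "conn": one network connection summary; "auth": one authentication event.
EVENTS = [
    {"host": "ws-17", "kind": "conn", "dst": "10.0.0.5", "port": 445, "bytes_out": 4_000},
    {"host": "ws-17", "kind": "conn", "dst": "10.0.0.6", "port": 445, "bytes_out": 3_500},
    {"host": "ws-17", "kind": "conn", "dst": "10.0.0.7", "port": 3389, "bytes_out": 12_000},
    {"host": "ws-17", "kind": "conn", "dst": "10.0.0.8", "port": 5985, "bytes_out": 2_000},
    {"host": "ws-17", "kind": "auth", "user": "jdoe", "privileged": True,
     "baseline_privileged": False},
    {"host": "ws-17", "kind": "conn", "dst": "203.0.113.9", "port": 443,
     "bytes_out": 900_000_000},
    {"host": "ws-22", "kind": "conn", "dst": "10.0.0.5", "port": 445, "bytes_out": 1_000},
    {"host": "ws-22", "kind": "conn", "dst": "198.51.100.4", "port": 443,
     "bytes_out": 2_000_000},
    {"host": "srv-db", "kind": "conn", "dst": "203.0.113.20", "port": 443,
     "bytes_out": 300_000_000},
]

# Hypothetical policy: what counts as "inside", which ports are admin protocols,
# and the thresholds/weights for each behavior. Real deployments learn these.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
LATERAL_FANOUT_THRESHOLD = 3          # distinct internal hosts reached over admin ports
EXFIL_BYTES_THRESHOLD = 100_000_000   # 100 MB outbound to non-internal addresses
WEIGHTS = {"lateral": 40, "privilege": 30, "exfil": 30, "chained": 10}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_host(events):
    """Score one host's events; returns (score, list of human-readable reasons)."""
    score, reasons = 0, []

    # Lateral movement: fan-out over admin protocols to many internal targets.
    lateral_targets = {e["dst"] for e in events
                       if e["kind"] == "conn" and e["port"] in ADMIN_PORTS
                       and is_internal(e["dst"])}
    if len(lateral_targets) >= LATERAL_FANOUT_THRESHOLD:
        score += WEIGHTS["lateral"]
        reasons.append(f"lateral movement: admin-protocol fan-out to "
                       f"{len(lateral_targets)} internal hosts")

    # Privilege escalation: a privileged logon by an account not baselined as privileged.
    escalated = [e["user"] for e in events
                 if e["kind"] == "auth" and e.get("privileged")
                 and not e.get("baseline_privileged")]
    if escalated:
        score += WEIGHTS["privilege"]
        reasons.append(f"privilege escalation: unexpected privileged logon by "
                       f"{', '.join(sorted(set(escalated)))}")

    # Exfiltration: large outbound volume to addresses outside the internal ranges.
    ext_bytes = sum(e["bytes_out"] for e in events
                    if e["kind"] == "conn" and not is_internal(e["dst"]))
    if ext_bytes >= EXFIL_BYTES_THRESHOLD:
        score += WEIGHTS["exfil"]
        reasons.append(f"exfiltration: {ext_bytes / 1_000_000:.0f} MB sent externally")

    # Several stages on one host look like a progressing intrusion, not noise.
    if len(reasons) > 1:
        score += WEIGHTS["chained"]
        reasons.append("chained: multiple attack stages observed on this host")
    return score, reasons


def triage(events):
    """Group events by host and return [(host, score, reasons)] ranked worst-first."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    scored = [(host, *score_host(evs)) for host, evs in by_host.items()]
    ranked = sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))
    return ranked


if __name__ == "__main__":
    for host, score, reasons in triage(EVENTS):
        print(f"{host:8} score={score:3}")
        for r in reasons:
            print(f"           - {r}")
```

Run stand-alone it prints ws-17 first (lateral fan-out, an unexpected privileged logon and a large external transfer chained together) and srv-db second (large external transfer only); ws-22 scores zero and is left off the list, which is the point of ranking: the hunter starts with the host that shows a progressing intrusion rather than wading through every alert.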

Welcome back to the driver’s seat
Finally, after two years of relinquishing control of their environments to WFH employees and third-party vendors, those responsible for securing the digital estate can take back control. By assuming compromise and deploying high-visibility tools like AI-driven NDR—they can stop bracing for a failure of preventative measures and go on the offensive. Threat actors will have nowhere to hide.
