A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company’s ability to deliver for its customers, and so to its value. This is the seventh in a series of posts about cybersecurity risk, and how you can reduce it to give customers and investors confidence.
The all seeing eye!
Every organisation faces a constant barrage of cyber threats; from phishing emails to sophisticated malware to employee data exfiltration (both malicious and inadvertent), the list of attack vectors seems endless. In reality, most businesses have no idea that any of this is happening until they implement an XDR (Extended Detection & Response) solution.
So what is an XDR tool? Traditionally, security systems have operated in silos: an email security tool, an antivirus tool on laptops and perhaps a monitoring tool on your servers. The result is gaps that attackers are all too ready to exploit. XDR tools are the modern evolution of these segregated tools and are best thought of as networks of sensors consolidating data from across your entire environment, using advanced analytics to spot threats that would otherwise slip through the cracks. They are usually one of the biggest producers of security logs for your SIEM tool to ingest and your 24/7 SOC to review.
Identity and Device management - the foundational first steps
A robust XDR tool will install sensors in all sorts of places across your cloud environments; the most common example is email servers. However, to really be sure that you are secure, you need to protect your staff identities and the devices from which they access your environment. This is not practically possible without robust identity and device management to ensure that:
- Staff can only access work systems from managed devices that have been suitably configured.
- Staff can only use managed web browsers on those managed devices, and they are restricted from installing unapproved browsers.
- The right XDR sensors are in place on user devices, and these sensors are properly configured with their threat intelligence up to date.
- Staff are unable to remove or tamper with XDR sensors on their devices.
Data Loss Prevention tools
XDR tools are often focussed largely on external threats: phishing emails, malicious downloads, suspicious links etc. To really complete the layered protection, one also needs to consider insider risk: the prospect that a member of staff (or the compromised account of a member of staff) is going to maliciously steal, or inadvertently leak, sensitive corporate IP such as documents or source code. As such, many XDR tools can be bundled with data loss prevention tooling that uses the same XDR sensors to detect corporate IP leaving the organisation. This is clearly particularly important if the key business risk you are concerned about is extremely sensitive or valuable IP.
Test, test, test!
So, your identity management is sorted, your devices are managed, your XDR tooling is deployed, and your DLP tools are configured. All is good right?
Sadly not. Properly configuring devices and security tools often involves a myriad of settings which need to be set correctly and must not clash with each other. When somebody says everything is configured and ready to go, regardless of how much you trust them, don't take their word for it: test aggressively!
Some of the detections that we would recommend checking are:
- Trying to install unauthorised web browsers.
- Trying to upload sensitive documents to file sharing sites or cloud storage.
- Trying to copy source code into an AI tool like ChatGPT.
- Trying to remove the XDR tool from a device.
This is obviously not an exhaustive list, but if any of these actions is doable, and you don't then see an alert flagged in your security systems, you will need to iterate on the configuration until you are confident you are detecting what you need to detect. This is another reason why it is often helpful to get a 24/7 SOC deployed as soon as possible - they will be able to help you understand the various alerts and tweak the configuration much more efficiently than you doing it on your own.
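One way to make that iteration systematic is to record each test action you perform on a designated test device and then check the SIEM for the alert you expected, on the right host and within a sensible time window. The script below is an added example, not code from the original post or from any XDR vendor: the rule names, host names and alert records are all constructed, and the alert format is an assumption.

```python
# Added example (not from the original post): detection-coverage check for the
# four recommended test actions. Rule names and the alert record format are
# assumptions; real names depend on your XDR/DLP vendor.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class TestAction:
    name: str             # action performed on the managed test device
    expected_rule: str    # alert rule we expect to fire (assumed name)
    performed_at: datetime

T0 = datetime(2024, 1, 15, 9, 0)  # constructed start time of the test run
TEST_ACTIONS = [
    TestAction("install unapproved browser", "UnapprovedSoftwareInstall", T0),
    TestAction("upload sensitive document to cloud storage", "DlpCloudUpload", T0 + timedelta(minutes=10)),
    TestAction("paste source code into AI web tool", "DlpSourceCodeToWeb", T0 + timedelta(minutes=20)),
    TestAction("attempt to uninstall the XDR sensor", "SensorTamperAttempt", T0 + timedelta(minutes=30)),
]

# Constructed SIEM alert records. Note two traps: the source-code alert came
# from a different host, and the tamper alert is stale (hours before the test),
# so neither counts as evidence that the test action was detected.
SAMPLE_ALERTS = [
    {"host": "test-laptop-01", "rule": "UnapprovedSoftwareInstall", "time": T0 + timedelta(minutes=2)},
    {"host": "test-laptop-01", "rule": "DlpCloudUpload", "time": T0 + timedelta(minutes=11)},
    {"host": "other-laptop-07", "rule": "DlpSourceCodeToWeb", "time": T0 + timedelta(minutes=21)},
    {"host": "test-laptop-01", "rule": "SensorTamperAttempt", "time": T0 - timedelta(hours=3)},
]

def alert_fired(action, alerts, host, window=timedelta(minutes=15)):
    """True if the expected rule fired on `host` within `window` after the action."""
    return any(
        a["host"] == host
        and a["rule"] == action.expected_rule
        and action.performed_at <= a["time"] <= action.performed_at + window
        for a in alerts
    )

def coverage_gaps(actions, alerts, host):
    """Names of test actions that produced no matching alert: these need config work."""
    return [t.name for t in actions if not alert_fired(t, alerts, host)]

if __name__ == "__main__":
    for gap in coverage_gaps(TEST_ACTIONS, SAMPLE_ALERTS, "test-laptop-01"):
        print(f"NO ALERT for: {gap} -> iterate on the configuration")
```

Run against the constructed data, the script reports the source-code paste and the sensor removal attempt as undetected, which is the list to take back to whoever owns the configuration.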
Bottom line
XDR tools are not optional. They need to be fully implemented as soon as possible and you should consider yourself to have no security until they are in place. Even once deployed, you should assume that you only have some security until they have been robustly tested in real world use over a prolonged period of time.
If you are navigating some of these challenges at the moment we can help. Our mission is to help you reduce your cyber risk, and so our help can be in whatever form is most helpful to you, from conducting an assessment of your current setup, to advising on system architecture and config, introducing trusted partners, training up staff or helping with op model development or hiring. Please reach out below 👇