Friday, March 6, 2020

Who Benefits from Threat Intelligence?


Threat intelligence benefits organizations of all shapes and sizes by helping them to better understand their attackers, respond faster to incidents, and proactively get ahead of an adversary’s next move. For SMBs, intelligence helps them achieve a level of protection that would otherwise be out of reach. On the other hand, enterprises with large security teams can reduce the cost and required skills by leveraging external threat intel and make their analysts more effective.

From top to bottom, cyber threat intelligence offers unique advantages to every member of a security team. Here’s how it can benefit each position, and the specific use cases that apply to each:

Function              Benefits
Sec/IT Analyst        Optimize prevention and detection capabilities and strengthen defenses
SOC                   Prioritize incidents based on risk and impact to the organization
CSIRT                 Accelerate incident investigations, management, and prioritization
Intel Analyst         Uncover and track threat actors targeting the organization
Executive Management  Understand the risks the organization faces and what the options are to address their impact

Function              Use Cases
Sec/IT Analyst        - Integrate TI feeds with other security products
                      - Block bad IPs, URLs, domains, files, etc.
SOC                   - Use TI to enrich alerts
                      - Link alerts together into incidents
                      - Tune newly deployed security controls
CSIRT                 - Look for information on the who/what/why/when/how of an incident
                      - Analyze root cause to determine scope of the incident
Intel Analyst         - Look wider and deeper for intrusion evidence
                      - Review reports on threat actors to better detect them
Executive Management  - Assess overall threat level for the organization
                      - Develop security roadmap
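To make the SOC and Sec/IT Analyst use cases above concrete, here is a small added example (not code from the original post or from any vendor) that enriches alerts with a threat-intel feed, links matching alerts into incidents per host and actor, scores them by indicator confidence and asset criticality, and derives a blocklist from high-confidence indicators. The feed, the alerts, the asset criticality values and the scoring formula are all constructed assumptions for illustration.

```python
"""Added example: enriching alerts with a threat-intelligence feed, linking them
into prioritized incidents, and exporting a blocklist. Not the blog's code; the
feed, alerts and criticality ratings below are constructed sample data."""
from collections import defaultdict

# Constructed TI feed: indicator -> actor attribution and confidence (0-100)
TI_FEED = {
    "203.0.113.45": {"actor": "ExampleGroup-A", "confidence": 90, "type": "ip"},
    "evil-updates.example": {"actor": "ExampleGroup-A", "confidence": 75, "type": "domain"},
    "198.51.100.7": {"actor": "Commodity-Miner", "confidence": 40, "type": "ip"},
}

# Constructed alerts, shaped roughly like what a SIEM would emit
ALERTS = [
    {"id": 1, "host": "ws-042", "indicator": "203.0.113.45", "rule": "outbound-connection"},
    {"id": 2, "host": "ws-042", "indicator": "evil-updates.example", "rule": "dns-query"},
    {"id": 3, "host": "srv-db01", "indicator": "198.51.100.7", "rule": "outbound-connection"},
    {"id": 4, "host": "ws-017", "indicator": "192.0.2.10", "rule": "outbound-connection"},
]

# Constructed asset criticality (impact to the organization), 1 = low, 5 = critical
ASSET_CRITICALITY = {"srv-db01": 5, "ws-042": 2, "ws-017": 1}


def enrich(alert):
    """Attach TI context to one alert; an unknown indicator yields ti_match = None."""
    enriched = dict(alert)
    enriched["ti_match"] = TI_FEED.get(alert["indicator"])
    return enriched


def link_incidents(enriched_alerts):
    """Group TI-matched alerts into incidents keyed by (host, actor)."""
    incidents = defaultdict(list)
    for alert in enriched_alerts:
        if alert["ti_match"] is None:
            continue  # no intel context: leave for normal triage
        incidents[(alert["host"], alert["ti_match"]["actor"])].append(alert)
    return incidents


def score(host, incident_alerts):
    """Hypothetical risk formula: strongest indicator confidence x asset
    criticality x number of corroborating alerts."""
    confidence = max(a["ti_match"]["confidence"] for a in incident_alerts)
    return confidence * ASSET_CRITICALITY.get(host, 1) * len(incident_alerts)


def prioritize(alerts):
    """Return incidents ranked by risk, highest first."""
    incidents = link_incidents(enrich(a) for a in alerts)
    ranked = [
        {"host": host, "actor": actor,
         "alert_ids": [a["id"] for a in grouped],
         "risk": score(host, grouped)}
        for (host, actor), grouped in incidents.items()
    ]
    return sorted(ranked, key=lambda inc: inc["risk"], reverse=True)


def blocklist(min_confidence=70):
    """Indicators confident enough to push to a firewall or DNS filter."""
    return sorted(ind for ind, meta in TI_FEED.items()
                  if meta["confidence"] >= min_confidence)


if __name__ == "__main__":
    for incident in prioritize(ALERTS):
        print(incident)
    print("blocklist:", blocklist())
```

The confidence threshold for the blocklist is deliberately higher than the threshold for raising an incident: a low-confidence indicator is worth an analyst's attention but not an automatic block that could break legitimate traffic.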


Thursday, March 5, 2020

Cyber Attack Trends


In its mid-year report, Check Point Research provides analysis of the year to date, looking at global cyber attack trends in malware overall, ransomware, and mobile and cloud malware.
TREND 1: Software supply chain attacks on the rise
In software supply chain attacks, the threat actor typically installs malicious code into legitimate software by modifying and infecting one of the building blocks the software relies upon. As with physical chains, software supply chains are only as strong as their weakest link.
Software supply chain attacks can be divided into two main categories. The first includes targeted attacks aiming to compromise well-defined targets, scanning their suppliers list in search of the weakest link through which they could enter. In the ShadowHammer attack, attackers implanted malicious code into the ASUS Live Update utility, allowing them to later install backdoors on millions of remote computers.
In the second category, software supply chains are used to compromise as many victims as possible by locating a weak link with a large distribution radius. One such example is the attack on PrismWeb, an e-commerce platform, in which attackers injected a skimming script into the shared JavaScript libraries used by online stores, affecting more than 200 online university campus stores in North America.
TREND 2: Evasive phishing cyber attacks
Phishing is a popular cyber attack technique and continues to be one of the biggest cyber security threats. Advanced socially engineered evasion techniques are bypassing email security solutions with greater frequency. Check Point researchers noted a surge in sextortion scams and business email compromise (BEC), which pressure victims into making a payment through blackmail or by impersonating others, respectively. Neither scam necessarily contains malicious attachments or links, making them harder to detect. In April, one sextortion campaign went as far as pretending to be from the CIA and warned victims they were suspected of distributing and storing child pornography. The attackers demanded $10,000 in Bitcoin.
Evasive email scams include encoded emails, images of the message embedded in the email body, as well as complex underlying code that mixes plain text letters with HTML character entities. Social engineering techniques, as well as varying and personalizing the content of the emails, are additional methods allowing the scammers to fly safely under the radar of anti-spam filters and reach their target’s inbox.
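The evasion described above works because a filter that matches phrases against the raw message body never sees the words the recipient sees. The following added example (not from the Check Point report or the original post) shows a normalization step that decodes a base64 transfer encoding, resolves HTML character entities, strips tags and folds Unicode compatibility forms before phrase matching. The sample message, the suspicious-phrase list and the helper names are constructed for illustration.

```python
"""Added example: normalizing an evasively encoded email body before phrase
screening. Not the original post's code; the sample message is constructed."""
import base64
import html
import re
import unicodedata

# Constructed sample: the lure text is split across HTML character entities
# and tags, so a naive substring match on the raw body finds nothing.
SAMPLE_HTML_BODY = (
    "<p>Y&#111;ur acc&#x6f;unt has been <b>sus</b>pended. "
    "P&#97;y &#36;10,000 in Bitc&#x6f;in</p>"
)

# The same message as it would arrive in a base64 transfer-encoded MIME part
SAMPLE_BASE64_BODY = base64.b64encode(SAMPLE_HTML_BODY.encode("utf-8")).decode("ascii")

# Constructed phrase list; a real filter would use a far larger, maintained set
SUSPICIOUS_PHRASES = ["your account has been suspended", "bitcoin", "pay $"]


def normalize(body, transfer_encoding=None):
    """Undo the layers a filter has to see through, in the order they were applied:
    transfer encoding, HTML entities, tags, Unicode compatibility forms, whitespace."""
    if transfer_encoding == "base64":
        body = base64.b64decode(body).decode("utf-8", errors="replace")
    text = html.unescape(body)                  # &#111; and &#x6f; both become 'o'
    text = re.sub(r"<[^>]+>", "", text)         # drop tags that split words apart
    text = unicodedata.normalize("NFKC", text)  # fold fullwidth and other look-alike forms
    text = re.sub(r"\s+", " ", text).strip().lower()
    return text


def matched_phrases(body, transfer_encoding=None):
    """Phrases found after normalization."""
    text = normalize(body, transfer_encoding)
    return [phrase for phrase in SUSPICIOUS_PHRASES if phrase in text]


def naive_matches(body):
    """Phrases found by scanning the raw body, which is what the evasion defeats."""
    lowered = body.lower()
    return [phrase for phrase in SUSPICIOUS_PHRASES if phrase in lowered]


if __name__ == "__main__":
    print("raw scan:       ", naive_matches(SAMPLE_HTML_BODY))
    print("normalized scan:", matched_phrases(SAMPLE_HTML_BODY))
    print("base64 part:    ", matched_phrases(SAMPLE_BASE64_BODY, "base64"))
```

Phrase matching on normalized text is only one signal; the point of the example is that every detection that reads message content, including machine-learning classifiers, should run on the decoded form the recipient actually sees.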
TREND 3: Clouds under attack
The growing popularity of public cloud environments has led to an increase of cyber attacks targeting resources and sensitive data residing within these platforms. Following the 2018 trend, practices such as misconfiguration and poor management of cloud resources remained the most prominent threat to the cloud ecosystem in 2019. As a result, subjected cloud assets have experienced a wide array of attacks. This year, misconfiguring cloud environments was one of the main causes for a vast number of data theft incidents and attacks experienced by organizations worldwide.
Cloud cryptomining campaigns have increased with upgraded techniques capable of evading basic cloud security products. Docker hosts have been exposed and competitors’ cryptomining campaigns operating in the cloud shut down. Check Point researchers also witnessed an increase in the number of exploitations against public cloud infrastructures.
TREND 4: Mobile device attacks
Malicious actors are adapting techniques and methods from the general threat landscape to the mobile world. Banking malware has successfully infiltrated the mobile cyber arena, with a sharp rise of more than 50% compared to 2018. In step with the growing use of banks' mobile applications, malware capable of stealing payment data, credentials and funds from victims' bank accounts has been pushed from the general threat landscape and has become a very common mobile threat too.

Wednesday, March 4, 2020

Reasons Why We Need 24×7 Cyber Security Monitoring


Continuous or 24×7 cybersecurity monitoring through an experienced security services provider can drastically improve your threat alerts and help you spend more time on your security strategies. Here are five solid reasons you should consider 24×7 cyber security monitoring in the year ahead.

Minimize Data Breaches

A team of experts that reviews security events and logs on a 24×7 basis can help you improve your Mean-Time-to-Detect (MTTD). According to the 2017 Ponemon Cost of Data Breach Study, the average MTTD across the 491 companies surveyed was 191 days, with a range of 24 to 546 days. Imagine a hacker within your environment for that length of time. How much damage do you think one hacker, or many, could do during that time? Once a threat actor enters your environment, they can wreak havoc on systems and endpoints and eventually steal your data or hold your data for ransom.

In the same Ponemon report, hackers and criminal insiders were the cause of most data breaches. Companies in the U.S. and Canada also spend the highest amount per record on resolving a data breach, at $224 and $201 per record respectively. In the recent Equifax data breach, with over 140 million records exposed, the company most likely saw a cost of more than $32 billion to resolve the issue. Not only did the company experience a financial loss because of the breach, but also damage to its brand and shareholder reputation.

Improve Your Mean-Time-To-Respond

The core metrics many security teams use to measure their effectiveness are Mean-Time-To-Detect (MTTD) and Mean-Time-To-Respond (MTTR). Once your security team identifies or detects a threat and creates an alert, it then becomes a matter of how much time is spent on containing and remediating the threat. The Ponemon Cost of Data Breaches report found that the average MTTR for organizations was 66 days, with a range of 10 to 164 days.

Some organizations have millions of dollars invested in firewalls, antivirus, endpoint security, and more but these technologies can generate thousands of alerts per day. This can cause your IT or security team to suffer alert fatigue. With 24×7 cyber security monitoring, your organization can greatly improve your MTTD and MTTR with the right alerts. A team of security analysts at a managed security services provider can leverage Artificial Intelligence (AI), automation, and orchestration to improve alerts and identify the events that matter.

Knowing Who Your Adversaries Are With Threat Intelligence

Data breaches that go on for months are a result of poor detection and response capabilities. Cyber attacks and breaches can happen to anyone which brings the need for around-the-clock awareness of your security environment. If you know exactly what’s happening and can sift through the noise of all your devices, you can start to make sense of what’s really happening.

Continuous monitoring paired with threat intelligence feeds can take your security detection and response capabilities to the next level. Threat intelligence in conjunction with 24×7 monitoring enables you to know exactly who your threat actors are, how they operate, and how likely they are to hack your organization.
Identifying threats as soon as possible is key in today's threat landscape. As you saw above, threats often go undetected and can result in serious fines or a damaged brand and shareholder reputation. A 24×7 cyber security monitoring service helps you overcome significant challenges in your network security. A highly certified security provider can become an extension of your team and help you offload the tedious task of filtering through hundreds and even thousands of alerts. Explore the benefits of managed security services in our whitepaper below.


Tuesday, March 3, 2020

What are the challenges with continuous monitoring?


For most businesses, continuous monitoring poses three primary challenges.
VISIBILITY
Interconnected systems, applications, and networks make viewing threats difficult. For example, organizations need to separate the networks on which they run their payroll applications to comply with the Payment Card Industry Data Security Standard (PCI DSS). Meanwhile, the networks on which they run their business collaboration tools - Google Drive, O365, Box, Dropbox - act as another entryway for cyber attacks.
More applications increase the number of locations that place the organization at risk. For example, most applications come with a default password such as "Admin." These passwords are not secure, yet many IT departments and users forget to reset them. This creates a visibility issue, since the growing number of applications makes it difficult to monitor password security and traffic across the network.
PRIORITIZATION
Taking this further, each application added to the network also poses another potential risk. For example, security patch updates for each application and operating system need to be monitored. However, some patches provide support for application and operating system usability while others focus on security.
Prioritizing alerts burdens SMBs who have limited IT staff to respond to and remediate threats. Sifting through the alerts to determine the most important ones takes time yet fixing every problem slows down systems, networks, and staff. Thus, finding the balance between high risk and low risk alerts becomes a strategic business need.
HUMAN ERROR
Embedded within both the visibility and prioritization issues lies the risk of human error. Manual monitoring becomes untenable. For SMBs whose IT department may consist solely of a single person, rushing monitoring activities while responding to help desk tickets can lead to mistakes in prioritizing or reviewing alerts.

Monday, March 2, 2020

Cyber Security Monitoring Importance


Cyber security monitoring is essential in today’s work environment due to the wide range of cyber threats and the significant costs of downtime. A managed security services provider plays a critical role in keeping your network well protected by offering around the clock monitoring services.

Ultimately, these services reduce downtime, increase productivity, and limit the damage of cyber threats. Keeping your systems protected is always a top priority in today's workplace, and an IT service provider is essential to give your small business much-needed peace of mind.

Limits Damage of Cyber Attacks

Cyber-attacks can devastate the reputation of any small business and can also cause significant data breaches. Many of these cyber threats focus on penetrating the network to steal valuable information and wreak havoc on the entire operating system.

However, you can limit the damage of cyber-attacks by partnering with a managed service provider that offers cyber security monitoring services. A monitoring provider detects unusual activity within your network and contains a cyber threat before it spreads to other areas and causes widespread damage.

Conclusion
New attack vectors and vulnerabilities are discovered every day. Your organization likely has firewalls, IDS/IPS, and AV solutions installed that look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks and advanced persistent threats.

Your organization may already have SIEM technology that aggregates data from all of your security controls into a single correlation engine, but it may also create huge numbers of alerts, including false positives. Our security experts can tune your SIEM and provide insightful analysis for real-time threat detection and incident response.


Friday, February 28, 2020

How does cyber security monitoring work?


Cyber security analysts utilize a range of technologies to achieve visibility of threats at network and endpoint levels.
Cyber security monitoring tools include Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS).
SIEM systems collect, manage and correlate log information from a range of sources to provide a holistic view of security posture and generate alerts for investigation by cyber security analysts. IDS combines network-based (NIDS) and host-based (HIDS) methods to analyze network traffic and identify anomalies.
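The correlation and tuning described here (and in the Conclusion of the previous post, where an untuned SIEM floods analysts with false positives) can be shown on a tiny scale. The following added example, which is not the blog's or any SIEM vendor's code, parses constructed SSH authentication log lines, applies one correlation rule (a burst of failed logins followed by a success from the same source and user), and shows how an allowlist tuned after investigation suppresses a known false positive without hiding the real hit. The log lines, thresholds and the allowlisted address are all constructed assumptions.

```python
"""Added example: a minimal SIEM-style correlation rule over sample log lines,
with an allowlist used to tune out a known false positive. Not the blog's code;
the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines in a syslog-like layout. The first burst is a
# brute-force that succeeds; the second is a backup job that retries an expired
# credential before succeeding with a new one (a recurring false positive).
SAMPLE_LOGS = """\
2020-03-02T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.9 port 5501
2020-03-02T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.9 port 5502
2020-03-02T09:00:05 sshd[1201]: Failed password for admin from 203.0.113.9 port 5503
2020-03-02T09:00:06 sshd[1201]: Failed password for admin from 203.0.113.9 port 5504
2020-03-02T09:00:08 sshd[1201]: Failed password for admin from 203.0.113.9 port 5505
2020-03-02T09:00:12 sshd[1201]: Accepted password for admin from 203.0.113.9 port 5506
2020-03-02T09:15:00 sshd[1300]: Failed password for backup from 10.0.0.50 port 6001
2020-03-02T09:15:01 sshd[1300]: Failed password for backup from 10.0.0.50 port 6002
2020-03-02T09:15:02 sshd[1300]: Failed password for backup from 10.0.0.50 port 6003
2020-03-02T09:15:03 sshd[1300]: Failed password for backup from 10.0.0.50 port 6004
2020-03-02T09:15:04 sshd[1300]: Failed password for backup from 10.0.0.50 port 6005
2020-03-02T09:15:06 sshd[1300]: Accepted password for backup from 10.0.0.50 port 6006
2020-03-02T10:00:00 sshd[1400]: Failed password for alice from 10.0.0.12 port 7001
2020-03-02T10:00:30 sshd[1400]: Accepted password for alice from 10.0.0.12 port 7002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$")


def parse(lines):
    """Turn raw log lines into event dicts; unparsable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production SIEM would count and surface unparsed lines
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5), allowlist=frozenset()):
    """Rule: at least `threshold` failures for one (source, user) pair inside
    `window`, followed by a success for the same pair. `allowlist` holds
    source addresses an analyst has tuned out after investigation."""
    failures = defaultdict(list)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        key = (event["src"], event["user"])
        if event["result"] == "Failed":
            failures[key].append(event["ts"])
            continue
        recent = [t for t in failures[key] if event["ts"] - t <= window]
        if len(recent) >= threshold and event["src"] not in allowlist:
            alerts.append({"src": event["src"], "user": event["user"],
                           "failures": len(recent),
                           "success_at": event["ts"].isoformat()})
        failures[key].clear()  # a success resets the pair's failure history
    return alerts


def run(allowlist=frozenset()):
    """Parse the sample logs and apply the rule with the given tuning."""
    return correlate(parse(SAMPLE_LOGS), allowlist=allowlist)


if __name__ == "__main__":
    print("untuned:", run())
    print("tuned:  ", run(allowlist=frozenset({"10.0.0.50"})))
```

Tuning by source address is the crudest form of suppression; the alternative of fixing the backup job's credential removes the noise at its source and is what an analyst would push for, but until then the allowlist keeps the admin brute-force visible instead of buried.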
Endpoint Security Monitoring
Endpoint detection technologies provide visibility of activity such as file executions and registry changes across desktops, laptops, and servers. This empowers cyber security analysts to inspect deeper into IT infrastructure to hunt for, detect and terminate threats.

Thursday, February 27, 2020

What is Cyber Security?

Cyber security
Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It's also known as information technology security or electronic information security. The term applies in a variety of contexts, from business to mobile computing, and can be divided into a few common categories.
- Network security is the practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware.
- Application security focuses on keeping software and devices free of threats. A compromised application could provide access to the data it's designed to protect. Successful security begins in the design stage, well before a program or device is deployed.
- Information security protects the integrity and privacy of data, both in storage and in transit.
- Operational security includes the processes and decisions for handling and protecting data assets. The permissions users have when accessing a network and the procedures that determine how and where data may be stored or shared all fall under this umbrella.
- Disaster recovery and business continuity define how an organization responds to a cyber-security incident or any other event that causes the loss of operations or data. Disaster recovery policies dictate how the organization restores its operations and information to return to the same operating capacity as before the event. Business continuity is the plan the organization falls back on while trying to operate without certain resources.
- End-user education addresses the most unpredictable factor in cyber-security monitoring: people. Anyone can accidentally introduce a virus to an otherwise secure system by failing to follow good security practices. Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization.
The scale of the cyber threat
The global cyber threat continues to evolve at a rapid pace, with a rising number of data breaches each year. A report by RiskBased Security revealed that a shocking 7.9 billion records have been exposed by data breaches in the first nine months of 2019 alone. This figure is more than double (112%) the number of records exposed in the same period in 2018.
Medical services, retailers and public entities experienced the most breaches, with malicious criminals responsible for most incidents. Some of these sectors are more appealing to cybercriminals because they collect financial and medical data, but all businesses that use networks can be targeted for customer data, corporate espionage, or customer attacks.
With the scale of the cyber threat set to continue to rise, the International Data Corporation predicts that worldwide spending on cyber-security solutions will reach a massive $133.7 billion by 2022. Governments across the globe have responded to the rising cyber threat with guidance to help organizations implement effective cyber-security practices.
In the U.S., the National Institute of Standards and Technology (NIST) has created a cyber-security framework. To combat the proliferation of malicious code and aid in early detection, the framework recommends continuous, real-time monitoring of all electronic resources.