XDR vs. NDR

What are XDR and NDR, and what are their advantages?


NDR (network detection and response) and XDR (endpoint detection and response) are two similar yet clearly distinct approaches to cybersecurity. The number of cyber threats rises every year, so business owners and IT managers are looking for new and smarter ways to fend off these threats in order to keep their business running at full operational capacity.

Traditional antivirus software is still effective and plays an integral role in protecting your business against malware, ransomware and other cyber threats, but it is no longer enough to serve as the sole defence mechanism. NDR and XDR are two of many cybersecurity solutions that present themselves as effective and important solutions using machine learning and artificial intelligence to defend against a newer and more lethal wave of cyber threats. But understanding how to use NDR and XDR in your business is not always straightforward.

How do you know which solution your business needs, and what are their advantages?

WHAT IS NDR?

NDR (network detection and response) is a security solution your business can use to detect any suspicious or unusual traffic passing through the company network. NDR software constantly analyses traffic data to construct a baseline that helps it understand the network's usual behaviour. This is a crucial step, since with this information anomalies can easily be found, identified and refined.

A notification is then sent to the network administrators, who can take the necessary steps and actions to eliminate the threat if required. Alternatively, automated solutions and other cybersecurity systems can be used to isolate, contain and eliminate the threat.

LogSearch offers a very modern network detection and response (NDR) platform, namely ExtraHop. Read everything you need to know about it here.

ADVANTAGES OF NDR

Including an NDR solution in your cybersecurity system is a big step forward for your business, and with it come several important advantages:

  • NDR offers excellent protection against new and evolving malware.
  • Uses AI to combat malicious cyber threats that evolve every day to find new weaknesses and loopholes in your cybersecurity systems.
  • Delivers detailed analyses to help find out how the threat entered the network in the first place, and helps ensure it does not happen again.
  • Proactively helps streamline incident response and threat hunting processes.

NDR is excellent at detecting malware across a network. If an XDR solution could not identify these threats because they are not part of the organisation's network, an NDR solution can act quickly and effectively using artificial intelligence and advanced technology.

WHAT IS XDR?

XDR (endpoint detection and response) shares some similarities with NDR but is fundamentally different in nature. XDR solutions focus on scanning and monitoring all endpoints connected to your business network. An XDR solution monitors and collects data from these endpoints, as an NDR does, and constructs a "normal" behaviour pattern that then helps identify threats in an instant. Like NDR solutions, XDR software also informs your network administrators that a threat is present, so it can be contained and eliminated immediately.

XDR solutions are being adopted by more and more companies every year. In fact, according to McAfee, the use of XDR solutions is growing at an annual rate of almost 26%. This is driven by several factors, but primarily by the increase in the number of endpoints connected to business networks. Historically, the only devices connected to a business network would be work computers, printers and other stationary devices. Now, however, every employee and every visitor to the company connects to the network with mobile devices, tablets, laptops, IoT devices and more.

Although this is a huge advantage when it comes to streamlining business operations and processes, it is something more companies need to be careful about, since it opens up a large number of weak points in a company's security. In short, more endpoints mean more vulnerabilities. Every endpoint connected to your network is a potential way in for malware and cyber threats.

Read more about our preferred XDR solution here.

ADVANTAGES OF XDR

No antivirus software can ever be 100% effective, since new strains are released every day. One of the best prevention methods is to connect to or protect the source, i.e. the endpoints.

XDR software therefore has several important advantages:

  • XDR acts as the second line of defence after antivirus software.
  • XDR software uses AI to constantly become more effective at identifying new and more malicious strains of malware.
  • It is good at identifying threats on its own via endpoints, potentially before they spread through the network.

SHOULD I CHOOSE AN XDR OR NDR SOLUTION?

There is really no single right answer here. As a rule, we always recommend that you talk to an expert so they can understand your needs as well as possible.

Companies will find value in either solution on its own, but those who really care about protecting their business against cyber threats should look into holistic strategies that include not just one, but both XDR and NDR solutions. The reason is that cyber threats come in a wide range of shapes and sizes, and a single solution will not be enough to prevent every single type of cyber threat from gaining access to your data and business operations.

You should look for an NDR solution that gives visibility across your entire network. As many companies turn to cloud-based services, this is of the utmost importance, and you must make sure the NDR solution is fully compatible with all the cloud services you use.

As for XDR solutions, find one that works well together with your other cybersecurity solutions. We recommend that companies think ahead and prepare for even the most advanced cyber threats. Find the solutions that work seamlessly in tandem to cover all of the company's weak points.

V2Security 2023 trade fair!

Meet us together with ExtraHop at the V2Security 2023 trade fair!

Denmark's largest trade fair on cybersecurity and data protection.

On 10-11 May at Øksnehallen in Copenhagen, you have the chance to meet some of the country's sharpest NDR experts.

We will also be visited by our friends from ExtraHop, who look forward to coming and telling Danish companies about the superpowers of one of the world's leading NDR products.

Attending V2 Security is free, but we recommend registering so you can secure a place before all the keynotes and seminars are fully booked.

You can register here: https://www.v2security.dk/2023/sponsor/308260/exclusive-networks-denmark-as?ref=Google

SentinelOne Expands Firewall and NDR Capabilities


Leading XDR platform announces integrations with key industry players, taking network security to new heights

MOUNTAIN VIEW, Calif., April 13, 2023–(BUSINESS WIRE)–The increasing complexity of distributed networks and remote workforces has made network visibility more challenging than ever for companies to gain. SentinelOne (NYSE: S) is making it easier. The autonomous cybersecurity platform company and leading XDR platform today announced integrations with key industry players Aruba, Checkpoint, Cisco, Darktrace, ExtraHop, Fortinet, Palo Alto Networks and an enhanced collaboration with Vectra AI, which expand the company’s firewall and network detection and response (NDR) capabilities and will allow organizations of all sizes to gain the insights they need to rapidly identify and respond to attacks across all vectors.

“The integration of firewalls and NDR capabilities perfectly complements our XDR solutions,” said Akhil Kapoor, Vice President, Technology Partnerships, SentinelOne. “In expanding our world-class partner ecosystem, we can deliver purpose-built, joint solutions that provide the complete and accurate view companies need to push their security posture to new heights and protect against tomorrow’s threats today.”

Enriched Signal Analysis with Vectra AI

By incorporating additional context from Vectra AI into the SentinelOne Singularity™ XDR platform, security operations teams can make better-informed decisions during incident triage and investigation. SentinelOne channels correlated alert data from Vectra AI into its XDR feed, offering enriched context for security analysts. This enhanced alert data enables analysts to assess the scope of an incident, evaluate its severity, and prioritize remediation efforts, ultimately reducing mean time to response (MTTR).

“We are thrilled to announce our new partnership with SentinelOne,” said Kevin Kennedy, SVP Product, Vectra AI. “By joining forces, we can provide the best attack signal for enterprise SOC teams by combining endpoint and network telemetry. This new partnership enables customers to achieve greater speed in investigation and triage, as well as more reliable visibility into unknown threats.”

Log Ingestion with Aruba, Checkpoint, Cisco, Darktrace, ExtraHop, Fortinet, and Palo Alto Networks

While NDR solutions are critical to limiting lateral movement, firewalls are key to preventing initial infiltrations. SentinelOne’s integrations with Cisco, ExtraHop, Fortinet, and Palo Alto Networks allow its XDR platform to detect network-borne threats and attack techniques like command and control (C2) beaconing and data exfiltration. With effective network security and the telemetry SentinelOne automatically collects and delivers from cloud and endpoints, customers can identify suspicious behavior or potential threats that could otherwise have gone undetected.

“At Cisco, we are excited to announce our new integration with SentinelOne,” said Jessica Bair Oppenheimer, director of strategic alliances, Security Business Group at Cisco. “Combining the power of the Singularity Platform with Cisco’s leading firewall and access management solutions will mean superior protection for joint customers. Working together, we are creating a more secure digital future for everyone.”

All integrations are available today via SentinelOne’s Singularity Marketplace. To learn more about SentinelOne’s partner ecosystem and the trusted and validated solutions that can be layered across your security stack to deliver premium protection, click here.

What is XDR?

Defining the Value in Security’s Hottest Buzzword

 

Ever watch the old ’80s cartoon the Smurfs? If you did, you may recall a quirky pattern in Smurf language, where everyday adjectives, verbs, and nouns were replaced by the word smurf: “I smurfed into the smurf for a smurf!” It’s a fun word, but without context, the word smurf means everything—which ultimately makes it mean nothing. In cybersecurity, we’re doing the same thing with XDR.

With tech acronyms growing exponentially, anytime we use a new acronym in cybersecurity, we should do our best to explain it clearly. We already have EDR, SIEM, SOAR, and NDR, to name a few, and as I walked the RSA Conference floor earlier this year, it looked like the acronym XDR was everywhere. The term is applied to many products and features in a vague, high-level fashion, making it truly hard to understand what it means. I feel really smurfed out thinking about it.

Defining Extended Detection and Response (XDR)

Extended detection and response (XDR) is a security solution based on the concept of correlating and analyzing data from multiple sources, including machine data, log data, and network data into a single, unified stream.

The concept leans on the Gartner-coined SOC visibility triad, which advocates for the use of SIEM, EDR, and NDR solutions to close visibility gaps and enable effective response times and investigations by using diverse data sources. The SOC visibility triad offers comprehensive security, but can also create data silos, which XDR—at least in theory—aims to solve.
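To make the "correlating multiple sources into a single stream" idea concrete, here is an added example (written for this page, not any vendor's code) that merges constructed EDR, NDR and SIEM alerts per host inside a time window, removes duplicate feed entries, and raises an incident's priority when independent sources agree, which is the kind of enriched triage context the Vectra AI section earlier on the page describes. The alert fields, the window size and the priority rule are assumptions.

```python
"""Correlating EDR, NDR and SIEM alerts into one unified, prioritised stream.

Added example for this page, not code from any vendor named here. It
implements the XDR idea in its simplest form: alerts from separate silos are
grouped per host inside a time window, deduplicated, and the incident's
priority rises when independent sources agree. Field names and sample alerts
are constructed.
"""
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed alerts. "source" names the silo that produced the alert.
RAW_ALERTS = [
    {"source": "edr", "host": "ws-7", "time": "2023-04-13T09:00:10",
     "severity": "medium", "detail": "powershell.exe spawned by winword.exe"},
    {"source": "ndr", "host": "ws-7", "time": "2023-04-13T09:03:40",
     "severity": "medium", "detail": "periodic outbound beacon to unknown host"},
    # Same NDR alert delivered twice by the feed; must not double-count.
    {"source": "ndr", "host": "ws-7", "time": "2023-04-13T09:03:40",
     "severity": "medium", "detail": "periodic outbound beacon to unknown host"},
    {"source": "siem", "host": "ws-7", "time": "2023-04-13T09:05:02",
     "severity": "low", "detail": "new local admin account created"},
    # Hours later on the same host: outside the window, so a separate incident.
    {"source": "edr", "host": "ws-7", "time": "2023-04-13T14:30:00",
     "severity": "low", "detail": "unsigned driver load blocked"},
    {"source": "siem", "host": "db-2", "time": "2023-04-13T09:01:00",
     "severity": "high", "detail": "failed logins from 30 distinct accounts"},
]


def parse(alert):
    """Copy an alert and turn its ISO timestamp into a datetime."""
    a = dict(alert)
    a["time"] = datetime.fromisoformat(a["time"])
    return a


def correlate(alerts, window=timedelta(minutes=15)):
    """Group alerts per host into incidents; a gap larger than window starts a new one."""
    parsed = sorted((parse(a) for a in alerts), key=lambda a: (a["host"], a["time"]))
    incidents = []
    current = None
    for a in parsed:
        if current and current["host"] == a["host"] and a["time"] - current["last"] <= window:
            current["alerts"].append(a)
            current["last"] = a["time"]
        else:
            current = {"host": a["host"], "first": a["time"], "last": a["time"], "alerts": [a]}
            incidents.append(current)
    for inc in incidents:
        # Drop exact duplicates (same source, time and detail) that a feed may repeat.
        seen, unique = set(), []
        for a in inc["alerts"]:
            key = (a["source"], a["time"], a["detail"])
            if key not in seen:
                seen.add(key)
                unique.append(a)
        inc["alerts"] = unique
        inc["sources"] = sorted({a["source"] for a in unique})
        base = max(SEVERITY_RANK[a["severity"]] for a in unique)
        # Independent sources agreeing on one host is the XDR signal: each extra
        # silo raises the priority by one step, capped at "critical".
        inc["priority"] = min(base + len(inc["sources"]) - 1, SEVERITY_RANK["critical"])
    return sorted(incidents, key=lambda i: (-i["priority"], i["first"]))


def unified_stream(alerts=RAW_ALERTS):
    """Return (host, priority, sources, alert count) rows, highest priority first."""
    return [(i["host"], i["priority"], i["sources"], len(i["alerts"])) for i in correlate(alerts)]


if __name__ == "__main__":
    for row in unified_stream():
        print(row)
```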

The Reality of How XDR Works

XDR is typically marketed as a single tool that encompasses SIEM, EDR, and NDR capabilities—but this definition hinges on the belief in a perfect security system across all data sources that detects and responds to any threat from anywhere, in any environment.

The reality of XDR typically goes one of two ways: Security organizations scrambling for the top of the security solution food chain have started to repackage any expanded detection capability as XDR to jump on the trend, or an approach that may offer aspects of SIEM, EDR, and NDR, but hands control to a single vendor.

The first pitfall isn’t exclusive to XDR. Throughout my career, I have seen vendors chase the latest buzzword. For example: When NDR first hit the scene, a number of products claimed NDR capabilities, despite offering nothing more than the top websites visited and basic NetFlow data. Similarly, the offerings under the XDR umbrella vary widely in the depth of capabilities. The XDR label has allowed even the most basic solutions to try to capitalize on the halo-effect of the buzzword du jour without making the corresponding product investments necessary to make those claims a reality.

The second pitfall is more accurate to the promise of XDR, but risks serious shortcomings in other areas. Single vendor solutions fail by diluting their offerings across the security spectrum. All too often, when a security vendor attempts to build solutions beyond core competencies they spread precious development resources thin. The end result is underwhelming solutions. There are of course occasional exceptions to this: Companies that acquire leaders in other security categories for integration into their product framework (such as SIEM & firewall solutions purchasing SOAR solutions) can do so more effectively, but customers can still lose flexibility if they get locked into products with limited integrations.

Rethinking the Value in XDR

The underlying concept of XDR is a solid reminder to look deeper and ask, ‘what’s out there that could help me be more secure?’ The ideology behind XDR is to make siloed tools and systems work together to solve the security challenges of your organization. Separate the concept of XDR from a single product, and it starts to make more sense.

I think of effective XDR as a philosophy or a strategy and not a product or solution. That philosophy is to integrate (when possible) disparate data sources to identify and investigate more threats in a simplified way.

The goal of XDR is to make security teams more effective at securing their organizations. The reality of defending against today’s threat landscape requires a massive amount of data from logs, packets, agents, instrumentation, and telemetry. These requirements are outpacing most security organizations’ ability to effectively process this massive amount of data. If we subscribe to XDR as a philosophy we can evaluate solutions based on their ability to correlate and help us understand and effectively use massive amounts of data from disparate sources.

Evaluating Strategic XDR Solutions

We should be critical but open-minded to the possibilities of purpose-built, turn-key integrations that qualify as strategic XDR. Talk is cheap; anyone can write up a one-pager claiming smurftacular capabilities, but a real-world proof of concept of each XDR competency (firewalls, NDR, SIEM, and EDR), including the fidelity of purpose-built integrations will separate the hype from reality. This will allow anyone purchasing an XDR solution to make an informed decision.

The Future of XDR?

If nothing else XDR should make you look at your framework and systems and ask, ‘what can be done better?’ The XDR concept can be used as a catalyst to examine and challenge the effectiveness of our current security toolsets: It reminds us to push forward and challenge ourselves in our current frameworks and beliefs on what is secure. The concept also asks vendors to do more to collaborate on high-fidelity integrations that support the common goal of stopping advanced threats.

I believe that ultimately the concept of XDR will push the industry forward on new innovations and challenges once competing security vendors work together to offer the integrations security teams need—we just need the hype train to leave Smurf Station and arrive in the world of reality.

SentinelOne Debuts at the Top of MITRE Engenuity ATT&CK® Deception Evaluation. See Why.

Released May 25, 2022, MITRE Engenuity ATT&CK® Evaluation Trials – Deception is an inaugural evaluation that expands the ATT&CK Evaluations landscape to evaluate vendors on their deception capabilities. The evaluation can dramatically increase analyst confidence in detection via high fidelity tripwires, causing the adversary to waste time, money, or capability, and potentially provide vendors critical new insights into adversary behavior.

What Did the ATT&CK Deception Evaluation Consist Of?

For this evaluation, MITRE chose to emulate the APT29 threat group. APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. The evaluation seeks to answer two questions:

  1. Did the adversary encounter the deception? (Observe)
  2. Did the adversary engage in the deception? (Engage)
  • Observe: Determining whether the adversary encountered deception is pretty straightforward. The evaluation can determine by running the adversary technique and recording whether it sees something different from a scenario that did not deploy deception. For the Observe portion of the evaluation, the MITRE Engenuity team did not interact with the Deception.
  • Engage: In order to fully capture the value of the vendor participants’ products, the MITRE Engenuity team executed a modified scripted plan that allowed deeper interaction with the deceptions. In the Engage portion of the Evaluation, the red team would go off-script and interact with deception if it was present. When the red team engaged, they would exhaust all interactions before going back to the script.

How Did SentinelOne Perform on the ATT&CK Deception Evaluation?

As evidenced by the results of all four years of the ATT&CK Enterprise Evaluations, the SentinelOne Singularity XDR platform already excels at visibility and detection. With SentinelOne’s Hologram deception solution tested in this evaluation, SentinelOne also protects the enterprise against sophisticated identity-based attacks.

According to MITRE Engenuity’s published results, SentinelOne observed and/or engaged with most detections, identifying 17 unique techniques, including 11 techniques that targeted identities specifically. SentinelOne’s Singularity XDR platform – and specifically its Hologram deception technology – was recognized for its ability to:

  1. Deliver Real-time Protection Against Active Directory (AD) Compromise.
    A security compromise of AD can essentially undermine the integrity of the entire enterprise enabling adversaries to steal credentials and gain access to critical systems. 

    SentinelOne protects AD privileged credentials from theft by hiding them from attackers and replacing them with decoys. During the MITRE Deception evaluation, when the MITRE red team tried to get access to the system to get account information and credentials (T1033 T1082 T1087), the solution returned decoy credentials to them every time.
    Console output showing the attempted credential enumeration

    This enables the security team to protect in real-time against advanced attacks targeting Active Directory.

  2. Mislead Attackers To Protect Critical Assets With Data Cloaking.
    Attackers steal and destroy information as part of their attacks, whether they seek to move deeper into the network or hold data for ransom. Preventing them from seeing or accessing local file and account information can prevent lateral movement, discovery, and data theft or destruction.

    SentinelOne steers adversaries away by misdirection, showing decoys indistinguishable from production assets. During the MITRE Deception evaluation, when the red team tried to monitor system activity and queried for the computer name, SentinelOne reported the decoy hostname “Newburgh” instead of the actual hostname “Utica” (T1082). When the red team tried to manipulate the software and engage with the file by browsing to it, SentinelOne hid the file from the directory listing (T1560).

    Console output showing the attempted discovery activities


    By preventing attackers from seeing or exploiting critical data, organizations can disrupt discovery or lateral movement activities and limit the damage from ransomware attacks.

  3. Stop Lateral Movement and Privilege Escalation By Preventing Pass-The-Ticket Attacks.
    Pass-The-Ticket attacks, such as a Golden Ticket attack or a Silver Ticket attack, are powerful techniques adversaries employ for post-exploitation lateral movement and privilege escalation. Using these techniques, attackers can gain unlimited access to any endpoint or service on the network, potentially causing catastrophic consequences.

    During the MITRE Deception Evaluation, when the red team created a ticket, the terminal output of klist reported no cached tickets. SentinelOne detected a Kerberos attack and hid the contents of the klist command from the output (T1550).
    Console output showing the Pass-the-Ticket attack attempt

    SentinelOne denies the red team from using the Golden Ticket, even though Mimikatz generated and loaded it successfully. SentinelOne detects forged Kerberos Golden and Silver tickets and prevents lateral movement and privilege escalation when the red team uses the forged Kerberos tickets.

  4. Maximize Security Insight Into the Adversary Behavior.
    SentinelOne’s deception technology not only serves to detect and respond to active attackers in a customer environment but also to inform and strengthen security programs in the longer term. By misdirecting attacks using SentinelOne, defenders can gain ingestible, actionable TTP information and high-confidence, substantiated attack forensics that can support investigations and develop threat intelligence. SentinelOne even lets you visualize attacks, see how they progressed over time, and map their associated events to the MITRE ATT&CK D3FEND™ matrix.

Mapping to MITRE Engage Matrix

The MITRE Engage Matrix is a framework for planning and discussing adversary engagement operations that empower organizations to engage their adversaries and achieve their cybersecurity goals. MITRE Engage seeks to help defenders by lowering the barrier to entry while raising the ceiling of expertise to use adversary engagement technologies. SentinelOne provides the most extensive capabilities to implement the activities outlined in the Engage Matrix, covering 38 of the 41 areas in the Operations phase.

Why SentinelOne? Why Should It Matter To You?

Top Coverage for Both Enterprise ATT&CK + Deception ATT&CK Frameworks

As a leader across MITRE Enterprise ATT&CK Evaluations for the third consecutive year and a leader in the inaugural MITRE ATT&CK Deception Evaluation Trial, SentinelOne once again demonstrates its commitment to pushing the boundaries to help enterprises gain control of their dynamic attack surface.

As the first and only XDR vendor to participate and lead the ATT&CK Deception Evaluation, Singularity XDR platform demonstrates the most powerful, autonomous XDR platform, reducing the enterprise attack surface across human, device, and cloud attack surfaces. The solution provides an effective combination of prevention, protection, detection, and deception capabilities to stop attackers early whether they are attempting to establish a beachhead inside the network or compromising identity data to move laterally, escalate privileges, and acquire targets.

SentinelOne is an enthusiastic supporter of what MITRE does, bringing transparent and open evaluation methodologies to the security industry and participating in all the evaluations has become an essential practice that we have used to improve our products further.

To learn more about SentinelOne’s results on the ATT&CK® Deception Evaluations, visit https://www.sentinelone.com/lp/mitre-deception/

To learn more about SentinelOne’s results on the fourth round of ATT&CK® Enterprise Evaluations, visit: https://www.sentinelone.com/lp/mitre/.

How to Stay Ahead of the Adversary in 2022 | A Cybersecurity Checklist

Rarely a week passes by without news of another company being breached, a ransomware attack crippling critical infrastructure, or a data loss event causing millions to suffer a loss of privacy. On the other hand, these same organizations are trying as hard as they can to safeguard their customers, their data and their reputations. So what is missing? Is it a gap in technology? Is it about strengthening policies and procedures? Is it simply “the cost of doing business” – an inevitable outcome of the way we work and trade today?

In this post, I will share a few of the main reasons why we are where we are, and provide some simple steps for enterprises to take to change this paradigm.

Top 5 Trends That Increase Cyber Security Risk in 2022

There are a vast number of threats and threat actors out there, and their numbers are only growing. This expansion reflects a number of major technological shifts in recent years that have contributed to the changing threat landscape.

1. Increasing Discovery of Software Vulnerabilities

Vulnerability hunting has hit the big-time in recent years, thanks in large part to the popularity of bug bounty programs and “hacker” platforms that reward researchers and share knowledge. This is not only a good thing, it’s undoubtedly a necessary thing.

However, the flipside of better vulnerability reporting is faster time to exploitation, as threat actors rapidly jump on research publications and look for victims that have failed or are unable to patch. Exploited vulnerabilities can cause serious damage to all organizations, including those running our critical infrastructure.

Phasing out unpatchable technology and obtaining visibility across the entire digital estate are imperatives. Until then, the net result is that the bar for breaching unwary organizations will keep getting lower.

2. The Hybrid Nature of Today’s Networks

Users and identity represent the new cybersecurity frontier as the world of work moves away from the office to remote or location independent. As long as users are connected, they remain part of your network, whether they are in the next office or on the other side of the world.

The new reality of a distributed workforce increases the risk to enterprises as attackers shift to targeting end users and endpoints via compromising credentials and authentication methods at any point along the entire supply chain.

Take, for example, the recent highly-publicized activities of the Lapsus$ hacker group, which among other things compromised Okta’s systems by gaining remote access to a machine belonging to an employee of Sitel, a company subcontracted to provide customer service functions for Okta.

3. The Migration to the Cloud

The new kid on the block is your cloud assets. While businesses are growing rapidly by scaling up their offering with the cloud, it makes it harder for security teams and defenses to stay on top of that risk. The security implications of AWS, Azure or other cloud assets is difficult to grasp for many businesses, even those with large SOCs.

From cloud misconfigurations and compromise through vulnerable services – think Log4J – protecting cloud workloads can be a challenging task, particularly when they are spread over public clouds, private clouds and on-prem data centers.

4. Increasing Attacks on IoT Devices

‘Smart devices’ that are connected to the internet have increased the attack surface for organizations. From networked printers to security cameras, anything connected to the public internet can serve as a backdoor into your organization.

Increased risk caused by IoT devices includes unchanged default passwords, outdated firmware with known exploitable vulnerabilities, and the lack of network discovery for many IT and security teams. As threat actors scan networks with automated tools for any sign of weakness, administrators similarly need automated tools that can identify and protect any device as it is plugged into the network.

The increasing use of unprotected or insecure Smart devices has given attackers an easy way into networks, a beachhead from which they launch attacks to steal information or commit fraud through ransomware or other techniques.

5. Increase in BYOD and Mobile Authentication

While the use of mobile devices in the workplace has been with us for a number of years now, mobiles and mobile authentication is still creating new opportunities for malicious actors to steal valuable data.

Mobile authentication, or the verification of a user’s identity through a mobile device and one or more authentication methods to ensure secure access, has opened a new stream of attacks, using recycled numbers and other new attack vectors. Recent examples include attackers using social engineering techniques against users suffering from so-called “MFA fatigue”, where multiple 2FA push notifications trick users into authenticating fake login attempts.

The Threat Landscape is Booming

The bar for compromising enterprise assets is lower than ever before. There are a few reasons for that. As one of the main operating system vendors, Microsoft plays a significant role in this area. There are too many ways attackers utilize vulnerabilities to infiltrate secured networks. Some notable examples include ProxyLogon, Hafnium, and many others. There are growing voices in our industry criticizing the way Microsoft handles researcher vulnerability reporting, including some very vocal discussions. Other OS vendors should also improve the way they respond to vulnerabilities, and work more closely with security vendors to make their products better.

Key Takeaways – A CISO’s Cybersecurity Checklist

  • Eat Your Vegetables – Always stay ahead of best practices, ensuring you kill off any “low-hanging fruit” attack vectors. This includes enforcing multi-factor authentication and deploying endpoint protection on every computer, cloud or mobile device. Use your budget and create teams who live and breathe securing your organizations. Know your adversaries. Simulate attacks and see that you are ready for the day of a breach. Create backups. There are no shortcuts here.
  • Create a Coalition – Cybersecurity is not a challenge only for the CISO: It’s a priority for the company. This means the CEO, the board of directors and other senior stakeholders should be aware of the risks and consider them against the priorities of the business.

    In 2022, there is no business without security. The CISO needs to ensure that all these stakeholders are aware of that and that they understand securing the enterprise does not happen in a silo. Share news, simulate breach responses, raise awareness. A breach can be caused by malicious actors or happen accidentally, but either way, it can cost companies millions in damages, lost revenue and reputational harm.
  • Stay Informed, and Increase Awareness of End Users – Follow the news and share with your users. While some headlines can inevitably be overblown, they can also be motivating, and there’s nothing exaggerated about the cost of ransomware, BEC, fraud and other cybercrimes to businesses today. Keep your people in the know regarding cybersecurity risks by encouraging them to be aware of and interested in cyberspace. If the topic is good enough for mainstream television, we can make it good enough for our users also.
  • Get an Outsider’s Perspective – If you can run a red team, that’s great. If you cannot, work to establish periodic red team exercises to ensure there are no blind spots within your organization. If you are developing software or providing software as a service, run a bug bounty program and ensure “friendly eyes” are discovering your vulnerabilities before attackers do.
  • Know Your Enterprise Assets – How well do you know the security implications of your AWS, Azure or other cloud assets? What are the security implications of running Docker and Kubernetes? Cloud-focused attacks are a rapidly growing area of interest to opportunistic and targeted attackers alike.

    While the techniques used in such attacks are vast and varied, they typically rely heavily on the fact that cloud networks are large, complex, and onerous to manage. This makes agent-based and container security solutions critical for defending an organization’s workloads across all cloud platforms. Look for and deploy security solutions that make this complexity simple.
  • Remember Supply Chain Attacks – Be in the know to reduce the risk of supply chain attacks. Although it is difficult for any security team to monitor and approve every business application entering the enterprise, visibility into every device can provide good insight into applications that may be more vulnerable than your end users believe.

    The previous year in cybersecurity showed us all how easy it is for adversaries to compromise widely-used applications. The SolarWinds and Kaseya compromises were unfortunate but timely reminders that software dependencies are a massive blind spot. When organizations rely on shared modules, plug-ins, and packages from open-source or non-security-focused developers, the chance of such components being secure out of the box is low.

    Attacks tend to seek the easy way in, and compromising relatively weak applications that are used by many is all an attacker needs. Technology can help to maximize visibility across the entire cyber estate.

Conclusion

There are no magic bullets, and cybersecurity remains a challenge that requires focus, knowledge and the right solutions that fit your business needs. SentinelOne is here to help CISOs with the challenge of securing the enterprise. To learn more about how to defend and protect your organization from today’s adversaries, contact us for more information or request a free demo.


Email Security and XDR | Simple Integration, Powerful Results

The State of Email Security

As tactics change, the sophistication of threat actors increases, and new vulnerabilities are constantly discovered, security operations teams are stretched to the limit investigating and remediating each incident. Email remains one of the most highly leveraged attack vectors. A staggering 79% of respondents to Mimecast’s State of Email Security 2022 study reported an increase in email volume at their organization, while 72% reported the number of email-based threats had risen during the past 12 months. Organizations today seek integrated defenses to protect email and improve incident response capabilities, while helping to reduce complexity, minimize risk, and decrease the demand on an already over-extended and under-staffed security team.

The State of Threat Intelligence

As email-based cyber attacks continue to rise, security teams are stretched and suffering from alert fatigue. They still struggle with decision making, relying on the limited data found during an investigation and accepting that decisions will be made on incomplete knowledge because they do not have time to investigate further.

Another common challenge: Security teams spend so much time gathering data that they do not have time to solve the problem. Organizations have to reduce complexity, minimize risk, and decrease the demand they put on already overtasked security teams. In the meantime, threats can move laterally throughout the organization before they are properly identified and remediated.

The Cybersecurity Skills Gap

And while the volume, intensity, and intelligence of cyberthreats increase, the world is simultaneously seeing a shortage of skilled cybersecurity talent that continues to widen. Tight job market or not, SOC analysts remain fatigued with the collection, normalization, and prioritization of data, unable to focus on cybersecurity incident response and resolution. Organizations face challenges hiring and retaining skilled security professionals. The deluge of alerts from security tooling and repetitive nature of the Tier 1 analyst position makes burnout one of the leading contributors to this shortage.

A New Solution Has Become Necessary

Security teams look to automation to help alleviate some of the repetitive tasks of incident response so they can focus their limited resources on the highest-impact and most critical incidents, increasing throughput and reducing the time to respond. Integrating automation tools can help alleviate some of the alert and decision-making fatigue, data gathering woes, worker burnout, and pain caused by a lack of skilled workers, but we can leverage technology to do much more than that. As threats become more complex and organizations face worker shortages, a more advanced method of detection – XDR – has become necessary for most organizations.

What Is XDR, and Why Is It So Critical?

In an era where there are essentially no network perimeters, and disastrous breaches can come from anywhere at any time, security teams must sharpen their focus on threat detection and response.

In many organizations, earlier approaches such as first-generation security information and event management (SIEM) systems have proven unwieldy. They can be difficult to deploy and integrate, and are too costly and too susceptible to false positives. Linking SIEM to security orchestration, automation and response (SOAR) systems has helped some organizations build playbooks that automate responses to certain threats, but creating these has often been more complex and difficult than anticipated.

Cloud-native XDR solutions promise to overcome each of these problems, providing more focused and actionable data, better integration, more relevant insights, fewer false positives, and easier automation of responses. As XDR moves beyond endpoint-only EDR, it promises to provide the fuller visibility and faster response that could not be achieved with earlier tools.

Integrated Solutions Stop Threats

Strategic integrations lessen SOC teams’ pain by using automation between email and endpoint security solutions to prevent the lateral movement of threats throughout the organization.

Mimecast and SentinelOne provide an integrated solution that stops threats and streamlines response across the organization. Customers can be confident their devices will be protected from zero-day threats across each endpoint. By correlating response between email and endpoint security solutions, analysts automate repetitive tasks for faster and more comprehensive incident response. When integrated, the two solutions deliver accelerated incident response and a reduced mean time to respond.

How the Mimecast and SentinelOne Integration Works

SentinelOne Singularity XDR provides AI-powered prevention, detection, and response across endpoints, cloud workloads, and IoT devices. When a threat is detected in SentinelOne, SentinelOne Storyline™ correlates detections and activity data across security layers, including email, endpoints, mobile, and cloud. Analysts can streamline the organization’s response by automatically suspending email for a given user, blocking the user’s email, or quarantining the account. Upon detection of the threat, SentinelOne can automatically suspend the last logged-in user’s ability to send email, closing a critical lateral movement path.

Sample Attack Timeline Without XDR Integration


Sample Attack Timeline With XDR Integration

Stopping Attacks Like LAPSUS$

Integrated solutions like the one from SentinelOne and Mimecast can stop prominent and damaging attacks like the recent LAPSUS$ attacks.

Threat actors such as LAPSUS$ take the time needed to research employees at a company they have decided to target. They first compromise the employee’s personal network and search for credentials that can be used to access corporate systems. This is particularly easy if the employee uses the same passwords for both their personal and work accounts. Even if the attacker does not find the credentials they are looking for, they can use the information they have already obtained to reset passwords and complete account recovery actions. Attackers like LAPSUS$ have even been known to call a company’s IT Helpdesk to attempt to get credentials reset.

The SentinelOne and Mimecast integration can stop attacks like LAPSUS$ by preventing them from moving laterally. The two solutions share information about threats that have been identified, reducing the likelihood that an attack will be successful. Security Awareness Training can also play an important part in thwarting attacks like LAPSUS$, giving employees an edge in identifying potential threats that can arrive in either their personal or work email.

The Bottom Line

Email security and XDR are the ideal pairing for security teams that are overtasked and struggling to keep up with alert volume and a never-ending stream of threats delivered via email. For more information about how your organization can benefit from this joint SentinelOne and Mimecast solution, read our joint solution brief.

4 Steps Toward Successfully Measuring the Effectiveness of Your Security Controls

In the past, organizations might have been able to get away with firewalls and antivirus software as their primary defenses against cybercriminals. Unfortunately, those days are long gone. Defending against today’s threats requires a more active approach capable of evolving alongside attackers and their ever-changing tactics. “Set it and forget it” security tools are no longer an option. Today’s organizations need to continuously evaluate the effectiveness of their security controls, identifying potential weaknesses, vulnerabilities, compliance issues, and other problems.

Determining the effectiveness of these tools isn’t always easy, though. What’s more, company leaders are generally interested in knowing more than just how security solutions deal with threats. They want to understand the value the tools provide and whether they are generating enough ROI to justify continued use, which can be difficult to measure in specific, quantifiable terms. Fortunately, there are options available. Organizations seeking to understand the performance of their security solutions better should focus on a few key areas.

1. Gauging Attack Surface Awareness

Building a wall to keep attackers at bay isn’t sufficient in today’s threat landscape. Eventually, one or more will get in. It simply isn’t possible to stop 100% of threats, meaning that security should shift from focusing on perimeter protection to in-network detection. To be successful, organizations need awareness of things like exposed credentials, misconfigurations, potential attack paths, and other vulnerabilities that attackers are likely to exploit.

There is a wide range of tools available that can help. Endpoint Detection and Response (EDR) tools provide visibility into attacks on endpoints, while Extended Detection and Response (XDR) tools expand upon those capabilities by integrating with other solutions. Attackers will almost always look to compromise Active Directory (the service that handles authentication throughout the enterprise), which is notoriously difficult to secure. Detection tools capable of identifying suspicious AD queries and other potential attack activity can help prevent the nightmare scenario of a compromised AD.

Of course, identity security is also increasingly critical. While traditional EDR tools and AD security solutions don’t offer the identity protection needed in today’s environments, Identity Threat Detection and Response (ITDR) solutions have emerged to fill that gap.

It all comes down to coverage. Organizations can assess the degree of awareness they have in the network. Identity controls without endpoint protection can leave networks dangerously vulnerable, as can endpoint protection without AD security. And as more and more organizations embrace the cloud, new cloud environments will expand the attack surface even further. Ensuring sufficient visibility across the entire network is a critical first step in assessing the effectiveness of an organization’s tools.

2. Investigating Permissions and Entitlements

Overprovisioning is a serious problem today. IT teams generally do not want to interfere with business operations, which means it is easier to provide users and other identities with more permissions than they need rather than risk impeding someone’s job function. Unfortunately, identities often end up with entitlements that far outstrip what they actually need to do their jobs. Consequently, when attackers compromise those identities, they also have access to far more data than they otherwise would have.

Implementing a Zero Trust Architecture (ZTA) is one way of dealing with this challenge, providing identities with only the minimum level of access they need to function and continuously validating that they are who or what they say they are. To that end, organizations need tools to identify excessive permissions and other potential vulnerabilities throughout the network. Organizations should regularly audit and update these permissions to ensure they remain appropriate, and that someone can examine those audits. How many excessive permissions were detected? How many obsolete or orphaned credentials did they expunge? Proper awareness across the network can help IT teams gauge how effectively they are managing their permissions.

3. Measuring and Improving Detection Accuracy

Security alerts are good—ostensibly, they indicate that security tools are functioning correctly and detecting threats. Unfortunately, that isn’t always the case. Suspicious-looking activity often turns out to be harmless, resulting in a false alarm that wastes the security team’s time with useless investigation. These false alerts can result in alert fatigue, with excessive false alarms drowning out the actual threats needing remediation.

Tracking the false positive reporting rate (FPRR) can help security personnel understand the quality of their alerts. Track it per detection rule as well as overall, since a handful of noisy rules usually account for most of the false alarms. If the FPRR is too high, it may be time to look into newer, more accurate tools. Today’s detection technology often comes armed with artificial intelligence and machine learning (AI and ML) capabilities that allow it to learn over time and substantiate alerts before relaying them to the security team. These high-fidelity alerts reduce the overall alert volume and enable network defenders to focus on actual threats rather than chasing ghosts.

4. Understanding the Effectiveness of Automation

Automation is useful for more than reducing false alarms. It isn’t always feasible to manually remediate all threats at today’s attack volumes. Fortunately, today’s tools can automatically correlate attack information from different sources and display it on a single dashboard for assessment. By creating playbooks for certain types of attack activity, these tools can automatically remediate specific threats before even bringing them to the attention of a defender. This automation accelerates and simplifies incident response, addressing threats as soon as they are detected and stopping them before they can escalate and spread throughout the network.

Incident response volume is a good way to gauge how effective these controls are. The number of incidents reported as open, closed, or pending can provide insight into how well automated tools deal with threats. Too many open or pending incidents doesn’t bode well, but a significant number of verifiably closed cases means the system is doing its job.
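Both measures described in sections 3 and 4 above can be computed from an export of triaged alerts and incidents. The following PowerShell is an added example, not code from the original post or from any SentinelOne product. It assumes the field names RuleName, Disposition, Status, ClosedBy, OpenedAt and ClosedAt; map them from whatever your SIEM or XDR console actually exports. The sample records at the bottom are constructed for illustration.

```powershell
# Added example: per-rule false positive rate and an incident-status summary.
# Field names (RuleName, Disposition, Status, ClosedBy, OpenedAt, ClosedAt) are
# assumptions; adapt them to your console's export format.

function Get-RuleFalsePositiveRate {
    param(
        [Parameter(Mandatory)] [object[]] $Alerts,
        [double] $Threshold = 0.5   # flag rules where more than half the alerts were false positives
    )
    $Alerts | Group-Object -Property RuleName | ForEach-Object {
        $total = $_.Count
        $fp    = @($_.Group | Where-Object { $_.Disposition -eq 'FalsePositive' }).Count
        $rate  = $fp / $total
        [pscustomobject]@{
            RuleName          = $_.Name
            Alerts            = $total
            FalsePositives    = $fp
            FalsePositiveRate = [math]::Round($rate, 2)
            NeedsTuning       = ($rate -gt $Threshold)
        }
    } | Sort-Object -Property FalsePositiveRate -Descending
}

function Get-IncidentSummary {
    param([Parameter(Mandatory)] [object[]] $Incidents)
    $closed = @($Incidents | Where-Object { $_.Status -eq 'Closed' })
    $hours  = @($closed | ForEach-Object { ($_.ClosedAt - $_.OpenedAt).TotalHours })
    [pscustomobject]@{
        Open             = @($Incidents | Where-Object Status -eq 'Open').Count
        Pending          = @($Incidents | Where-Object Status -eq 'Pending').Count
        Closed           = $closed.Count
        ClosedByPlaybook = @($closed | Where-Object ClosedBy -eq 'Playbook').Count   # automation share
        MeanHoursToClose = if ($hours.Count) { [math]::Round(($hours | Measure-Object -Average).Average, 1) } else { $null }
    }
}

# Constructed sample data, as an analyst might export it after a week of triage.
$alerts = @(
    [pscustomobject]@{ RuleName = 'LSASS memory access';      Disposition = 'TruePositive' }
    [pscustomobject]@{ RuleName = 'LSASS memory access';      Disposition = 'FalsePositive' }
    [pscustomobject]@{ RuleName = 'Office spawns PowerShell'; Disposition = 'FalsePositive' }
    [pscustomobject]@{ RuleName = 'Office spawns PowerShell'; Disposition = 'FalsePositive' }
    [pscustomobject]@{ RuleName = 'Office spawns PowerShell'; Disposition = 'TruePositive' }
    [pscustomobject]@{ RuleName = 'New local admin created';  Disposition = 'TruePositive' }
)
$incidents = @(
    [pscustomobject]@{ Id = 1; Status = 'Closed';  ClosedBy = 'Playbook'; OpenedAt = [datetime]'2022-06-01T09:00'; ClosedAt = [datetime]'2022-06-01T09:05' }
    [pscustomobject]@{ Id = 2; Status = 'Closed';  ClosedBy = 'Analyst';  OpenedAt = [datetime]'2022-06-01T10:00'; ClosedAt = [datetime]'2022-06-02T10:00' }
    [pscustomobject]@{ Id = 3; Status = 'Open';    ClosedBy = $null;      OpenedAt = [datetime]'2022-06-03T08:00'; ClosedAt = $null }
    [pscustomobject]@{ Id = 4; Status = 'Pending'; ClosedBy = $null;      OpenedAt = [datetime]'2022-06-03T11:00'; ClosedAt = $null }
)

Get-RuleFalsePositiveRate -Alerts $alerts | Format-Table -AutoSize
Get-IncidentSummary -Incidents $incidents | Format-List
```

With the sample data, "Office spawns PowerShell" is flagged for tuning (two of three alerts were false positives) while "LSASS memory access" sits exactly at the threshold and is not, which is the per-rule view a global FPRR hides. The incident summary separates playbook-closed cases from analyst-closed ones so the automation's contribution can be reported on its own rather than folded into the closed count.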

Conclusion

Today’s threats are wide-ranging, and modern attackers don’t just focus on large organizations. Everyone is at risk, and organizations large and small need to have appropriate protections in place and the knowledge and resources necessary to gauge their efficacy. Fortunately, assessing things like network visibility, entitlement management, and incident and false alarm reporting can help organizations determine their overall network health and how well their defenses are faring.

This information can also help security teams generate additional buy-in from CISOs and corporate boards when enhancing and expanding their network defense capabilities. As attackers evolve, network defense tools evolve alongside them, and helping today’s business leaders understand the steps needed to stay one step ahead of the cybercriminals is essential. Given that the average cost of a data breach in 2021 rose to $4.24 million, effective security solutions have never been more critical.

If you would like to learn how SentinelOne can help protect your business, contact us or request a free demo.

Top 10 Ways to Protect Your Active Directory

Active Directory (AD) is a high-value target for attackers, who frequently attempt to compromise it to escalate their privileges and expand their access. Unfortunately, its operational necessity means that AD must be easily accessible to users throughout the enterprise—making it notoriously difficult to secure. Microsoft has stated that more than 95 million AD accounts come under attack every day, underscoring the seriousness of the problem.

While protecting AD is a challenge, it is far from impossible—it just requires the right tools and tactics. Below are ten tips that enterprises can use to more effectively secure AD against some of today’s most common attack tactics.

1. Prevent and Detect Enumeration of Privileged, Delegated Admin, Service, and Network Sessions

Once an adversary has penetrated perimeter defenses and established a foothold within the network, they will conduct reconnaissance to identify potentially valuable assets and how to reach them. One of the most effective ways to do this is to query AD, since such queries look like normal business activity and stand little chance of detection.

The ability to detect and prevent enumeration of privileged accounts, delegated admins, service accounts, and network sessions can alert defenders to the presence of an adversary early in the attack cycle. Deploying deceptive domain accounts and credentials on endpoints can also trip up attackers and allow defenders to redirect them to decoys for engagement.

2. Identify and Remediate Privileged Account Exposures

Users often store credentials on their workstations. Sometimes they do this accidentally, while other times willingly—usually for convenience. Attackers know this and will target those stored credentials to gain access to the network environment. The right set of credentials can go a long way, and intruders will always look to escalate their privileges and access further.

Enterprises can avoid giving attackers an easy way in by identifying privileged account exposures, remediating misconfigurations, and removing saved credentials, open shared folders, and other exposures.

3. Protect and Detect “Golden Ticket” and “Silver Ticket” Attacks

Pass-the-Ticket (PTT) attacks are among the most powerful techniques adversaries use to move laterally throughout the network and escalate their privileges. Kerberos is stateless by design: a domain controller or service accepts any ticket that carries a valid signature rather than checking it against a record of the tickets it issued, so an attacker who obtains the right key can forge tickets the domain trusts. “Golden Ticket” (a TGT forged with the krbtgt account’s key) and “Silver Ticket” (a service ticket forged with a service account’s key) are two of the most severe PTT variants, used to achieve domain compromise and domain persistence.

Addressing this requires the ability to detect a vulnerable krbtgt account (whose key signs every TGT and which should be reset twice after any suspected compromise) and exposed computer and service accounts, identifying and alerting on misconfigurations that could lead to PTT attacks. Additionally, a solution like Singularity Identity can prevent the use of forged tickets at the endpoints.

4. Protect Against Kerberoasting, DCSync, and DCShadow Attacks

A “Kerberoasting” attack is an easy way for adversaries to gain privileged access: any domain user can request a service ticket for an account that has a service principal name (SPN) and crack that account’s password offline. DCSync abuses directory replication rights to pull password hashes, including the krbtgt hash, from a domain controller, and DCShadow registers a rogue domain controller to push unauthorized changes into the directory; both give an attacker domain persistence within an enterprise.

Defenders need the ability to perform a continuous assessment of AD that provides real-time analysis of AD attacks while alerting on the misconfigurations that lead to those attacks. Furthermore, a solution capable of leveraging endpoint presence to prevent bad actors from discovering accounts to target can inhibit their ability to carry out these incursions.

5. Prevent Credential Harvesting From Domain Shares

Adversaries commonly target plaintext or reversibly encrypted passwords stored in logon scripts or Group Policy files (such as the cpassword attribute in Group Policy Preference XML files) in domain shares like SYSVOL or NETLOGON, which every domain user can read.

A solution like Ranger AD can help detect these passwords, allowing defenders to remediate the exposures before attackers can target them. Mechanisms like those in the Singularity Identity solution can also deploy deceptive Sysvol group policy objects in the production AD, helping to further disrupt the attacker by misdirecting them away from production assets.

6. Identify Accounts With Hidden Privileged SID

Using the Windows Security Identifier (SID) injection technique, adversaries can take advantage of the sIDHistory attribute, which is intended to preserve access during domain migrations. Adding a privileged SID to an account’s history grants it that group’s access without any visible group membership, allowing the attacker to move laterally within the AD environment and further escalate their privileges.

Preventing this requires detecting and reporting on accounts whose sIDHistory attribute contains well-known privileged SIDs, such as those ending in RID 500 (Administrator), 512 (Domain Admins) or 519 (Enterprise Admins).

7. Detect Dangerous Access Rights Delegation on Critical Objects

Delegation is an AD feature that allows a service running under a user or computer account to act on behalf of another account. For example, when a user calls a web application hosted on a web server, the application can use the user’s identity to access resources hosted on a different server. Any domain computer with unconstrained delegation enabled receives a copy of the Ticket Granting Ticket of every user who authenticates to it and can use that ticket against any other service in the domain. Unfortunately, attackers can exploit this feature to gain access to different areas of the network.

Continuous monitoring of AD vulnerabilities and delegation exposures can help defenders identify and remediate these vulnerabilities before adversaries can exploit them.

8. Identify Privileged Accounts With Delegation Enabled

Speaking of delegation, privileged accounts configured with unconstrained delegation are a direct path to compromise: such an account normally carries an SPN, which makes it Kerberoastable, and once its key is recovered it can be used to forge Silver Tickets for its services while the delegation itself hands the attacker every user’s TGT. Enterprises need the ability to detect and report on privileged accounts with delegation enabled.

A comprehensive list of privileged users, delegated admins, and service accounts can help defenders take stock of potential vulnerabilities. In this instance, delegation is not automatically bad. It is often necessary for an operational reason, but defenders can use a tool like Singularity Identity to prevent attackers from discovering those accounts.

9. Identify Unprivileged Users in AdminSDHolder ACL

Active Directory Domain Services (AD DS) uses the AdminSDHolder object and the Security Descriptor Propagator (SDProp) process to secure privileged users and groups. The AdminSDHolder object has a unique Access Control List (ACL), which SDProp periodically copies onto every security principal that is a member of a built-in privileged AD group. To enable lateral movement and persistence, attackers can add an entry for an account they control to the AdminSDHolder ACL, granting it the same rights over every protected account that legitimate administrators have.

Organizations can prevent this activity with a tool like Ranger AD to detect and alert on the presence of unusual accounts within the AdminSDHolder ACL.

10. Identify Recent Changes to Default Domain Policy or Default Domain Controllers Policy

Within AD, organizations use group policies to manage several operational configurations by defining security settings specific to the environment. These often configure administrative groups and include startup and shutdown scripts. Administrators configure them to set organization-defined security requirements at each level, install software, and set file and registry permissions. Unfortunately, attackers can change these policies to achieve domain persistence within the network.

Monitoring changes to default group policies can help defenders quickly spot these attackers, mitigating security risks and helping to prevent privileged access to AD.
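Several of the exposures in items 4 through 10 above can be checked against a domain with nothing but the RSAT modules. The script below is an added example, not code from the original post or from the Ranger AD or Singularity Identity products. It assumes a domain-joined management host with the ActiveDirectory and GroupPolicy PowerShell modules installed (importing ActiveDirectory also provides the AD: drive used for ACL reads), and it is read-only. The "expected principal" lists and the 30-day GPO review window are assumptions to be baselined against a known-good domain before the output is trusted.

```powershell
# Added example: read-only audit of common AD exposures (items 4-10 above).
# Requires RSAT ActiveDirectory + GroupPolicy modules; changes nothing.
# Expected-principal lists and the 30-day window are assumptions to baseline.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$nb       = $domain.NetBIOSName
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# 4. Kerberoasting: any domain user can request a ticket for an account with an
#    SPN and crack it offline, so privileged (adminCount=1) accounts come first.
Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
           -Properties ServicePrincipalName, adminCount |
    ForEach-Object {
        $priv = if ($_.adminCount -eq 1) { 'privileged' } else { 'standard' }
        Add-Finding 'Kerberoastable' $_.SamAccountName "$priv user with SPN $($_.ServicePrincipalName -join ', ')"
    }

# 4. DCSync: a principal holding both replication extended rights on the domain
#    object can pull every password hash. Only DCs and built-in admin groups should.
#    (GenericAll/WriteDacl holders could grant themselves these; review those separately.)
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$expectedSync  = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
                   "$nb\Domain Controllers", "$nb\Domain Admins", "$nb\Enterprise Admins")
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { ($_.AccessControlType -eq 'Allow') -and ($_.ObjectType -in @($getChanges, $getChangesAll)) } |
    Group-Object -Property IdentityReference |
    Where-Object { ($_.Count -ge 2) -and ($_.Name -notin $expectedSync) } |
    ForEach-Object { Add-Finding 'DCSync rights' $_.Name 'holds Get-Changes and Get-Changes-All on the domain object' }

# 6. SID history: a well-known privileged RID in sIDHistory grants the same access
#    as group membership but never shows up in Get-ADGroupMember.
$privilegedRid = '-(500|512|516|518|519)$'
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
    $obj = $_
    $obj.sIDHistory | Where-Object { ($_.Value -match $privilegedRid) -or ($_.Value -eq 'S-1-5-32-544') } |
        ForEach-Object { Add-Finding 'Privileged SID history' $obj.Name $_.Value }
}

# 7/8. Delegation: unconstrained (UAC bit 0x80000) reuses the TGT of anyone who
#      authenticates to the account; constrained is listed too. DCs (primaryGroupID 516) excluded.
Get-ADObject -LDAPFilter '(&(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))(!(primaryGroupID=516)))' `
             -Properties userAccountControl, adminCount |
    ForEach-Object {
        $kind = if ($_.userAccountControl -band 0x80000) { 'unconstrained' } else { 'constrained' }
        $priv = if ($_.adminCount -eq 1) { ', privileged account' } else { '' }
        Add-Finding 'Delegation' $_.Name "$kind delegation on $($_.ObjectClass)$priv"
    }

# 9. AdminSDHolder: SDProp stamps this ACL onto every protected account and group,
#    so one unexpected ACE here is persistent control over all of them.
$expectedAdminSD = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
                     'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
                     'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
                     "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers")
(Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
    Where-Object { $_.IdentityReference.Value -notin $expectedAdminSD } |
    ForEach-Object { Add-Finding 'AdminSDHolder ACL' $_.IdentityReference.Value "$($_.AccessControlType) $($_.ActiveDirectoryRights)" }

# 10. Default GPOs: a recent change nobody can account for is a classic
#     persistence move (startup script, restricted-groups edit).
$cutoff = (Get-Date).AddDays(-30)
Get-GPO -All |
    Where-Object { ($_.DisplayName -in @('Default Domain Policy', 'Default Domain Controllers Policy')) -and ($_.ModificationTime -gt $cutoff) } |
    ForEach-Object { Add-Finding 'Default GPO changed' $_.DisplayName "modified $($_.ModificationTime), versions computer/user $($_.Computer.DSVersion)/$($_.User.DSVersion)" }

# 5. SYSVOL: Group Policy Preferences stored credentials as "cpassword" (decryptable
#    with a published key) and logon scripts often embed passwords. Only path and
#    line number are reported so the secret is not copied into the findings.
$sysvolRoot = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)"
Get-ChildItem -Path $sysvolRoot -Recurse -Include *.xml, *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=|password\s*=\s*\S' |
    ForEach-Object { Add-Finding 'Credential in SYSVOL' $_.Path "line $($_.LineNumber)" }

$findings | Sort-Object Check, Object | Format-Table -AutoSize -Wrap
```

Every line of output is a candidate for review, not a verdict: a backup or Azure AD Connect service account may legitimately hold replication rights, an SPN on a long-lived service account is normal, and Key Admins or Enterprise Key Admins appear in the AdminSDHolder ACL on newer forest levels. Record the reviewed exceptions in the expected lists and run the script on a schedule so that only new deviations surface.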

Putting the Right Tools in Place

Understanding the most common tactics adversaries use to target AD can help enterprises defend it. When developing tools like Ranger AD and Singularity Identity, we considered many attack vectors and identified how best to detect and derail them.

With these tools in place, today’s enterprises can effectively identify vulnerabilities, detect malicious activity early, and remediate security incidents before intruders can escalate their privileges and turn a small-scale attack into a major breach. Protecting AD is a challenge, but it is not an insurmountable one, thanks to today’s AD protection tools.

 


On the Board of Directors? Beware of These Six Common Cyber Security Myths

The days when cyber security was merely a technical or niche issue to be dealt with by some small department in the basement are long behind us. Boards now have CISOs and CIOs, and yet there is still a need for all directors to understand the impact of cyber security risk when making strategic business decisions as well as to understand what to ask when a breach takes place.

Failing to grasp the nature of cyber security in today’s business environment can have dire consequences. Proper board preparedness and planning are critical both to protecting the business and to insulating officers and directors from liability.  Accordingly, directors must ensure that the business is ready to face cyber risks and the potential legal ramifications of those risks by aligning the organization’s cyber risk profile with its business needs.

Of course, there is no shortage of information out there on cyber security and cyber risk, but much of it is couched in sales and marketing jargon peculiar to one vendor or another, and what isn’t is often aimed at a technical audience with a level of detail that is rarely relevant to high-level decision makers. In this post, we cut through the clutter and cover the basics of cyber risk management for directors by dispelling six common cybersecurity myths.

Myth 1: Cyber Security Is Only Necessary for Some Businesses

Many believe that only certain kinds of companies require cyber security and that if they are not in that list, cyber security isn’t for them. Typically that list includes:

  • technology companies

  • companies that store sensitive customer data (PII)

  • healthcare, infrastructure and other organizations required by law to have it

  • Companies of a certain size or value

Cybersecurity is critical for all organizations, regardless of their industry. The ongoing wave of ransomware attacks has shown that attackers are opportunistic and will target any organization that has valuable data or systems that they can exploit.

Even companies that don’t store sensitive data (PII) can be hacked or infected with ransomware if their systems are not properly secured, and PII is not the only thing that can be stolen or compromised in a cyber attack. Organizations can also lose money, suffer damage to their reputation, and experience other negative consequences as a result of a cyber breach.

Similarly, size is not a significant factor in risk assessment. Any organization, regardless of size, can be a target for cyber attacks. Small businesses are often seen as easier targets because they may not have the same resources to devote to cyber security as larger organizations. The level of risk increases if the business does not take the necessary precautions to protect itself.

All businesses regardless of size, industry or value should have a comprehensive cyber security plan in place to protect themselves from potential attacks.

Myth 2: Security Software Is All You Need to Stay Safe

There are many point tools in the cybersecurity defense arsenal. Tools like SIEM, SOAR, firewalls and antivirus have proven in recent years that, on their own, they are not sufficient to keep businesses out of negative news cycles.

The modern working environment allows employees more freedom than ever before, with the ability to install software and to gain access to company assets from the endpoint, wherever they may be physically located.

The effort of staying safe from cyber risk may start with getting the right tool to see it all, but it does not end there. As the cybersecurity landscape continues to evolve, defense capabilities need to keep pace, too.

The idea of total protection from cyber threats is unrealistic. However, organizations are best served when their boards promote a culture of cyber awareness and integrate investments into cyber resilience with the overall strategic vision of the organization.

Myth 3: Software Vulnerabilities Aren’t an Issue for the Board

Every piece of software that an organization uses can also introduce vulnerabilities that make it easy to penetrate the corporate network.

Some recent high-profile examples include CVE-2022-30190 (aka the Follina vulnerability), which allows attackers to compromise a Windows machine simply by getting a user to open a malicious Word document, and CVE-2021-44228 (aka Log4Shell), a vulnerability in Apache’s Log4j library that most companies did not even realize was in their software stack.

Unfortunately, the biggest and most likely source of vulnerabilities in your software stack is the operating system itself. Here are some sobering statistics:

  • In 2020, Microsoft confirmed 1,220 new vulnerabilities impacting their products, a 60% increase on the previous year.

  • 807 of those 1,220 vulnerabilities were associated with Windows 10, with 107 of them related to code execution, 105 to overflows, 99 to information disclosure, and 74 to privilege escalation.

  • In 2021, 836 new vulnerabilities were confirmed, 455 of which impact Windows 10 and 107 allow malicious code execution.

While patch management is certainly the responsibility of your IT team, boards need to understand that no amount of patching is going to negate the security risk presented by the operating system itself.

This means that your organization should look to partner with security-first companies that can provide a holistic approach to security. Avoid relying on the OS vendor either to patch everything or to provide security add-ons to plug the gaps.

Develop a strategy that aims to reduce risk by decreasing dependencies while easily integrating your security solution with the rest of your software stack.

Myth 4: You Don’t Need to Worry About Supply Chain Attacks

Even if an organization manages to keep its own software safe, any other service provider can unknowingly facilitate a way into the network. In recent times, we’ve seen the SolarWinds supply chain attack, where the attackers were able to compromise organizations through the SolarWinds software update, and the Kaseya incident, in which attackers targeted Kaseya VSA servers—commonly used by MSPs and IT management firms—to infect downstream customers with ransomware.

Such attacks are highly lucrative for threat actors because compromising one weak link enables access to a complete portfolio of customers using that software.

Ensuring you have maximal protection against digital supply chain attacks is a strategic decision that needs to be taken at the board level.

Ensure your board’s strategy includes things such as deploying the right security solution, developing an Incident Response (IR) plan, ensuring application integrity policies only allow authorized apps to run, and driving a cybersecurity-centric culture.
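The "application integrity policies" item above is the control that would have blocked both incidents described in this section: a trojanized update carries a legitimate file name, so a policy that trusts names alone lets it through, while a policy that checks what the bytes actually hash to (or who signed them) does not. The following is an added example, not SentinelOne's code or anything from the page; the "update packages" and the allowlist are constructed inline so it runs offline.

```python
import hashlib
import hmac

# Constructed sample "update packages". These byte strings stand in for
# installer files shipped by a vendor; they are not real software.
GENUINE_UPDATE = b"vendor-agent v2.3.1 installer payload"
# A trojanized build of the same update: same file name, extra code appended.
TROJANIZED_UPDATE = GENUINE_UPDATE + b"\n# implant: beacon to attacker infrastructure"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


# The allowlist a security team maintains: file name -> digest of the build
# that was reviewed and approved. Populated from the genuine build here so the
# script is self-contained; in practice the digest comes from the vendor's
# published checksum or from the build you validated yourself.
ALLOWLIST = {
    "vendor-agent-setup.exe": sha256_hex(GENUINE_UPDATE),
}


def authorized_by_name(filename: str, allowlist: dict) -> bool:
    """Weak policy: trust anything whose file name appears on the list.
    This is what a trojanized update relies on."""
    return filename in allowlist


def authorized_by_hash(filename: str, data: bytes, allowlist: dict) -> bool:
    """Integrity policy: the file name must be listed AND the contents must
    hash to the approved digest. compare_digest is constant-time, so the
    comparison itself leaks nothing about how much of the digest matched."""
    expected = allowlist.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(data))


def evaluate(filename: str, data: bytes, allowlist: dict = ALLOWLIST) -> dict:
    """Run both policies over one candidate file and return the decisions,
    in the shape an analyst would want logged when a package is blocked."""
    return {
        "file": filename,
        "sha256": sha256_hex(data),
        "name_policy_allows": authorized_by_name(filename, allowlist),
        "hash_policy_allows": authorized_by_hash(filename, data, allowlist),
    }


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_UPDATE), ("trojanized", TROJANIZED_UPDATE)):
        print(label, evaluate("vendor-agent-setup.exe", blob))
    print("unknown", evaluate("random-tool.exe", b"anything"))
```

Running the script shows the name-based policy allowing both builds and the hash-based policy allowing only the genuine one. A hand-maintained hash list churns with every vendor release, which is why production application control (Windows Defender Application Control, AppLocker, or an EDR's own allowlisting) is normally keyed on the publisher's code-signing certificate rather than on per-file hashes; the principle demonstrated here is the same, namely that the decision must be made on verified content or signer, never on the file name.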

Myth 5: You Can’t Do Anything About Cyber Security Threats

While it is true that some threats are out of your control, there is a great deal you can do to protect your organization from cyber attacks. Implementing strong cyber security measures reduces the chance that you are targeted, and reduces the damage when you are.

It is also important to remember that although no organization can be secured against every possible attack, every organization can make itself as secure as possible against the attacks it is most likely to face.

In the vast majority of cases, threat actors are financially motivated and are looking for easy wins. Like the weakest animal in the herd, the companies that cannot protect themselves are the ones that get picked off.

Implementing a comprehensive cybersecurity plan, including several layers of security, will help to protect your organization from most attacks.

Myth 6: It’s Impossible to Train Employees to be Cyber Secure

While employees are a key part of any organization's cyber security strategy, they cannot be expected to be experts in cybersecurity. Organizations need to provide employees with appropriate training and resources. This includes regular awareness of the kinds of threats the business faces, simple steps for identifying things like phishing emails or unusual requests, and clear steps for reporting suspicious activity. Social engineering, of which spear phishing emails are the most familiar form, remains one of the most common ways cybercriminals gain a foothold today.

Think of employees as an aid to your cyber defenses, and ensure that they not only have the means to report anything suspicious but that they feel safe and confident in doing so.

Conclusion

Cybersecurity is all about managing risk as effectively as possible. There is no organization in the world that is immune to cyber threats, but in today’s threat landscape, it is vital that cyber security is understood to be a strategic factor that must be planned from the very top of the organization. The risk to the business is too great for it to start anywhere else.

If you would like to learn more about how SentinelOne can help manage cyber security risk in your organization, contact us or request a free demo.