The answer to this question is always ‘Immediately!’ and certainly never ‘After the horse has bolted’.
Everyone has security products but what happens if even the most sophisticated system doesn’t stop the bad actors from getting in? What do you do next to mitigate an attack?
Cyber security is the hottest topic for company CEOs in today's uncertain climate. This puts huge pressure on IT leaders to ensure that in the event of an attack it is not just the company's data but also its reputation and the business itself that survive.
We talk to our Cyber Resiliency Expert Matt Bayliss in a Q&A session about Active Threat Detection and how new, sophisticated technology can detect suspicious activity and turn the long road to recovering your data into a single step.
What is Active Threat Detection?
“Threat Detection is a proactive approach to monitoring server infrastructure for active threats, to stop them before they get serious. It constantly watches your server infrastructure and pulls in signals from external sources, including integrations with other security products, to give more context and colour to the events and storyboarding that you then see.”
How does it work?
“The technology is powered by a Continuous Attack Graph Engine, a very powerful engine that does lots of things quickly. This is called infrastructure-wide event detection, based on causal event sequencing, where we map events to the MITRE framework and score those events via a combination of machine learning and traditional SIEM rules to understand the severity and the maliciousness of the attack. Finally, we mitigate the threats by applying recommendations autonomously and automatically to capture and clean up all the events that have taken place.”
Why do companies need it if they have already got secure backups in place?
“Even though you may be protected with secure backups, that doesn’t let you know an attack is happening and won’t alert you to restore your backups. You also need to know whether those backups are being poisoned by a malicious attacker who is quiet on the system, quiet in your network and not doing anything overtly disruptive to your network, other than encrypting your data in the background. We’ve seen this with a malware attack which allowed that encrypted data (to which only the attacker held the keys) to get backed up into your backups. Backup simply provides points of recovery but doesn’t tell you what or when you need to recover.”
What happens if you don’t have Active Threat Detection in place?
“Many companies don't have sufficient protection or sufficient visibility, and those that don't have anything in place get hit hard. We see it in the news all the time with organisations that have been subject to a ransomware attack, and the reason they are targets is that an attacker can get into the system, poison data and exfiltrate critical, sensitive corporate information to disrupt that company. If you can’t see that attack taking place, then you can't respond.”
“As a traditional mitigation partner, we deal with customers who are undergoing loss of service and outages to their networks. We are increasingly seeing our customers contact us when they are suffering an outage as the result of a cyber-attack, malware or ransomware. Our Active Threat Detection solution is powered by Confluera. We chose their platform as it provides a real-time forensic system with which we can help customers understand the attack that is taking place, or has taken place, in their network.”
Why did Assured Data Protection decide to partner with Confluera?
“There are several reasons, but we found them to be the perfect fit to complement our current offerings. They have developed their technology from the ground up to target specific things, such as the tactics that adversaries use. One of those is a slow-moving attack or advanced persistent threat. This is where an attacker gains access to a system, establishes a command-and-control connection to a command-and-control network, and then goes quiet for many hours, if not weeks, until the worst possible time for their opponents. They use that time to progress the attack further, for example waiting until a big holiday like the Fourth of July, Black Friday or Christmas, when IT support staff levels are low, and using that window to advance the attack and exfiltrate from or disrupt a system.”
“The most obvious, stand-out feature is the real-time storyboarding. This is extremely powerful as we can, in real-time, stitch together events from all sorts of different sources across the customer's network, and present it instantly in a visual storyboard form, which is easy to understand and clearly shows what the remediation steps need to be.”
"We have always been an early adopter of disruptive technology. We have worked with Rubrik for six years, since the beginning of their journey and we have seen huge successes in making a real difference to our customers with their backup and recovery. We were introduced to Confluera by Rubrik and wanted to get on board from the beginning because the technology is so game-changing for Cyber Resiliency.”
What examples have you seen where this type of technology could have made a significant difference?
“We have seen different scales of attack, some large and, thankfully, some on a smaller scale. In most cases, the recovery points were unknown at the time. Had these organisations had a system like this in place prior to an attack, it would have given them the intel and the information they needed to pick their appropriate recovery points. With Active Threat Detection we can see an attack coming in and spreading through a network, and we can present that information visually, in real time, in a storyboard. The customer can use that to make business decisions on when and how to recover their network.”
Why choose Assured’s Active Threat Detection as a Service solution?
“It’s all about the service. We host it and monitor it 24/7, so if anything comes through that doesn't look right, we can inform the customer straight away and we work with them hand in hand to resolve those threats. We also work with customers to create any necessary whitelisting rules and can provide “hand-holding” support when working with the system.”
“But it’s also about having peace of mind. Knowing that they're working with a managed service partner, who knows what they're doing when it comes to protecting data which is what we already do and have vast experience with.”
What is the benefit of being able to offer Active Threat Detection on-prem compared to cloud-only?
“Some businesses are not able to move to the cloud and use a SaaS-only model for various reasons, including compliance, GDPR, etc., or some organisations are simply not ready to move to the cloud. Our solution offers an excellent cloud-only platform, and we can add to that service by switching to on-prem and private networks, which we have tons of expertise in dealing with. The fact that we can offer this as a hybrid solution offers much more flexibility for our customers.”
What is your favourite feature of Threat Detection?
“The Real-Time Storyboarding is, without doubt, the best feature. Traditionally, an intrusion report is done after the fact: it is written to determine what happened and piece together the sequence of events, which can typically take weeks or months after the event to produce, whereas we can present that in real time. Being able to pull events from disparate systems spread across the network, tie them together into a single attack progression, then stitch that together automatically, in real time, to be presented visually to the user is just an amazing piece of technology. We haven’t seen another solution that can do that, and that’s why we use it.”
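The ideas that run through the answers above (causal event sequencing across sensors, tagging each step with a MITRE ATT&CK technique, scoring the chain, spotting the long quiet gap of a slow-moving attack, and using the attack timeline to choose a recovery point that predates the poisoning) can be shown in a few dozen lines. The block below is an added example written for this page; it is not Assured Data Protection's or Confluera's code and makes no claim about how their engine works internally. The hosts, process ids, task name, domain, account, snapshot times, technique weights and severity thresholds are all constructed assumptions; only the ATT&CK technique identifiers are real.

```python
"""Attack storyboard correlator: an added example, not Assured's or Confluera's code.

Stitches events from several telemetry sources into causal chains by shared
identifiers, tags each event with a MITRE ATT&CK technique, scores the chain,
reports its longest quiet gap (dwell), and picks the last backup taken before
the chain began. Sample events, hosts and snapshot times are constructed;
technique weights and thresholds are this example's own assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import prod

# Event kind -> (ATT&CK technique id, tactic, evidence weight). The ids are
# real ATT&CK identifiers; the weights are illustrative, not a vendor's scoring.
TECHNIQUES = {
    "office_spawns_shell": ("T1566.001", "initial-access", 0.5),
    "powershell_encoded":  ("T1059.001", "execution", 0.4),
    "beacon_rare_domain":  ("T1071.001", "command-and-control", 0.6),
    "scheduled_task":      ("T1053.005", "persistence", 0.3),
    "remote_logon":        ("T1021.002", "lateral-movement", 0.4),
    "mass_file_encrypt":   ("T1486", "impact", 0.9),
    "benign_update":       (None, None, 0.0),
}

@dataclass
class Event:
    ts: datetime
    source: str        # which sensor reported it: edr, edr-net, fileserver, ...
    host: str
    actor: str         # id of what acted: "ws07:pid:4412", "session:jsmith@10.1.2.7"
    kind: str          # key into TECHNIQUES
    detail: str
    links: tuple = ()  # other ids the event ties to: parent pid, task name, session created

@dataclass
class Chain:
    events: list = field(default_factory=list)
    ids: set = field(default_factory=set)

def build_chains(events):
    """Causal sequencing: in time order, an event joins the chain that already
    knows any of its identifiers (actor, parent, task, session); otherwise it
    roots a new chain. Cross-host and cross-sensor events stitch on shared ids."""
    chains = []
    for ev in sorted(events, key=lambda e: e.ts):
        keys = {ev.actor, *ev.links}
        chain = next((c for c in chains if keys & c.ids), None)
        if chain is None:
            chain = Chain()
            chains.append(chain)
        chain.events.append(ev)
        chain.ids |= keys
    return chains

def chain_score(chain):
    """Noisy-OR over distinct techniques: weak signals compound when they sit in
    one causal chain, while a lone benign event scores zero."""
    weights = {TECHNIQUES[e.kind][0]: TECHNIQUES[e.kind][2]
               for e in chain.events if TECHNIQUES[e.kind][0]}
    return 1 - prod(1 - w for w in weights.values()) if weights else 0.0

def severity(score):  # thresholds are assumptions for the example
    return ("critical" if score >= 0.95 else "high" if score >= 0.75
            else "medium" if score >= 0.4 else "low")

def longest_gap(chain):
    """Largest pause between consecutive events. A long one after C2 and
    persistence is the 'go quiet, then strike on a holiday' pattern."""
    ts = [e.ts for e in chain.events]
    return max((b - a for a, b in zip(ts, ts[1:])), default=timedelta(0))

def last_clean_snapshot(chain, snapshots):
    """Last backup taken before the chain's first event. Later snapshots may
    restore fine yet already carry the implant or the encrypted files."""
    clean = [s for s in snapshots if s < chain.events[0].ts]
    return max(clean) if clean else None

def storyboard(chain):
    lines = []
    for e in chain.events:
        tid, tactic, _ = TECHNIQUES[e.kind]
        lines.append(f"{e.ts:%Y-%m-%d %H:%M} {e.host:<5} {e.source:<10} "
                     f"{tid or '-':<9} {tactic or '-':<19} {e.detail}")
    return lines

def analyse(events, snapshots):
    out = []
    for c in build_chains(events):
        s = chain_score(c)
        out.append({"score": round(s, 4), "severity": severity(s), "events": len(c.events),
                    "longest_gap": longest_gap(c),
                    "recover_from": last_clean_snapshot(c, snapshots),
                    "storyboard": storyboard(c)})
    return out

# Constructed telemetry: a phishing document spawns PowerShell, which beacons
# out and installs a task, goes quiet for ~40 hours, then moves laterally and
# encrypts a file share. An unrelated update on ws12 shares no identifier.
T0 = datetime(2023, 11, 22, 2, 0)
SAMPLE_EVENTS = [
    Event(T0, "edr", "ws07", "ws07:pid:4412", "office_spawns_shell",
          "winword.exe (pid 3980) spawned powershell.exe", links=("ws07:pid:3980",)),
    Event(T0 + timedelta(seconds=12), "edr", "ws07", "ws07:pid:4412", "powershell_encoded",
          "powershell.exe -enc <base64 blob>"),
    Event(T0 + timedelta(seconds=40), "edr-net", "ws07", "ws07:pid:4412", "beacon_rare_domain",
          "TLS to cdn-sync-update[.]example:443, first seen org-wide"),
    Event(T0 + timedelta(minutes=3), "edr", "ws07", "ws07:pid:4470", "scheduled_task",
          "schtasks /create /tn WindowsUpdateSync",
          links=("ws07:pid:4412", "task:WindowsUpdateSync")),
    Event(T0 + timedelta(hours=1), "edr", "ws12", "ws12:pid:880", "benign_update",
          "MsMpEng.exe signature update"),
    Event(T0 + timedelta(hours=40), "edr", "ws07", "ws07:pid:7712", "remote_logon",
          "task launched; SMB logon to fs01 as DOM\\jsmith",
          links=("task:WindowsUpdateSync", "session:jsmith@10.1.2.7")),
    Event(T0 + timedelta(hours=40, minutes=5), "fileserver", "fs01", "session:jsmith@10.1.2.7",
          "mass_file_encrypt", "4,812 files renamed to *.locked in 5 min"),
]
SNAPSHOTS = [datetime(2023, 11, d, 22, 0) for d in (20, 21, 22, 23)]  # nightly, constructed

if __name__ == "__main__":
    for r in analyse(SAMPLE_EVENTS, SNAPSHOTS):
        print(f"{r['severity']} ({r['score']}) gap={r['longest_gap']} "
              f"recover_from={r['recover_from']}")
        print("\n".join(r["storyboard"]))
```

Run as-is, the script produces two chains: the ws07/fs01 intrusion scores critical once the encryption event lands (medium after the first two events, high once C2 and persistence are in place), reports a 39h57m dwell gap between the task creation and the lateral move, and names the 21 November snapshot as the last clean recovery point, even though the 22 and 23 November snapshots would restore without error; the second contains the encrypted share and the first already contains the scheduled task. The lone signature update on ws12 scores zero because it shares no identifier with the chain. The join-on-shared-identifier rule is the simplest form of causal stitching; a production engine would also join on time windows and network five-tuples, which this example deliberately omits.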