You know it’s going to be one of those days, when your Special Operations Manager calls you at half past midnight on a Monday morning. “We’ve got ransomware”, and so we had. By chance one of our infrastructure engineers had been working late on the Sunday provisioning some new virtual servers, the cyber team being inherently nocturnal were awake anyway, and new security tools we had commissioned over previous months were already doing their job. By 1 AM, a full major incident response was in progress, at which point you quickly learn that von Moltke the Elder’s military maxim, “no battle plan survives contact with the enemy”, similarly applies to the cyber world.
In these strange times, one of our UK subsidiaries was hit along with another major UK construction company because we were building a number of the UK’s temporary Nightingale hospitals for the NHS to treat critically ill COVID-19 patients. As the UK Government had previously warned, the agenda of these attacks was less about the money, and more about causing as much chaos as possible in order to undermine confidence in the UK’s response to the Coronavirus pandemic.
This is symptomatic of the perpetually moving & evolving threat landscape, where the bad guys are always one step ahead, ready to exploit any new angle. The COVID-19 pandemic has exacerbated the situation, with tactical necessity forcing many businesses into risking rushed and unplanned transitions to homeworking and cloud environments. For many businesses, both small and large, this unplanned-for state has taken them beyond their existing security posture’s ability to monitor for and respond to attacks. While the most mature companies with the strongest postures are not immune to a compromise, what von Moltke was actually arguing is that what really matters is how quickly we are able to respond and adapt in any given situation.
For many businesses their IT function is not 24/7 because the business itself is not 24/7, or at least not in the true sense, yet many of them rely on information systems that are available all the time. If something breaks over the weekend, it’ll have to wait ‘til Monday to get fixed, which could mean anything between inconvenient and catastrophic. In the same circumstances a cyber-attack resulting in a successful compromise will almost certainly be catastrophic, particularly if ransomware is involved, and will invariably happen at stupid-o-clock in the morning, when no one is about to respond.
We are a construction and civil engineering group, not an IT services company, therefore, like most organisations, IT is a support function for the business, not the business. So here’s the dilemma: we don’t have the business need, or the budget, to justify in-house 24/7 NOCs & SOCs, but at the same time the shifting threat landscape is demanding an ever-increasing level of monitoring and response capability.
To satisfy this requirement, many businesses are turning to the relatively simple and cost-effective strategy of:
automate, orchestrate and delegate
Over the last few years the shift to automation has been dramatic, particularly with the advent of more AI-driven solutions able to detect & assess a security threat and take instant action, not only to mitigate the immediate threat but then to implement measures to prevent a recurrence. With Zero Trust being the new norm, we’ve seen a shift of emphasis in endpoint security from traditional AV/IPS type products to more comprehensive EDR (Endpoint Detection & Response) type solutions, Microsoft’s Defender ATP being one such example. We also see in the data space products such as Varonis DatAlert (which happens to be one of the products that helped us out), which has the ability to automatically detect and block ransomware attempting to encrypt files. With any incident, time is of the essence: effective automation can at best stop an attack in its tracks, or at least reduce the impact.
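To make the “detect and take instant action” idea above concrete, here is an added illustration (not code from the original post, and not how DatAlert or any vendor product works internally): a small detector run over a constructed file-activity log. It treats a burst of extension-changing renames by one account as the encryptor footprint and records an automated containment action the first time the account crosses the threshold. The log format, account names, paths and thresholds are all assumptions made up for the example.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-activity log in a hypothetical format (not any vendor's real schema).
SAMPLE_LOG = r"""
2020-05-04T00:30:55 user=jsmith op=modify path=\\fs01\projects\plan.docx
2020-05-04T00:30:58 user=jsmith op=rename path=\\fs01\projects\report_v1.docx new=\\fs01\projects\report_v2.docx
2020-05-04T00:31:00 user=svc_backup op=rename path=\\fs01\projects\a.xlsx new=\\fs01\projects\a.xlsx.locked
2020-05-04T00:31:01 user=svc_backup op=rename path=\\fs01\projects\b.docx new=\\fs01\projects\b.docx.locked
2020-05-04T00:31:03 user=svc_backup op=rename path=\\fs01\projects\c.pdf new=\\fs01\projects\c.pdf.locked
2020-05-04T00:31:04 user=svc_backup op=rename path=\\fs01\projects\d.dwg new=\\fs01\projects\d.dwg.locked
2020-05-04T00:31:06 user=svc_backup op=rename path=\\fs01\projects\e.pptx new=\\fs01\projects\e.pptx.locked
2020-05-04T00:31:07 user=svc_backup op=rename path=\\fs01\projects\f.txt new=\\fs01\projects\f.txt.locked
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")
WINDOW = timedelta(seconds=10)   # sliding window per account (assumed tuning value)
THRESHOLD = 5                    # extension-changing renames within WINDOW before acting

def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return None if not m else {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}

def changes_extension(ev):
    """A rename that swaps the file extension; mass occurrences are the classic encryptor footprint."""
    return ev["op"] == "rename" and ev["new"] and \
        os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new"])[1]

def detect(lines):
    """Detect-and-respond loop: act on an account once it crosses THRESHOLD, then ignore it."""
    recent = defaultdict(deque)   # account -> timestamps of its recent suspicious renames
    blocked = set()
    actions = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["user"] in blocked or not changes_extension(ev):
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW:   # drop events that have fallen out of the window
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked.add(ev["user"])       # automated response: contain the account immediately
            actions.append((ev["user"], ev["ts"].isoformat(), "disable_account"))
    return actions
```

In a real deployment the `disable_account` action would be handed to an orchestration layer to execute; here it is only recorded so the detection logic can be checked offline.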
Orchestration can be the trickier issue. If you’ve chosen to go down the route of the complete Microsoft E5 Security stack, then it’s straightforward, because solutions like Azure Identity Protection & Information Protection, Exchange Online Protection and Defender ATP etc. are all somewhat symbiotic by design, and can be centrally orchestrated via their Sentinel product. Orchestrating solutions from different vendors, in order to effect a wider detect and automated response capability, invariably requires yet another solution, though this has improved significantly with the advent of SOAR (Security Orchestration, Automation & Response) compatible solutions. The importance of orchestration cannot be overstated, because it facilitates the ability of one vendor’s solution to detect a threat and, where appropriate, initiate a response from another vendor’s solution.
We still need the human element, which brings us to Delegate. When we think of outsourcing security, we typically think of a SIEM/SOC scenario. Outsourced SIEM solutions, the staple of most SOCs, traditionally tell you something doesn’t look right, but won’t necessarily do anything about it apart from alert a human, who then analyses and instigates a response, which invariably involves calling a business’s on-call IT function. In a large and technically diverse organisation effective SIEM is notoriously difficult to get right and can be very noisy and frustrating. Indeed, there is growing consensus that SIEM is dead (or at least dying) and that MDR (Managed Detection & Response) is the way forward, and it is the route we have chosen. MDR builds on the automate & orchestrate elements and wraps them up with 24/7 human expertise and the ability to take control of a situation. This is more than just outsourcing, which is why I prefer to use the term Delegate instead.
When we had our incident, we had already started along the journey towards Automate, Orchestrate & Delegate, and our ability to respond, along with lessons learnt, reinforced that decision. Regardless of what line of business you are in, the world we live in is 24/7 and so are the threats, requiring solutions that never sleep.