Page 76 - Cyber Warnings August 2017

Traditional cybersecurity software isn’t perfect


Identifying 'key indicators of compromise' is vital to prevent costly data breaches
By François Amigorena, CEO, IS Decisions


When you come home after a holiday and find you've been burgled, what's the first thing you notice when you step through the front door? In the first instance, it's probably not the missing laptop or jewellery, but the fact that the burglars have left your house in a complete mess.

Your house being in a complete mess is a 'key indicator' of a burglary: it's the actions that a criminal has taken and the clues they've left behind that lead you on a path to discovering what they've stolen and how much damage they've caused.

Cyberattacks work in a similar fashion, albeit less brashly. When cybercriminals gain access to your corporate network, files and folders and steal your data, they leave behind a trail of clues that lead you to find out exactly what they've done. But unlike common burglars, cybercriminals tend not to 'ransack' your network, because they never want you to know they were there. That means you have to look a little harder even to detect their presence in the first place, let alone find out what they've stolen.

And that's why focusing on breach detection is as important as prevention. Even the best burglar alarm in the world can be fooled, and today's cybercriminals use an array of methods to get hold of your employees' corporate logins so they don't raise the alarm when snooping around your network.

However, once they've got their hands on corporate logins, there are a number of things they'll do that will indicate to you that you've got an intruder on your hands.

1. Odd endpoint activity
The first is strange activity on employee endpoints, like smartphones, tablets and laptops. These are the one part of a network that is constantly exposed outside the perimeter: they reach beyond the network to surf the web, and they act as receptacles for inbound email (both giving malware a means of entry and a chance to embed itself).

Indicators of compromise on endpoints involve some deep-dive comparison against what's normal, for both configurations and activity, on a given endpoint. One such indicator is rogue processes. Everything from malware to hacker tools can be seen as a 'process' that hasn't run on an endpoint before. However,
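The comparison the article describes, 'what has run on this endpoint before' versus 'what is running now', is illustrated below as an added example; it is not code from the article or from IS Decisions. The baseline and current process snapshots are constructed sample data (the `Proc` type, the hashes and the paths are assumptions). The point it adds is that matching on process name alone is not enough: the comparison keys on executable path and image hash, so a familiar name launched from an unexpected directory, or a known binary whose on-disk image has changed, is flagged as well as a never-seen process.

```python
"""Baseline comparison for 'rogue process' detection on an endpoint.

Added example, not from the article or IS Decisions. BASELINE and CURRENT
below are constructed sample snapshots, not real telemetry; hashes are
shortened placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str     # image file name as reported by the OS
    path: str     # full path of the executable on disk
    sha256: str   # hash of the on-disk image (placeholder values here)


# Constructed baseline: processes previously observed on this endpoint.
BASELINE = [
    Proc("explorer.exe", r"C:\Windows\explorer.exe", "a1b2"),
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe", "c3d4"),
    Proc("outlook.exe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "e5f6"),
    Proc("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "0707"),
]

# Constructed current snapshot with three deliberately suspicious entries.
CURRENT = [
    Proc("explorer.exe", r"C:\Windows\explorer.exe", "a1b2"),
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe", "c3d4"),
    # Known name, but running from a user-writable temp directory.
    Proc("svchost.exe", r"C:\Users\jsmith\AppData\Local\Temp\svchost.exe", "9999"),
    # Known name and path, but the image on disk no longer matches the baseline.
    Proc("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "beef"),
    # Never seen on this endpoint at all.
    Proc("updater.exe", r"C:\Users\jsmith\Downloads\updater.exe", "1234"),
]


def find_rogue_processes(baseline, current):
    """Return a list of (proc, reason) for every current process that does
    not match the baseline.

    The match is on path and image hash rather than on name alone, so a
    masquerading name, a relocated binary or a modified image are all
    reported, each with the reason it was flagged.
    """
    by_path = {p.path.lower(): p for p in baseline}
    known_names = {p.name.lower() for p in baseline}
    findings = []
    for proc in current:
        known = by_path.get(proc.path.lower())
        if known is None:
            if proc.name.lower() in known_names:
                reason = "known name from unexpected path"
            else:
                reason = "never seen on this endpoint"
        elif known.sha256 != proc.sha256:
            reason = "hash differs from baseline image"
        else:
            continue  # path and hash both match: not an indicator
        findings.append((proc, reason))
    return findings


if __name__ == "__main__":
    for proc, reason in find_rogue_processes(BASELINE, CURRENT):
        print(f"{reason}: {proc.path} ({proc.sha256})")
```

In practice the baseline would be built from an inventory collected while the endpoint was known-good and refreshed on every approved software change; the check itself is the same whether it runs over an EDR export or a scheduled process listing.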




Cyber Warnings E-Magazine – August 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide.