Cyber Attacks – Give your IT a fighting chance

In August I wrote a blog on how cyber operations capability is primarily the key to a successful incident response. Normally I would switch to another subject matter for the (this) blog that followed, however, since August NG-IT have been approached a number of times by organisations asking for help with recovery from a cyber incident because they felt they had a lack of response capability. With this in mind I thought I would try to expand out on the August blog with another insight into why I feel many businesses are still easy targets. 

Increase in attacks as we return to work 

With summer over and the much anticipated September return to some semblance of normality, the UK sadly saw another huge uptick in cyber-attacks and related activity. This is no coincidence, cyber criminals carefully choose this time of year when IT teams are often at their busiest settling in returning users, enrolling new students onto learning platforms in academia and going production live with new systems that had been deployed in the quieter summer months. 

Bigger stack, bigger problem? 

With over $120B spent globally on cyber products and solutions I would say it’s fair to assume the problem with maintaining adequate defence isn’t a lack of investment. In fact, most organisations I talk to often reel off over ten different cyber-vendor solutions within their security stack (and quietly complain they definitely don’t want any more). There is an important consideration here; the administration involved with managing the security stack is without doubt a huge issue for already stretched IT teams, every solution owned needs time and time is scarce in IT. Additionally, there is another possibly bigger issue to contend with; the mind-blowing volume of security event data generated by these solutions, this data all needs to be ingested, analysed and investigated, and it is overwhelming and frequently unmanageable. False positives and security “alert fatigue” are commonplace, and this leads to analysts time being further diluted and them focussing away from what can unfortunately be the most critical event data. 

Evolving attacks 

We know cyber-attack methods continue to develop and change and their identification is another challenge for IT to meet, regular threat intelligence analysis & hunting isn’t done anywhere near as frequently as it should be and despite all the money invested; our security stack isn’t always tuned to identify the latest breed of attacks either. Alarmingly around 43% of businesses have advanced threats inside their environments that in-place security measures have simply failed to discover. The most recent UK breaches I am familiar with have involved long term latent threats where a hacker will take time to learn about their target environment. This allows the hacker to cause maximum disruption at their chosen time of strike, they will use shock and awe tactics to extreme effect, crippling production systems, encrypting data, deleting online backups and even disrupting storage snapshot regimes to force erasure of recovery points, leaving IT with very few or even zero options for starting their incident response plan never mind regaining operation. 

What can be done? 

The picture is bleak but nonetheless accurate, along with the current shortage of cyber professionals in the UK, the problems described above have us in something of a perfect storm, we are seeing unprecedented levels of hacking related activity and we know IT teams are staff and time poor, therefore we are very easy targets. The cybercrime fraternity are savvy, they know we are exposed, and the current situation encourages them to increase the frequency and ferocity of their attacks. 

My advice for businesses seeking to improve their defences and detection is first to look for security tools that actually free up IT time, solutions that decrease rather than increase admin and analyst overhead, the next generation of AI driven security tools are here and many provide these vitally important efficiencies. Secondly we should consider the issue of resource, not only is this scarce but people with first-hand experience of attack recovery are extremely hard to find. Cyber personnel who have consistently worked back through different types of attack and the kill chain to remediate, eradicate and sanitise the environment are rare indeed and probably unaffordable for most staff budgets. 

Ideally we would address the tooling and personnel challenges with one fix, a solution that both utilises and improves on our existing security stack and then effectively manages the vast amounts of security event data it creates, then combining this with expert led service to provide continuous “eyes on” our environments, seeking out threats and indicators of compromise rapidly and dealing with them using tried and tested methods and cyber-combat skilled resource. 

Managed SOC 

For all this to work properly you would not only need better protection via improved tools and capability, but you would also need it to be deployed quickly and affordably, not as a long drawn-out expensive project that doesn’t start to increase protection anytime soon. You would also want it to provide a level of continuous improvement for your environment, delivering pro-active services that would harden your systems to keep up with the evolving and more sophisticated threats described earlier in this article. It would then need to flex and scale as your business changed and also help meet data governance and compliance needs. 

By combining highly effective security event management, unique service delivery and by partnering with you in a shared responsibility model, a managed SOC can efficiently improve and scale your security operations capability, benefitting you with much needed competences to provide the protection you require at a price you can afford.  

24×7 security delivered by a managed SOC makes for levels of defence and detection most organisations would never achieve. Within a managed SOC, awareness of current and emerging threats is clearer, and remediation is planned for constantly, this is far removed from the approach taken by most IT teams who are hampered by inconsistent response plans and firefighting previously unencountered attack symptoms. There are not only detection and response experts inside a managed SOC, there are vendor specialists are on staff to investigate and identify the impact of attacks on specific manufacturer equipment, this is another necessity that is unaffordable to most who often rely on best endeavours vendor assistance for more nuanced product & solution knowledge. 

I’m a strong advocate for managed SOC, I see it as the only viable option available to us that actually steps up to meet the challenge of the scale and complexity of the threats we see today. If you are thinking about purchasing managed SOC it should provide an all seeing AI based security event management platform that leverages threat information from every available data source, this benefits you via economy of scale and access to threat intelligence you would have been without. Alongside this you should expect specialist cyber analyst knowledge for your MDR needs, these should be complemented by a selection of proactive services focussed on constant assessment and improvement of your security practices, ensuring you are in the best place to resist an attack when it comes. 

If you would like to give your IT a fighting chance, we partner with the industry leader and have a dedicated set of web pages that describe the services in a more detail, you can find them here, where there is more useful information to help you understand how we can painlessly get you better protection and some peace of mind. 

Blog written by Howard Johnson, Cyber Practice Lead – https://www.linkedin.com/in/johnsonhoward

Further Reading;

NG-IT Cyber managed SOC, click here to find out more.

For detailed information on cyber incident response from the NCSC click here.

For information from the NCSC about managed SOC click here.

To check out our other cyber security blogs click here.