As our reliance on technology grows exponentially, so does the need for robust cybersecurity to protect users and keep data and business operations safe from hackers.
But growth in cybercriminal activity has become a Catch-22 – the more organisations invest in data protection technologies, the more adept cybercriminals become. They change their attack methods and behaviours to blend in with normal traffic in order to bypass traditional network controls, infiltrate infrastructure and steal credentials.
Because of this constant edging forward by both sides, network detection and response (NDR) is now an essential line item for every leadership team. Attacks that target software-as-a-service (SaaS) user accounts are now one of the fastest-growing and most prevalent security issues encountered today. This trend began well before COVID-19 and has accelerated as more organizations make their transformation to the cloud.
The trade-offs of working remotely
When the labour force transitioned to working from home during the first wave of lockdowns, the move to online collaboration and productivity tools was fast but largely smooth. A by-product of this shift is an increased volume of considerably more sensitive data being shared across multiple devices. In many instances, that information is now vulnerable.
This is because current security approaches can lose visibility as environments expand to the cloud, which is increasingly where users are holding multiple accounts and accessing resources from both sanctioned and unsanctioned devices. When the lines between work and personal online interaction become blurred, exposure to cyber-risks increases dramatically.
Beefing up patchy defences
Traditionally, organisations have relied on tightly controlled on-premises servers where network security solutions were largely able to protect data. With many more new devices accessing corporate and cloud networks, traditional solutions have become susceptible to greater risk activity and abuse of data in cloud applications.
Today’s reality is that private and trusted networks can no longer be fully protected by legacy security that focuses on using signatures and detecting anomalies alone. Industry analysts and experts agree that NDR is better suited to identifying and stopping attacks across the modern data centre infrastructure. The adoption of NDR has gained huge momentum by correlating attacker behaviours and the progression of threats between cloud, hybrid and on-premise networks.
We know that cybercriminals are exploiting a larger attack surface and getting more advanced. As a result, simply fortifying network perimeter security no longer works, especially when it comes to stopping astute attackers and speeding up detection. In fact, the notion of a network perimeter no longer exists because users can connect from anywhere.
For many organisations, security technology focuses on user behaviours when the focus should be on attacker behaviours. This requires knowledge of what attackers can do on your platforms, rather than only monitoring approved users and what they’re sharing while looking out for malicious insiders.
It is time to flip the narrative and look at the bigger threat – attacker behaviours.
Take a lesson from Office 365
Observing Microsoft Office 365 users shows how easy it is for hackers to gain entry into an organization’s network. The recent Spotlight Report on Office 365 from Vectra collected opt-in data from 4 million Office 365 users worldwide and found that 96 percent of customers exhibited malicious lateral movement behaviours.
This means that once a hacker gets access to an Office 365 account, the backdoor entrance to an enterprise network opens, making it vulnerable to attack. Take Microsoft Power Automate as an example. Formerly Microsoft Flow, it is designed to automate user tasks and save time. Power Automate is enabled by default in Office 365.
Unfortunately, Power Automate is a blind spot that creates hazardous security vulnerabilities in Office 365. Research from the Spotlight Report on Office 365 shows that 71 percent of customers exhibited suspicious Office 365 Power Automate behaviours.
Right now, you can set up a Power Automate flow to automatically take all attachments in an email and store them in OneDrive. An attacker who compromises that account could then use Power Automate to take those documents and exfiltrate them to a Dropbox account.
Attackers have been leveraging this feature to assume an account identity and pivot from Office 365 to a device or to on-premises systems. They can then log in as a specific user within Office 365 and start damaging or exfiltrating data, or move laterally to find high-value assets to steal.
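A defender-side triage of the pattern described above, added here as an example and not code from the article or from Vectra: it scans a flow inventory for flows that are triggered by mail and write to storage connectors outside the organisation’s sanctioned set. The record shape is a constructed, simplified inventory rather than the real Power Automate export format, and the connector identifiers are assumptions.

```python
"""Triage Power Automate flows for the mail-attachment-to-external-storage pattern.
Record shape is a constructed inventory (not the real flow export format);
connector ids are assumed for illustration."""
from dataclasses import dataclass, field

# Storage connectors the organisation sanctions (assumption).
SANCTIONED_STORAGE = {"shared_onedriveforbusiness", "shared_sharepointonline"}
# Connectors that move data out of the tenant (assumed connector ids).
EXTERNAL_STORAGE = {"shared_dropbox", "shared_box", "shared_googledrive"}
# Trigger connectors that read mail (assumed: the Office 365 Outlook connector).
MAIL_TRIGGERS = {"shared_office365"}
RECENT_DAYS = 7  # flows this new on an account deserve a second look


@dataclass
class Flow:
    name: str
    owner: str
    trigger_connector: str
    action_connectors: list = field(default_factory=list)
    created_days_ago: int = 0


def classify(flow):
    """Return (risk_level, reasons) for one flow."""
    reasons = []
    mail_in = flow.trigger_connector in MAIL_TRIGGERS
    external = sorted(set(flow.action_connectors) & EXTERNAL_STORAGE)
    if mail_in and external:
        reasons.append("mail trigger writes to external storage: " + ", ".join(external))
    elif external:
        reasons.append("writes to unsanctioned external storage: " + ", ".join(external))
    if reasons and flow.created_days_ago <= RECENT_DAYS:
        reasons.append(f"created within the last {RECENT_DAYS} days")
    level = "high" if (mail_in and external) else ("medium" if external else "ok")
    return level, reasons


def triage(flows):
    """Map flow name -> (risk_level, reasons) for a whole inventory."""
    return {f.name: classify(f) for f in flows}


# Constructed sample inventory: one benign flow, one matching the exfiltration
# pattern on a new flow, one writing externally without a mail trigger.
SAMPLE_FLOWS = [
    Flow("Save attachments", "alice@example.com", "shared_office365",
         ["shared_onedriveforbusiness"], created_days_ago=400),
    Flow("Sync docs", "bob@example.com", "shared_office365",
         ["shared_onedriveforbusiness", "shared_dropbox"], created_days_ago=2),
    Flow("Backup", "carol@example.com", "shared_onedriveforbusiness",
         ["shared_dropbox"], created_days_ago=90),
]
```

Real deployments would populate the inventory from the tenant’s own flow listing and audit records; the classification logic is the part the example is meant to show.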
Adapt network security for changing tactics
With NDR, organisations can identify what attackers are doing, where they are in the network, and quickly stop attacks before they become data breaches. NDR leverages AI-derived machine learning algorithms to identify early threat behaviours across hybrid, on-premises and cloud environments. It also automatically detects and prioritises the attacks that pose the highest risk to your organisation and triggers a real-time response to quickly mitigate threats.
To protect data and reduce cyber risk, it is vital for organisations to adopt a proactive rather than reactive approach to cybersecurity. It can result in a costly mistake to rely on legacy network perimeter security alone. Today, NDR is an essential cornerstone of cybersecurity best practices.
As we start to think more about strategic security investments in 2021, it’s timely to consider where the best value and the best line of defence will come from, and how organisations can better ensure they are protected. This is especially true as organisations rely increasingly on hybrid, on-premises and cloud platforms for a range of different devices in what is expected to be a complex and critical year.
Chris Fisher is the Head of Security Engineering for Vectra.ai in the Asia Pacific and Japan Markets.
As a leader for the APJ business, Chris’s key responsibility is to ensure that our customers have the security foundation to embrace new technology and lines of business, allowing them to digitally transform whilst reducing business risk and improving their security posture.
Chris has over 15 years of cybersecurity experience, from practitioner through to strategic advisor for large organisations. He has vast experience in SCADA environments, having worked in the mining and energy sectors for several years. Recently Chris has been helping customers transition to cloud environments securely. Chris has also worked with organisations on end-to-end security strategies to ensure that cybersecurity is an enabler for the business, thus allowing them to take on new innovative services without the risk of compromise.