MFGS, Inc. Blog - Cybersecurity and DevSecOps Resources for the DOD

The Three Phases of Keeping Burglars and Cybercriminals Away

Written by Gene Marrero | Oct 19, 2022 8:57:40 PM

This blog is part of a series for Cybersecurity Awareness Month 2022. You can find the other blog posts here:

  • What DOD Agencies Can Learn from Baseball…for Talent Management
  • Best Practices for Passwords and Multi-Factor Authentication within the DOD
  • Devalue the Data and Secure Your Agency through Encryption

Protecting your agency from cybercriminals is not unlike protecting your home from intruders: it requires a layered approach that addresses several "what if" scenarios.

  • What if they try to get in?
  • What if they do get in?
  • What if they get in and wreak havoc?

While some strategies might pour all resources into only one of these phases, assuming it will solve all of the problems, the reality is a successful cybersecurity strategy requires adequate investment to prevent each and every one of these three scenarios.

What if they try to get in?

This first category is about making your home and software undesirable and difficult to breach. The fix starts with a strongly built, well-lit house and an upgrade to locks that are harder to pick, coupled with reinforced doorframes that cannot be rammed through.

Many homeowners simply rely on an alarm system to deter break-ins, rather than taking the extra steps outlined above to protect and secure their homes – intruders can always find ways to circumvent that system. Rest assured, cybercriminals know there are just as many ways to get around traditional endpoint security controls like firewalls, IPS, and anti-malware tools.

How do you know someone or something tried to get in? It might not even be an intruder; it could be a family member in possession of a key. But is it really them - or did someone steal their access? If you aren’t quite sure who is supposed to be in the house, or on the network, how do you keep the wrong people out?

For starters, our Universal Discovery offering can continuously discover all of the devices present on the network and match them against the assets that are authorized to actually be on the network. In addition, our NetIQ Identity Governance solution manages access to applications and data across the most diverse enterprise landscapes. By automating your access review and recertification processes, you know who and what is on your network at all times, while still ensuring the right parties retain the appropriate accesses.

By next incorporating tools like the ArcSight Enterprise Security Platform, you will be alerted in real time to any attempts by cybercriminals working to enter or attack your organization – before they might get in. This platform can be fed by a continuously updated threat intelligence feed that assists in identifying known attacks and techniques from around the globe, leveraging the MITRE ATT&CK framework.

When it comes to software, writing secure code from the outset is critical. Insecure software is vulnerable to attacks such as the long-standing SQL injection technique, in which the attacker manipulates the intended execution of a database query. The result is the ability to steal sensitive data, leave malware on the network, corrupt data, and more.
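To make the SQL injection point concrete, here is an added example (not code from the original post or from any MFGS product) showing the vulnerable query pattern beside its parameterized form, against a constructed in-memory SQLite table:

```python
import sqlite3


def build_db():
    """Constructed sample user store standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, clearance TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "secret"), ("bob", "confidential"), ("carol", "unclassified")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' pattern: user input is spliced into the SQL text, so the
    input can change the statement the database actually executes."""
    query = f"SELECT username, clearance FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The hardened form: the driver sends the value separately from the
    statement text, so input is only ever treated as data, never as SQL."""
    return conn.execute(
        "SELECT username, clearance FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    tampered = "' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print(lookup_vulnerable(db, tampered))     # every row comes back
    print(lookup_parameterized(db, tampered))  # no user has that literal name
```

The static-analysis feedback described below is what flags the first pattern while the developer is still typing it.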

Our Fortify solution augments your agile process, offering live review and feedback – similar to a spell checker function – for any vulnerabilities that might exist. The feedback is provided in real time, allowing the programmer to take immediate action instead of having to reevaluate the section and amend it days or even weeks later. This security data is captured in the CI/CD pipeline and recorded into the ALM (Application Lifecycle Management) Octane solution for tracking remediation, providing history and the metrics of overall risk management.

What if they do get in?

While writing secure code is the first layer of protection, the reality is, like burglars entering a house, software breaches do still happen. If your first layer of defense did not keep the burglars away, the next best thing to do is to ensure there is not anything accessible or valuable to steal. That might mean keeping all your valuables hidden away behind the towels of your linen closet or locked in a safe. It might also mean locking all of the individual rooms in your house, making it harder for the criminal to get around.

Again, how do you know an intruder got in? How do you know for sure it wasn’t your own child that just entered your house? Did they bring someone else with them? Going a step further, how do you go about getting the intruder out? You might call your security company or the police to remove someone from your house, but what do you do about an intruder inside your IT environment?

First and foremost, a properly managed network should be constantly monitored - and when an unknown MAC address is detected or a particularly talkative traffic flow is found, it should be instantly quarantined. Our solution: Network Operations Manager (NOM). NOM will detect any device not authorized to be on the network and immediately shut down the physical or virtual port being used for communication, to prevent further damage.
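As an added illustration of the two checks just described (matching observed devices against the authorized inventory, and flagging a talkative flow), here is example code written for this post rather than NOM's or Universal Discovery's own logic; the inventory, switch observations, and the 10x-median threshold are all constructed:

```python
from statistics import median

# Constructed authorized-asset inventory, keyed by MAC address.
AUTHORIZED = {
    "00:1A:2B:3C:4D:5E": "ws-finance-01",
    "00-1a-2b-3c-4d-5f": "printer-02",
    "001a.2b3c.4d60": "badge-reader-03",
}

# Constructed switch observations: (port, MAC as the switch reported it, bytes sent).
OBSERVED = [
    ("Gi1/0/1", "00-1A-2B-3C-4D-5E", 12_000),
    ("Gi1/0/2", "00:1A:2B:3C:4D:5F", 9_500),
    ("Gi1/0/3", "DE:AD:BE:EF:00:01", 11_000),   # not in the inventory
    ("Gi1/0/4", "001A.2B3C.4D60", 900_000),     # authorized, but unusually chatty
]


def normalize_mac(mac):
    """Switches, DHCP servers and inventories write MACs differently (colons,
    dashes, Cisco dotted form, mixed case). Comparing raw strings would wrongly
    flag authorized devices, so reduce every form to AA:BB:CC:DD:EE:FF."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def quarantine_decisions(observed, authorized, talkative_factor=10):
    """Return (port, action, reason) per observation. A real deployment would
    baseline volume per device over time; the median of this interval is a
    constructed stand-in."""
    auth = {normalize_mac(m): name for m, name in authorized.items()}
    baseline = median(sent for _, _, sent in observed)
    decisions = []
    for port, mac, sent in observed:
        canon = normalize_mac(mac)
        if canon not in auth:
            decisions.append((port, "shutdown", f"unknown MAC {canon}"))
        elif sent > talkative_factor * baseline:
            decisions.append((port, "shutdown",
                              f"{auth[canon]} sent {sent} bytes vs median {baseline}"))
        else:
            decisions.append((port, "allow", auth[canon]))
    return decisions
```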

Unfortunately, most breaches are caused by insiders, either due to malicious intent or negligence. On the side of negligence, it is most likely the result of a phishing attempt – even security professionals are not immune to these. The good news is these actions are only possible through a lack of proper security controls and access.

In the case of enterprise IT systems, identity and access management tools (IDM) and those that use artificial intelligence (AI) to understand individual user behaviors can detect deviations and automatically restrict access when they occur. For example, consider the user that only ever views three pages of data. If that user’s credentials are compromised and a cybercriminal begins trying to access other information, the AI tool would identify this odd behavior, and based on a risk assessment using machine learning (ML), could trigger a sequence of events that suspends the user account in order to prevent a wider breach.
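The "user who only ever views three pages" scenario, worked through as an added example (not ArcSight Intelligence's model): a baseline of resources is learned from a training window of constructed access-log lines, and later events accumulate a risk score that suspends the account once it crosses a threshold. The weights and threshold are constructed; a real product learns them.

```python
# Constructed access-log lines: timestamp, user, resource viewed.
LOG = """\
2022-10-03T09:01:11 jdoe /reports/payroll-summary
2022-10-03T09:05:42 jdoe /reports/payroll-detail
2022-10-03T09:40:07 jdoe /reports/benefits
2022-10-04T08:58:30 jdoe /reports/payroll-summary
2022-10-04T10:12:19 jdoe /reports/benefits
2022-10-05T09:03:55 jdoe /reports/payroll-detail
2022-10-06T02:14:03 jdoe /admin/user-export
2022-10-06T02:14:41 jdoe /admin/ad-groups
2022-10-06T02:15:20 jdoe /finance/wire-approvals
"""


def parse(log):
    """Yield (timestamp, user, resource) tuples from the log text."""
    return [tuple(line.split()) for line in log.splitlines()]


def evaluate(events, user, training_days, threshold=3.0):
    """Score the user's post-training events. A never-before-seen resource adds
    1.0, an access outside 06:00-20:00 adds 0.5. Returns the suspend decision
    at the event that crossed the threshold, or an allow decision."""
    baseline = {r for ts, u, r in events if u == user and ts[:10] in training_days}
    score = 0.0
    for ts, u, r in events:
        if u != user or ts[:10] in training_days:
            continue
        hour = int(ts[11:13])
        score += 1.0 if r not in baseline else 0.0
        score += 0.5 if hour < 6 or hour >= 20 else 0.0
        if score >= threshold:
            return {"action": "suspend", "user": user, "at": ts,
                    "score": score, "trigger": r}
    return {"action": "allow", "user": user, "score": score}


if __name__ == "__main__":
    TRAINING = {"2022-10-03", "2022-10-04", "2022-10-05"}
    print(evaluate(parse(LOG), "jdoe", TRAINING))
```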

Our ArcSight Intelligence solution can identify abnormal user behavior, measured against the user’s own history or against that of their peers. This alert process works in conjunction with the included ArcSight SOAR (Security Orchestration, Automation, and Response) solution. It can suspend access before the intruder is able to perform any nefarious functions.

Additionally, leveraging IDM tools like our NetIQ solution can grant minimal, granular access to perform only the duties required. NetIQ is just one of our many tools that align with Zero Trust principles by allowing the network owner to visualize the complete identity lifecycle of enterprise assets and users. It also governs access to all services and resources, while providing minimally required privileges for users, subsequently allowing access where needed and centralizing delegation of control policies.

Even if someone is able to gain unauthorized access to your data, additional tools exist to protect the data, making it indecipherable, while preserving the data type and format and maintaining referential integrity. That is just a small sampling of the value provided by our Voltage solutions, which protect data at rest, in motion, and more importantly, in use, thereby reducing overall risk. In fact, Voltage SecureData is a suite of encryption technologies that lets you integrate end-to-end data protection into other applications.

What if they wreak havoc?

This third layer is the worst-case scenario. It is the one in which an unauthorized party attempts and successfully gains access to a system, application, or database. They may have altered code, installed malware, or taken any number of other nefarious actions.

Without software tools to monitor changes and create restore points along the way, it could take a team weeks to uncover what was modified and recover from the damages. Given a data breach costs an organization an average of $4.2 million, according to a 2021 Cost of a Data Breach Report, the risks are high.

Fortunately, just like insurance policies will repair your home and repurchase anything that may have been destroyed or stolen, software solutions exist that will document any changes made by a cybercriminal and allow you to return the compromised system to its original state.

Our Data Protector solution does just that. It provides secure, comprehensive backup protection for business-critical data and applications whether virtual, physical, or online in the cloud. It turns weeks of arduous work into a far more manageable task.

Further, our Information Management and Governance (IM&G) solutions allow you to protect, manage, archive, and gain strategic insight from your data. Solutions like our content management tool provide governance-based enterprise content management, enabling you to supply the right content to the right user at the right time - from any device. Considering most enterprise data is unstructured, solutions like our IDOL offering deliver unstructured data analytics from text, audio, video, and image data, using AI and ML for exact results.

At the end of the day, an enterprise should be able to quickly and efficiently recover its IT environment to the best known and most stable configuration. Solutions like Network Operations Management and Data Center Automation can provide you with current and historic device configurations, allowing you to quickly get all your systems back to that last known good configuration.

Conclusion

With each successive layer breached, the potential for damage and risk to an organization grows. A breach of the third layer means the intruders were able to get through the first two layers and may already have access to sensitive information. They may have successfully interrupted your daily operations, thereby inhibiting you from achieving your mission.

Given the myriad ways a breach might occur, and the unknown damages a cybercriminal might create once inside, there isn’t a silver bullet that will solve all security challenges. There is a clear need for multiple tools protecting each layer.

While it is nice to dream about a world where breaches never happen, the reality is they do, almost constantly. Whether it’s by someone from inside your organization with existing access, or a stranger peeling back the layers, the amount of work and financial resources spent to discover what they did, how they did it, and how to fix it – without the right tools – is an inordinate sum.

It is far better to reinforce at each successive layer than to put all of your cybersecurity eggs in a single basket. Further, this means going beyond just getting tools. There is also the critical need for a strong commitment from leadership to lay out policies and steps, as well as the requirement for qualified, well-trained individuals to address your enterprise security threats and maintain a strong security posture. Yep, these are the old, yet still very relevant, PPT (people, process, technology) framework principles from the 1960s!

This blog is the result of a collaborative effort of the subject matter experts of the sales engineering team.