Velocity: The New Currency of Cybersecurity
Bill Thorn
Passionate about Cybersecurity, Cyber Risk and the Digital Future. Strategist | Architect | CISO | Chief Security Officer | Chief Technology Officer | Board Advisor | Consultant | Privacy Advocate
As a society, the price we collectively pay for cyber-attacks continues to grow, not only in the obvious financial and operational impacts, but in other physical and social hazards as well. The August cyber attack on Clorox has led the company to warn of likely supply shortages as we roll into flu season and the predictable and cyclical increase in COVID cases. The cyber attack on St. Margaret’s Health resulted in the hospital chain shuttering its doors, leaving area patients stranded. Attacks on other healthcare organizations such as Prospect Medical have resulted in ambulances re-routed away from the closest hospitals and surgical procedures delayed, placing patients at serious risk. With every new story the societal penalties seem to rise while the solution seems almost hopeless for many…almost.
In her talk at the Trellix Ransomware Detection & Response Virtual Summit in August 2023, the “Friendly Hacker” Keren Elazari highlighted some data points around how threat groups have begun cataloging and highlighting their exploit speeds. Additionally, in an October 5th Recorded Future article, the author highlights how cybercrime gangs have begun deploying ransomware (a late stage of an attack) in as little as 24 hours, down from 4.5 days a year ago. With the broad availability of tools such as ChatGPT and Bard providing new capabilities for everyone, including the threat actors, you can rest assured the velocity of attacks is going to increase in the near term.
In the race to build resiliency into our cyber architectures, a concept the security community must keep focus on is that same concept of “velocity.” Velocity in cybersecurity comes in several forms: velocity of comprehension, velocity of response, and velocity of recovery. Velocity before, during, and after an attack.
In the cybersecurity marketplace we see and hear a loud and steady stream of media on solutions, approaches, frameworks and other cyber practice recommendations, most having at least some merit, but few holistically revolutionizing the work at hand and helping solve adjacent challenges such as resource shortages.
Enter Extended Detection and Response (XDR). In a recent blog post, Trellix CISO Harold Rivas explains how true XDR has gone from just “marketechture” to a reality and, more importantly, a necessity for CISOs today. XDR becomes the critical linchpin for creating cyber resiliency in your organization, regardless of your philosophy or approach. Most importantly, XDR brings velocity to your program.
Velocity of Comprehension
Comprehension refers to the speed at which your organization can observe, interpret, and understand the modern and ever-changing operating environment and threat landscape in front of it. This comprehension becomes the driving force for effective (and automated) response and remediation of threats. Poor comprehension means the organization may not understand the goals and motives of the threat actors at its door, leaving key resources inadequately defended; it may see part of an attack but miss the bigger picture of a multi-staged threat; or it may miss the subtle changes made by a stealthy threat actor in the larger noise of a dynamic enterprise.
Velocity of Response
When responding to incidents, organizations must have clear, consistent, and holistic steps that are taken with speed and precision to minimize potential damage while ensuring complete eradication. Organizations must acquire the capabilities that will allow them to identify, classify, and respond to threats across their complete operating environment.
Velocity of Recovery
In the event an incident does occur, swift recovery is paramount to allow the organization to resume normal operations and minimize any financial, operational, or reputational damages. An organization’s resiliency is measured by its ability to recover quickly.
In conclusion, while technology, tactics, and strategies are essential components of a robust cybersecurity posture, the speed at which we comprehend, respond to, and recover from threats holds paramount importance. As cyber threats continue to evolve, velocity will undoubtedly remain a defining factor in an organization's ability to safeguard its digital assets and reputation.
To find out more about Trellix XDR, visit https://www.trellix.com/en-us/products/xdr.html.
Data Entry Expert | Web Scraping | Lead Generation
1 year ago: https://www.fiverr.com/s/bg9k11
Director, Marketing | Cybersecurity & Public Sector Expert
1 year ago: Great read, Bill Thorn