August 15, 2024

Chris Clements, VP of Solutions Architecture at CISO Global

High-Tech Pest Control = Threat Detection & Response

Imagine for a moment that your home has a rodent problem. To address this, you install a fancy system designed to automatically detect and trap animals before they can roam around your house and cause any damage. The system seems to work well; from time to time, you arrive home to find a mouse or a squirrel caught by the device. No big deal, right?  Lots of small critters about and the system is working as designed to catch them.

Now imagine one day you come home and find the system has detained… a polar bear. Suddenly, the fact that the system worked is not the first thing on your mind. A FREAKING POLAR BEAR IS IN YOUR KITCHEN. Something, and probably many somethings, have gone terribly wrong. This situation is definitely worth investigating: Where did it come from? How did it get in? Are there more on the way? And most importantly, how do you safely get rid of this thing? (I hear they love to drink cola).

Context is Everything

So how does this apply to cybersecurity? Unfortunately, I’ve been involved in more than one breach where the victim’s anti-malware solution (the “animal trap” in this scenario) caught the cyber equivalent of a polar bear in their kitchen, but the organization’s lack of response resulted in them getting, well, cyber-mauled.

The reality for every organization is that, sooner or later, a threat will make it through even the best preventive defenses. As such, protecting your organization with detection and response capabilities is crucial to staying resilient against cybersecurity threats. However, it’s simply not enough to acquire security tools, even good ones, without the experience and expertise to understand what they are telling you.

Let’s return to our polar bear analogy. Our hypothetical animal-catching system worked on both a mouse and a polar bear, but in context, one of these animals’ presence is a clear indicator of a larger problem. The same applies to cybersecurity detection and response.

Consider a scenario where an endpoint security tool like an EDR flags two suspicious files and “cleans” or “quarantines” them. One file is detected as “JollyWallet,” and the other is “Cobalt Strike.” Although the initial action was the same – the EDR flagged and stopped the program – the implications are vastly different. JollyWallet is simply an annoying adware package bundled with some free software downloads. Cobalt Strike, on the other hand, is a powerful offensive tool designed specifically to compromise computer systems. Its presence points to the very likely possibility that you have a cybercriminal actively running code in your environment, and the EDR happened to catch just one of the many attacks they are carrying out against you right now.

In other words, the adware is the mouse, while the offensive attack tool is a polar bear. Understanding this difference is crucial to staying safe, but it requires the experience and expertise to recognize what our detection and response tools are telling us in context.

Where Expertise Really Makes a Difference

Too many cyber breaches share a common failure: those responsible for administering the detection and response system saw the alert, but because the tool told them the threat had been stopped, and because they didn’t understand the alert in context, no additional responses were launched to investigate the cause.

This is where the power of a security operations center, or SOC, really shines. Not only does it provide robust 24/7 monitoring, but it does so with trained cybersecurity analysts. These analysts, when they see an alert for a “polar bear,” will understand that there is a bigger threat that needs an immediate response to stem a potentially catastrophic breach.

If you’re interested in having your business protected by 24/7 coverage from dedicated cybersecurity analysts and much more, get in contact with CISO Global today to get started. Don’t let a polar bear catch you off guard in your digital kitchen.

About the Author 

Chris Clements, CISSP, CCSA, CCSE, CCSE+, CCSI, CCNA, CCNP, MCSE, Network+, A+, began working in the information security field in 2001, and has a wide range of experience with information security technologies including: 

• Firewalls
• Intrusion Protection Systems (IPS)
• Intrusion Detection Systems (IDS)
• Virtual Private Networking (VPN)
• Anti-Malware
• Strong Authentication
• Disk Encryption

Chris is also an expert in information security design, security compliance, and penetration testing (ethical hacking) techniques such as: 

•  Vulnerability Assessment 
• Man in the Middle Attacks 
• SQL Injection 
• Cross Site Scripting 
• Phishing 
• Secure Environment Breakouts 
• Privilege Escalation 
• Password Interception 
• Password Cracking 

He has worked to secure hundreds of customers across North America, from Fortune 500 companies with billions in revenue to small businesses with just a few users.  He has developed in-depth security auditing and penetration testing products and service offerings and engaging end-user security awareness programs.  Chris also enjoys teaching and has led courses on information security for hundreds of students.  With his unique skill set and background in both technical operations and business management, Chris has strengths in business management, sales, and product and service delivery.  

The post The Polar Bear in Your Kitchen: A Cybersecurity Analogy appeared first on CISO Global.

*** This is a Security Bloggers Network syndicated blog from CISO Global authored by hmeyers. Read the original post at: https://www.ciso.inc/blog-posts/the-polar-bear-in-your-kitchen-a-cybersecurity-analogy/