One aspect of the cybersecurity landscape that has become brighter for defenders is that it has become easier to detect attacks that would previously have been apparent only through expert analysis of an information system's event log telemetry. While some attackers are overt and do little to hide their presence on the network, competent attackers often spend considerable time performing reconnaissance once they have established a beachhead on the organization's network. These attackers leave only subtle traces of their presence, traces that will go unnoticed unless you have intrusion detection systems sophisticated enough to recognize the signs of the intruder's activity. If an organization can detect attackers while they are still performing reconnaissance, before they have located and reached the systems and data they are after, it can substantially reduce the damage done.
In the past, Security Information and Event Management (SIEM) systems analyzed collected events and flagged suspicious activity using signatures and heuristics developed by the vendor. While these systems are effective at discovering suspicious activity, they can only detect activity whose characteristics the vendor has already recognized and encoded. To recognize a new kind of suspicious activity, the SIEM must first be updated with new signatures describing that activity, which means detection of a novel technique lags behind its first use.
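As an added example that is not part of the original post and is not any vendor's actual detection logic, the following Python sketches the kind of vendor-supplied heuristic a traditional SIEM applies to event log telemetry: a rule fires when one actor spreads an activity across too many distinct targets inside a time window, which is the signature of reconnaissance such as a password spray (many failed logons against many accounts from one address) or Kerberoasting (one account requesting RC4 service tickets for many services). Event IDs 4625 and 4769 and the field names IpAddress, TargetUserName, ServiceName and TicketEncryptionType are real Windows Security log identifiers; the thresholds, windows, the flattened one-line log format, and every sample line are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: Dict[str, str]


@dataclass
class Rule:
    """A SIEM-style 'too many distinct X from one Y in a window' heuristic."""
    name: str
    event_id: int
    group_by: str          # field identifying the actor (source address, account)
    distinct: str          # field whose spread signals reconnaissance
    threshold: int         # distinct values needed to raise an alert (assumed)
    window: timedelta      # sliding window length (assumed)
    where: Optional[Callable[[Dict[str, str]], bool]] = None  # extra filter


def parse_line(line: str) -> Event:
    """Parse the constructed flat format: '<iso-time> <event-id> k=v k=v ...'."""
    ts, eid, *pairs = line.split()
    return Event(datetime.fromisoformat(ts), int(eid),
                 dict(p.split("=", 1) for p in pairs))


def evaluate(rule: Rule, events: List[Event]) -> List[Tuple[str, str, int]]:
    """Return (rule name, actor, distinct count) for each actor crossing the threshold."""
    by_actor: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        if ev.event_id != rule.event_id:
            continue
        if rule.where is not None and not rule.where(ev.fields):
            continue
        by_actor[ev.fields[rule.group_by]].append(ev)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.time)
        for i, start in enumerate(evs):          # slide the window over each start point
            seen = {e.fields[rule.distinct] for e in evs[i:]
                    if e.time - start.time <= rule.window}
            if len(seen) >= rule.threshold:
                alerts.append((rule.name, actor, len(seen)))
                break                            # one alert per actor is enough
    return alerts


# Assumed thresholds; a real SIEM tunes these per environment.
RULES = [
    Rule("password_spray", 4625, group_by="IpAddress", distinct="TargetUserName",
         threshold=5, window=timedelta(minutes=10)),
    Rule("kerberoast", 4769, group_by="TargetUserName", distinct="ServiceName",
         threshold=5, window=timedelta(minutes=5),
         where=lambda f: f.get("TicketEncryptionType") == "0x17"),  # RC4 tickets
]

# Constructed sample telemetry (not real log data). 10.0.0.5 sprays six accounts;
# 10.0.0.7 is a user mistyping a password once; 'mallory' requests RC4 tickets for
# six services; 'carol' makes an ordinary AES (0x12) request.
SAMPLE_LOG = """\
2024-03-01T09:00:00 4625 IpAddress=10.0.0.5 TargetUserName=alice
2024-03-01T09:00:20 4625 IpAddress=10.0.0.5 TargetUserName=bob
2024-03-01T09:00:40 4625 IpAddress=10.0.0.5 TargetUserName=carol
2024-03-01T09:01:00 4625 IpAddress=10.0.0.5 TargetUserName=dave
2024-03-01T09:01:20 4625 IpAddress=10.0.0.5 TargetUserName=erin
2024-03-01T09:01:40 4625 IpAddress=10.0.0.5 TargetUserName=frank
2024-03-01T09:02:00 4625 IpAddress=10.0.0.7 TargetUserName=alice
2024-03-01T09:02:05 4624 IpAddress=10.0.0.7 TargetUserName=alice
2024-03-01T09:05:00 4769 TargetUserName=mallory ServiceName=MSSQLSvc TicketEncryptionType=0x17
2024-03-01T09:05:10 4769 TargetUserName=mallory ServiceName=HTTP TicketEncryptionType=0x17
2024-03-01T09:05:20 4769 TargetUserName=mallory ServiceName=ldap TicketEncryptionType=0x17
2024-03-01T09:05:30 4769 TargetUserName=mallory ServiceName=cifs TicketEncryptionType=0x17
2024-03-01T09:05:40 4769 TargetUserName=mallory ServiceName=exchangeMDB TicketEncryptionType=0x17
2024-03-01T09:05:50 4769 TargetUserName=mallory ServiceName=TERMSRV TicketEncryptionType=0x17
2024-03-01T09:06:00 4769 TargetUserName=carol ServiceName=cifs TicketEncryptionType=0x12
"""


def run_rules(lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, int]]:
    events = [parse_line(ln) for ln in lines if ln.strip()]
    alerts: List[Tuple[str, str, int]] = []
    for rule in rules:
        alerts.extend(evaluate(rule, events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG.splitlines()):
        print(alert)
```

The point the paragraph makes is visible in the code: each rule encodes one attacker behaviour the author already knew about, so an attacker who sprays four accounts per address, or spreads ticket requests over six minutes, slips under both thresholds until someone writes a new rule.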
Cloud-based services, such as Azure Security Center, Azure Advanced Threat Protection, and Windows Defender Advanced Threat Protection, provide organizations with more effective threat detection functionality than traditional methods, such as manual telemetry analysis. These cloud-based services have access to Microsoft’s Security Graph. Microsoft’s Security Graph centralizes the security information and telemetry that Microsoft collects across all its sources. This includes telemetry related to attacker activity across all of Microsoft’s customers, as well as information from Microsoft’s own ongoing security research efforts.
Through machine learning analysis of this vast trove of data, Microsoft can recognize the subtle characteristics of attacker activities. Once the characteristics of a specific attack are recognized through analysis of this immense data set, similar activity will be detected should it occur on customer networks.
The cybersecurity landscape has also changed now that defenders increasingly have access to tools like Azure Security Center that can highlight and, in some cases, remediate security configuration problems on monitored information systems. In the past, information security professionals had to work through configuration checklists by hand when hardening servers, clients, and other equipment. Today services such as Azure Security Center can recommend the configuration changes that should be made to on-premises and cloud-hosted workloads to make them more secure. Because the recommendations are delivered as a service, they can be updated as new threats emerge, which helps ensure that an organization's security posture does not silently fall out of date between manual reviews.
Defenders also have access to breach and attack simulation tools. Rather than relying on experienced penetration testers performing red team exercises to locate known weaknesses in an organization's information systems configuration, breach and attack simulation tools emulate known attacker techniques against the environment and report the weaknesses those techniques expose. While such tools won't find every possible vulnerability, they are likely to detect the ones most often exploited by attackers. If defenders remediate everything such tools find, their engagement with penetration testers performing red team exercises is likely to be more valuable. Running such tools before engaging a red team reduces the likelihood of expensive penetration testers spending their time compiling a list of obvious configuration weaknesses that even the most cursory examination should have found. When an organization engages penetration testers, the hope is that they'll discover something the organization's information security staff couldn't have seen, not something the staff already knew about but hadn't got around to addressing.
Click HERE to learn more about Cybersecurity Training & Development Opportunities at Babbage Simmel or call (614) 481-6555.