Identifying Data Threats Early

If you work in the information security field long enough, eventually you come to the understanding that you have a job that means – at some point in your career – you will make a mistake or overlook something that will lead to data being compromised. The failure could be a small, fleeting moment with little to no harm done, or it might be catastrophic and lead to public scrutiny and lawsuits.

That may sound like a bold statement, but I believe this is true. That’s why I am trying to draw your attention to the fact that no matter how much time, brainpower, or money you throw at your network and systems, threat actors can and will eventually wreak havoc in your enterprise environment.

Let’s look at a couple of statistics from 2019.

- In 2019, the average time to identify a network breach was 206 days (IBM)

- The average lifecycle of these network breaches persisted for 314 days (IBM)

- 64% of Americans have not verified whether their networks have been compromised (Veronis)

In 2014, Marriot-Starwood suffered a data breach that began by compromising the reservation systems, which gave the culprits unfettered access to Marriot’s data. While you most likely have already heard about this attack, keep in mind the breach was not found until 2018. The threat actors had access to the personal data of more than 500 million customers for four years.

Imagine having to deal with the fallout from all these customers and helping them in the wake of this breach. From informing those individuals and fielding the customer support queries to battling reputational damage to your brand, the impact is massive. Follow that with a fine of $123 million from E.U. regulators for privacy violations, which is the cherry on top.

Yet learning lessons can be hard, apparently: last month Marriott disclosed that it once again was victim of another data breach, this time affecting around 5.2 million user records.

As cybersecurity professionals, where does the realization that compromises will happen leave us? Should we all quit and decorate cupcakes for the rest of our lives? No! There is already a shortage of cybersecurity professionals in this world. Instead we need to focus our understanding on how we can learn what is going on in our networks, what should not be on our networks, and what tools we must have in place so we can uncover compromises as early as possible.

Let’s address some of the main challenges that IT and Security teams run into.

- IT is getting more complex, with a growing mix of containers, cloud, devices, agile deployment, SDN/SDWAN, etc.

- Many consoles means it’s not simple to apply one protection plan across the whole organization, let alone orchestrate or audit it all from one console

- Disaster recovery plans are either nonexistent or they are never tested

- There is never enough (skilled) resources and budget

- Misunderstandings persist of how threat intelligence works or how to utilize it most efficiently

- There’s a lack of proper malware remediation and internal network hunting

- Backup systems may run, but there’s no way to check if you have been backing up an already compromised system.

- When you do have backup files, they are often the first things deleted by attackers

- Not updating OS and software packages leads to vulnerable VPN software, CMS, etc.

- There’s often a lack of Data Loss Prevention (DLP) or data management control for cloud applications

- Many lack unified secure password management capabilities

Each of these struggles come with their own issues that can cascade into an overwhelming workload for even the most seasoned professionals. Each comes with a list of requirements as well: be it the headcount to support or the expertise to build and configure it according the compliance platform your company uses. MSPs are a great example of how these struggles can affect the company’s ability to be both profitable and expandable.

MSPs offer services to businesses who cannot afford to create and house their own 24/7 security operations center (SOC). Usually they have either a service level agreement (SLA) or service level objective they must meet for their customers. For the MSP, the goal is to bring on more and more clients and deploy their SOC monitoring software as quickly as possible, supporting each customer with as few analysts as possible. This keeps their overhead low and income up.

How can MSPs handle all of these attack surfaces from each client, as well as quickly respond to incidents and ensure they have their clients’ backs without losing data?

- Some MSPs work with automation platforms like Phantom and Demisto to offer automated incident response (IR) solutions.

- Some create proprietary systems using open-source software.

- Still others run a SOC that’s a mix of separate solutions, each addressing one of these struggles: one for patching, one for endpoint detection and response (EDR), one for backup and recovery, and still others for remote desktop access and management. Unfortunately, that patchwork approach is costly, is not integrated (creating gaps in your defense), and is difficult to manage.

Rather than rely on a patchwork approach or outdated solutions that were never designed for today’s IT needs, using a unified, integration platform like Acronis Cyber Protect Cloud enables service providers to deliver backup, disaster recovery, AI-based anti-malware, security and management tools, file sync and share, and blockchain-based file notarization services – all managed from a single console.

Because Acronis Cyber Protect Cloud includes a single deployment agent that installs on the client’s endpoints, once the SOC analyst adds it to a plan in their console, it is ready and reporting in. The console provides auto-discovery for vulnerability management, so if a machine is running outdated software or is missing an emergency patch, the analyst can detect and deploy immediately.

Endpoint protection and disaster recovery policies are managed from here as well. If there are users who need different levels of access to certain areas of the network or internet (e.g. a marketing creative needs access to YouTube, but you don’t want to white list it across the whole network), you can set this in their machine policy right from the machine view.

If a machine gets compromised, you can quarantine if from the network in this console as well. Once you do your investigation, you can set a rule to search all other machines to look for this signature to identify other machines that may be infected.

Ransomware protection is also state-of-the-art, utilizing AI to detect and stop ransomware from making changes to a machine in real-time. Acronis Cyber Protect Cloud then uses the backup and recovery capabilities to recover any infected files that were changed prior to halting the attack.

While Acronis provides real-time, full-image, file system backup, more importantly it allows these backups to be scanned for threats as well. That means if the malicious file that infected the machine was backed up in the last run, you can scan the backup and remove the threat prior to recovery. These capabilities will allow your incident response team to not only see a compromised machine very early on, but also allow you to remediate it from the same console.

Even multimillion-dollar companies that have global cyber operation centers and dozens of security analysts monitoring these systems 24/7 can’t seem to keep these events from happening. Perhaps these companies are either not paying enough attention or they are using the wrong tools. Maybe it’s both.

By combining a single pane of glass with a rapid, single-agent deployment, MSPs can cut down on customer onboarding time, which is their bread and butter. Empowering MSPs and small businesses with the must-have capabilities needed to handle these incidents easily – without requiring countless hours of training to master multiple products – can be extremely valuable.

So when a SOC analyst claims their biggest struggle is “getting lost in multiple consoles,” you can say “I have a solution to that.” By installing the Acronis Cyber Protect Cloud agent on endpoints, you’ll stop searching logs for the anomalous event so you can write a new alert. Instead, you’ll start actively seeing your network and know what is happening in real-time, making it easy to spot threats early.

If you would like to try Acronis Cyber Protect Cloud, get a 30-day trial or request a demo here.