In this four-part whiteboard animation, a WWT security expert discusses lessons learned from past network breaches, how your network is penetrated, monitoring suspicious activity and what resources to invest in to protect your network.
What we've learned about security breaches
With breaches like Aurora, Night Dragon and Kaspersky's Operation Red October, we've learned that if someone really wants to gain access to your network, they will. Intruders use zero-day attacks, leaving you no line of defense, and reuse existing code to mask their identity. Once intruders are in, they move internally, become hard to track and look for ways to export data out to the Internet. You have the skills to combat breaches, but hackers have caught on to sandboxing and virtual machines. You must consider every access point into your network to be prepared for a breach.
How the breach occurs
There are multiple ways to get into your network. Intruders can gain access to your systems by maintaining persistence and by using zero-day vulnerabilities that were never disclosed. In addition, once they're in, there are multiple ways they can move around within your network or deeper into your enterprise. One way to identify potential breaches is through penetration testing.
Preventing a breach with indicators of compromise
Although penetration testing can help raise red flags, there are still vulnerabilities that go untested and remain exposed. For example, is there a way to access your network through outsourced resources? What about areas that are marked off-limits during testing, or technologies like VoIP that we take for granted? So, what should you invest in to secure your network and monitor suspicious activity? You need to invest in big data. Having the data and metrics to create indicators of compromise is key, and it can shorten an attacker's dwell time if and when a breach occurs.
Leveraging big data
You need to have a cyber analytics reference architecture in place for visibility into what's going on in the network. During the breach timeline, you'll want to compress the threat to put pressure on the hacker. This lessens their ability to entrench themselves in your network.