Cybersecurity attacks are becoming increasingly sophisticated. What does this mean for your company or organization? It means your defense tactics against cyberthreats need to become just as smart and sophisticated as the methods of those who are attacking you. But who can comprehend everything that’s happening right now on your network? You can, with the help of machine-comprehended threat detection. By unearthing accurately tracked activity trails of malicious attackers in real time, you can detect cybersecurity intrusions in your organization, enabling you to radically simplify your cybersecurity operations. Powerful new technologies are now coming to market that can facilitate this, such as that developed by Confluera, a company that provides cloud cybersecurity detection and response. To better understand the situation and what IT leaders can do about it, I recently talked with John Morgan, CEO of Confluera. John has more than 20 years of leadership experience spanning early-stage startups to public companies, including Microsoft, MobileIron, Nokia, and SonicWall. Most recently, he was general manager of security at F5 Networks, where he played a pivotal role in establishing the company as a cybersecurity leader.
MITCH: John, how common is it these days for organizations to have their IT infrastructure compromised and not even be aware of it?
JOHN: The average dwell time for cyberattacks continues to be in excess of six months. That is almost a lifetime for attackers who have already infiltrated your network and are now looking for their prize, all while under the radar of most security solutions. Many modern attacks, ranging from ransomware to APTs, are multistage attacks following carefully choreographed steps to infiltrate and, via lateral movement, progress the attack throughout the network. Unless organizations are fortunate enough to detect the attack at the onset, they are practically blind to it. Unfortunately, the next alert or notification the organizations receive regarding the attack is when their confidential information is found in the wild, well after the breach. The fact is, many organizations’ networks and infrastructure have already been breached. They simply do not have the necessary tools, expertise, and resources to accurately track these attacks once they are in.
MITCH: Are businesses that rely upon the cloud less likely to find themselves in such a position?
JOHN: In short, no. The cloud has pros and cons for overall cyber-risk. The increased frequency of service updates as well as the ability to quickly roll out patches all help to keep cloud services up to date and improve security. However, the cloud is much more complex, and often one of the biggest challenges in the cloud is simply knowing what assets and apps are even deployed, given everything is software. When visibility and inventory are an issue, then security is an issue, given it’s hard to secure what you don’t know exists. When the inventory is clear, the cloud is a complex model of IaaS, PaaS, and SaaS services with new architectures and a dynamically changing environment with a larger surface area, which creates new security challenges. Security personnel need to be trained specifically for the cloud. Naturally, some security solutions are better geared to support cloud and hybrid networks than traditional on-premises networks.
MITCH: Cybercriminals often begin by leveraging a software bug to gain initial access and then follow this with other actions to elevate privileges, gain control, and cover their tracks. Why is it important to be able to map out the steps taken in a network intrusion?
JOHN: Once a breach occurs, organizations use tools to start piecing together the story of how the attacker entered the network, progressed within the network, and ultimately reached their prize. Typically, this occurs post-breach, given the majority of tools in the market today are not real-time and not comprehensive enough to create an accurate sequence of the attack across multiple systems. The analysis provides the necessary insight into all the systems and services which could have been compromised, and it’s used to determine what was compromised and how. With this information, better security policy and protection can be implemented to stop future events, the attack spread will be understood so that all impacted systems can be repaired, and all disclosures and corrective actions can be taken.
MITCH: What sort of tools and methodologies can be used to track how an intrusion occurred step by step?
JOHN: With traditional tools such as SIEMs and EDRs, there is a challenge in correlating events. The task of correlating events is often manual, laborious, and error-prone. While some management solutions can offer aid, these solutions require active contributions by security analysts. One challenge is tracking lateral movements, and another is tracking attacks across large time intervals, which is a way for the attacker to obfuscate their signal in a sea of noise. Once in, attackers can pause before making another move for hours, days, or even weeks. Many detection and response solutions offer limited windows of detection, and attackers are constantly changing their tactics to be just outside that window. There is a new breed of tools hitting the market for cloud and hybrid detection and response, built on XDR technologies, that help with these problems.
MITCH: Let me end by asking you about what Confluera offers in this area that brings unique value to organizations seeking to protect their infrastructure from malicious actors.
JOHN: Confluera is an advanced cybersecurity detection and response solution designed specifically for cloud, hybrid, and modern application architectures. Our unique approach will reduce the time to detect and shut down an attack while requiring less sophisticated cyber-expertise, bridging the gap between cloud security and the security operations teams. A key benefit offered by Confluera is our ability to provide real-time threat storyboarding. Organizations spend time and highly skilled cyber-analyst resources creating a threat storyboard after a breach has already occurred because tools don’t do it for them. Why not create the storyboard in real time as the attack is unfolding, so you can stop the attack in progress? That is the value we bring to cloud and hybrid detection and response. Unique value also includes multistage lateral movement visibility and the best low-and-slow attack detection to reduce costs and time to respond, mitigating or stopping cyber-damages.
MITCH: John, thank you for taking time out of your busy schedule to talk with me about this important subject.
JOHN: You’re most welcome!
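John's point about fixed detection windows (attackers pausing for days or weeks between steps so that each step falls outside the correlation window of a SIEM or EDR) is easiest to see on data. The following is an added example, written for this page and not code from Confluera or from the interview; it reconstructs an attack chain ("storyboard") from a constructed set of per-host events by linking each lateral-movement event back to the chain that already touched its source host. The event schema, host names and log details are all assumptions made up for the illustration. Run with no window, the correlator stitches a three-week, three-host intrusion into one chain; run with a two-day window, the same events fragment into disconnected pieces, which is exactly the blind spot a low-and-slow attacker relies on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Event:
    """One normalized host event (hypothetical schema for this example)."""
    ts: datetime
    host: str
    kind: str                     # initial_access | privesc | lateral | exfil
    detail: str
    src_host: Optional[str] = None  # for 'lateral' events: where the session came from

# Constructed sample telemetry: one intrusion spread over ~3 weeks, plus one unrelated event.
T0 = datetime(2021, 3, 1, 9, 0)
EVENTS = [
    Event(T0, "web-01", "initial_access", "httpd spawned /bin/sh"),
    Event(T0 + timedelta(minutes=7), "web-01", "privesc", "sudo to root via misconfigured rule"),
    Event(T0 + timedelta(days=3), "ci-01", "lateral", "ssh login as builder", src_host="bastion"),
    Event(T0 + timedelta(days=6), "app-02", "lateral", "ssh login as svc-deploy", src_host="web-01"),
    Event(T0 + timedelta(days=6, hours=1), "app-02", "privesc", "new root cron job"),
    Event(T0 + timedelta(days=15), "db-01", "lateral", "ssh login as postgres", src_host="app-02"),
    Event(T0 + timedelta(days=20), "db-01", "exfil", "12 GB outbound to unknown IP"),
]

def build_chains(events, window: Optional[timedelta] = None):
    """Group events into attack chains.

    A lateral event anchors on its source host; everything else anchors on the
    host it happened on. The event joins the first chain that already touched
    the anchor host, unless `window` is set and the chain's last activity is
    older than that (this models a detection tool with a fixed correlation window).
    """
    chains = []
    for ev in sorted(events, key=lambda e: e.ts):
        anchor = ev.src_host if ev.kind == "lateral" else ev.host
        chain = None
        for c in chains:
            if anchor in c["hosts"] and (window is None or ev.ts - c["last_ts"] <= window):
                chain = c
                break
        if chain is None:
            chain = {"hosts": set(), "events": [], "last_ts": ev.ts}
            chains.append(chain)
        chain["hosts"].add(ev.host)
        chain["events"].append(ev)
        chain["last_ts"] = ev.ts
    return chains

def longest_chain(chains):
    """The chain with the most events; the best candidate for a storyboard."""
    return max(chains, key=lambda c: len(c["events"]))

def storyboard(chain):
    """Human-readable sequence of one chain, in time order."""
    return [f"{e.ts:%Y-%m-%d %H:%M} {e.host:7} {e.kind:15} {e.detail}" for e in chain["events"]]

if __name__ == "__main__":
    print("Unbounded correlation:")
    for line in storyboard(longest_chain(build_chains(EVENTS))):
        print("  " + line)
    frag = build_chains(EVENTS, window=timedelta(days=2))
    print(f"\nWith a 2-day window the same data yields {len(frag)} disconnected chains; "
          f"longest has {len(longest_chain(frag)['events'])} events.")
```

The unrelated `ci-01` login correctly stays its own one-event chain because nothing had touched `bastion` before it, so the linking is by causal path (where the session came from), not by time proximity. Real telemetry needs a stable way to tie a login to its originating session (source IP plus credential plus process lineage, not just a hostname), and the chain store must be retained for the whole dwell time rather than a fixed number of days, which is where the cost of this approach actually sits.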
Featured image: Shutterstock