Among the chief concerns for security leaders today is a lack of visibility into risk and threats in the corporate ecosystem. COVID has only exacerbated the issue as organizations of all sizes and in all industries accelerate digital transformation plans in order to enable a mobile workforce. The ecosystem today has become expanded and fragmented due to rapid adoption of cloud and SaaS systems and the shift to a mobile workforce.
There are more opportunities for mistakes and security issues than ever before, and attackers are taking notice. First, they are finding new points of entry through home networks and devices. Second, the lockdowns have given them an opportunity to hone their skills and make attacks more sophisticated.
With more endpoints on the network and a higher volume and sophistication of attacks, it’s no surprise that security teams are inundated with alerts. There are too many signals coming in, which obfuscates actual security incidents and takes time away from other critical engineering work.
These factors call for a more streamlined, strategic approach to security visibility and threat detection. At Kudelski Security, we use a four-step framework in order to help security teams gain a 360-degree view of enterprise business security, identify and prioritize relevant risks, and adapt response and monitoring capabilities accordingly.
Step 1: Determine your threat profile and business-specific risks.
First and foremost, to understand your threat profile, you have to understand exactly what’s on your network. It’s especially hard right now, as IoT and BYOD have exploded since the workforce moved remote, but the more visibility you have, the better you can control and monitor it.
Similarly, patch management plays a large role in your threat profile. It’s a back-to-basics type of activity, but vulnerable systems remain one of the most common ways for attackers to get into the network. It’s critical to continually assess the status of vulnerable systems and validate that patches have been applied properly.
With a better understanding of your threat profile, you can start to identify your business-specific risks. It’s easy as security leaders to look at the latest cybersecurity news and vulnerabilities and turn our focus to that. What’s more important, however, is to understand where the risks and true threats are for your business and to get visibility into those specific areas.
Step 2: Understand the 16 known threat categories.
As you begin to execute a threat monitoring practice, you have to know exactly what you’re looking for and why you’re looking for it. A haphazard approach may make your team feel “busy” but won’t necessarily be productive. As part of our client work in our Cyber Fusion Center, we’ve developed 16 threat monitoring use cases and identified associated attacker behavioral patterns in order to help focus and guide monitoring efforts.
Step 3: Outline the required data sources necessary for visibility.
A SIEM or log management platform is only going to be as useful as the data feeding into it. For many companies, installing a SIEM is meant to check a compliance box. For effective threat monitoring, however, you must be intentional about the data you’re collecting. Otherwise, you’re just filling up the SIEM with data that isn’t relevant to your business or the risks you face.
Take a couple of steps back and look at your threat profile and your identified business risks and then determine what type of data you need to collect in the platform. Look at the attacker behavior patterns, so you can identify and address threats before they become an actual indicator of compromise.
Step 4: Expand visibility based on threat models.
The threat landscape is constantly evolving and expanding, which means your security visibility and threat detection capabilities must expand and evolve as well. By having all the right data from the start, analysts, whether in an internal SOC or outsourced through an MSS partner, can fully investigate issues and validate their legitimacy. This reduces the number of alerts being thrown over the fence, so your team can focus its response on actual security incidents.
It’s also important to be prepared for the unknown threats happening now or potential issues related to vulnerabilities or new attack vectors. This requires proactively looking for indicators of compromise through threat hunting practices. For example, WMI or PowerShell activity could just be an admin deploying some software or it could be an indicator that a bad actor is attempting to move laterally through the network. Having threat hunting as part of your visibility and monitoring practice, whether internal or outsourced, is incredibly important for preventing future attacks.
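The PowerShell/WMI example above is the kind of signal a threat hunt has to separate from routine administration. The following Python is an added example, not Kudelski Security's tooling or the Cyber Fusion Center's use cases: it scores constructed, Sysmon-style process-creation records on indicators a hunter would look at (PowerShell launched by the WMI provider host, an encoded command, a hidden window), suppresses a known software-deployment path, and then looks for one account fanning out to several hosts in a short window. The host names, account names, command lines, allowlists and thresholds are all assumptions to be tuned to your own environment.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape a SIEM might normalize process-creation
# events into. Hosts, users and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "ws-101", "user": "CORP\\svc-sccm", "parent": "CcmExec.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Deploy\\install.ps1"},
    {"ts": 1030, "host": "ws-102", "user": "CORP\\svc-sccm", "parent": "CcmExec.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Deploy\\install.ps1"},
    {"ts": 2000, "host": "ws-201", "user": "CORP\\jdoe", "parent": "WmiPrvSE.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"ts": 2045, "host": "ws-202", "user": "CORP\\jdoe", "parent": "WmiPrvSE.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"ts": 2090, "host": "ws-203", "user": "CORP\\jdoe", "parent": "WmiPrvSE.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"ts": 3000, "host": "ws-301", "user": "CORP\\asmith", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
]

# Assumed allowlist: the account and parent process that legitimately launch
# PowerShell at scale for software deployment in this fictional environment.
DEPLOYMENT_ACCOUNTS = {"CORP\\svc-sccm"}
DEPLOYMENT_PARENTS = {"CcmExec.exe"}

# -e / -ec / -enc / -EncodedCommand followed by an argument; -w hidden / -WindowStyle hidden.
ENCODED_RE = re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s")
HIDDEN_RE = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden")


def score_event(ev):
    """Return (score, reasons) for one process-creation record.

    Each matched indicator adds one point; a record from the known deployment
    account and parent is treated as baseline noise and scores zero."""
    if ev["image"].lower() != "powershell.exe":
        return 0, []
    if ev["user"] in DEPLOYMENT_ACCOUNTS and ev["parent"] in DEPLOYMENT_PARENTS:
        return 0, ["known deployment account and parent"]
    reasons = []
    if ev["parent"].lower() == "wmiprvse.exe":
        reasons.append("launched by WMI provider host (remote WMI execution)")
    if ENCODED_RE.search(ev["cmdline"]):
        reasons.append("encoded command")
    if HIDDEN_RE.search(ev["cmdline"]):
        reasons.append("hidden window")
    return len(reasons), reasons


def hunt(events, window=300, min_hosts=3, min_score=2):
    """Return (findings, fanout).

    findings: (host, user, score, reasons) for every record at or above min_score.
    fanout: {user: sorted hosts} for users whose suspicious PowerShell reached at
    least min_hosts distinct hosts within `window` seconds, the lateral-movement
    shape the text warns about."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score:
            findings.append((ev["host"], ev["user"], score, reasons))
            by_user[ev["user"]].append((ev["ts"], ev["host"]))
    fanout = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                fanout[user] = sorted(hosts)
                break
    return findings, fanout


if __name__ == "__main__":
    found, spread = hunt(SAMPLE_EVENTS)
    for host, user, score, reasons in found:
        print(f"{host} {user} score={score}: {'; '.join(reasons)}")
    print("fan-out:", spread)
```

Run as written, the deployment account's two launches and the analyst's interactive `Get-Process` score zero, while the three WMI-launched, encoded, hidden-window sessions from one account within 90 seconds are reported both individually and as a fan-out across three hosts. The allowlist is what keeps the admin's deployment from becoming noise; without it the hunt would drown in exactly the alerts the paragraph above complains about.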
Kudelski Security applies this four-step framework for all managed services clients through our Cyber Fusion Center (CFC), a Gartner-recognized service that combines use case frameworks, purpose-built tools, and cutting-edge technologies with rich business and contextual data to detect threats faster, respond more effectively, and reduce risk. To request more information about the CFC, contact us here.
This blog is based on the webinar “2020 Business Agility” with Kudelski Security partners Pulse Secure, illusive networks, and F5.
Contact tracing is especially top of mind given the global challenges surrounding COVID-19, and, in some cases, it’s a requirement as organizations begin re-opening their doors to employees and customers. Analyzing location-based data from network-connected devices or Bluetooth and mobile application signals can significantly reduce workplace risk and enable a safe return to work.
We recently sat down with Joel Crane, Partner Sales Engineer at Juniper, and Ron Frederick, VP of Solutions Architecture at Kudelski Security, for a webinar covering effective methods for user location data collection and how to apply the analysis of that data to reduce workplace risk through various forms of contact tracing. A recap of that discussion is below.
Three ways network-based location data can be analyzed to reduce workplace risk
Enforce social distancing guidelines with congestion alerting. Congestion alerting is the most straightforward way to use location data. It doesn’t require user-level identification, just signals from Bluetooth, WiFi, or a mobile application. Defining a capacity limit for each area or zone will allow you to identify areas that exceed the allowed number of users, at which point you may choose to alert those nearby users that they are in or entering a congested area.
Identify potential contact events with proximity tracing. Proximity tracing looks at user-level location data to identify possible encounters, e.g. the areas and contacts the user comes in contact with and the time and duration of the encounter. This type of analysis requires the user to be identified by their device via Bluetooth, WiFi, or a mobile application.
Understand the potential spread with user journey mapping. Together with proximity tracing, user journey mapping creates a map that allows you to trace a user’s journey throughout a site, floor or zone as defined by your network access points. User journey mapping also requires user-level identification, which can be provided by a Bluetooth device, WiFi connection or mobile application.
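The three analyses above all run on the same raw input: a stream of (time, device, zone) observations from access points, beacons or an app. The following Python is an added example, not Juniper's Mist analytics or Kudelski Security's code, that implements each of them over a small constructed data set: congestion alerting needs only device counts per zone, proximity tracing needs device identities to find who shared a zone and for how long, and user journey mapping turns one device's observations into an ordered list of zone transitions. The zone names, capacities, device ids and sampling interval are assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed observations: (timestamp_seconds, device_id, zone). A device id
# stands in for whatever identifies the user (hostname, MAC, badge beacon id);
# zones are areas defined by access-point coverage. Samples every 60 seconds.
OBSERVATIONS = [
    (0,   "dev-A", "lobby"),
    (0,   "dev-B", "lobby"),
    (0,   "dev-C", "lobby"),
    (60,  "dev-A", "lobby"),
    (60,  "dev-B", "lobby"),
    (60,  "dev-C", "cafe"),
    (120, "dev-A", "floor2"),
    (120, "dev-B", "lobby"),
    (120, "dev-C", "cafe"),
    (180, "dev-A", "floor2"),
    (180, "dev-C", "floor2"),
]

# Assumed per-zone occupancy limits for congestion alerting.
ZONE_CAPACITY = {"lobby": 2, "cafe": 5, "floor2": 10}


def _devices_per_zone(observations):
    """Group observations into {(timestamp, zone): set of device ids}."""
    seen = defaultdict(set)
    for ts, dev, zone in observations:
        seen[(ts, zone)].add(dev)
    return seen


def congestion_alerts(observations, capacity):
    """Congestion alerting: (timestamp, zone, count) wherever the number of
    distinct devices in a zone exceeds its capacity. Identities are not needed,
    only counts, so this works on unconnected/unidentified devices too."""
    seen = _devices_per_zone(observations)
    return sorted(
        (ts, zone, len(devs))
        for (ts, zone), devs in seen.items()
        if len(devs) > capacity.get(zone, float("inf"))
    )


def proximity_contacts(observations, sample_interval=60, min_duration=60):
    """Proximity tracing: {(device_a, device_b): seconds co-located} for every
    pair seen in the same zone at the same sample time, keeping pairs whose
    accumulated contact time is at least min_duration."""
    seen = _devices_per_zone(observations)
    shared = defaultdict(int)
    for devs in seen.values():
        for a, b in combinations(sorted(devs), 2):
            shared[(a, b)] += sample_interval
    return {pair: secs for pair, secs in shared.items() if secs >= min_duration}


def user_journey(observations, device):
    """User journey mapping: ordered [(enter_timestamp, zone), ...] for one
    device, collapsing consecutive samples in the same zone into one stay."""
    journey = []
    for ts, dev, zone in sorted(observations):
        if dev == device and (not journey or journey[-1][1] != zone):
            journey.append((ts, zone))
    return journey


def contacts_of(observations, device, **kwargs):
    """Convenience view for an exposure inquiry: who shared a zone with `device`."""
    return {
        (b if a == device else a): secs
        for (a, b), secs in proximity_contacts(observations, **kwargs).items()
        if device in (a, b)
    }


if __name__ == "__main__":
    print("congestion:", congestion_alerts(OBSERVATIONS, ZONE_CAPACITY))
    print("contacts >= 90s:", proximity_contacts(OBSERVATIONS, min_duration=90))
    print("journey of dev-C:", user_journey(OBSERVATIONS, "dev-C"))
    print("contacts of dev-A:", contacts_of(OBSERVATIONS, "dev-A", min_duration=90))
```

On the sample data the lobby trips its limit only at the first sample, devices A and B accumulate two minutes together in the lobby while A and C meet again on floor 2, and C's journey reads lobby, cafe, floor 2. The minimum-duration threshold is the knob that decides what counts as a contact event; co-location in one 60-second sample is usually noise, which is why the defaults here require more than a single sample.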
Methods of collecting user location data for analysis
The type of analysis you’re able to perform depends on the accuracy and completeness of the location data you’re able to collect. There are three primary methods of collecting location data—each with its own advantages and disadvantages.
WiFi is the best place to start for location data gathering. It’s the easiest method to deploy, only requiring an access point to be installed. In fact, Juniper includes this type of tracking with all their Mist deployments. WiFi is always-on, meaning your location data is nearly real-time. Its one limitation, however, is accuracy. WiFi location data is accurate at about 5-10 minutes, which is okay but not great.
There are two variations of WiFi data collection: connected users and unconnected users. Connected users have a phone or device connected to the WiFi network. This allows you to track users at the individual level by hostname or MAC address. Collected data from unconnected users won’t give you the ability to uniquely identify a user, but it will show you how many devices are scanning for WiFi in a certain zone.
Bluetooth is a great option for collecting location data because it’s always-on. It’s easy to connect a user to a Bluetooth device, especially if you implement a Bluetooth beacon on employee badges (e.g. kontakt.io). If you’re looking at all Bluetooth devices, however, you will need to account for users having multiple devices on their person—a phone, headphones, badge, etc. Bluetooth location data is moderately accurate at about 3-5 meters.
Bluetooth also provides the most variety in terms of the methods of data collection available. Passive BLE listening, for example, can tell you where Bluetooth devices are, but not who they belong to. BLE tags, like kontakt.io beacons, are constantly signaling and would be tied to a specific user, giving you more precise, real-time location data. Finally, BLE application-based tracking ties to a user’s device….
Using an application installed on a mobile phone is the most accurate way to collect user-level location data, at about 1-3 meters accuracy. This makes it very precise, but with a caveat: you are only able to collect data from users who have the app installed on their device. For corporate devices, this won’t be a problem, because you can use your mobile device management platform to push the app to all employees. For BYOD or customer devices, however, you may need to offer an incentive to entice users to install the mobile app. Mobile applications also allow for bi-directional communication, which enables push notifications and blue dot navigation if needed.
Juniper’s Mist platform now supports digital contact tracing to enable a safe, secure return to work. Mist customers can perform capacity analysis, proximity tracing and user journey mapping with a subscription to Juniper’s Assistant and Premium Analytics services.
For assistance in evaluating a digital proximity tracing solution, request a consultation with Kudelski Security’s Advisory Services here.
Watch the Contact Tracing webinar here.