From 2005 to 2020, almost 160 million individuals were affected by data breaches in the United States alone. In April last year, more than 500 000 Zoom accounts were found for sale on the Dark Web. As if that is not bad enough, it takes an average of 228 days to identify a breach and 80 days to contain it. Just imagine the financial and reputational consequences for an organisation if a malicious user has almost seven months free reign on the corporate network. This is where breach detection becomes critical.
Unfortunately, many companies regardless of size or industry sector do not understand what this technology entails and why it is so important. For them, it is a case of prevention being better than the cure. They argue that they already have firewalls and anti-virus solutions installed that prevent breaches from happening in the first place. Sadly, the reality is a bit different.
Even the best firewalls and antivirus products in the world cannot guarantee that breaches will not occur. It really is a case of when rather than if it will happen. There are plenty of local and international examples to choose from. In May, the South African arm of fitness group Virgin Active was targeted by cybercriminals. And even though it claims that no data was removed, the company still took all its computer systems offline resulting in a disruption of services to customers.
Rewind a further two months to March and insurance and investment group PPS was hit by a cyberattack. And while they also claimed that no data had been in danger, client service was negatively impacted as systems had to be taken down for several days until cybersecurity teams could restore everything.
Simply put, the technology employed by threat agents have evolved to such an extent that traditional security defences are no longer sufficient to withstand an attack. The prevention environment is a vast one. Firewalls, intrusion prevention systems on SD-WAN, endpoint protection, and even endpoint detection and response are all focused on better safeguarding organisational systems.
And then there are the likes of Zero Trust Network Access, Secure Access Service Edge (SASE), and Cloud Access Security Broker (CASB) software that must be factored into the cybersecurity equation. But despite the availability of all this technology, breaches still occur. This can partly be attributed to the weakest link in the chain – that of human error.
People make mistakes and are prone to falling foul of increasingly sophisticated social engineering attacks. Despite having the best anti-social engineering training in place, there is an air of inevitability when it comes to the success of these attacks. It comes down to a numbers game. People not only have to be aware of those age-old 419 scams, but phishing (email), vishing (phone calls), and smishing (text messages) attacks are becoming an increasingly common occurrence.
And then let us not forget about the dangers of whaling where cybercriminals masquerade as a senior executive. They can even pose as a supplier to inform the finance team that the account details on the system have changed and that all invoices must be paid into a compromised account.
But out of all these, ransomware is still the most lucrative form of attack that companies must contend with today. By breaching a business network, exfiltrating its data, and holding it to ransom through encryption, companies are under pressure to pay as quickly as possible or have the data made public. Even though it is tempting to pay the ransom, it merely fuels the attackers’ business model and can even pose the risk of future ransomware incidents happening.
Because of this, the business focus must turn to the importance of data management. By thinking strategically about the likes of backup-as-a-service, business continuity, resilience, and even disaster recovery, a company can put in place one of the most effective last lines of defence against ransomware. This makes it critical to review existing backup policies and potentially partner with a trusted data management or cloud backup provider.
Canary in a coal mine
Detecting breaches does not have to be an onerous and complicated process. We partnered with Thinkst Canary to make it as simple as possible to do at a speed no human cybersecurity team can manage manually. Like a canary sent down in a coal mine, time is of the essence when it comes to breaches. This solution reduces the amount of time it takes between a breach taking place and it being discovered on the network.
This is the ideal set and forget solution that is easy to install and manage. Furthermore, it alleviates one of the biggest challenges when it comes to breach detection technology – that of high noise. The more frequently companies get alerted to perceived breaches (it could be something as simple as an employee accessing the network from a new location), the more blasé they become about these warnings. Canary is a low noise solution that means if an alert is received, the company must act.
Certainly, there are more advanced honeypot solutions available, but these are difficult to set up, not easy to manage, and expensive. Our approach has been to make a product available that is as easy to deploy as possible which yields the maximum effectiveness.
Understanding the importance
For intrusion detection to work, there must be a level of maturity in the organisation. Firstly, they must already have all the preventative measures in place. Secondly, they must realise why intrusion detection systems are important. Typically, this means the technology is more geared towards medium and larger companies and less focused on the small start-up.
Fortunately, there is a more cost-effective workaround to this. Canary Tokens can be used to ‘seed’ specific files on the network. These provide digital breadcrumbs by alerting managers if certain documents are opened. Say, for instance, a token is put inside a CV. The person will receive an alert every time the employment agency or potential employer opens the document. This works well if it is hidden in a document that is hidden in a secret location on the Web server. As soon as that document is accessed, signifying a breach, then the company is alerted to it.
All told, breach detection has become an integral part of a cybersecurity strategy. Having these in place to supplement defensive measures, an organisation can best deal with the rapidly expanding attack surface today.
Ian Shak, Chief Information Security Officer at Saicom