Cyber criminals look for gaps in a wide variety of applications, systems and networks, which is why a company needs to actively hunt for attackers. If the attackers stay hidden, they can cause significant corporate damage.

Cybersecurity is becoming a priority in companies of all sizes, as they understand that digital threats and attackers are the new business reality and must be accounted for among business risks.

Hacking attacks, system breaches, data theft and data misuse can happen to any company. The only difference is that some of them know how to detect and respond to such attacks, as only a timely and appropriate response can reduce the damage. If attackers remove critical information or sensitive, confidential and personal data, the companies are faced with high costs associated with the loss of goodwill, customers and competitive advantage, and must deal with system patching and penalties imposed by regulators.

The EU General Data Protection Regulation (GDPR) has profoundly affected business transactions in all companies – fines of up to €20 million or 4% of a company’s annual turnover and the requirement to report cyber incidents within 72 hours cannot be taken lightly.

The work of the people responsible for information security in a company is getting harder by the day, and only a few companies can claim with absolute certainty that they are up to the task.

This is why the market has developed a range of Security Operations Centre (SOC) services that constantly monitor the threat landscape and alert companies to threats, thus helping them prevent attacks or mitigate their consequences. The current offer of SOC services on the market has not yet convinced Slovenian companies. The question here is whether they can follow the SOC example and take care of their own security. The answer is yes, they certainly can. However, they need to use advanced solutions that guarantee the detection of security threats and potential incidents at an early stage.

The most important thing is to detect the possibility of data theft before an incident can emerge and cause commercial damage. Hackers are known to spend months in a network without being detected, secretly waiting and collecting information about the business operations, services and intellectual property that they will eventually steal. When this happens, it is essential to take immediate action to prevent further data theft, restore the normal functioning of the service and report the incident.

The key point is therefore early detection of the anomalies that can grow into an incident. For such detection, machine learning can be used to help the IT team detect threats at an early stage and provide data for further interpretation of the attack, says Matjaž Katarinčič, Head of Cybersecurity at Smart Com.

Security as a platform

Most attackers enter the corporate network via the Internet or through another vulnerable spot within the corporate network, along what are called attack vectors. Best security practices show that attackers should be hunted and stopped as they approach the network, by means of various mechanisms such as next-generation firewalls that can inspect the behaviour of individual applications, online email gateways, and web content.

An additional advantage comes from insight into traffic flows, which gives real-time visibility of an attack and gathers its details, so the information security administrator can take immediate action. The Vectra Cognito platform is built on artificial intelligence and machine learning algorithms, so it constantly performs automated hunts for potential attackers. The platform performs these hunts through behavioural models that are constantly learning and, as a result, can quickly and efficiently detect a wide variety of anomalies, as well as hidden and unknown attackers, before these can do any damage. After all, an attacker must first find the source of the information they need for an attack within the information system.

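The two paragraphs above describe behavioural models that learn what is normal for each device and flag deviations early. The following is an added example, not code from Smart Com or Vectra, of the simplest form of such a model: it learns, per internal host, the usual daily volume sent to external destinations over a training window and flags later days that deviate strongly, plus hosts that have never been seen before. The flow summaries, host addresses and day labels are constructed sample data.

```python
"""Added example (not Smart Com's or Vectra's code): a minimal per-host
behavioural baseline over network flow summaries. Real products learn many
more features than outbound volume; this shows the baseline-then-score idea."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow summaries: (day, internal host, bytes sent externally).
# Host 10.0.0.5 is steady for five days and then sends ~20x its usual volume;
# host 10.0.0.77 appears for the first time on day d06.
SAMPLE_FLOWS = [
    ("d01", "10.0.0.5", 2_100_000), ("d02", "10.0.0.5", 1_900_000),
    ("d03", "10.0.0.5", 2_300_000), ("d04", "10.0.0.5", 2_000_000),
    ("d05", "10.0.0.5", 2_200_000), ("d06", "10.0.0.5", 48_000_000),
    ("d01", "10.0.0.9", 400_000), ("d02", "10.0.0.9", 380_000),
    ("d03", "10.0.0.9", 420_000), ("d04", "10.0.0.9", 390_000),
    ("d05", "10.0.0.9", 410_000), ("d06", "10.0.0.9", 405_000),
    ("d06", "10.0.0.77", 1_000),
]
# Constructed: the days used to learn what "normal" looks like.
TRAINING_DAYS = {"d01", "d02", "d03", "d04", "d05"}


def build_baselines(flows, min_samples=4):
    """Per-host mean and population standard deviation of daily outbound bytes.
    Hosts with too few training days get no baseline rather than a noisy one."""
    per_host = defaultdict(list)
    for _day, host, sent in flows:
        per_host[host].append(sent)
    return {host: (mean(v), pstdev(v))
            for host, v in per_host.items() if len(v) >= min_samples}


def score_flows(flows, baselines, z_threshold=3.0):
    """Return findings for flows that deviate from their host's baseline.
    A host without a baseline is reported too: a never-seen talker deserves a look."""
    findings = []
    for day, host, sent in flows:
        if host not in baselines:
            findings.append({"day": day, "host": host, "reason": "no baseline"})
            continue
        mu, sigma = baselines[host]
        # Floor sigma so a perfectly regular host cannot divide by zero or
        # flag on a trivial change.
        sigma = max(sigma, 0.01 * mu, 1.0)
        z = (sent - mu) / sigma
        if z > z_threshold:
            findings.append({"day": day, "host": host, "reason": "volume",
                             "z": round(z, 1), "sent": sent, "baseline": round(mu)})
    return findings


def detect(flows, training_days, z_threshold=3.0):
    """Learn on the training window, score everything outside it."""
    training = [f for f in flows if f[0] in training_days]
    scoring = [f for f in flows if f[0] not in training_days]
    return score_flows(scoring, build_baselines(training), z_threshold)


if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS, TRAINING_DAYS):
        print(finding)
```

Scoring only days outside the training window matters: if the anomalous day were included in the baseline it would inflate the standard deviation and hide itself. In practice the baseline is refreshed on a rolling window and combined with other behaviours (new destinations, unusual hours, protocol changes) before anything is raised to the security team.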
This solution also covers blind spots, as it directly analyses all network traffic and can gain a detailed overview of the actions performed by all devices, including Internet of Things (IoT) devices. Vectra Cognito thus monitors the connections between the local network, the data centre and the cloud, and makes sure that attackers are detected early.

By focusing on actions specific to attackers, this security solution allows the company to remain one step ahead of them and disable them before they cause any damage. It is a technologically advanced security system that analyses attacker behaviour and the way malicious code operates through integrated machine learning and artificial intelligence. Such continuous first-level analysis of security events and large data volumes eliminates the need for security teams to search for and triage threats by hand. This reduces workload and the need for additional specialised staff, thus increasing the level of security within the company.

Who do you trust with the keys of your own home?

The hardest task is to expose those attackers who present themselves as actual system users, i.e. authorised users. They have “the keys to the gate”, i.e. passwords, as well as the credentials enabling access to the company’s applications, systems and network. From the perspective of cybersecurity, the user accounts with numerous rights and accesses, especially those with full access, such as the accounts of IT administrators, maintainers, developers, certain third-party vendors and others who access or manage various mission-critical systems and applications, are exposed to the greatest risk. The question is how to control them and lock the doors behind them (i.e. deny access) if they have no business being in your digital home. The answer is privileged user access management solutions (Privileged Access Management – PAM), the digital equivalent of the physical “front door”.

“Every major company can guarantee physical access control, as there is a reception desk and a security guard one has to introduce themselves to before entering the premises. Companies have cameras recording what is happening. The privileged user access management solutions are a security element that provides the same services at the level of the company’s network, keeping an eye on the work of users with large- or even full-scope access. Even if a company believes that it does not need such privileged user access management solutions, it does need an appropriate local security policy covering the area of access to the network and systems. This is, after all, an important gate into the company, the only difference being that the access here is digital,” says Pawel Rybczyk, who is in charge of Wallix business development in the CEE and CIS regions, about the necessity of privileged user monitoring solutions.

The difficulty of managing user rights is multifaceted and often concealed. Users usually do not complain about excessive rights, which means that system administrators often do not even know about them. The role of an individual in the company may change, which requires certain rights to be revoked; however, due to poor overview and decentralised control, companies often forget to do this.

In practice, an investment in a PAM solution pays for itself quickly in companies that outsource IT services extensively. Through these solutions, they see exactly what the contractor was doing, what they accessed and, most importantly, what they changed. For example, the contractor might have been working for 5 minutes but charged for 5 hours of work. It is a great tool for verifying whether a provider adheres to the terms of their Service Level Agreement (SLA). The good news is that the company does not have to buy the PAM solution for an indefinite period. It can be introduced only temporarily, e.g. during a significant migration of one part of the business to the cloud. A company cannot constantly look over the shoulder of an external provider, yet it must still give them access, for example, to the cloud and its data.

There are also the GDPR regulation and the upcoming Zvop-2 act, which require a company’s management to adequately protect access to personal data.

In the event that system administrators do need full access, the PAM solution is there to properly monitor and record that access. Such a solution provides an audit trail that can serve to prove any misuse of personal data at any point in the future. Protecting the personal data of the company and its key IT resources has thus become a priority for every company, concluded Katarinčič.

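The three PAM points made above (rights that are not revoked when a role changes, checking a contractor's recorded session time against the hours invoiced, and an audit trail of what was changed) can all be checked over the data a PAM solution records. The following is an added example, not code from Wallix or Smart Com; the role policy, entitlement table, session records and invoice figures are constructed sample data, and the five-minutes-versus-five-hours case mirrors the one in the text.

```python
"""Added example (not Wallix's or Smart Com's code): three checks over
PAM-style records. Role policy, entitlements, sessions and invoices below
are constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed: privileges each role is allowed to hold.
ROLE_POLICY = {
    "dba": {"db-prod:admin", "jump-host:ssh"},
    "developer": {"jump-host:ssh", "git:write"},
    "vendor-support": {"app-prod:console"},
}

# Constructed: each user's current role and the privileges actually granted.
# "ana" moved from DBA to developer but kept db-prod:admin; "vendor-x" holds
# an admin grant its support role never justified.
ENTITLEMENTS = [
    {"user": "ana", "role": "developer",
     "grants": {"jump-host:ssh", "git:write", "db-prod:admin"}},
    {"user": "bor", "role": "dba",
     "grants": {"db-prod:admin", "jump-host:ssh"}},
    {"user": "vendor-x", "role": "vendor-support",
     "grants": {"app-prod:console", "db-prod:admin"}},
]

# Constructed: PAM session records for an external contractor, with the
# files the recorded session modified on the target system.
SESSIONS = [
    {"user": "vendor-x", "target": "app-prod",
     "start": "2019-09-02T09:00", "end": "2019-09-02T09:05",
     "changes": ["/etc/app/config.yml"]},
    {"user": "vendor-x", "target": "app-prod",
     "start": "2019-09-03T14:10", "end": "2019-09-03T15:40",
     "changes": []},
]
# Constructed: hours the contractor invoiced for the same period.
INVOICED_HOURS = {"vendor-x": 5.0}


def stale_privileges(entitlements, policy):
    """Grants a user holds that their current role does not justify.
    An unknown role justifies nothing, so every grant is reported."""
    findings = {}
    for e in entitlements:
        extra = e["grants"] - policy.get(e["role"], set())
        if extra:
            findings[e["user"]] = sorted(extra)
    return findings


def session_hours(sessions):
    """Total recorded session time per user, in hours."""
    total = defaultdict(float)
    for s in sessions:
        start = datetime.fromisoformat(s["start"])
        end = datetime.fromisoformat(s["end"])
        if end < start:
            raise ValueError(f"session for {s['user']} ends before it starts")
        total[s["user"]] += (end - start).total_seconds() / 3600
    return dict(total)


def billing_discrepancies(sessions, invoiced, tolerance_hours=0.25):
    """Users who invoiced more than the PAM recorded, beyond a small tolerance."""
    recorded = session_hours(sessions)
    out = {}
    for user, billed in invoiced.items():
        actual = recorded.get(user, 0.0)
        if billed - actual > tolerance_hours:
            out[user] = {"billed": billed, "recorded": round(actual, 2)}
    return out


def change_trail(sessions):
    """Audit trail: (target, path, user, session start) for every recorded change."""
    return sorted((s["target"], path, s["user"], s["start"])
                  for s in sessions for path in s["changes"])


if __name__ == "__main__":
    print("stale privileges:", stale_privileges(ENTITLEMENTS, ROLE_POLICY))
    print("billing discrepancies:", billing_discrepancies(SESSIONS, INVOICED_HOURS))
    print("change trail:", change_trail(SESSIONS))
```

The role-versus-rights check is the one worth scheduling: it turns the "we forgot to revoke it" problem into a list that can be reviewed whenever HR records a role change. The session checks only work if sessions are forced through the PAM gateway, which is why the solution also has to own the credentials to the target systems rather than just observe traffic.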
Matjaž Katarinčič was interviewed by Miran Varga. The article was published in the Delo newspaper on 9 September 2019.