Yesterday the Wall Street Journal published a briefing for executives on “Conflict in Ukraine: Preparing for Cyberattacks,” which advises that companies “tak[e] steps to quickly detect potential intrusions.” This proactive posture is especially urgent for critical infrastructure stakeholders, as the Russian cyber threat is likely to target sectors such as Oil & Gas, energy, and finance. The growing concern is that Putin will turn to cyber as he loses on the traditional battlefield.
Detection for many companies is challenging, however, as there is a known visibility gap in cybersecurity. As McKinsey recently suggested, “Without visibility into digital infrastructure, it will be difficult for companies to recognize when, where, or why there is a problem.” Consider the reliance on third-party providers across an essential supply chain or extended enterprise, and the problem is even worse.
Fortunately several cybersecurity providers have figured out ways to see the cyberattack forest through the trees in order to paint the big-picture threat landscape. Of course I’ll say that IronNet’s way (that is, our Collective Defense platform) is the masterpiece, but that’s irrelevant here. My point is this: There are two steps to narrow cybersecurity’s visibility gap, so let’s take them.
1. Arm yourself with the capability of seeing unknown threats on your network
Detecting what’s on your network must go beyond signature-based tools. Signature-based detection still matters: keep tracking those hits and writing rules against them. But tools such as intrusion detection systems (IDS) that alert only on known-bad hashes, domains, or other already-identified indicators miss the large swath of threats that use infrastructure and tooling no one has catalogued yet. Firewalls and endpoint point-protection tools, essential as first-pass controls, also cannot see lateral movement deep inside the network once a threat has slipped past them.
How bad is the visibility gap? Based on a recent study of the enterprise market (companies with more than 1,000 employees or $1B+ in topline revenue), “around 60 percent of buyers analyze and triage less than 40 percent of their enterprises’ log data.” That figure doesn’t even include third-party log data. What could be hiding in the log data nobody looks at? Another SolarWinds?
That’s why network detection is such a critical leg of the SOC visibility triad (network, endpoint, and SIEM/log analytics): it gives the enterprise a complete picture of what is actually crossing the wire. Network detection and response (NDR) tools that use machine learning to sift automatically through huge volumes of network traffic narrow the visibility gap significantly. They baseline normal behavior and flag deviations from it, such as a periodic beacon from an internal host to an unfamiliar external address, or the download that follows a spear-phishing click, that may indicate an attack is underway even when no signature exists. Behavior-based detection has a well-known false-positive problem; IronNet’s NDR tool addresses it by pre-correlating related detections and alerts before an analyst ever sees them.
You may be asking, what if I’ve migrated to the cloud? NDR improves cloud security too, because it monitors network traffic to and from the cloud (and, where the traffic can be mirrored or tapped, within it), eliminating blind spots and providing greater visibility of “what’s in the cloud.” At IronNet, we like to say that “the truth is in the traffic.” As McKinsey points out, “The improved use of AI and machine learning provides a holistic view of an entire security program, including on-premises, in the cloud, across geographies, within business units, and from remote networks. Transparency here allows an organization to prioritize potential threats.”
2. Gain better situational awareness of attacks hitting your sector
I would argue that the biggest threat to cybersecurity is defending alone. An event that looks benign or low-priority when one organization sees it, say an unfamiliar destination that a single host has started contacting, takes on a very different meaning when the same indicator shows up at three organizations around the same time. We call the result actionable attack intelligence. But analysts can’t see that bigger picture, or gain those insights, while they continue to defend in isolation.
A Collective Defense approach lets companies and organizations defend against threats together, in real time, without relying on previously known indicators. By building a cyber “radar view” of network threats as they are happening, IronNet’s Collective Defense platform provides attack intelligence that serves as an early warning system for every member of the Collective Defense community. Strained SOC teams can see and rally around the same threats and mitigate them well before business impact. Why detect and defend alone when others are seeing and battling the same threat?
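The two steps above, as an added worked example in Python (this is not IronNet’s code or its platform): a minimal behavior-based beacon detector of the kind described under step 1, run over each member organization’s outbound flow records, followed by the collective step from step 2 that elevates a beacon destination seen by several organizations within the same time window. The organization names, IP addresses, thresholds and flow records are all constructed for illustration.

```python
"""Added example: local beacon detection plus cross-organization correlation.

Not IronNet's code. Flow records, org names, addresses and thresholds are
constructed for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev


def find_beacons(flows, min_connections=8, max_cv=0.2):
    """Return {(src, dst, port): stats} for connection pairs whose inter-arrival
    gaps are nearly periodic. cv = stdev/mean of the gaps: a real beacon with a
    little jitter has a low cv, interactive or bursty traffic does not.
    flows: iterable of (timestamp_s, src_ip, dst_ip, dst_port)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    found = {}
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            found[key] = {"connections": len(times),
                          "period_s": round(period, 1), "cv": round(cv, 3)}
    return found


def correlate_across_orgs(org_flows, window_s=3600, min_orgs=3):
    """org_flows: {org_name: [flow, ...]}. Runs find_beacons for each org (the
    local, low-confidence view), then groups the beacon destinations across
    orgs. A (dst, port) that at least min_orgs distinct orgs started beaconing
    to within window_s of each other is returned as elevated."""
    sightings = defaultdict(list)   # (dst, port) -> [(first_seen_ts, org)]
    local = {}
    for org, flows in org_flows.items():
        hits = find_beacons(flows)
        local[org] = hits
        for (src, dst, port) in hits:
            first_seen = min(ts for ts, s, d, p in flows
                             if (s, d, p) == (src, dst, port))
            sightings[(dst, port)].append((first_seen, org))
    elevated = {}
    for dest, seen in sightings.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):          # slide a window from each sighting
            orgs = {org for t, org in seen[i:] if t - t0 <= window_s}
            if len(orgs) >= min_orgs:
                elevated[dest] = sorted(orgs)
                break
    return local, elevated


def _periodic(start, gaps, src, dst, port):
    """Build constructed flow records whose inter-arrival gaps are `gaps`."""
    t, out = start, []
    for g in gaps:
        out.append((t, src, dst, port))
        t += g
    out.append((t, src, dst, port))
    return out


BEACON_GAPS = [60, 58, 62, 60, 61, 59, 60, 60, 62, 58, 60]   # ~60 s with jitter
BURSTY_GAPS = [1, 1, 2, 300, 1, 1, 500, 1, 2]                 # human-like bursts

# Constructed sample: three utilities beacon to the same external host within
# 30 minutes of each other; one has an additional beacon nobody else sees; one
# only talks to a busy-but-bursty destination.
SAMPLE_ORG_FLOWS = {
    "utility-a": _periodic(1000, BEACON_GAPS, "10.1.0.5", "203.0.113.7", 443)
                 + _periodic(1000, BURSTY_GAPS, "10.1.0.9", "198.51.100.3", 443),
    "utility-b": _periodic(1900, BEACON_GAPS, "10.2.0.17", "203.0.113.7", 443),
    "utility-c": _periodic(2800, BEACON_GAPS, "10.3.0.4", "203.0.113.7", 443)
                 + _periodic(1500, BEACON_GAPS, "10.3.0.6", "192.0.2.10", 8443),
    "utility-d": [(1200, "10.4.0.2", "198.51.100.3", 443),
                  (1300, "10.4.0.2", "198.51.100.3", 443)],
}

if __name__ == "__main__":
    local, elevated = correlate_across_orgs(SAMPLE_ORG_FLOWS)
    for org, hits in local.items():
        print(org, "local beacons:", hits)
    print("elevated by collective view:", elevated)
```

Each organization on its own sees only a low-priority “some host is beaconing somewhere” event (utility-c sees two of them and has no way to rank them). The collective step is what singles out 203.0.113.7:443, because three members started beaconing to it inside one hour, while the destination only utility-c sees stays a local curiosity. Thresholds like `max_cv` and `window_s` are tuning knobs, and in production the periodicity test would be one feature among several (byte-size consistency, destination rarity, TLS fingerprint) rather than the whole detector.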
For example, IronNet is working with the New York Power Authority to protect the state’s expansive power ecosystem, which includes many municipal utilities and cooperatives. In the same way that utilities band together to provide mutual aid after damaging weather events, NYPA is making collaborative responses to cyber attacks possible. Leveraging the AWS cloud backbone, this Collective Defense community model is a “cybersecurity blueprint for any industry.”
We know how to overcome the visibility obstacle. It’s time to take those steps — to see the cyberattack forest through the trees. Otherwise, the early stages of a blight on a single tree may infect the whole forest. We cannot let that happen. The availability of our critical services depends on Collective Defense.