Corey Nachreiner, CTO at WatchGuard Technologies, tells us that there is no cybersecurity ‘silver bullet’. He says: “The challenging part of security is that it requires a layered approach including many protection strategies, both technical and human.”
According to the WatchGuard Threat Lab’s recent Internet Security Report, network attack detections in Q4 2020 reached their highest level since the 2018 peaks.
Total unique network attack signatures showed steady growth as well, with a 4% increase over Q3. This shows that even as the world continues to operate remotely, the corporate network perimeter is still very much in play, as threat actors continue to target on-premises assets.
Intelligent CIO spoke to Corey Nachreiner, CTO at WatchGuard Technologies, about why attackers continue to target the network.
We discussed why protecting on-premises corporate assets continues to matter and the importance of establishing a layered security posture that balances defenses from network to endpoint.
Why is it important to help the cybersecurity stance of other organizations?
In short, network protections still matter since your servers and network services reside within network perimeters – specifically your offices, data centers or private and public clouds. While endpoint protection can directly protect your users wherever they might be (home and outside your perimeter), servers need additional protections when exposed over a network.
Things like firewalling, IPS, network malware protection, etc. are still critical. In fact, even though we saw malware following users into their homes during the pandemic, we also saw network attacks targeting software vulnerabilities in exposed services increasing at network perimeters (such as on-premises and in the cloud) and reaching an all-time high since 2018.
It’s also important to note that there are classes of business and operational devices (IoT and OT) that cannot add endpoint-based security controls. Network-based protection is excellent at defending these IoT and OT devices.
How can cybersecurity truly become a ‘community effort’?
Whether you’re a security company, cybersecurity authority or just a business that’s experienced an attack, there are several programs and quantifiable options for sharing indicators of compromise and attack that can benefit the overall community (such as public disclosure, bug bounty programs, work groups and more).
There are also soft methods, like sharing information about your security efforts, challenges or breaches in a corporate blog or public advisory. The more help you can provide other companies in understanding and properly preparing for potential threats, the better.
And finally, if you don’t share threat intelligence or even anecdotal tips, just improving your organization’s own security posture helps the community. For example, right now digital supply chain attacks are a concerning trend.
Almost all businesses have connections to other companies through partnerships or the products and services they choose to use. Because your security is sometimes dependent on these other companies and vice versa, simply improving your own organization’s security can help all your connected customers.
Why is it important to share threat intelligence and security awareness?
Threat intelligence (TI) – like who is attacking you (or at least the IP addresses or domains of who is attacking you) – is incredibly useful to others because often the same cybercriminals target multiple companies. The more TI the security and business community shares with each other, the more data everyone can add to their individual security controls. As far as security awareness goes, another company’s level of security may inadvertently affect yours, for example if you partner with a company and use their products and services.
Can you highlight some of the top protection strategies to avoid security incidents?
Unfortunately, there is no cybersecurity ‘silver bullet’. The challenging part of security is that it requires a layered approach including many protection strategies, both technical and human. That said, there are three types of protections people should focus on today.
First, organizations need modern advanced malware detection solutions. Some of the traditional ‘antivirus’ solutions still largely rely on reactive signatures (patterns) to detect malware.
Unfortunately, malware today is more sophisticated and evasive. Attackers proactively alter malware on a victim-to-victim basis to get past signature-based solutions. You need anti-malware solutions that use more proactive and automated techniques, such as behavioral analysis or Machine Learning, to catch brand new, never-before-seen malware. There are many next-gen EPP solutions for endpoints and networks that do this – make sure you are using one.
Second, detection and response are as important as prevention. No matter how great your preventative controls are, you should expect an attack to bypass them someday. Cybersecurity is a cat and mouse game, and you must do everything right, whereas an attacker only has to find one mistake.
Companies have a habit of investing the most in preventative security solutions, which makes sense as we’d all just prefer never to have an incident. However, the truth is even with the best preventative controls, it’s still a matter of when, not if (remember, humans can make mistakes that bypass controls).
That’s why my second tip is to also invest in security products designed to find and help remediate potential infections or incidents. For instance, endpoint detection and response (EDR) solutions aren’t designed to prevent malware (that’s what EPP does) but instead find and clean any device that seems infected. Invest in EDR.
Finally, every company today – from the smallest to the largest – should deploy multi-factor authentication across all employees, not just privileged users and administrators. Identity is the cornerstone of security. All your security policies depend on knowing ‘who’ is doing ‘what’. Authentication is a crucial process in verifying identity digitally, and the only strong authentication is one that uses several factors to identify users. If you aren’t using MFA, you should expect to get breached.
How have supply chain breaches proven that we are a lot more connected to each other than we might realize?
When you pick a logging solution, CRM or other product in your supply chain, you probably don’t think that installing it inside your network may one day result in a state-sponsored attacker breaching your system. But that’s exactly what can happen as was recently demonstrated by the massive SolarWinds supply chain attack.
And we certainly don’t think about the second layer of an attack like this. FireEye was also breached due to the SolarWinds technology, which could have trickled down to FireEye customers. While it appears FireEye caught the breach early and prevented it from spreading to customers, it still highlights the risk of an inadvertent breach to a technology partner or vendor in the supply chain.
It’s like the digital version of the ‘Six Degrees of Kevin Bacon’ game. In this digital world, not only do we often use each other’s products and services, we often also share some of our data with the organizations we connect with. The latest supply chain attacks have clearly illustrated that our digital connections go several layers deep.
How has the threat landscape changed in the last 12 months?
Our data shows malware decreased at a very quantitative level at the perimeter but spread to remote and home endpoints. With most users working remotely, less malware has attacked business networks and instead focused on individual users. However, despite that change, network attacks targeting software and servers have significantly increased in offices and cloud perimeters, showing that threat actors still know where our network services live and will continue attacking them.
Anecdotally, I think the SolarWinds attack will be the attack of the decade and present serious ramifications in the security industry for years to come. Supply chain attacks have been the most concerning trend in the last 12 months – one we have only partial solutions for and that will be a main focus in the information security community going forward.