May 3, 2021 | 4 minute read
Figuring out if your organization is under attack is typically a time-consuming, labor-intensive affair. Analysts must gather data across multiple security tools and perform careful analysis, a process that can take hours, days, or weeks. Unfortunately, time is the most precious resource when responding to incidents. The longer adversaries linger in an IT environment, the longer they have to deploy footholds, move to other machines, and access more data.
Compounding this issue for the financial sector is the fact that they present a high-value target to both cybercriminals and in some cases, nation-state threat actors. When the potential return on a cyber operation is great, adversaries will invest more time and resources to maximize success. Attackers are bolder than ever, as we’ve seen with attacks on critical infrastructure, multi-stage ransomware, and the willingness to sell stolen data and access to the highest bidder.
This is why recent developments in Extended Detection and Response (XDR) are critical for financial organizations who are under tremendous pressure to not only secure critical customer data, but their own employees and business reputation in an industry where trust is essential.
So what’s keeping financial organizations from detecting and responding to attacks early enough to prevent them from becoming major breach events?
On paper, knowing what activity is occurring across an organizational network should be at the top of a security team’s priority list. But financial companies often struggle with endpoint visibility because they operate incredibly complex and diverse IT environments.
Security teams use an array of tools to gain endpoint visibility, but many of them aren’t specifically designed for the task. Tools like antivirus software and firewalls fail to stop modern attacks -- even malware -- and have limited context into machines that aren’t connected to the corporate network.
Financial organizations are using XDR solutions to gain important visibility and detection capabilities both on and beyond the endpoints on the network, bringing protection to mobile devices, BYOD, cloud workloads, and even cloud productivity suites.
Even if a company is using a solution designed to provide endpoint and extended network visibility, the security team is likely flooded with low-context alerts, instead of insight into important incidents. This creates less visibility where there needs to be more.
Security tools that collect reams of endpoint data from a bank’s hundreds of thousands of servers and computers, but do not provide root cause analysis or cross-machine correlations just create more work for security teams, not less.
They simply do not provide security analysts with any context on root cause, attack scope, and what to do about the alert, triggering a time-consuming process of manually querying across data sets to answer foundational questions. When analysts can’t distinguish important alerts from false positives, the entire organization can be impacted. Alert fatigue leads to human errors and delayed responses, making it harder to spot a stealthy threat that is impersonating legitimate user or machine behaviors.
XDR solutions should provide security teams with not only visibility into potentially malicious activity on endpoints and throughout the network, but also deliver the most salient details on malicious activity that are correlated across all platforms, devices and users that are monitored by the solution.
The result: security teams can focus on remediation efforts for actual risks and threats, instead of spending valuable time trying to sort out which alerts are valid, how they might be related, and whether a threat is imminent. An effective XDR should make the question “are we under attack?” easy to answer, and provide the response capabilities to end the malicious activity in real time.
The typical approach for detecting attacks entails looking for indicators of compromise (IOCs). Common IOCs include virus signatures, malicious IP addresses, MD5 hashes of malware files, and URLs or domain names linked to botnet command-and-control servers. If any of these are observed on either a network or operating system, a breach has most likely occurred.
But today’s more advanced malicious actors either create custom tools to target specific organizations or uniquely compile existing malware code to make sure it doesn’t match any known file hashes or malware signatures. This renders the IOC detection approach completely ineffective. Signature-based anti-malware solutions are simply not an effective approach against today’s threat actors.
The advent of XDR means security teams are not bound to protecting organizations using IOCs alone. They can turn to what’s known as Indicators of Behavior (IOBs), the more subtle chains of malicious behavior that can reveal an attack at its earliest stages, which is why they are so powerful in detecting advanced campaigns such as the recent SolarWinds attacks.
Most solutions are collectors of security telemetry, and occasionally of some behaviors, but what’s needed is more behavioral instrumentation and analysis if we expect to be able to detect and stop post-compromise activity as seen in the SolarWinds and ProxyLogon supply chain attacks.
Leading XDR solutions provide an operation-centric approach to detecting and remediating attacks by automatically hunting for specific and anomalous behaviors that other solutions miss. By looking at IOBs, it’s possible to not only gain actionable visibility into an active attack chain, but to also use that same progression of threat behaviors to protect organizations against similar attacks in the future.
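To make the IOC versus IOB contrast above concrete, here is a small added Python illustration (written for this edit, not Cybereason's product logic): a hash-based IOC check and a behavior-chain check run over constructed endpoint telemetry, where the hosts, process names, hashes and addresses are all made up.

```python
import hashlib

# Constructed IOC feed: the MD5 of one earlier build of a dropper.
KNOWN_BAD_MD5 = {hashlib.md5(b"dropper-build-1").hexdigest()}

# Office applications whose children normally should not reach out to the network.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed telemetry records: (host, pid, ppid, kind, value).
# kind "proc": value is the image name; "hash": MD5 of that image;
# "net": value is the destination the process connected to.
TELEMETRY = [
    ("ws-17", 410, 1,   "proc", "winword.exe"),
    ("ws-17", 522, 410, "proc", "update.exe"),
    # Same dropper, recompiled, so the hash no longer matches the IOC feed.
    ("ws-17", 522, 410, "hash", hashlib.md5(b"dropper-build-2").hexdigest()),
    ("ws-17", 522, 410, "net",  "203.0.113.9:443"),
    ("ws-22", 300, 1,   "proc", "excel.exe"),
    ("ws-22", 301, 300, "proc", "cmd.exe"),  # child with no network activity
]


def ioc_hits(events):
    """Classic IOC matching: flag any process whose hash is on the bad list."""
    return {(host, pid) for host, pid, _, kind, val in events
            if kind == "hash" and val in KNOWN_BAD_MD5}


def iob_hits(events):
    """Indicator of Behavior: an Office app spawns a child that then opens an
    outbound connection. No hash or signature is consulted, so a rebuilt
    binary is still caught by the chain of actions it performs."""
    procs = {}  # (host, pid) -> (ppid, image name)
    for host, pid, ppid, kind, value in events:
        if kind == "proc":
            procs[(host, pid)] = (ppid, value)
    hits = []
    for host, pid, ppid, kind, dest in events:
        if kind != "net":
            continue
        child, parent = procs.get((host, pid)), procs.get((host, ppid))
        if child and parent and parent[1] in OFFICE_APPS:
            hits.append((host, f"{parent[1]} -> {child[1]} -> {dest}"))
    return hits


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(TELEMETRY))   # empty: the rebuilt hash is unknown
    print("IOB hits:", iob_hits(TELEMETRY))   # the behavior chain on ws-17
```

The IOC pass returns nothing because the rebuilt binary has a new hash, while the behavior chain on ws-17 is flagged and the quiet child on ws-22 is not.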
XDR is the key to eliminating obstacles for effective threat detection and response, including log management and data collection tasks, agent deployment and maintenance cycles, and complex, never-ending query building for data extraction and behavioral detections. XDR breaks through data silos and unifies device and identity context in a single, visual investigation experience.
XDR can be an effective tool for financial services organizations to reverse the attacker advantage by extending detection and response capabilities across the broader IT ecosystem that makes up modern enterprise environments. XDR allows defenders to pinpoint, understand and end malicious operations across the entire IT stack whether on premises, mobile or in the cloud.
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Eric Sun is a Product Director at Cybereason, focused on helping security teams measure and improve their resilience against modern threats. Eric works closely with the Nocturnus research team and global SOCs to understand emerging attack campaigns and evolving best practices. He brings a layer of behavior analytics and risk management from his many years in Asia as a professional poker player.