Can XDR (Extended Detection and Response) Reduce Attack Surfaces?

Author: John Tolbert is lead analyst & managing director at KuppingerCole.

Many if not most organizations have moved to a risk management model for cybersecurity and identity management. Priorities have shifted in two major ways over the last decade:

  • decreasing attack surface sizes
  • focusing on detection and response technologies instead of prevention only

Reducing attack surfaces inarguably improves security posture. Achieving the objective of reducing attack surfaces involves many activities: secure coding practices, vulnerability scanning and management, consolidation of functions into fewer products and services, access reconciliation, user de-provisioning, avoidance of over-provisioning, use of Privileged Access Management (PAM), OS and app patching, API security gateways, and so forth.

The realization that some attacks get past preventive measures has led to an increase in the prominence of detection and response techniques and technologies. However, deploying EDR, NDR, or XDR products doesn’t obviate the need for endpoint anti-malware, email/web security gateways, or WAFs.

Threat Detection: Expanding Your View

In light of the Sunburst/SuperNova/Solorigate incident, the scope of detection must be expanded. For example, communications between agents on protected resources and remote sites cannot be overlooked. IT product binaries should not be excluded from anti-malware scans. Processes running signed code still need to be examined for signs of malicious behavior. Security log retention periods must increase. Keeping 30, 60, or even 90 days’ worth of logs on hand is not enough when investigations need to go back 9+ months.

The SolarWinds incident highlights the need for Endpoint Detection & Response (EDR), Network Detection & Response (NDR), or their union, XDR. These tools are the best means for determining if your organization has had any compromises after the event. In the case of the Sunburst/SuperNova/Solorigate malware, most endpoint protection (EPP, or Next Generation Anti-Malware) didn’t recognize the software as malicious initially. These detection-focused tools can look for Indicators of Compromise (IOCs) once they are identified and shared as threat intelligence.

No tool is 100% perfect, though. The attackers often acquire admin privileges and use them to remove or cover their tracks. XDR tools can help to automate the environment-wide searches to uncover evidence attackers may have inadvertently left behind.
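A retrospective IOC sweep of the kind described above can be sketched in a few lines; this is an added example, not code from the article or from any XDR product. The log sources, retention periods, hosts, and indicators are all constructed, and the function name `retro_hunt` is hypothetical. It shows both halves of the argument: which hits a sweep finds, and which sources cannot see back to the start of a nine-month-old intrusion.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): retention per log source, in days.
RETENTION_DAYS = {"edr": 90, "dns": 30, "proxy": 365}
# Constructed IOCs; the hash is a labelled placeholder, not a real indicator.
IOCS = {"c2.bad.example", "sha256:PLACEHOLDER-IMPLANT-HASH"}
# Constructed events: (source, day, host, observed value).
EVENTS = [
    ("dns", date(2020, 4, 2), "build-01", "c2.bad.example"),    # aged out of DNS logs
    ("proxy", date(2020, 4, 2), "build-01", "c2.bad.example"),  # still retained
    ("proxy", date(2020, 4, 2), "build-01", "updates.vendor.example"),
    ("edr", date(2020, 11, 20), "app-07", "sha256:PLACEHOLDER-IMPLANT-HASH"),
    ("edr", date(2020, 12, 1), "hr-03", "sha256:PLACEHOLDER-BENIGN-HASH"),
    ("dns", date(2020, 12, 10), "app-07", "c2.bad.example"),
]

def retro_hunt(events, iocs, retention, today, earliest_activity):
    """Sweep retained events for IOCs and report per-source blind spots.

    Returns (hits, gaps). gaps maps a source to the (start, end) window
    between the earliest suspected activity and the oldest log still kept.
    """
    oldest_kept = {s: today - timedelta(days=d) for s, d in retention.items()}
    gaps = {s: (earliest_activity, kept)
            for s, kept in oldest_kept.items() if kept > earliest_activity}
    hits = []
    for source, day, host, value in events:
        if day < oldest_kept[source]:
            continue  # simulates the log store: expired records are gone
        if value in iocs:
            hits.append((day, source, host, value))
    return sorted(hits), gaps

if __name__ == "__main__":
    # Assumed scenario: sweep run on 2020-12-15 for activity starting 2020-03-15.
    hits, gaps = retro_hunt(EVENTS, IOCS, RETENTION_DAYS,
                            date(2020, 12, 15), date(2020, 3, 15))
    for day, source, host, value in hits:
        print(f"HIT  {day} {source:5} {host:9} {value}")
    for source, (start, end) in sorted(gaps.items()):
        print(f"GAP  {source:5} no logs from {start} to {end}")
```

In this constructed data only the proxy source, with a year of retention, still holds the April beaconing; the DNS record of the same lookup has already expired.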

XDR, SIEM, SOAR and Data Retention

Both approaches, reducing attack surfaces and increasing detection/response, remain valid after SolarWinds. In fact, this global cybersecurity event shows that most organizations, public and private sector, need to redouble their efforts on both objectives. Reducing the attack surface means additional vetting is needed on IT and cybersecurity tools, which primarily must happen at the vendors. Improving the operational effectiveness of XDR, SIEM, and SOAR tools will require those who implement these tools to extend their data retention times significantly beyond the default periods, even if it increases the cost of services.

Addressing and mitigating risks in the IT supply chain, especially cybersecurity products and services, will be front-and-center for CISOs in 2021. KuppingerCole will continue to monitor and advise as warranted.
