There are three information security strategies that are key to evening the odds between attackers and enterprise defenders, according to aerospace and defence firm BAE Systems.
First is to use threat intelligence to understand the latest attack group activities, their motivations, their tools, techniques and who they are targeting.
This can help organisations prepare for the real threats they face and can inform both strategic and tactical decisions, according to Simon Goldsmith, Middle East head of commercial cyber security at BAE Systems.
“For example, security architects and network engineers can make infrastructure changes to mitigate against specific types of attack, while security operations teams can tune their detection tools to look for specific indicators, data scientists can train their analytical models to identify new types of risky behaviour, and response teams can plan their remediation actions in advance and better understand the spread of infection,” he said.
Goldsmith admitted that security intelligence can add to the security data swamping many security operations teams if it is done poorly.
“But done well, threat intelligence translates the cyber threat from the language of technology to the language of business risk to drive sensible decisions during security incidents and in making policies,” he said.
Segment networks to limit attacker access
A second key strategy is network segmentation to ensure that when defences are breached, attackers do not have unfettered access to the entire network.
“Grouping together similarly valuable systems, and separating them from the rest, is a fundamental security architecture principle,” said Goldsmith.
Segmentation limits the routes by which an attacker can reach production systems, he said, and by ensuring that gateways between network segments have strong verification of every packet of data, cyber risk is greatly minimised.
An attack can be further hampered by security measures deployed at every layer within each segment.
“This is especially important in process plants where safety management systems prevent malfunctioning control systems from causing devastating physical harm,” said Goldsmith.
There are many measures available to do this. The challenge is ensuring that controls are strict enough to block an attack, but not so strict that they impede business operations.
“Every organisation is different, so there is no single correct answer, but using threat intelligence to understand the level of risk posed to each layer, and matching the right network segmentation solution to that risk, will make the attacker’s job much harder,” said Goldsmith.
Combine system monitoring for holistic view of threats
The third key strategy advocated by BAE Systems is to combine the monitoring of operational and information technology, because attackers will exploit any system vulnerabilities to achieve their goals.
“When pursuing an industrial organisation, an attacker may use enterprise systems to attack operational technology (OT), and OT systems to attack the enterprise, but it can be difficult for an organisation to see such an attack as a whole,” said Goldsmith.
A growing number of organisations monitor their enterprise IT networks and use analytics to identify and investigate unusual behaviour that may signal an attack, and more advanced industrial organisations also monitor their operational technology networks for the same reason. However, Goldsmith said that organisations which monitor both their OT and their IT will often do so separately.
“As such, they risk seeing two halves of the same attack, but failing to join them together. But by consolidating their IT and OT monitoring into a single capability, organisations can achieve a single holistic view of network activity,” he said.
According to Goldsmith, by combining monitoring activities, organisations will be able to detect, track and defeat the activities of an attacker wherever they are active.
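To illustrate the "two halves of the same attack" point above, here is an added example (not BAE Systems' tooling or code from the article) that chains alerts from separate IT and OT monitoring feeds by following source-to-destination pivots within a time window. The alerts, host names and timestamps are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from two separate monitoring tools (not real data).
# Each alert records when it fired, which monitoring domain raised it, the
# source and destination host, and a short description.
IT_ALERTS = [
    {"ts": "2024-03-04T09:02:00", "domain": "IT", "src": "mail-gw", "dst": "WS-17",
     "msg": "macro document opened from external sender"},
    {"ts": "2024-03-04T09:14:00", "domain": "IT", "src": "WS-17", "dst": "ENG-JUMP",
     "msg": "first-ever RDP session from this workstation"},
    {"ts": "2024-03-04T11:50:00", "domain": "IT", "src": "WS-02", "dst": "FILESRV",
     "msg": "large SMB transfer"},
]
OT_ALERTS = [
    {"ts": "2024-03-04T09:31:00", "domain": "OT", "src": "ENG-JUMP", "dst": "PLC-3",
     "msg": "Modbus write to holding registers outside maintenance window"},
    {"ts": "2024-03-04T15:00:00", "domain": "OT", "src": "HMI-1", "dst": "PLC-7",
     "msg": "scheduled setpoint change"},
]


def load(alerts):
    """Parse the ISO timestamps so alerts from both feeds sort on one timeline."""
    return [dict(a, ts=datetime.fromisoformat(a["ts"])) for a in alerts]


def follow_chain(alerts, seed, window=timedelta(hours=1)):
    """From one alert, follow pivots forward in time: the next link is an alert
    whose source host is the previous alert's destination, fired within `window`.
    The chain is domain-agnostic, so an IT alert can link to an OT alert."""
    timeline = sorted(alerts, key=lambda a: a["ts"])
    chain = [seed]
    while True:
        last = chain[-1]
        nxt = next((a for a in timeline
                    if a["src"] == last["dst"]
                    and last["ts"] < a["ts"] <= last["ts"] + window), None)
        if nxt is None:
            return chain
        chain.append(nxt)


def attack_path(alerts, window=timedelta(hours=1)):
    """Return the longest pivot chain in a set of alerts as an ordered host list."""
    loaded = load(alerts)
    best = max((follow_chain(loaded, a, window) for a in loaded), key=len)
    return [best[0]["src"]] + [a["dst"] for a in best]
```

Run on each feed alone, the IT view stops at the engineering jump host and the OT view is a single unexplained PLC write; run on the merged feed, one path from the mail gateway to the PLC emerges.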
A growing number of information security professionals regard continuous monitoring as a way of regaining lost ground and boosting their defence capabilities.
According to the US National Institute of Standards and Technology (Nist), the aim of continuous monitoring is ongoing awareness of information security, vulnerabilities and threats to support risk management decisions.
But most information security professionals simply see it as a way of identifying security gaps and hitting back at advanced persistent attackers.