“CISOs need to find tools that help eliminate the burden of manually checking configurations, detecting material changes and looking for artifacts of sophisticated attacks through the breadcrumbs of settings that may have been changed in the past,” says Aaron Turner, Vice President of SaaS Posture, Vectra AI, in an exclusive interview with ITSecurityWire.
ITSW Bureau: How do you suggest organizations prepare for current and future threat scenarios?
Aaron Turner: With the massive shift from on-prem collaboration systems to Microsoft 365, relatively few security teams have actually run a threat-hunting scenario within their M365 tenant. As has been the case for many years in cybersecurity, the first threat hunt starts with an incident, which then teaches the security team on the fly how to search for data to help in the investigation. Unfortunately, many M365 tenants were not properly configured from Day 1 to have the appropriate hardening and logging settings in place.
Preparation starts with red teaming your M365 tenant, and that's why we built the Siriux scan engine: to help security teams exponentially increase their effectiveness at finding those security settings that are material to hardening the tenant and logging activity in a meaningful way.
I have spoken with many business leaders who don’t believe that investing in security has any measurable return. I usually counter their observation with one from the insurance industry.
Every year that a business pays for some form of fire, casualty, or auto insurance but makes no claim, it could be argued with the same logic that there is no measurable return for that expense. As we’ve seen in the major ransomware attacks over the last year, such as the Colonial Pipeline incident, failure to invest in a structured and well-funded security program will eventually result in some form of incident. Structure security programs like insurance strategies.
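The answer above talks about two things a tenant needs before its first hunt: the hardening and logging settings that make an investigation possible, and a way to look for the settings an attacker leaves behind. The script below is an added example written for this page; it is not code from the interview, from Vectra AI or from the Siriux scan engine. It uses only cmdlets from Microsoft's ExchangeOnlineManagement module and assumes `Connect-ExchangeOnline` has already been run with an account holding the Exchange administrator and audit-log roles. The 30-day lookback, the severity labels and the rule-name regexes are choices made for the example.

```powershell
# Added example (not from the interview or from Vectra/Siriux): check the M365
# logging and hardening settings a threat hunt depends on, then run a first hunt
# for the classic breadcrumb of a mailbox compromise: inbox rules that forward
# mail outside the tenant. Assumes Connect-ExchangeOnline has already been run.
param([int]$LookbackDays = 30)   # arbitrary window for the audit-log search

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Severity, $Check, $Detail) {
    $findings.Add([pscustomobject]@{ Severity = $Severity; Check = $Check; Detail = $Detail })
}

# 1. Logging: without unified audit log ingestion there is nothing to hunt in.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Add-Finding 'High' 'UnifiedAuditLog' 'Ingestion disabled; fix with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Add-Finding 'High' 'MailboxAuditing' 'Mailbox auditing disabled tenant-wide; fix with Set-OrganizationConfig -AuditDisabled $false'
}

# 2. Hardening: automatic forwarding to external recipients should be off at the policy level.
foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
    if ($p.AutoForwardingMode -ne 'Off') {
        Add-Finding 'Medium' 'AutoForwarding' "Outbound spam policy '$($p.Name)' has AutoForwardingMode=$($p.AutoForwardingMode)"
    }
}

# 3. Hunt: enabled inbox rules whose forward/redirect target is outside the accepted domains.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLowerInvariant() }
function Test-ExternalTarget([string[]]$Targets) {
    foreach ($t in $Targets) {
        # Targets render as "Display Name [SMTP:user@domain]" or as a bare address.
        if ($t -match '(?i)SMTP:([^\]\s]+@([^\]\s]+))') { $domain = $Matches[2] }
        elseif ($t -match '@([^\s\]]+)$')                { $domain = $Matches[1] }
        else { continue }
        if ($internalDomains -notcontains $domain.ToLowerInvariant()) { return $true }
    }
    return $false
}
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Properties AuditEnabled,PrimarySmtpAddress
foreach ($mbx in $mailboxes) {
    if (-not $mbx.AuditEnabled) {
        Add-Finding 'Low' 'MailboxAuditing' "Auditing disabled on $($mbx.PrimarySmtpAddress)"
    }
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        if ($rule.Enabled -and $targets -and (Test-ExternalTarget $targets)) {
            Add-Finding 'High' 'InboxRule' "Rule '$($rule.Name)' on $($mbx.PrimarySmtpAddress) forwards externally to $($targets -join ', ')"
        }
    }
}

# 4. Breadcrumbs: who created or modified inbox rules in the lookback window, and from where.
$end = Get-Date; $start = $end.AddDays(-$LookbackDays)
$ruleEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations New-InboxRule,Set-InboxRule -ResultSize 5000
foreach ($ev in $ruleEvents) {
    $data = $ev.AuditData | ConvertFrom-Json
    Add-Finding 'Info' 'InboxRuleChange' "$($ev.CreationDate) $($ev.UserIds) $($ev.Operations) from $($data.ClientIP)"
}

# Report, most severe first.
$rank = @{ High = 0; Medium = 1; Low = 2; Info = 3 }
$findings | Sort-Object { $rank[$_.Severity] } | Format-Table -AutoSize
```

Step 4 is the part that only works if step 1 was already in place before the incident: `Search-UnifiedAuditLog` returns nothing for the period before ingestion was enabled, which is exactly the gap the answer describes. Enumerating inbox rules per mailbox is slow on a large tenant; run it once as a baseline and then rely on the audit-log query for changes.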
ITSW Bureau: With the surge in the number of cyber threats, especially since the adoption of the remote work model, what steps should CISOs take to reduce the workload associated with threat detection and analysis? What tools do you recommend they have in place?
Aaron Turner: We know that the bad guys have invested heavily in automation to evaluate targets in highly efficient ways and then attack at speed with additional Robotic Process Automation to exploit vulnerabilities at scale.
CISOs need to find tools that help eliminate the burden of manually checking configurations, detecting material changes and looking for artifacts of sophisticated attacks through the breadcrumbs of settings that may have been changed in the past. We designed the Siriux scan engine to be the RPA tool to identify poor security posture in an M365 tenant and facilitate the rapid protection of the tenant through our prioritized Remediation Action Plans. This moves security teams from having to go out and educate themselves to having a trusted partner who is constantly looking for new attack vectors within a platform like M365 and helping our customers find those problems through our scan engine.
Organizations dependent on Exchange Online for their email must review the anti-malware policies configured in their Microsoft 365 Defender portal. Alternatively, if there is a high risk of attack that needs to be addressed outside of the Defender policies, specific attachment file types can be blocked in a dedicated .ppam blocking policy implemented as an Exchange Online mail flow rule.
Security also depends on business leaders’ ability to avoid the fallacy of sunk costs when it comes to IT systems. Very rarely is there a good reason to stick with legacy technologies from a total-cost-of-ownership perspective when measuring the potential financial impacts that incidents like ransomware can have on the organization.
It can be costly and disruptive to constantly be moving to new systems and platforms, but if a system that is a critical component of business processes cannot be secured to meet cyber insurance requirements or to utilize strong identity controls like multi-factor authentication, move on quickly to something that exceeds today’s requirements to avoid even higher incident-related costs in the future. Sunk costs don’t matter to hackers.
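The answer above names two places to block a risky attachment type in Exchange Online: the Defender anti-malware policy and a dedicated mail flow rule. The script below is an added example for this page, not code from the interview or from Vectra AI, and it does both with the ExchangeOnlineManagement module. It generalizes slightly: the extension list defaults to the `.ppam` type the answer mentions but accepts any list. It assumes `Connect-ExchangeOnline` has already been run; the rule name, the policy name `Default` and the reject text are arbitrary choices for the example.

```powershell
# Added example (not from the interview or from Vectra AI): block an attachment
# extension in both the Defender anti-malware policy (common attachments filter)
# and a dedicated Exchange Online mail flow (transport) rule.
# Assumes Connect-ExchangeOnline has already been run with an Exchange admin role.
param(
    [string[]]$Extensions    = @('ppam'),                                   # type named in the answer; extend as needed
    [string]$RuleName        = 'Block high-risk attachment extensions',    # arbitrary name for this example
    [string]$MalwarePolicy   = 'Default'                                    # the built-in anti-malware policy
)

# 1. Defender anti-malware policy: enable the common attachments filter and make
#    sure every requested extension is in its FileTypes list.
$policy  = Get-MalwareFilterPolicy -Identity $MalwarePolicy
$missing = @($Extensions | Where-Object { $policy.FileTypes -notcontains $_ })
if (-not $policy.EnableFileFilter -or $missing.Count -gt 0) {
    $params = @{ Identity = $MalwarePolicy; EnableFileFilter = $true }
    if ($missing.Count -gt 0) { $params.FileTypes = @{ Add = $missing } }   # add without clobbering existing entries
    Set-MalwareFilterPolicy @params
}

# 2. Dedicated mail flow rule: reject inbound mail carrying the extension with an
#    NDR the sender will see, independent of the Defender policy above.
$ruleParams = @{
    AttachmentExtensionMatchesWords = $Extensions
    RejectMessageReasonText         = "Attachments of type $($Extensions -join ', ') are not accepted by this organization."
    RejectMessageEnhancedStatusCode = '5.7.1'
}
$existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-TransportRule -Identity $RuleName @ruleParams
} else {
    New-TransportRule -Name $RuleName -Priority 0 -Mode Enforce @ruleParams
}

# 3. Verify both controls are in the state the policy review expects.
Get-MalwareFilterPolicy -Identity $MalwarePolicy |
    Select-Object Name, EnableFileFilter, FileTypes
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, Mode, Priority, AttachmentExtensionMatchesWords
```

Keeping both controls is deliberate: the transport rule matches on the file name extension only, so a renamed file slips past it, while the Defender common attachments filter attempts true file-type detection. Archives and password-protected containers are handled by neither and need their own policy decision.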
ITSW Bureau: How can CISOs bring their SOC to full maturity and prepare it for the threat hunt?
Aaron Turner: Very rarely has a SIEM platform ever really helped a security team. The people operating the SIEM were the workhorses of threat hunting as they could correlate data, look for anomalies, etc. Yes, the SIEM is a very valuable data storage mechanism, but the art of threat hunting requires active intelligence gathering that can be difficult for the internal security team to accomplish.
Our approach has been to work with security researchers, do root cause analysis of the worst M365 attacks that are known, and then automate the process of looking for the weaknesses that led to those attacks. We then help customers harden their environments to avoid similar problems in the future.
ITSW Bureau: What steps can organizations take to stop ransomware that originates in one domain and pivots to another such as cloud, data center, and enterprise networks?
Aaron Turner: So few organizations have a cross-domain correlation of security events. This is one of the reasons why it is essential to harden each domain as if it were just an eventuality that one domain is used to attack another within an organization’s IT infrastructure (whether on-prem or in the cloud).
I believe that security teams need to begin investing in cloud posture scanning capabilities that provide timely insight into these types of misconfigurations to help development teams avoid the pitfalls of default data storage configurations at the PaaS and SaaS levels.
Security sometimes lies in simplicity. Business leaders need to have the discipline to limit their teams' use of technology platforms to as few as possible and then make an effort to use best-in-class security tools to secure the smallest IT footprint possible. Simple is secure.
Aaron Turner, Vice President, SaaS Posture, Vectra AI
Aaron has been hacking and defending systems for three decades. He is a cybersecurity innovator and entrepreneur, IANS Faculty Member, and RSA Conference Program Committee Member. He resides in Salt Lake City, UT, is a split-window VW Bus fan, has been married for 27 years, and is a father to three wonderful daughters.