Automation and intelligence within the security system
In the last year, the number of global businesses falling victim to supply chain attacks more than doubled from 16 to 34 per cent – in the UK the picture is even worse with a staggering 42 per cent reporting they fell victim to these sorts of attacks, writes Zeki Turedi, Technology Strategist EMEA, CrowdStrike.
This kind of attack is a powerful threat as it enables malicious code to slip into an organisation through trusted sources. What is worse is that it’s a tougher threat for traditional security approaches to account for.
Of even more concern though is that this particular attack vector doesn’t appear to be a top priority for businesses. The same survey found only 42 per cent of respondents have vetted all new and existing software suppliers in the past 12 months. While this has led to 30 per cent of respondents believing with absolute certainty that their organisation will become more resilient to supply chain attacks over the next 12 months, the increasing scale and frequency of these attacks demands a proportionate response.
The problem is that many businesses fail to understand how quickly adversaries can move laterally through the network via this sort of compromise and how much damage can be done in that short amount of time. There is an educational need for the cyber industry to broadcast the potential consequences of supply chain attacks, and to share best practices around their defence and mitigation.
Adversaries use supply chain attacks as a sneaky weak point through which to creep into the enterprise and attack software further up the supply chain rather than going straight for their final target: An organisation with funds or information they wish to pilfer, or whom they will ‘merely’ disrupt. Once an adversary successfully compromises the chain, their M.O. is to modify the trusted software to perform additional, malicious activities. If not discovered, compromised software can then be delivered throughout an organisation via software updates.
The 2017 NotPeya attacks acted as a wake-up call for many in the industry on the dangers presented by supply chain attacks. Now in 2019, UK organisations average 39 hours to detect an adversary vs. a global average of 120 hours. In fact, UK confidence appears high, yet 79 per cent of global respondents and 74 per cent in the UK reported that in the previous 12 months they had been unable to prevent intruders on their networks from accessing their targeted data, with 44 per cent (64% in the UK) pointing to slow detection as the cause.
Breakout time is the critical window between when an intruder compromises the first machine and when they can move laterally to other systems on the network. Organisations should look to follow the 1:10:60 rule. These are three time metrics designed by the security industry so that organisations can beat the average breakout times of both nation-state and eCrime adversaries. Right now 98 per cent of UK respondents fall short of meeting the time standards of this rule: Only nine per cent of respondent organisations can detect an intruder in under one minute, only five per cent can investigate a security incident in 10 minutes, and only 30 per cent can contain an incident in 60 minutes.
Time to Eliminate the Weak Links and Forge New Ones
Although most organisations take security seriously, it’s clear that measures are falling short. It’s recommended to focus on four key areas to take a more secure posture.
Firstly, behavioural-based attack detection that picks up indicators of attacks can find these attacks before they have a chance to cause real damage – faster than a human. Machine learning can pattern detect across millions of attacks per day.
Secondly, threat intelligence can tell a business when new supply chain attacks are emerging and provide the information necessary to understand a threat as well as to proactively defend against it. Allied to this, the third suggestion is the adoption of proactive services which can offer real-time attack simulations and allow organisations to identify and highlight their weak points so they can remediate them before danger strikes.
Finally, the time to respond is key. The need for speed to beat newly spreading threats is crucial and is where the other factors all play a part, as well as automation to beat ‘merely human’ reaction times.
When it comes to supply chain attacks the speed of detection and response, and the ability to understand the adversary and what they are looking for are game-changers. The technologies providing this are automation and intelligence within the security system, and trained on huge, real-world data sets via the cloud. It’s these technologies, offering automation, intelligence, the power of the crowd and all served via the speed of the cloud, that allow an organisation to stand up to the modern and evolving adversary.