Spotting signs of malware in the age of ‘alert fatigue’

Sam Woodcock, senior director Cloud Strategy at 11:11 Systems, tells us that, according to Sophos, 83 percent of organizations that experienced a breach had observable warning signs beforehand and ignored the canary in the coal mine. Further, 70 percent of breaches were successful and threat actors encrypted the data of the organization to prevent access to it.

11:11 Systems offers on-premises and cloud backup services. For example, it stores customers’ unstructured on-premises data using SteelDome’s InfiniVault storage gateway for on-premises data storage, protection, and recovery. For Azure it offers 11:11 DRaaS (disaster recovery as a service), and for AWS it offers 11:11 Cloud Backup for Veeam Cloud Connect, 11:11 Cloud Backup for Microsoft 365, and 11:11 Cloud Object Storage.

We asked Woodcock about these signs and what affected organizations should do about them.

Blocks & Files: What warning signs were these?

Sam Woodcock, 11:11 Systems

Sam Woodcock: Warning signs come in a variety of forms that can be observed independently or in various combinations. Some examples of typical warning signs would be unusual network activity such as excessive or unusual network traffic, spikes in failed login attempts, unusual system activity, unusual file access patterns, and alerts coming from security tools and endpoint device solutions.

Blocks & Files: Why weren’t they seen?

Sam Woodcock: Typically, warning signs can be missed for a variety of reasons – however, one of the most common reasons is “alert fatigue.” Forty percent of organizations receive over 10,000 security alerts on a daily basis. This sheer volume of information results in organizations simply being unable to properly process and respond to every indicator generated from their security solution set.

Secondly, organizations often realize the need to invest in security technologies. However, often the vital security expertise needed to interpret and react to alerting and information coming from these tools is in low supply and high demand. This can result in a lack of expertise within an organization to triage and respond to vital alerting and monitoring information. Also, organizations may not have full 24x7x365 coverage to monitor, react, and triage security incidents; therefore missing vital signals and opportunities to prevent attacks.

Blocks & Files: How could they have been seen?

Sam Woodcock: Detecting and responding to threats requires a combination of security tools, monitoring, security expertise, 24x7x365 coverage, robust processes, and proactive and reactive measures. The best practice is to have a multi-layered approach combining preventative security solutions, and reactive data protection and cyber recovery solutions.

It is also critical for organizations to perform proactive vulnerability assessments and penetration testing to understand gaps and risks that may exist within their application and security landscape. An essential part of any approach is to centralize logging and telemetry data into a Security Information and Event Management (SIEM) system; aggregating log and real-time alerting data across application and workloads running across a wide variety of platforms and physical locations. With an effective SIEM solution in place, organizations must also invest in security expertise and coverage to observe and react to patterns and information coming from such a system.

Blocks & Files: What should enterprises do when they see such signs?

Sam Woodcock: Organizations need to react immediately in a structured and strategic manner to mitigate threats and prevent further growth of threats. Due to the immediacy, organizations must invest in first- or third-party security expertise that is 24x7x365 in nature so as not to miss or let threats grow in scope.

The first step of any approach should be to investigate the alerts or logs created by security tools and validate whether the threat is an actual threat or a false positive. If the threat is a true positive, affected systems should be isolated and quarantined immediately to prevent the spread or movement of the attack. Having an incident response team and plan is essential to coordinate the required response and to resolve and remediate the issue. Having a combination of people, processes, and technology working in partnership is essential to swift resolution and recovery.

Blocks & Files: Can 11:11 Systems help here?

Sam Woodcock: 11:11 was formed to ensure organizations can keep their applications and systems always running, accessible, and protected. As previously mentioned, preventative security solutions are essential to preventing attacks or limiting scope. 11:11 provides a combination of security technology (MDR, XDR, Managed Firewall, Real Time Vulnerability scanning) aligned with a global 24x7x365 Security Operations Center with a robust process.

This is to ensure that we understand threats in real time and react accordingly, providing actionable remediation information to resolve incidents. In combination with our Managed Security services approach, 11:11 has a deep heritage in data protection, disaster recovery, and cyber resilience with capabilities to provide end-to-end Managed Recovery of systems, workloads, and applications.

This Managed Recovery solution set is essential to ensure vital data assets are protected in real time, with a tested and validated recovery plan to ensure swift recovery of a business’s most essential assets.

***

Comment

It seems that a generative AI security agent could be used to look for IT system warning signs, scanning network traffic and IT systems for “excessive or unusual network traffic, spikes in failed login attempts, unusual system activity, unusual file access patterns” and the like. Such an agent could also ingest the “alerts coming from security tools and endpoint device solutions” that Woodcock mentions.

A precondition here is that the agent understands the usual network traffic rate, file access patterns, and login attempt levels.

Such an agent could put these inputs together and analyze them in a false-positive or true-positive assessment process, so helping a security team or person defeat “alert fatigue,” make more sense of the threat environment, and deal with threats more effectively.
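As an added illustration (not code from the article, from 11:11 Systems, or from any product it mentions), the sketch below shows the baseline-and-deviation check the comment describes, applied to two of the warning signs Woodcock lists: spikes in failed logins per source and unusual file-access volume per account, with a severity that rises when independent signs coincide. The baselines, log lines, regexes and severity rule are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baselines (not real data): per-hour counts observed for the
# previous seven days, i.e. the "usual levels" the agent is assumed to know.
LOGIN_BASELINE = {"10.0.0.5": [2, 3, 1, 4, 2, 3, 2], "10.0.0.9": [0, 1, 0, 0, 1, 0, 0]}
FILE_BASELINE = {"svc-backup": [40, 38, 45, 41, 39, 44, 42], "jsmith": [5, 6, 4, 7, 5, 6, 5]}

FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")
FILE_RE = re.compile(r"user=(\S+) action=read path=(\S+)")

# Constructed log lines for the current one-hour window: one source hammering
# sshd, one account reading far more distinct files than usual, two normal actors.
CURRENT_WINDOW = (
    [f"sshd: Failed password for {u} from 10.0.0.5" for u in ["admin", "root"] * 15]
    + ["sshd: Failed password for jsmith from 10.0.0.9"]
    + [f"audit: user=jsmith action=read path=/srv/share/f{i}.docx" for i in range(60)]
    + [f"audit: user=svc-backup action=read path=/srv/db/seg{i}.bak" for i in range(41)]
)


def is_spike(value, history, k=3.0):
    """True when a count exceeds the history mean by more than k standard
    deviations; the deviation is floored at 1 so a flat history of zeros
    does not turn every single event into an alert."""
    return value > mean(history) + k * max(pstdev(history), 1.0)


def triage(lines):
    """Return the warning signs found in the window plus a severity that rises
    with the number of independent sign types, so an analyst sees one ranked
    finding instead of a stream of raw alerts."""
    failed = Counter(m.group(1) for m in map(FAILED_RE.search, lines) if m)
    touched = defaultdict(set)
    for m in filter(None, map(FILE_RE.search, lines)):
        touched[m.group(1)].add(m.group(2))

    signals = []
    for src, n in failed.items():
        if is_spike(n, LOGIN_BASELINE.get(src, [0])):
            signals.append(("login_spike", src, n))
    for user, paths in touched.items():
        if is_spike(len(paths), FILE_BASELINE.get(user, [0])):
            signals.append(("file_access_spike", user, len(paths)))

    kinds = {kind for kind, _, _ in signals}
    levels = {0: "none", 1: "medium: analyst review"}
    return signals, levels.get(len(kinds), "high: isolate and investigate")
```

A source or account with no baseline is treated as a zero history, so its first few events are flagged only once they pass the floor; in practice the baselines would be rebuilt continuously from the SIEM rather than hard-coded.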

The notion that “affected systems should be isolated and quarantined immediately” is sensible, of course, but can have far-reaching effects. For example, having your ERP database attacked and needing to be quarantined means that you have no ERP system. It seems to be a very, very good idea that malware attack detection and response should be carefully and thoroughly planned, tested, and rehearsed to prevent a real attack causing chaos and panic.

Having reliable, clean data copies and restartable IT system components would seem to be a precondition for effective malware attack response.

Such a malware threat agent could likely do even more and we’re certain that cybersecurity suppliers, such as Rubrik, are thinking along these lines already.