The Strongroom

The biggest security risks to your business probably aren’t what you think they are

1st August 2018

Written by Sunny Lakhiyan

Imagine a Security Operations Centre (SOC), and you probably think of technology that detects threats and generates incident alerts. But as the cybersecurity landscape becomes increasingly complex, and businesses begin to see it not as a technology problem, but a business risk issue, the SOC is evolving into something more akin to a ‘business risk analytics centre’.

The real value of the modern SOC lies in understanding the potential impact of each of the hundreds of risks your business faces every day, triaging responses accordingly, and providing you with actionable intelligence that you can use to continually improve your defences where it matters most.

Triaging threats according to their potential impact on your business

Not all security threats are created equal. Of the thousands of threats the Origin Security SOC triages every month, on average 1-2 per customer will be classified as high severity, 3-5 will be elevated severity and at least 5 will be important.

Here’s what those categories mean in terms of potential impact on your business:

[Figure: Threat Graph]

Most organisations would be highly unlikely to discover these threats on their own. In fact, it’s been well established that in organisations without a SOC, breaches remain undetected for an average of 200 days.

The most serious threats might not be what you’d expect

The threats that pose the greatest risk to our clients’ businesses are seldom what they imagine them to be. Let’s take a closer look at some of the high and elevated severity threats Origin Security’s SOC has mitigated in recent months.

[Figure: Pie Chart]

1. Bring Your Own Device (BYOD) threats

Most businesses nowadays have a BYOD policy. Ideally, they’ll also have adequate policies around how company data is protected and isolated from everything else on the device. However, most businesses do not have the resources to effectively enforce these policies and report on compliance.

We’ve uncovered a number of cases where a particular social media and messaging app installed on a BYOD device was secretly sending all device traffic to a specific country, putting the business’ intellectual property and data at risk.

In each case, after we alerted the business to this activity, the device was removed from the network and the user was interviewed. We then helped the customer to improve their BYOD policies and processes, mitigating future risk to their business.

2. Account takeover

It’s unfortunately very common for employees to reuse passwords across personal and company devices, websites and applications. When those credentials are compromised, it’s often via breaches on public services that are outside the control of the business. What makes this so damaging is that even unsophisticated players can compromise a number of employee accounts of a single organisation with little to no knowledge of traditional hacking methodologies.

The challenge for businesses is not only to enforce password policies, but also to detect when their users’ credentials might have been stolen, and to act quickly and effectively. In a recent example, we discovered that one of our clients had 179 employee credentials not only stolen, but resold on the nastiest parts of the internet. We quickly presented a business case to implement a password management solution, educate users about password reuse, and help users with complex unique passwords.

3. Shadow IT

‘Shadow IT’, or unauthorised applications used by employees, is much more of a problem than any organisation would like to think. Our SOC uncovers a staggering number of applications, SaaS platforms and products in use when reviewing our customers’ environments. Recently we found over 1,500 unique applications installed across the environment of one of our clients. It would be difficult for any business to justify the use of more than a small fraction of that number. 

Unauthorised apps have the potential to leak data, and can lead to phishing attacks and theft of intellectual property or customer data. During our investigations we have found incidents where malware and ransomware infections in our clients’ environments have been traced back to overseas contractors’ machines or networks.

Just imagine for a moment if an outbreak of malware in your customer’s environment was traced back to your staff or contractors. If damages were reported, your business would be opened up to litigation, brand damage and loss of reputation.

4. Third party attack vectors

As the saying goes, you’re only as strong as your weakest link. Even if your business’ infrastructure adheres to security best practice, you could still be exposed to threats via partners and third party services. Your business must be able to detect whenever information leaves the company network in an insecure fashion.

In a recent case, one of our clients used a third party service that requested personally identifiable details of staff members, including name, position within the company, cell phone number and dietary requirements. Our SOC detected that this personal information was being transmitted via an insecure web service, and quickly advised users not to fill out the public forms. Had that information fallen into the wrong hands, it could have been used to fool employees with a targeted phishing attempt.

5. Phishing and whaling

Phishing is one of the most common threats facing any organisation. It’s a simple exercise for cybercriminals to carry out, but proves extremely challenging to eliminate and combat. A phishing attack can harvest credentials by targeting information specific to an employee’s role or by impersonating someone with authority within the organisation. We’ve also seen instances where the attack spread to the organisation’s customers, resulting in significant brand damage.

Every month our SOC blocks an average of 20,000 phishing attempts, emails from malicious hosts and emails breaching company policies. We’re witnessing an increasing number of highly sophisticated and customised attacks that are difficult to detect using technology alone. In a recent example, an attacker posed as our customer’s CEO and emailed their CFO requesting an urgent transfer of funds with a seemingly legitimate reason. The email was given a sense of authenticity by the use of information the attacker knew about the CEO, such as his writing style and the fact he was at an overseas conference.

Your best defence against phishing attacks is a combined effort of mail protection to block the bulk of the onslaught, and user education for any that still make it through your technical controls.

We recommend our Phriendly Phishing programme to all Origin Security customers, to continually improve and measure their employees’ understanding of various phishing methods. We also raise awareness about ongoing phishing campaigns that have been detected in the wild, as they occur.

Safeguarding your intellectual property, data and reputation necessitates going beyond threat detection and traditional prevention measures. Today, your best defence is an expert understanding of business risk.

We’re giving a limited number of businesses the opportunity to get a clear-eyed view of the current state of their cybersecurity with a free one month proof of value trial of Origin's Security Operations Centre.

Sunny Lakhiyan

Technical Security Architect

Sunny joined Origin in 2013 and is now Technical Security Architect. He built the BAU engineering practice at Origin, and most recently the Security Operations Centre (SOC).
