Page 166 - Cyber Defense eMagazine April 2023

Current cybersecurity measures are unable to close the gaps that lead to initial malware infections and fail to account for the fallout after a device has been compromised. Endpoint detection and application security monitoring are being used as stopgaps, but they are not enough.

The Bigger Picture Involves More Comprehensive Remediation

While employee education is the essential first step for a robust security defense, everyone makes mistakes. With the increasing frequency of malware attacks, it is getting harder and harder to avoid infection entirely. Instead, leaders should proactively mitigate the threat with a Post-Infection Remediation (PIR) approach.

PIR is a series of steps woven into standard malware infection responses that aims to address the lasting threat of exposed data.

The approach works like this: once the Security Operations Center (SOC) has identified an infected device, the IT team takes the standard first step of clearing the infected device. In parallel, the enterprise uses darkweb monitoring tools and human intelligence (HUMINT) teams to scan the underground for stolen information. Those tools and teams find the user data and trace it back to the initially compromised asset.

Once armed with this knowledge, SOCs begin remediating all compromised credentials and applications impacted by the attack. This can include third-party workforce applications such as Single Sign-On (SSO), code repositories, payroll systems, VPNs, or remote access portals. If all exposed data is reset, it is unlikely that a full-blown ransomware attack will occur.

By going straight to the source of the threat – the darkweb – SOCs gain insight into all exposed devices and applications. SOCs may not monitor personal devices, but if the stolen data is linked to such a device, teams can act to remediate these previously unseen entry points, better protecting the organization and the user.
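As an added example, not code from the article or from any vendor product, the following Python triage routine sketches the remediation step described above: it takes darkweb exposure records already traced back to an asset, drops any credential the SOC rotated after the theft, orders the rest by the application types the article names (SSO and remote access first), and flags devices that carry stolen data but never appeared in an infection alert. The record fields, priority values and sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime as dt
# Reset order for the application types the article names (lower runs first).
PRIORITY = {"sso": 0, "remote-access": 1, "vpn": 1, "code-repo": 2, "payroll": 3}

@dataclass(frozen=True)
class Exposure:         # darkweb record traced back to the asset it was stolen from
    device: str
    username: str
    app: str
    category: str
    seen_at: dt         # when the stealer captured the credential

@dataclass(frozen=True)
class Reset:            # a credential rotation already performed by the SOC
    username: str
    app: str
    reset_at: dt

def build_plan(infected_devices, exposures, resets):
    """Return (exposures still needing a reset, in priority order; devices the SOC never saw)."""
    last_reset = {}
    for r in resets:
        k = (r.username, r.app)
        last_reset[k] = max(last_reset.get(k, r.reset_at), r.reset_at)
    pending, unseen = [], set()
    for e in exposures:
        if e.device not in infected_devices:
            unseen.add(e.device)       # e.g. a personal device the SOC does not monitor
        done = last_reset.get((e.username, e.app))
        if done is not None and done > e.seen_at:
            continue                   # rotated after the theft; nothing left exposed
        pending.append(e)
    pending.sort(key=lambda e: (PRIORITY.get(e.category, 9), e.seen_at))
    return pending, sorted(unseen)

# Constructed sample data, not taken from any real incident.
SAMPLE_INFECTED = {"LAPTOP-042"}                      # the device the SOC alerted on
SAMPLE_EXPOSURES = [
    Exposure("LAPTOP-042", "a.lee", "git.example.com", "code-repo", dt(2023, 2, 27, 22)),
    Exposure("LAPTOP-042", "a.lee", "vpn.example.com", "vpn", dt(2023, 2, 27, 22)),
    Exposure("LAPTOP-042", "a.lee", "sso.example.com", "sso", dt(2023, 2, 27, 22)),
    Exposure("HOME-PC", "a.lee", "payroll.example.com", "payroll", dt(2023, 2, 28, 1)),
]
SAMPLE_RESETS = [Reset("a.lee", "git.example.com", dt(2023, 3, 1, 10))]  # rotated after theft
if __name__ == "__main__":
    plan, unseen = build_plan(SAMPLE_INFECTED, SAMPLE_EXPOSURES, SAMPLE_RESETS)
    for e in plan:
        print(f"reset {e.username}@{e.app} (stolen from {e.device})")
    print("unmonitored devices tied to stolen data:", unseen)
```

The unmonitored-device list is the point the article makes about personal devices: the stolen data, not the endpoint agent, is what reveals the entry point.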

PIR is more comprehensive than legacy, machine-centric malware response processes. Where those methods emphasize device remediation and neglect to consider user identity, PIR takes a more identity-centric approach, considering the personally identifiable information (PII) at risk.

Using this approach, leaders and executives can equip themselves for future success against evolving malware practices. Regardless of whether infected devices are being monitored, IT teams will have full visibility into the scope of the threat, significantly shortening the exposure window for ransomware and other critical threats while closing previously unseen security gaps.