Page 68 - Cyber Defense Magazine for August 2020

Fortunately, information security professionals still have a range of tools and techniques they can use to help prevent breaches and to mitigate them when they do happen.

Many attack scenarios, especially ones involving remote access attacks, start with targeting the users themselves. Many penetration testers will tell you the users are the easiest target and the first thing they’ll go after. But this also gives an organization the opportunity to convert their user base from part of the attack surface into their first line of defense. Making sure you have trained them on best practices and have enabled a strong multi-factor authentication scheme can go a long way to preventing unauthorized access.



For many organizations, the Security Operations team, rather than their users, is the main line of defense. Even when the services are provided in whole or in part by a third party, they are the ones who have the ultimate responsibility for the organization’s security well-being. That means ensuring they have the correct tools and the right training is as important as making sure the users are trained and equipped. The question becomes whether they have the right tools and training to identify and mitigate attack profiles that have now shifted to target the remote workforce.

The threats they have historically focused on have not disappeared, but they may no longer be the primary attack surface. Likewise, the tools they use to identify and mitigate attacks may not be the best ones now that the attacker’s focus has shifted.

Threat actors have become increasingly skilled at compromising systems and then hiding their activity “below the radar,” which makes it harder to detect. This is even more true now that there is a remote workforce to both target for attack and use for concealment. That means the SecOps team will need to look at the situation holistically rather than relying on single indicators of compromise.

To that end, an advanced security analytics platform that can consolidate all the organization’s security data into a single place and then perform AI-based analytics on the entirety of the data may be in order. By looking at all the information, it is possible to identify anomalous behavior that differs subtly from what’s expected, or accepted, for a normal user. That can be the first indication of a compromise. Using machine learning techniques, the system can adapt to the changing threat surface and present a risk-based assessment to the SecOps team.

Combined with their existing tools and efficient automation, security operations personnel can get ahead of an attack to keep a single compromised account or remote access system from escalating to a serious data breach.
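The two ideas above, scoring an event against a per-user behavioral baseline rather than reacting to any single indicator, and escalating only when the combined risk crosses a threshold, can be illustrated with a small, self-contained script. This is an added example and not code from the article or from any product it describes; the authentication events, the indicator weights and the escalation threshold are constructed for illustration, and a real analytics platform would learn the baseline and weights from far more data than is shown here.

```python
"""Per-user behavioral baseline with multi-indicator risk scoring.

Added example, not the article's own code. The log events, indicator
weights and threshold below are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical authentication events:
# (user, ISO-8601 timestamp, source country, device id)
HISTORY = [
    ("alice", "2020-07-01T08:55:00", "US", "laptop-a1"),
    ("alice", "2020-07-02T09:10:00", "US", "laptop-a1"),
    ("alice", "2020-07-03T17:45:00", "US", "laptop-a1"),
    ("alice", "2020-07-06T08:30:00", "US", "phone-a2"),
    ("bob", "2020-07-01T22:15:00", "DE", "laptop-b1"),
    ("bob", "2020-07-02T23:40:00", "DE", "laptop-b1"),
    ("bob", "2020-07-03T21:05:00", "DE", "laptop-b1"),
]

# Constructed new events to triage against the baselines built from HISTORY.
NEW_EVENTS = [
    ("alice", "2020-07-07T09:05:00", "US", "laptop-a1"),  # entirely normal
    ("alice", "2020-07-07T09:20:00", "GB", "laptop-a1"),  # one weak indicator
    ("alice", "2020-07-08T03:10:00", "RU", "laptop-x9"),  # several indicators
    ("bob", "2020-07-07T22:30:00", "DE", "laptop-b1"),    # entirely normal
]

# Assumed weights: no single indicator reaches the threshold on its own,
# so an alert requires more than one thing to look wrong at once.
WEIGHTS = {"new_country": 40, "new_device": 30, "off_hours": 20}
THRESHOLD = 50  # scores at or above this are escalated to the SecOps queue


def build_baselines(events):
    """Summarise what 'normal' looks like for each user from past events."""
    baselines = defaultdict(
        lambda: {"countries": set(), "devices": set(), "hours": set()}
    )
    for user, ts, country, device in events:
        hour = datetime.fromisoformat(ts).hour
        baseline = baselines[user]
        baseline["countries"].add(country)
        baseline["devices"].add(device)
        baseline["hours"].add(hour)
    return dict(baselines)


def _hour_distance(a, b):
    """Distance between two hours of day on a 24-hour circle."""
    diff = abs(a - b)
    return min(diff, 24 - diff)


def score_event(baseline, ts, country, device):
    """Return (score, indicators) for one event against a user's baseline."""
    hour = datetime.fromisoformat(ts).hour
    indicators = []
    if country not in baseline["countries"]:
        indicators.append("new_country")
    if device not in baseline["devices"]:
        indicators.append("new_device")
    # 'Off hours' means more than two hours from any hour previously seen.
    if all(_hour_distance(hour, h) > 2 for h in baseline["hours"]):
        indicators.append("off_hours")
    score = sum(WEIGHTS[name] for name in indicators)
    return score, indicators


def triage(events, baselines):
    """Score new events; return (user, ts, score, indicators) for escalations."""
    escalated = []
    for user, ts, country, device in events:
        baseline = baselines.get(user)
        if baseline is None:
            # No history at all: nothing to compare against, so hand it to an analyst.
            escalated.append((user, ts, THRESHOLD, ["no_baseline"]))
            continue
        score, indicators = score_event(baseline, ts, country, device)
        if score >= THRESHOLD:
            escalated.append((user, ts, score, indicators))
    return escalated


if __name__ == "__main__":
    for user, ts, score, indicators in triage(NEW_EVENTS, build_baselines(HISTORY)):
        print(f"{user} {ts} risk={score} indicators={','.join(indicators)}")
```

Run as written, the normal events for alice and bob score zero, alice's single login from a new country scores 40 and stays below the threshold, and only the event that combines a new country, a new device and an unusual hour is escalated. The point of the design is the one the article makes: each indicator alone is noise that a remote workforce generates routinely, and it is the combination, judged against that user's own history, that is worth an analyst's time.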




Cyber Defense eMagazine – August 2020 Edition, page 68
            Copyright © 2020, Cyber Defense Magazine.  All rights reserved worldwide.