No One is Immune

The threat landscape never sleeps. It is always probing. Persistent. Relentless. 

But the recent hacks of Microsoft and Hewlett-Packard Enterprise (HPE) by a state-sponsored attack group also offer important lessons on how enterprises can better and more efficiently defend themselves, now, and in the future.

What these attacks spotlight is that in today’s threat landscape, preventing threats is important but protecting data is even more important. For many, this may require a new approach to cybersecurity to ensure the safety and security of their organizations. 

Preventing threats from determined and sophisticated attackers — like the state-sponsored attack group linked to the Russian foreign intelligence service, SVR, that attacked Microsoft and HPE — is a game enterprises are destined to lose. Protecting the information that could be exposed after the attack is the real priority. This is the new approach, and the goal, of what we call data-centric security. 

More than just visibility, enforcement

Data-centric security is an approach that should be considered by every enterprise because when it comes to breaches, it isn’t a matter of if; it’s a question of when. 

All organizations need to have strong threat prevention, continually enriched by leading threat intelligence. But those are simply table stakes, and with a data-centric mindset it’s only the beginning. A strong and comprehensive data loss prevention (DLP) strategy needs to be in place to ensure that the most persistent and cleverest attacker ultimately fail in their goal - to get your data. Having strong DLP is a foundation for the zero-trust framework which assumes that an organization has been breached and therefore, needs to ensure that valuable information cannot be withdrawn. 

A world-class data loss protection (DLP) solution provides that layer of data withdrawal protection. It offers the capabilities to apply that protection to stored data, data in use, and data in motion across the web, cloud, and private applications. And to be most effective, it applies data protection consistently across all control points, deeply integrated in endpoint, Cloud Secure Web Gateway (SWG), Cloud Access Service Broker (CASB) and Zero-Trust-Network Access (ZTNA) solutions: all connected by a leading threat intelligence network. A network backed by an expert team of experienced threat hunters who track organizations like the SVR and its various aliases, like Cozy Bear, Nobellium, and Fritillary, wherever they are, hiding in the shadows, waiting to strike.

Microsoft has some of these capabilities. Were they using them? We’ll probably never know. But what we do know is that the breach happened several months before they noticed. Let’s see how a data-centric security approach could have helped thwart the attacks or reduced their impact. 

The attack strategy

The SVR alias Nobellium launched a “password spray” attack. It is not a novel or particularly sophisticated strategy — and it’s one that may have been prevented with better cyber hygiene practices. But it worked. The SVR got access to the accounts it wanted, and over several months had the opportunity to extract information it may have wanted to learn. 

DLP and detecting data loss

A robust data loss protection (DLP) system would have helped limit the loss of sensitive information earlier and more efficiently. The best DLP solutions offer API-based and inline detection for the loss of sensitive data. Using the DLP’s integration with a customer’s cloud apps can also help detect the loss of sensitive data happening through several cloud apps and flag the exfiltration. A world-class DLP solution also inspects inline traffic running through those cloud apps and looks for patterns of sensitive data that enterprises can configure based on whatever personal information is most relevant to the organization. 

In the Microsoft example, strong Cloud Access Security Broker (CASB) capabilities with integrated DLP can combine to create the data-centric security solution that could help enterprises identify the worst effects of a similar cyberattack.

Detecting invalid logins 

The attack could have been detected by a more sophisticated Cloud DLP solution that detected invalid logins. For example: the CASB functionality within Symantec DLP Cloud can configure a threshold where, if more than a certain number of invalid logins is attempted for a specific login attempt, automatically triggers an incident alert. 

Data Protection solutions with artificial intelligence (AI) and machine learning (ML) capabilities could also detect a similar attack strategy using user and entity behavior analytics (UEBA)-based techniques to detect anomalous patterns. When the solution detects an anomalous type of login activity, like too many logins or logins from suspicious locations, it triggers an automatic alert or remediating steps.

Detecting excessive data downloads

A comprehensive Data Protection solution with rich cloud application capabilities can also detect excessive data downloads. Rules can be set for thresholds that, if exceeded, automatically trigger an incident. Or, AI and ML could  use UEBA techniques to detect and trigger an alert or remediating steps when there is anomalous download or sharing activity. 

Event scenarios and sequences

An effective data-centric solution also offers the ability to configure event scenarios, event sequence and risk vectors. These options combine the two attacking strategies witnessed in the Microsoft and (presumably) HPE hacks. For example, if a sequence of five or 10 invalid logins is followed by a successful login, and then succeeded in turn by a download of more than 100 GB of data, the event  would automatically trigger that the organization was under a brute force attack.

A passion for data-centric security

The bottom line is that data security is not just about visibility. True data security requires enforcement for real protection as well. That’s what we call data-centric security. And at Symantec that’s what we offer to defend you against a threat landscape that never sleeps.