November 5, 2018 • Published by Mark Carl
Endpoint Security • MDR • Ransomware
Here at ControlScan, a big part of our day-to-day lifestyle is knocking down threats and cyberattacks for our customers’ businesses as well as our own. It’s easy for us to understand what’s going on and why, because cybersecurity is where we live.
But, sometimes we lose sight of the fact that none of this makes any sense to a non-technical person who’s just trying to run their business. In many cases, they are calling us because another business owner they know was attacked with ransomware and they’ve decided they simply don’t want to be next.
When these calls come in, we begin with a base-level discussion about modern monitoring and alerting technologies that can help businesses respond to security threats and prevent intrusions. Questions surrounding the significance of event correlation usually surface during the conversation.
In cybersecurity, the term “correlation” is used to describe how security events relate to each other. There are literally millions of mechanisms by which these events can be correlated, and it is a job that requires both human and artificial intelligence (AI).
Here’s how I typically explain it:
Let’s say we install endpoint protection on the point-of-sale system as well as all PCs and servers in a retail customer’s environment. A month later, one of their employees receives a sophisticated email phishing attack and clicks on that link they shouldn’t have clicked, triggering a ransomware download to their PC. Thankfully, the endpoint protection stops it from executing…
So, did we prevent the attack on the business? The answer is we don’t really know yet, because some of our success relies upon the customer. For example, did they install a new PC yesterday, and forget to install the endpoint protection on it? It’s certainly possible, and it happens. This is where event correlation comes up to bat.
The endpoint security that stopped the ransomware reports up to our secure cloud, and ControlScan security analysts at the Security Operations Center (SOC) review what it found. It also sends the malware to our secure environment. In that secure environment, we “detonate” the malware and see what its characteristics are.
Now let’s say that malware is trying to communicate out to three different servers in a foreign country. How it’s behaving is what we call Indicators of Compromise, or IOCs. The security analysts will then take these IOCs and review every other system and all of the network logs that we have to see if any other systems in the customer’s environment are demonstrating similar behavior or trying to talk to those same three systems in a foreign country. The act of searching for IOCs is “event correlation.”
In summary, the endpoint security told us what we could see, and the event correlation told us what we may not have seen on any of the systems we’re not protecting (for whatever reason).
This is a very simple description of a very sophisticated group of systems working together to prevent cyberattacks. It’s quite a bit more complex than one might think. In many cases, the attacks are being perpetrated by a known cybercriminal organization or nation-state actor. The truth is, many of these organizations have their own unique IOCs.
In a lot of cases, we actually know who attacked the customer, and how severe it’s likely to be based on the history of the adversary we’ve identified. We call this “threat intelligence,” and we derive it from many public and private sources. It fulfills the age-old recommendation that we’ve all heard many times: Know your enemy!
Assets need protection from risk, but it’s not always obvious for smaller businesses. If you have anything of value whatsoever within your data environment, then you are certainly at risk. Even if you think you have no data of any significant value, attackers will simply hijack your systems and hold them for ransom until you pay.
So here’s another analogy for you: It’s very important to lock your doors. Your IT network is no different, and your firewall is the door. Use the correct configurations and apply whitelists to ensure that the door is locked, then monitor the door to make sure nobody unlocks it.
You should also be completely prepared for someone to kick the door down or, as it happens in most cases, for an employee to unlock the door and invite the attackers in by clicking on a link. Preventing that requires endpoint protection and event correlation. Yes, the activity is complex, but we work with our customers to make implementation simple.