Saryu Nayyar | Forbes.com
Ransomware cyberattacks have escalated to the point of posing a severe danger to people and national economies. When Colonial Pipeline was shut down for a week, fuel supplies to the Southeastern U.S. were disrupted, causing ripple effects through the national economy.
Facilities associated with the Republic of Ireland’s Health Service Executive, which oversees that nation’s health care and first responder systems, are still struggling to get back to full operation following an attack weeks ago.
And the abrupt shutdown of JBS, the world’s largest meat supplier, led to fears of meat shortages and escalating prices just as the global economy was beginning to inch its way back from the devastating pandemic.
These are just a few examples of far-reaching attacks that conventional security measures struggled to stop. Why are ransomware attacks so pernicious? Because the time from infection to complete encryption of files is only three seconds. When NotPetya hit a few years back, it took 90 seconds to encrypt and disable tens of thousands of servers worldwide.
It’s estimated that a business falls victim to such an attack every 14 seconds. Could yours be next?
Conventional Security Controls Aren’t Enough
For years, cybersecurity professionals have been trained to build their security programs around a risk-based framework such as the NIST Cybersecurity Framework, ISO 27001/27002, NERC-CIP, HIPAA, GDPR or FISMA. Companies choose their framework based on regulations relevant to their business.
Frameworks are important since they provide standards, guidelines and best practices to manage cybersecurity risk. However, they are not enough. Threat actors are changing their tactics so frequently that you need new control standards that aren’t yet part of a formal framework. This gap between controls coverage and where the new threats are is expanding and increasing your risk profile.
Along with adherence to the controls of a security framework, companies need to think in terms of building resilience to address new and emerging threats. This means adopting unconventional controls that work faster than the speed of threats (i.e., in real time). We call this model-driven security.
Can You Trust Your Users Not to Click?
While cyber threats go way beyond ransomware, let’s continue with this use case to see how model-driven security can prevent it from happening to you.
The primary vector for a threat actor to place the ransomware malware on your network is via phishing. Someone gets an email, clicks on a link, gets a malicious payload and the attack is on. Remember, you have three seconds to stop it before damage is done.
The No. 1 conventional control for this threat vector is to educate end users to discourage them from clicking suspicious links.
Other technology-based controls involve opening the link in a sandbox, quarantining messages from newly registered domains, scrutinizing the attributes of the sending domain and implementing DMARC to prevent anyone from spoofing your domain. These activities can help limit exposure to malicious links and payloads.
Today’s conventional controls for email messages typically look at the sending URL and the payload. As we have seen, threat actors continue to evolve their methods to sidestep such controls. An unconventional approach — one that is much more effective and can happen in real time — can quickly detect new types of phishing emails through automation. This approach uses AI and machine learning and automatically detects email phishing based on message headers and content analysis. Different actions can be taken based on the anomaly detected. Actions could be, for example, to strip the link from the email and let the rest of the message get delivered or to sinkhole the entire message.
The critical aspects of this process are totally automated, and the remediation is driven by the level of risk in real time.
How Model-Driven Security Works
The system collects and tracks a number of data attributes about the incoming message: the sender, recipient, route to the recipient, date of creation, ID number, encoding type, mailing address, IP address, size, subject, reputation of the sending domain, whether there is a valid return path, whether the message is part of a bulk campaign, and so on. Machine learning models are leveraged to baseline normal behavior across each of these data points, and any deviation is identified. This is further risk rated at the individual behavior level and then aggregated and normalized to generate an overall risk score.
The risk score associated with a message is sent to an orchestration engine that executes the action(s) the application should take. If the deviation score is very low, the user can see the entire message. If the deviation score is very high, the message can be discarded. A range of actions can be defined and automated based on the deviation score. Thus, the security control that gets applied is based on the real-time risk. Everything happens in milliseconds.
Model-Driven Security Has Many Uses
Model-driven security can be applied to many different use cases. Consider passwords — the bane of security professionals. Either you know the password, or you don’t. Multi-factor authentication on top of passwords adds another layer of security. However, according to the password management company LastPass, only 57% of businesses around the world use MFA. What’s more, there are billions of stolen credentials available on the dark web, rendering passwords obsolete.
If we create a behavioral profile of every user in order to understand their baseline behavior, we can measure the attributes of each current login attempt against that baseline. The profile attributes can be factors that are difficult if not impossible for a bad actor to replicate, such as the user’s keystroke cadence or the position in which a mobile device is held. With enough profile attributes, the system can get very definitive about whether the user is legitimate or not. And it’s granular to each person.
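An added illustration of the scoring loop described under "How Model-Driven Security Works" and of the behavioral-profile comparison just above (example code written for this page, not the article's or any vendor's product): constructed, hypothetical baseline values for a few of the listed message attributes are turned into per-attribute deviations, aggregated into a normalized 0-100 risk score, and mapped to the deliver / strip-links / sinkhole actions. The attribute weights, the z-score cap and the action thresholds are assumptions, and the same scoring function applies unchanged to login-profile attributes.

```python
from statistics import mean, pstdev

# Constructed baseline of attributes the article lists for inbound mail (hypothetical
# values); a production system would build it from each recipient's message history.
EMAIL_BASELINE = {
    "message_size_kb": [12, 15, 9, 14, 11, 13, 10, 16],
    "links_in_body": [1, 0, 2, 1, 0, 1, 1, 0],
    "sender_domain_age_days": [2100, 3300, 1500, 4000, 2800, 2600, 3100, 1900],
    "send_hour_utc": [9, 10, 14, 11, 15, 9, 13, 10],
}
# Per-attribute risk weights (assumed): how much a deviation in that attribute counts.
EMAIL_WEIGHTS = {"message_size_kb": 0.5, "links_in_body": 1.0,
                 "sender_domain_age_days": 2.0, "send_hour_utc": 0.5}
Z_CAP = 4.0  # deviations beyond 4 standard deviations all count as "maximal"


def attribute_deviation(history, value):
    """Absolute z-score of one observed attribute against its baseline."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:  # constant history: any change at all is a full-strength deviation
        return 0.0 if value == mu else Z_CAP
    return abs(value - mu) / sigma


def risk_score(baseline, weights, observation):
    """Rate each attribute, then aggregate and normalize to a 0-100 risk score."""
    # Attribute-agnostic, so the same function scores login attempts (keystroke
    # cadence, device orientation, ...) against a user's behavioral profile.
    weighted, weight_sum = 0.0, 0.0
    for attr, history in baseline.items():
        z = min(attribute_deviation(history, observation[attr]), Z_CAP) / Z_CAP
        weighted += weights[attr] * z
        weight_sum += weights[attr]
    return round(100.0 * weighted / weight_sum, 1)


def orchestrate(score, low=20.0, high=60.0):
    """Map the score to the graded actions the article describes (thresholds assumed)."""
    if score < low:
        return "deliver"        # low deviation: user sees the whole message
    if score < high:
        return "strip_links"    # medium: remove the link, deliver the rest
    return "sinkhole"           # high: discard the message entirely


def score_email(message):
    """Score one inbound message against the baseline and pick its action."""
    score = risk_score(EMAIL_BASELINE, EMAIL_WEIGHTS, message)
    return score, orchestrate(score)
```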
To get started with model-driven security, look for products that leverage machine learning (ML). Talk to your peers about what they are using to experience the adaptable controls of model-driven security. Implementing conventional security controls is important, but there’s higher value in allowing controls to adjust quickly to new threat activity or tactics.
External Link: The Importance Of Model-Driven Security