The word “cyber-criminal” conjures up a picture of a computer nerd, sitting alone in their basement, iterating through passwords in an attempt to gain access to some top-secret files. However, these days, the reality is that many “cyber-criminals” are actually just automated bots seeking vulnerable systems to exploit. If we are to tackle the issue of cyber-crime, we need automated solutions in order to stay ahead of the game.
As it currently stands, there is a serious shortage of cyber-security professionals. Automation will no doubt improve this situation; however, we would still need security professionals to install, configure and maintain these systems. Most IT environments make use of a wide variety of different technologies, from different vendors, each generating event logs that are vast and unintuitive. Even using advanced SIEM solutions, IT teams are often faced with a barrage of alerts, which they have to sift through and try to make sense of.
Automation can be used to aggregate and correlate large data sets, which frees up resources and allows security personnel to focus on other important tasks. Not only does the data need to be correlated, but there needs to be a way to make predictions and provide actionable steps. Naturally, in order to prevent a cyber-attack, we need to move faster than the attacker. Once an attack has been identified, we need to be able to predict the attacker's next move and implement the necessary security controls to prevent the attack from spreading across our network, endpoints and cloud services. We often also need to identify threats that have already infected our systems. Once infected, it is only a matter of time until a breach occurs. We need to be able to analyse both the present and historical state of our data in search of a combination of actions that may indicate a threat.
These days there are a number of advanced threat detection technologies that provide tools for automating the detection, correlation and response to security threats. For example, we have perimeter-focused solutions such as Intrusion Detection and Prevention Systems (IDPS), which use advanced threat intelligence to identify and protect against known threats. We have Data Loss Prevention (DLP) software, which uses automation to prevent unencrypted sensitive data from leaving our network. We also have solutions which can automate the discovery and classification of sensitive data, as well as solutions which monitor and respond to changes made to our sensitive data in real time.
Given that the majority of security threats are caused by either malicious or careless employees, our main focus should be on automating the detection of, and response to, suspicious user behavior. An automated change auditing solution can help you with this by monitoring in real time who is making what changes to your critical data stored on file servers or in the cloud. Such solutions can easily answer the following questions:
- Are your users misusing their privileged access?
- Are there any suspicious activities happening to your sensitive data and systems during odd hours? (E.g. Unwanted changes in user permissions to access sensitive data, frequent failed logon attempts, unauthorized mailbox access and much more).
LepideAuditor, an automated change auditing solution, comes with some unique features to ensure the continuous security of your data and IT systems. Its threshold alerting, for example, can be used to identify and respond to cyber-attacks: if an unusually large number of a certain event occurs over a short space of time, a custom script can be executed which can disable a user account, stop a specific process, change the firewall settings, shut down the server, or anything else that might help to contain the threat.
In the event of a ransomware attack, as soon as a designated number of files have been encrypted within a specified time window, a response can be initiated to prevent it from spreading further. Using threshold alerting in conjunction with AI/machine learning, we can customize the response on the fly based on learned patterns of behavior or known threat indicators. Doing so will provide us with a solid defense against any security threat that comes our way.
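The threshold-alerting idea described above, as an added illustration rather than code from LepideAuditor or any vendor: a sliding-window counter over constructed change-audit events fires once per user when a burst of file modifications crosses the threshold, and a separate function applies the containment decision (here, disabling the account in an assumed in-memory directory). The event format, thresholds and account directory are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample change-audit events (not real log data):
# (ISO timestamp, user, action, file path). Deliberately unsorted.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "modify", "finance/q1.xlsx"),
    ("2024-01-10T09:00:00", "bob", "modify", "hr/payroll.docx"),
    ("2024-01-10T09:00:02", "alice", "read", "finance/q2.xlsx"),
    ("2024-01-10T09:00:03", "alice", "modify", "finance/q2.xlsx"),
    ("2024-01-10T09:00:05", "alice", "modify", "finance/q3.xlsx"),
    ("2024-01-10T09:05:00", "bob", "modify", "hr/contracts.docx"),
    ("2024-01-10T09:00:08", "alice", "modify", "finance/q4.xlsx"),
    ("2024-01-10T09:00:10", "alice", "modify", "finance/budget.xlsx"),
    ("2024-01-10T09:12:00", "bob", "modify", "hr/offer.docx"),
    ("2024-01-10T09:13:00", "bob", "modify", "hr/review.docx"),
    ("2024-01-10T09:14:00", "bob", "modify", "hr/policy.docx"),
]

def detect_bursts(events, action="modify", threshold=5, window_seconds=60):
    """Return one alert per user whose count of `action` events within any
    `window_seconds` window reaches `threshold`. Alerting once per user keeps
    a single incident from producing a barrage of identical alerts."""
    windows = defaultdict(deque)   # user -> timestamps of recent matching events
    alerts, alerted = [], set()
    for ts_str, user, act, path in sorted(events):  # ISO strings sort by time
        if act != action or user in alerted:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = windows[user]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):  # expire old events
            q.popleft()
        if len(q) >= threshold:
            alerted.add(user)
            alerts.append({"user": user, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts

def contain(alert, accounts):
    """Automated response: disable the offending account in the (assumed)
    account directory and return an auditable record of what was done."""
    entry = accounts.setdefault(alert["user"], {"enabled": True})
    already_disabled = not entry["enabled"]
    entry["enabled"] = False
    return {"user": alert["user"], "action": "disable-account",
            "changed": not already_disabled, "trigger": alert["last"]}

if __name__ == "__main__":
    directory = {"alice": {"enabled": True}, "bob": {"enabled": True}}
    for a in detect_bursts(SAMPLE_EVENTS):
        print(a, contain(a, directory))
```

Bob's six modifications are spread over fourteen minutes and never put five inside one 60-second window, so only Alice's burst triggers the response.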