Detection is key in combating attacks that are becoming more sophisticated and more frequent by the minute.
The pandemic fast-tracked digital transformation, and along with the advancement of technology came more sophisticated malware that companies need to be ready to block.
SentinelOne’s Global Security Advocate Milad Aslaner and Director for Security Engineering Kelvin Wee spoke with Singapore Business Review in an exclusive webinar on 25 May 2021 about the changing landscape of cyberattacks and how firms can secure their systems.
Changing threat landscape
Just this year, Australia’s Federal Parliament suffered a cyberattack that disrupted its IT system; whilst a separate attack was made on Australia’s Channel Nine, interrupting its live broadcast operations.
“What is happening is this evolution of the attacks is getting more sophisticated, getting more frequent,” Aslaner said.
“All in all, we can say the frequency of attack and frequency of larger campaigns are increasing and therefore, it becomes challenging for us on the defender side to really understand how we are going to approach this new world we are living in,” he added.
Outside the Asia Pacific region, Aslaner cited ransomware attacks reported by the London-based Harris Federation and the Colonial Pipeline in the United States.
He added that SentinelOne is also seeing a trend in cyberattacks that ride on the pandemic, using health-related phishing lures.
“What we’re seeing in the industry is that attackers continue to leverage the same paths, continue to leverage the same mechanism, however they are branding their attacks under COVID-19,” he said. For example, this could be executed through invoices attached to emails that carry a COVID-19-related message.
Aslaner noted that it is critical to understand that attackers always look for the weakest link in order to invade a system.
Citing the 2020 State of SecOps and Automation report, Aslaner identified current security system challenges in alert volumes, security automation and in managing alerts.
The study surveyed 427 security stakeholders from companies around the world with at least 1,000 employees. According to the 2020 report, 70% of respondents saw the volume of security alerts they receive more than double in the past five years.
Some 99% reported that the high volume of security alerts leads to problems for IT security teams, whilst 56% of companies with more than 10,000 employees face over 1,000 alerts each day.
The survey also found 93% of respondents are unable to address security alerts on the same day, which Aslaner flagged as a concern.
“Imagine that in your environment, where you probably have high severity incidents that you just don’t have the time to handle today and you’re assuming it’s alright and that there won’t be a potential business impact by just taking care of this tomorrow or the day after,” he said.
He added it is also difficult to expect a security operations center (SOC) to be effective with such a high volume of security alerts to handle.
Around 88% of respondents reported experiencing challenges with their security information and event management (SIEM), most of whom said the issue with existing SIEM solutions was caused by the high alert volume.
Further, the survey reported that 65% of companies only partially automated security alert processing. Around 65% of SOC teams with high levels of automation were able to resolve security alerts on the same day against the 34% with low levels of automation.
Aslaner said this implies that at this time companies are not taking advantage of security automation enough, which is a lost opportunity considering it is critical in automatic remediation and in reducing alert fatigue.
“Just like what the attackers are doing, the attackers are trying to find the easiest way, faster way for them to be as effective as possible,” he said.
“We should be thinking the same – how do I turn my SOC to be super effective? Security automation is definitely an aspect to that.”
Apart from this, SOC analysts today also face challenges in dealing with too much data, too much noise, repetitive work, blind spots and bottlenecks.
Dealing with the DarkSide
Aslaner said that companies need to be able to determine how to invest in people, processes and technology to beef up their security system as much as possible.
He added it is also critical that companies acknowledge when a cyberattack has occurred, because only then can they make forward-looking investments in cybersecurity.
Take the DarkSide attack, for instance, which used ransomware to disrupt operations of the Colonial Pipeline in the US, leading to its temporary shutdown.
One would have thought major fuel pipelines, such as the Colonial Pipeline, would have been prepared for cyberattacks, but Aslaner said no cybersecurity framework or policy can prevent attacks completely.
“There is no solution that will guarantee 100% security,” he said.
“100% security is an illusion that does not exist. What does exist is capabilities that will help you protect the technology and respond as effectively as possible.”
While this is the case, SentinelOne has developed a way to deal with the DarkSide ransomware, ensuring its customers are protected from the attack that already affected 47 victims.
DarkSide has reportedly reaped some $90m from its victims since it started nine months ago. Wee, director for security engineering, said the success of DarkSide all the more brings to light the need to find a more effective way of remediation.
During the webinar, Wee conducted a demonstration in which he showed how the DarkSide ransomware operated from profiling victims to the firing off of emails that contain compromised documents.
He then showed how their technology would detect what he called a “zero day” threat. A zero-day threat, according to SentinelOne, takes advantage of a vulnerability in a system that attackers use to interrupt operations.
“SentinelOne would have detected it as a zero-day threat,” Wee said.
“And then we would be able to confine and quarantine this particular file and have the system completely protected.”
Wee also noted that SentinelOne customers have not been affected by the DarkSide ransomware.
Aside from this, SentinelOne also features remediation and rollback, which allows it to restore files and configuration that the malware compromised. Wee noted this is a unique part of SentinelOne’s capability.
Wee highlighted that it is important for SentinelOne to be in place before attacks like DarkSide in order for companies to benefit from its rollback feature; but in cases where customers have already suffered a breach, SentinelOne could still step in to sweep their systems and detect dormant and unexecuted malware.
“More importantly a lot of my customers are using us even after a breach scenario to protect the systems that have not yet been breached,” he said.
“[They are] trying to vaccinate and inoculate the machines that are still not affected so that they can minimize the collateral damage.”