On October 12, 2021 Noord hosted a virtual boardroom in association with Darktrace. The event consisted of a brief introductory Q&A between Andrew Tsonchev, Director of Technology, and a Darktrace client. Following this, senior IT professionals were invited to discuss defending the dynamic workforce of tomorrow.
Case study: Darktrace client
Andrew noted that in the shift to remote working, traditional network perimeters have arguably been rendered obsolete. Many organisations have siloed security tools and are increasingly relying on SaaS applications. Introducing Darktrace’s client, a manufacturing company based in Belgium, he asked whether it is still necessary to build security operations around a SIEM solution.
In response, the client noted that while first generation security involves ensuring that no one enters your perimeter, second generation security involves assuming breach and looking for signs of unusual behaviour in your network to detect hackers. A SIEM can be used to correlate all those events. While the company had implemented an EDR tool, it had neglected to install auto-remediation. When an attack subsequently hit, it received the alerts but wasn’t able to auto-remediate. As the service team was only working on high and critical alerts at the time, the two medium alerts had been missed. Ultimately in its proof of concept, the company failed to account for a hacker moving laterally. To implement an additional line of defence, the company installed Darktrace ahead of reopening after the hack.
When asked how the company is dealing with the convergence of OT and IT, the client noted that as a manufacturing company, OT is business critical and must be protected at all costs, not least because it is much harder to recover when encrypted or damaged. As part of its third generation security roadmap, the company is making sure its IT/OT network is completely closed and impenetrable. It is air gapping a lot of those environments and implementing a PAM solution so that vendors can only enter when they are allowed to. Darktrace offers visibility of what it should allow on the network, and everything else is restricted.
Reasons for attending
Attendees represented a range of sectors, including industrial manufacturing, water management, insurance, financial services and textiles manufacturing. They brought expertise in IT infrastructure, regulatory compliance, digital transformation and cyber security. Many were keen to share experience and learn from common challenges.
One attendee noted that “more is less” is becoming an industry trend, in that companies are recognising that they should focus on properly configuring the tools they already have rather than accumulating more and more software. This was echoed by another participant, who noted that while organisations can invest in an array of tools, the information they correlate is meaningless if there aren’t enough skilled analysts to interpret it. What companies need is workable insights that they can act on — in other words, the “low hanging fruit” of cyber security mitigation.
Are SIEMs still relevant?
Andrew recapped that SIEMs work by detecting and reporting on low-level events, such as password lockouts, but aren’t so good at interpreting context, which needs to be configured in advance. However, doing so is time-consuming and labour-intensive. SIEMs can thus help organisations to reconstruct an incident after the fact but aren’t great as incident detection tools.
Darktrace believes that SIEMs offer three key functions: log collection, management and forensics; continuous monitoring and detection; and incident and event management (i.e., stitching together the outputs from different tools). The first is essential but can be achieved with free or inexpensive tools. For the second, EDRs and NDRs are often better in terms of driving rule-based detection. The third is increasingly relevant and poses a challenge for vendors like Darktrace. Companies typically approach Darktrace saying that their SIEM is inefficient and doesn’t offer good detection. Ideally, they would like Darktrace to integrate its product with their other security tools.
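The case study above (two medium EDR alerts missed during a severity-only triage while the attacker moved laterally) and the point about SIEMs correlating low-level events with pre-configured context both come down to the same thing: a correlation rule that links individually unremarkable alerts into one incident. The following is an added example of such a rule, not code from Darktrace, the client or the event; the alert line format, the one-hour window, the three-host threshold and the sample alerts themselves are constructed for illustration.

```python
"""SIEM-style correlation of medium-severity EDR alerts into a lateral-movement
incident.  Added example: the alert lines, field layout, window and thresholds
are constructed for illustration and are not any vendor's format."""
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry).  Whitespace-separated fields:
# timestamp, severity, affected host, source host ("-" if none), rule name.
SAMPLE_ALERTS = [
    "2021-10-01T09:02:11Z medium WS-017 - credential_dump_attempt",
    "2021-10-01T09:07:45Z low    WS-017 - new_service_installed",
    "2021-10-01T09:15:30Z medium FS-02  WS-017 remote_service_created",
    "2021-10-01T09:21:02Z medium DC-01  FS-02 admin_share_access",
    "2021-10-01T13:40:00Z medium WS-033 - credential_dump_attempt",
]


def parse_alert(line):
    """Parse one constructed alert line into a dict."""
    ts, severity, host, src, rule = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "severity": severity,
        "host": host,
        "src": None if src == "-" else src,
        "rule": rule,
    }


def correlate(lines, window_minutes=60, min_hosts=3):
    """Chain medium alerts where an alert's source host is the host of an
    earlier medium alert within the window.  Chains touching at least
    `min_hosts` hosts are escalated to high-severity incidents; everything
    else stays an individual medium alert, as in a severity-only triage."""
    window = timedelta(minutes=window_minutes)
    alerts = sorted((parse_alert(l) for l in lines), key=lambda a: a["ts"])
    chains = {}  # host -> longest chain of alerts ending on that host
    for a in alerts:
        if a["severity"] != "medium":
            continue
        prev = chains.get(a["src"]) if a["src"] else None
        if prev and a["ts"] - prev[-1]["ts"] <= window:
            chains[a["host"]] = prev + [a]
        else:
            chains[a["host"]] = [a]
    # Report only maximal chains: drop any chain that is a prefix of a longer one.
    incidents = []
    for c in chains.values():
        if len(c) < min_hosts:
            continue
        if any(len(d) > len(c) and d[: len(c)] == c for d in chains.values()):
            continue
        incidents.append({
            "severity": "high",
            "hosts": [x["host"] for x in c],
            "rules": [x["rule"] for x in c],
            "start": c[0]["ts"],
            "end": c[-1]["ts"],
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["severity"], " -> ".join(inc["hosts"]), inc["rules"])
```

On the sample data the three medium alerts on WS-017, FS-02 and DC-01 become one high-severity incident, while the isolated medium on WS-033 stays at its original severity. Narrowing the window to ten minutes breaks the chain and nothing is escalated, which is the "context configured in advance" problem: the rule is only as good as the window and host-relationship knowledge someone put into it.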
One attendee said that they were struggling to convince their company to invest in a SIEM solution because they haven’t yet been hacked. Another participant felt that while companies generally do take cyber threats very seriously, the difficulty lies in measuring the level of risk and ascertaining a reasonable level of investment to mitigate that risk. In essence, any security tool is like an insurance policy: it is a waste of money until an attack occurs. To justify the cost, companies need to prove that their chosen tool will actually detect and eliminate hackers in the event of a breach.
The aftermath of a hack
One attendee was keen to learn whether being hacked had had a positive impact on employee behaviour. Darktrace’s client alluded to their annual phishing campaign: the first year, 20% of users had clicked on the email scam; the second year, 15% of them had clicked on the email; and after the hack, 5% of users had clicked. This 5% is seemingly standard across the board, meaning that organisations have to assume breach and have the mitigating tools in place to detect abnormal behaviour.
Andrew explained that Darktrace can offer risk-balancing calculations based on machine learning. For example, if a trusted third party starts using unusual language in an email, this might be designated as slightly suspicious and an organisation might want to limit that user’s behaviour slightly. As it gets more suspicious, it can restrict that user’s behaviour more and more. This is known as dynamic risk management. Darktrace’s client added that this behaviour analysis is the only way to prevent cyber attacks. For example, the company has added a DLP function to restrict the volumes of data employees can send via email, which helps to detect suspicious behaviour and notifies employees when they are resorting to insecure practices.
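To make the graduated-response idea concrete, here is an added example (not Darktrace's model or the client's DLP configuration) of a per-user risk score that accumulates behavioural signals, decays when nothing new is seen, and maps to progressively tighter restrictions, together with an outbound-email volume check of the kind the client described. The signal names, weights, six-hour half-life, score bands, the 50 MB daily limit and the sample events are all constructed assumptions.

```python
"""Graduated, decaying risk scoring for a user plus an outbound-email volume
check.  Added example; the signal names, weights, half-life, score bands and
the 50 MB daily limit are constructed assumptions, not any vendor's model."""
from datetime import datetime, timedelta

SIGNAL_WEIGHTS = {          # constructed weights per behavioural signal
    "unusual_language": 20,
    "new_sending_domain": 15,
    "off_hours_login": 10,
    "bulk_attachment": 30,
}
HALF_LIFE = timedelta(hours=6)   # suspicion halves every 6 h without new signals

# Score bands -> restriction applied to the user's actions (constructed).
BANDS = [(25, "allow"), (50, "allow_with_banner"), (80, "hold_for_review")]


def action_for(score):
    """Map a risk score to the restriction for that band; above the last band, block."""
    for limit, action in BANDS:
        if score < limit:
            return action
    return "block"


class UserRisk:
    """Per-user risk state: the score decays exponentially between observations,
    so a burst of signals escalates quickly while old suspicion fades."""

    def __init__(self):
        self.score = 0.0
        self.last_seen = None

    def observe(self, ts, signal):
        if self.last_seen is not None:
            elapsed = ts - self.last_seen
            self.score *= 0.5 ** (elapsed / HALF_LIFE)
        self.score += SIGNAL_WEIGHTS[signal]
        self.last_seen = ts
        return action_for(self.score)


def simulate(events):
    """events: (user, ISO timestamp, signal) tuples, in time order per user.
    Returns the action taken after each event."""
    users = {}
    actions = []
    for user, ts, signal in events:
        state = users.setdefault(user, UserRisk())
        actions.append(state.observe(datetime.fromisoformat(ts), signal))
    return actions


DAILY_LIMIT = 50_000_000  # constructed DLP volume limit per user per day, in bytes


def check_email_volume(sent_today, message_size, limit=DAILY_LIMIT):
    """'block' if the message would breach the daily limit, 'notify' if it
    pushes the user past 80 % of it (the user is told), otherwise 'allow'."""
    total = sent_today + message_size
    if total > limit:
        return "block"
    if total > 0.8 * limit:
        return "notify"
    return "allow"


SAMPLE_EVENTS = [  # constructed
    ("alice", "2021-10-01T09:00:00", "unusual_language"),
    ("alice", "2021-10-01T09:30:00", "new_sending_domain"),
    ("alice", "2021-10-01T10:00:00", "bulk_attachment"),
    ("bob",   "2021-10-01T11:00:00", "bulk_attachment"),
    ("bob",   "2021-10-01T11:05:00", "bulk_attachment"),
    ("bob",   "2021-10-01T11:10:00", "bulk_attachment"),
    ("alice", "2021-10-02T10:00:00", "off_hours_login"),
]

if __name__ == "__main__":
    for (user, ts, signal), action in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(user, ts, signal, "->", action)
```

Alice's three signals within an hour walk her from "allow" to "hold_for_review"; a day later the decayed score plus one mild signal is back to "allow". Bob's three bulk attachments in ten minutes reach "block". The decay is what keeps the scheme from ratcheting every long-standing user up to a block over time, and the DLP check shows the same graduated shape: notify before blocking rather than silently dropping mail.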
Protecting remote workers
One attendee stated that there is arguably no need for VPNs or direct access to data centres if companies are going cloud native for business apps and have cloud storage. However, a couple of participants had infrastructure across lots of small sites which needed to be able to function independently, meaning that they often have to find pragmatic solutions to vulnerabilities which out-of-the-box products can’t offer. Andrew explained that Darktrace’s approach is to offload a lot of the machine learning analytics to the network edge of each site, so that each site can function independently while still reporting upwards to a central layer.
The move towards solutions integration
Andrew noted that many clients are looking to consolidate their solutions on one platform rather than using five independent best-of-breed solutions. One attendee noted that orchestration tools can be useful, though only if companies have their own SOC and enough analysts to work on them. Another limitation of such tools is the various and often conflicting data protection standards between jurisdictions. As for endpoint agents, Andrew noted that many of Darktrace’s clients want out-of-the-box solutions while others want solutions to complement their own technology, demonstrating that a one-size-fits-all approach is rarely realistic.