The most valuable resource a business possesses is information, and when it comes to protecting that resource, knowledge is power. In the cybersecurity world in particular, data is both the treasure attackers are after and the best weapon to defend against them.
Ultimately, you can’t protect what you can’t see. Visibility is key, which means a thorough understanding of your enterprise’s security posture is critical. Investment in visibility and monitoring technology is quickly becoming essential, and business leaders must understand the value of that network visibility—especially as attackers continue to find ways around perimeter defenses. In the event of a breach, the knowledge gained via continuous network monitoring is key, both for assessing the damage and fixing the vulnerabilities that led to it.
Understanding Security through Data and Analytics
Occasional audits and point-in-time snapshots do not provide sufficient visibility. For starters, networks are constantly evolving new devices, employees, vendors, partners, suppliers, and other entities are always connecting to it. New vulnerabilities can arise at any time, and a snapshot will only tell you your security status at some point in the past—which means continuous monitoring is necessary. Think of it like cleaning your house before your in-laws come for their annual visit, except hackers don’t visit once a year—they visit all day every day. Tidying up periodically isn’t enough. You need to be on top of things at all times.
Without continuous monitoring, the presence of a dangerous vulnerability is generally only discovered after attackers have already made use of it, which delays response time. In today’s security environment, this gives attackers an unacceptable amount of time to exploit vulnerabilities without detection. Continuous monitoring and analysis can help detect these vulnerabilities in real-time, notifying defenders as soon as possible so that the window of opportunity can be closed quickly.
Part of this means understanding not just your own security posture, but that of vendors and other third parties. You have access to your own data, but what about the other organizations you work with? Are your vendors following cybersecurity best practices? Are they sufficiently protecting their own networks, or are they exposing you? Particularly in the wake of the SolarWinds attack, a growing number of organizations are asking these questions.
Unfortunately, gathering data is only half the battle. Effective analysis is needed to make it actionable. Establishing metrics and scoring parameters will help produce true insights, providing the enterprise with a baseline against which to measure.
Network Security Is About Perception, Too
Security investments reached an all-time high in 2020, in large part due to the security concerns created by the widespread shift to remote work amid the COVID-19 pandemic. Even so, high-profile attacks continue to dominate headlines, including the SolarWinds breach, the Microsoft Exchange hack, and the Colonial Pipeline attack. The SolarWinds breach had significant fallout for SolarWinds customers, driving home the need to protect against third-party breaches. Today, gauging the cybersecurity health of vendors is becoming increasingly commonplace.
But it’s important to understand that this doesn’t just apply to vendors. Cybersecurity assessments have also become best practices for potential merger and acquisition targets, as well as potential investors. People want to know ahead of time if the company they are investing in represents a potential security risk. Verizon’s purchase of Yahoo in 2017 is a prime example of cyber risk impacting an acquisition. After Yahoo disclosed two major data breaches, Verizon lowered its offer by $350 million to offset some of these newly discovered security risks.
This underscores how critical cybersecurity due diligence is. Compliance risks represent a significant risk, not just for companies themselves, but for anyone they might work with. Breaches can impact a company’s bottom line, but they can also impact its brand image and public perception.
Using Data to Prevent and Remediate Breaches
Access to high-quality data and analytics can help before, during, and after a breach. External monitoring tools in particular can provide a much-needed new perspective, granting you the same view of your network that attackers have. This can be extremely helpful when it comes to identifying vulnerabilities likely to be seen and exploited by hackers, making it possible to develop a preemptive, proactive security stance specifically designed to defend against these known security gaps.
If you have suffered a breach, tools like NetFlow analysis can help you investigate the aftermath. These specialized tools can identify what data was stolen and where it went, which can help identify not just the offender, but other potential victims as well. Think of it as a cell phone trace in a police drama: NetFlow analysis can tell investigators more than just how long the call was, giving them a window into the full interaction between attacker and network. DarkSide’s attack on the Colonial Pipeline is a good example of a breach where NetFlow analysis was used to identify the culprit and the victims.
You can’t prevent every breach, but tools like external monitoring and NetFlow analysis can provide you with the information you need to pick up the pieces and improve your defenses before the next attack.
Protecting Data Is Key—But So Is Using It
It is more important than ever to understand the cybersecurity posture of your business and of the entire third-party ecosystem before, during, and after a breach event. To do that, you need access to as much data as possible—as well as the right analytics tools and metrics to make sure that data results in real, actionable insight. This ensures greater transparency when planning for M&As, less disruption to the IPO process, and improved safety and security for the company itself.
In the event of a breach, these insights can also help with the investigative process to discover where the breach is, how to shut it down, and who the responsible party might be. Attackers today are less interested in direct financial theft and more interested in large-scale data theft. It’s important to remember that data isn’t just a resource to be protected—it’s also one of the most effective weapons when it comes to defending your network from attacks.
Christos grew up in Montreal, Canada, where he started his career as a DBA for companies such as Matrox, CGI, Sync, and InterTrade. He moved to Silicon Valley where he built and led engineering teams for FireEye, Tenable, Netflix, and YouSendIt. He's worked on Cloud storage solutions for YouSendIt before the term "Cloud" was popular. He's also focused on solving at-scale run-time databases using sharded RDBMS and NoSQL products. He is an Apache Cassandra MVP.