Flushing out Advanced Persistent Threats with EDR and ZTA
Traditionally, enterprise security systems have granted access based on strong cryptography, authentication, and key sharing, with access control based on Role Based Access Control. The latter uses user roles to determine a person’s permission. Years of cyber-attack post-mortems on organizational networks by multiple SOCs have demonstrated, however, that the bulk of security breaches occur deliberately or inadvertently owing to personnel within an organization who were blindly trusted and given inherited access.
Modern, SaaS-based organizations rely on various layers of security to protect their data assets from both internal and external threats. By monitoring all security ecosystems in real-time, like with tools from docontrol.io, for example, SOCs are placed in the driving seat along with superior AI analytics to safeguard the organization against cyber security risks.
The dangers Advanced Persistent Threats Pose
It is hard to believe that security scientists have only recently agreed on a comprehensive definition of what exactly Advanced Persistent Threats (APT) are. In 2011, The National Institute of Standards and Technology in the United States (NIST) published a definition, stating: “An adversary with sophisticated levels of expertise…to generate opportunities to achieve its objectives which are typically to establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information…or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period, adapting to a defender’s efforts to resist it…”
This threat is significant since threat actors could have access to sensitive information for decades if not detected. In the aftermath of Hidden Lynx APT, for example, security analysts clearly outlined that threat actors used social engineering to gain access to endpoints that were only governed using Role Based Access. Unfortunately, by the time the threat actors were discovered, the malware had been silently harvesting data for some time.
Endpoint Detection and Response
Endpoint detection and response is an integrated endpoint security solution that collects a wide number of attributes across machines, or end nodes, within an organization’s network or cloud. This provides organizations with real-time transparency into connections and traffic on their SaaS infrastructure based on predetermined characteristics. As a result, EDR offers rule-driven analytics that may be utilized to trigger automated reactionary cyber security processes.
Essentially, EDR can consistently scan, identify, and deal with suspicious behaviors in real-time. The analytics engine, which utilizes collected data to generate behavior chains, is at the core of this tool. Modern EDRs are especially useful since it replaces traditional anti-malware software, utilizing known signatures to evaluate and eliminate possible malware risks. While having an automated guardian as the gatekeeper to your organizational networked ecosystem is ideal, EDR can provide live feedback and event chains to SOCs about end node activity.
Zero Trust Architecture
Zero Trust is a security model that dictates that implicit trust should never be granted to any user, device, or application, as Role Based Access Control model used to do.
The following are principles of ZTA
- Never Trust, Always Verify
- Implement Least Privilege
- Assume Breach
Zero trust is especially important today since so many organizations are changing their business model from running the business from the confines of a shielded network at the office to corporate SaaS environments. These SaaS environments support remote users accessing organizational data assets from insecure or even public networks. Zero Trust Architecture enforces the zero trust principles for every user, every service, every hybrid cloud node, or endpoint.
A combination of both ZTA and EDR has the capability of effectively screening every connection into a SaaS ecosystem, while ZTA would lock down any unassigned resources preventing any lateral exposure to a potential SaaS breach.
While migrating entire your SaaS ecosystem to a Zero Trust model is not something to attempt lightly, the return on investment is well worth the effort. Especially when your organization processes valuable, mostly private, information. Joining hands with specialists in the arena of SaaS security is the best way to go about it. You need to keep in mind though, that a single security measure will not be a cyber security “silver bullet” as cyber security is an ongoing process of continual fortification.