One constant with security is that it is always changing—we see new models, methods, and activities every year. So, as a security professional, if you don't enjoy change, you’re probably in the wrong job.
In the past year, we’ve witnessed a resurgence of ransomware, thanks in no small part to the fact that the evolution in cryptocurrency has made it much easier for cybercriminals to transfer funds without getting caught. We’ve also seen the rise of illegal cryptomining, where the bad guys get into company systems with the intention of utilizing their processing power to mine cryptocurrency. This means cybercriminals are constantly on the look out for new business models, and they adapt quickly when opportunities arise.
Understanding what your adversaries are doing is crucial to helping you develop and adjust your security program so you know what to look for, what to watch for, and how to react. For example, right now you may not have been really paying that much attention to your CPU utilization, but with the arrival of cryptomining as a threat, that's one of the things you should be aware of. On top of this, the renewed popularity of ransomware means everything from laptops to servers are vulnerable, so what you should be doing is backing up much more often—because sometimes the only thing you have as a recourse is to restore from backup.
Keeping pace with a changing landscape
However, keeping on top of this rapidly changing landscape can be a major challenge. What we saw last year was the speed at which the bad guys can react to certain vulnerabilities. If you look at the Wanna Cry outbreak, it utilized the Eternal Blue vulnerability that was announced just a month before.
Eternal Blue was a remotely executable vulnerability that affected a wide range of Windows machines. It was easy for the bad guys to scan and detect whether the vulnerability had been patched or not, so they would know quickly whether a machine could be taken advantage of. There was a lot of noise about this vulnerability at the time it surfaced, and a patch was released, yet many companies and organizations still got caught out.
As security professionals, we need to be able to look at announcements like these in context, asses their threat level for our organizations, and move quickly on the ones that present the most risk. If you know that information, you can act appropriately for the threat as opposed to acting at the same level for everything—because, let’s face it, nobody can patch everything or manage every vulnerability. You need to pick out those things that are most important and then act upon them.
So how do you actively assess the latest threats? There are a few different places you can get that information.
Best sources of information
US Cert publishes a daily report on what they have found, alongside weekly and monthly summaries. You have to subscribe, but it's a great place to get information, and they do a good job of highlighting what the most important things are. The Sans Institute offers newsletters and blogs that are also a good source of information. The Cloud Security Alliance has become a de facto standard for information about what is going on in cloud properties, and they've done a good job of publishing their findings and offering training. Other good resources include, Dark Reading, ZD Net, and CSO Magazine.
The reality is there are a large number of different sources out there; you just need to pick out the ones that work for you and have a context that makes sense for your business.
But you need to make sure you keep up—read over what goes on in the morning, read over what's happened that night. Don't wait for a month and then get flooded. If you keep a running list of what is out there, you'll be able to build a picture of what is affecting your business and customers. It may feel like a daunting task at first, but if you think of it as an education—and listen and learn from what’s going on around you, you can then take action on what you need to, based on the data you have. It's not about a lack of information, it's just that you need to find a way to keep up.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.
© 2018 SolarWinds MSP UK Ltd. All rights reserved.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.