Many organizations' application security practices are failing to keep up with current threats and are not capable of defending against the most sophisticated cyberattacks.
As hybrid working models become more common, enterprise applications are exposed more than ever, making them prime targets for attackers looking to steal sensitive data and infiltrate networks.
On October 25th, 2022, C-Vision International hosted a CISO Council in partnership with RevealSecurity. The virtual discussion focused on real-life examples from security and application development experts, including Adam German, CISO at the California State Controller's Office; Michael Kearns, CISO at Nebraska Methodist Health System; Shereen Jones, CIO of The Jamaica National Group; and Dr. David Movshovitz, Co-Founder and CTO of RevealSecurity. Read about the takeaways below:
Application Layer Detection
Insiders, by definition, are employees or contractors with accounts or tokens that have been provisioned for their use. Unlike hackers, who gain access by using tactics like phishing, malware, or weak passwords, this group uses valid credentials to get into the system through authorized channels.
Dr. David Movshovitz shared an incident in which an employee of an Israeli insurance company committed internal fraud in a business application. His team proved that the malicious activities could be detected by analyzing the application logs, and the employee was caught. He also pointed out a related external threat: cybercriminals impersonating legitimate customers or employees in SaaS applications.
Although this is an extreme example, it illustrates that insider threats can be quite challenging to detect. It's a common misconception among businesses today that they already have an effective solution for detecting insider threats.
Dr. Movshovitz suggested Application-layer Detection and Response (ADR) as one strategy that would enable enterprises to detect these impersonations quickly. Other infrastructure security mechanisms, such as MDR or an MSSP, could also be used.
In addition, SaaS vendors play an essential role by providing application code that offers a wide range of configurations. According to Movshovitz, SaaS vendors also offer excellent logs; he noted, however, that it is the enterprise's responsibility to use those logs to detect malicious activities.
Dr. Movshovitz praised the power of machine learning: it can automatically learn the typical working profiles and typical user journeys across applications, adapt them as behaviour changes, and use them to detect anomalies with very high accuracy. Rule-based systems, by contrast, are a matter of resources, since many human analysts are needed to maintain the rules and triage the alerts they generate. Analysing the sequence of actions provides enriched context for anomaly detection and enables better accuracy based on journeys, as opposed to outcomes. Higher-quality alerts mean security analysts waste less time on false positives.
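As an added illustration of the "journeys, not outcomes" idea (not RevealSecurity's product code or anything shown at the council), the Python sketch below learns the usual order of actions per role from a constructed application audit log and flags a session whose step order was never seen for that role, even though each individual action is one the role is permitted to perform. Session ids, roles and action names are invented.

```python
"""Journey-based anomaly detection over application audit logs (added illustration,
not RevealSecurity's or any panelist's code). Learns the usual order of actions per
role from constructed "session,role,action" lines, then flags a session whose steps
were never seen for that role, even if each action alone is permitted to the role."""
import math
from collections import Counter, defaultdict

# Constructed training log of normal claims-clerk journeys (invented action names).
TRAINING_LOG = """\
s1,claims_clerk,login
s1,claims_clerk,search_policy
s1,claims_clerk,view_claim
s1,claims_clerk,update_claim
s1,claims_clerk,logout
s2,claims_clerk,login
s2,claims_clerk,view_claim
s2,claims_clerk,logout
"""

def parse_sessions(log):
    """Group log lines into ordered action lists keyed by (session_id, role)."""
    sessions = defaultdict(list)
    for line in log.strip().splitlines():
        sid, role, action = line.split(",")
        sessions[(sid, role)].append(action)
    return sessions

def train(sessions):
    """Count action -> next-action transitions per role (first-order Markov chain)."""
    model = defaultdict(Counter)
    for (_, role), actions in sessions.items():
        for step in zip(["START"] + actions, actions + ["END"]):
            model[role][step] += 1
    return model

def score_session(model, role, actions, alpha=0.01):
    """Return (max surprise, worst step), surprise = -log P(next | prev) for the role;
    smoothing gives unseen transitions a tiny probability so one odd step dominates."""
    counts = model.get(role, Counter())
    worst = (0.0, None)
    for step in zip(["START"] + actions, actions + ["END"]):
        seen_from = sum(c for (prev, _), c in counts.items() if prev == step[0])
        p = (counts[step] + alpha) / (seen_from + 1.0)  # +1.0: total prior mass
        worst = max(worst, (-math.log(p), step))
    return worst

def flag_anomalies(model, sessions, threshold=3.0):
    """Map session_id -> worst step for journeys whose max surprise exceeds threshold."""
    scored = {sid: score_session(model, role, acts) for (sid, role), acts in sessions.items()}
    return {sid: step for sid, (surprise, step) in scored.items() if surprise > threshold}
```

An entitlement or outcome rule would pass the flagged session, because a claims clerk is allowed to update claims; only the order (an update with no preceding view) makes it stand out.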
Shereen Jones shared the story of an employee who accessed private or personal information during the regular filing process and stored some of that data for sharing externally.
She proposed several other viable solutions to this problem:
- Restricting the size and number of downloads
- Tracking access to the document management system (including what it is used for)
- Implementing an agile authentication process with rules-based scripts
In addition, her firm placed CCTV cameras in crucial operating areas, and alerts were triggered when access was made from untrusted devices. Finally, machine learning or AI was used to detect imposters and rogue insiders by looking at how often users log in from untrusted devices.
Like Jamaica National Group, Michael Kearns implemented an independent system that runs in the background and audits all records searched by nurses and other employees. The new system profiles nurses, providers, and other employees based on their roles and can limit searches based on specific criteria.
Penetration of hackers into enterprise systems
Hacker intrusions into enterprise systems are becoming more sophisticated, complex, and difficult to detect. Because insiders can bypass conventional security measures by virtue of their positions within the firm, insider threats are also challenging to detect. Insiders can still do tremendous damage with little effort, even if they do not have access to sensitive or confidential material.
Adam German talked about logging and data transparency at government institutions. He suggested that logging is the best way to differentiate typical from atypical traffic in any system. His team is looking into using AI to monitor application logs.
Of course, this is just one method that can be used for detecting imposters or rogue insiders. It's also important to remember that insider threats can originate from the outside, through social engineering methods like phishing campaigns or hacking. When these attacks occur, they're often successful because users don't know what steps to take to remain secure, or click on links without realizing they belong to a malicious campaign.
Enterprise owners should focus more on establishing a solid foundation of cybersecurity to protect their operations from internal and external threats.
In a field as intricate and dynamic as cybersecurity, it can be challenging to look at the calendar and predict what the future will bring. However, by investing today in the work necessary to create that foundation, companies can position themselves for long-term success as new threats continue to emerge.