Complexity is the defining challenge of cybersecurity. Malicious actors grow more aggressive each year, launching an array of increasingly bold and sophisticated attacks. Proactive defensive measures are critical. But, for many organizations, understanding the nature of their cybersecurity coverage can seem as complicated as the threat landscape itself.
The cybersecurity market offers an array of products to protect devices, networks, applications, users and other IT infrastructure. Each tool offers ways to prevent and detect cyber attacks. However, few vendors explain how their product defends against various vulnerabilities and attacks, instead simply assuring customers their solution provides “complete coverage.” This creates uncertainty for organizations trying to determine if and how they are protected against the latest cyberthreats.
Types of security products
Every security expert will define security categories differently, but broadly speaking, IT security products can be grouped into the following three areas of coverage:
- Network security. This governs interactions between hardware and software on the network. Its goal is to protect data by preventing unauthorized or malicious users from infiltrating the network and moving laterally through it. Complete network security starts with configuring network devices with preventive controls. It also needs a detection capability to identify irregular activity and a process to respond to breaches. Common methods for protecting the network include firewalls, deep packet inspection, intrusion detection and prevention systems, web application firewalls and TLS inspection (traffic decryption).
- Endpoint security. This coverage ensures only authenticated and trusted devices, including PCs, laptops, mobile devices and servers, can access networks and data. It typically employs methods such as privileged access management, intrusion detection, application control and data encryption. Together, these technologies prevent unauthorized user access, protect against malicious files and ensure the integrity of data transferred between devices and the network. Products in this category include antivirus, endpoint detection and response (EDR), file integrity monitoring and host-based intrusion detection.
- Cloud and application security products. These products protect the application layer and cloud workloads. Secure web and email gateways inspect the traffic users send and receive through browsers and email, and cloud security tools monitor cloud infrastructure for misconfigurations and attacks.
Products in each of these areas offer detection and prevention capabilities, ranging from generic to highly targeted, at various points in the kill chain. Because these capabilities overlap and are described in vendor-specific terms, it is difficult for organizations to know where they are protected and where they are not.
How products defend against the Hafnium attack
The Microsoft Exchange Server zero-day campaign of early 2021, attributed by Microsoft to the threat actor it tracks as Hafnium, illustrated how products can provide security coverage from different perspectives. The attackers chained several critical vulnerabilities in on-premises Exchange Server (the chain later known as ProxyLogon), starting with an unauthenticated server-side request forgery (CVE-2021-26855) and ending with the ability to write files to the server and run arbitrary code on it. The exploitation was discovered in the wild before a Microsoft patch was available.
From a network security perspective, vendors may provide coverage against such a zero-day attack in several ways. Whenever a vulnerability exists, bad actors will create exploits to take advantage of it, so the most direct option is a signature that detects and blocks known exploits; the caveat is that a signature only covers the exploit variants it was written for. Alternatively, a product can detect the vulnerability condition itself as it passes through network traffic, that is, the malformed request that triggers the flaw rather than any single exploit's payload, which also catches variants a signature would miss. A third option is to block the threat actors trying to exploit the Exchange vulnerability: the vendor identifies the domains or IP addresses being used and blocks them at the firewall, adding new infrastructure as it is discovered. This lags behind attackers who rotate their infrastructure, so it maintains coverage only as long as the intelligence feed keeps up.
Endpoint security products can also protect against Microsoft Exchange vulnerabilities, treating the Exchange server itself as an endpoint. Some products claim to prevent exploitation outright: when the exploit's payload attempts to run on the Exchange server, an exploit-mitigation agent stops it from executing, providing generic exploitation protection that does not depend on knowing the specific vulnerability. Other products monitor activity on the server, looking for the suspicious processes an exploit triggers, such as the IIS worker process spawning a command interpreter, which is a hallmark of web shell use. Host-based intrusion detection systems likewise monitor a host's behavior to identify and respond to known exploit patterns.
Lastly, there is log-based analytics. These products provide coverage after the fact: a set of generic response actions can be triggered whenever a server is compromised through an Exchange exploit, regardless of which exploit was used. Some vendors also claim full coverage for the Exchange vulnerabilities by monitoring Exchange and IIS logs for anomalies that indicate exploitation, such as requests to paths that should never receive them or web shell files appearing in directories that normally hold only static content.
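The log-based detection just described, and the distinction drawn above between matching one exploit's payload and matching the shape of the vulnerable request, can be made concrete. The following is an added example written for this article; it is not Alert Logic code and not part of any product discussed. It parses IIS W3C-format logs from an Exchange front end and applies three illustrative rules modelled on publicly documented artefacts of the 2021 campaign: .aspx files requested from directories that normally hold only static content (web shell access), POST requests to static-looking resources under /ecp/ and /owa/ (exploit traffic shape rather than a specific payload), and unauthenticated requests from scripted clients. The rule set, the directory and extension lists, and the log lines themselves are constructed for illustration, not taken from a real incident.

```python
"""Flag ProxyLogon-style exploitation indicators in IIS W3C logs.

Added example for this article; it is not Alert Logic code. The rules are
illustrative heuristics modelled on publicly documented artefacts of the 2021
Exchange campaign (.aspx web shells written under /aspnet_client/ and
/owa/auth/Current/, POST requests to static-looking paths under /ecp/ and
/owa/, scripted clients such as python-requests), and the log lines below are
constructed, not captured from a real server.
"""
from dataclasses import dataclass

# Constructed sample in the default IIS W3C layout. 192.0.2.x / 198.51.100.x
# are documentation address ranges, not real clients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-02 09:14:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 120
2021-03-02 09:14:07 10.0.0.5 POST /ecp/y.js - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 310
2021-03-02 09:14:09 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 95
2021-03-02 09:14:12 10.0.0.5 GET /aspnet_client/system_web/error.aspx cmd=whoami 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 80
2021-03-02 09:15:00 10.0.0.5 GET /ecp/default.css - 443 CORP\\jdoe 192.0.2.11 Mozilla/5.0 - 200 0 0 12
"""

# Directories that legitimately hold only static content; an .aspx request here
# is a strong web-shell indicator (assumed rule set, see module docstring).
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/current/")
STATIC_EXTS = (".js", ".css", ".flt", ".png", ".gif", ".ttf", ".woff")
PROXY_ROOTS = ("/ecp/", "/owa/")
SCRIPTED_AGENTS = ("python-requests/", "curl/", "ExchangeServicesClient/0.0.0.0")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    client_ip: str
    method: str
    path: str


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # truncated entry; skip rather than misalign columns
        rec = dict(zip(fields, parts))
        rec["_line_no"] = line_no
        records.append(rec)
    return records


def detect(records):
    """Apply the indicator rules to parsed records and return all findings."""
    findings = []
    for rec in records:
        path = rec["cs-uri-stem"].lower()
        method = rec["cs-method"].upper()
        agent = rec["cs(User-Agent)"]
        unauthenticated = rec["cs-username"] == "-"

        def hit(rule, severity):
            findings.append(Finding(rule, severity, rec["_line_no"],
                                    rec["c-ip"], method, rec["cs-uri-stem"]))

        # Rule 1: .aspx served from a static-only directory -> web shell access.
        if path.endswith(".aspx") and path.startswith(WEBSHELL_DIRS):
            hit("aspx_in_static_dir", "high")
        # Rule 2: POST to a static resource under the Exchange front end. Static
        # files never take POST bodies, so this matches the shape of exploit
        # traffic rather than one exploit's payload.
        if method == "POST" and path.startswith(PROXY_ROOTS) and path.endswith(STATIC_EXTS):
            hit("post_to_static_resource", "high")
        # Rule 3: unauthenticated scripted client hitting the front end; weak on
        # its own, useful for correlating with the rules above.
        if unauthenticated and agent.startswith(SCRIPTED_AGENTS):
            hit("scripted_client_unauthenticated", "low")
    return findings


def summarize(findings):
    """Count findings per rule for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(parse_w3c(SAMPLE_LOG)):
        print(f"[{f.severity}] line {f.line_no}: {f.rule} {f.client_ip} {f.method} {f.path}")
```

Run against the constructed sample, the first request (a normal OWA logon page load) and the last (an authenticated user fetching a stylesheet) produce nothing, while the three requests from 198.51.100.23 trip the high-severity rules. Rule 2 is the log-side analogue of detecting the vulnerability condition rather than a known exploit: it would fire on any tool that POSTs to those paths, not only the one whose signature a vendor has already written. The parser reads the #Fields header instead of hard-coding column positions, because administrators routinely change which fields IIS logs.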
Cutting through the confusion
In each of these cases, a security vendor claims to provide complete coverage against the Exchange server attack, yet each product actually covers a different point in the attack chain. Because that coverage is not made transparent, customers find it difficult to evaluate the claims, which can lead to incomplete or ineffective coverage and critical security gaps.
For many organizations, it makes sense to partner with a managed detection and response (MDR) provider. MDR providers help customers choose and manage the appropriate technologies to defend against advanced threats.
Organizations must look closely at all product features to understand the coverage provided. Features should also be evaluated against the products already in use. By fitting together complementary technologies, businesses can maximize their security coverage regardless of their budget.
About the author
Rohit Dhamankar is vice president of threat intelligence at Alert Logic. Dhamankar has more than 15 years of security industry experience across product strategy, threat research, product management and development, technical sales and customer solutions. Prior to Alert Logic, Dhamankar served as vice president of product at Infocyte and founded Durvaankur Security Consulting. He holds two Master of Science degrees: one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.