When an enterprise becomes the target of a cybersecurity attack – an almost inevitable occurrence nowadays – the question of network access arises. Will employees, partners and customers have the same access as they did before the attack? Will the enterprise network completely shut down? Or will it be some combination of the two? Unsurprisingly, at least some level of blockage is required to prevent irreparable damage. However, in the case of an ongoing security threat that occurs over an extended period of time, it’s simply unfeasible to implement total network isolation and bring everything to a grinding halt. How can enterprises reconcile the need to increase the level of security with that of sustaining vital business functions?
Step 1: Define Security Policies
In order to avoid a situation where the treatment is worse than the disease itself, enterprises need a well-defined set of security policies that align with their business objectives. By setting security policy rules, an organization can better enable the business to achieve its goals while protecting them from advanced threats. Without policies or a set of tools in place for such eventualities, it will be very difficult for the business to operate effectively when under attack.
These policies must account for a variety of threats – internal, external, ongoing, industry-specific, widespread, automated, and so on. A threat can range from a single user opening a spear-phishing email, to discovering that multiple machines inside the network have been compromised, to a Distributed Denial of Service (DDoS) attack combined with compromised internal machines and confidential data made inaccessible by ransomware.
Step 2: Develop a Plan of Action
Once that is understood and stakeholders are on board, security teams must develop a plan of action for responding to each type of threat. The plan should identify the key resources that need to be protected at all costs, assets that will have heightened focus, and assets that will be available only to a select group of users while the threat is active. Mapping out this plan requires a high level of detail and clearly defined roles – after all, this is an attack, one that calls for militaristic strategy and execution.
Options less severe than complete isolation include limiting access to critical servers and services, enabling enterprise-wide two-factor authentication to validate identity, and limiting access to the Internet or cloud services. A CISO may want to force Multi-Factor Authentication (MFA) on all users who try to access specific critical assets, or limit access to certain servers to specific users while the incident is in progress. In the worst-case scenario, you may need a kill switch in place.
Step 3: Implementation
The last preparatory step is implementation. This can be achieved with tools that enable a response tailored to each threat. Using policy-based solutions like next-generation firewalls, behavioral firewalls and other network security devices, enterprises can obtain the desired level of security while a cyber attack is underway. Next-generation firewalls can help protect the enterprise from attacks outside the perimeter, keeping ongoing threats out of the core of the network, especially while the threat is still external.
For access to cloud applications, cloud Single Sign-On (SSO) products can help to rapidly and systematically restrict access to users if required. Cloud infrastructure services like Azure and Amazon Web Services (AWS) provide Role-Based Access Control (RBAC). If roles are well defined, access for specific roles can be effectively quarantined. Similar access controls can be enabled inside the enterprise network to control access to applications. The challenge with these kinds of approaches is that they are very clear-cut: either access is allowed or it is disallowed. To balance the desire for security with the necessity of access to meet business objectives, a more nuanced approach should be explored.
An emerging category of solutions, behavioral firewalls, can help provide better control and protect enterprises from the inside. Behavioral firewalls can define security policies by individual, group, or organization. These policies give enterprises the flexibility to restrict access to important resources based on user roles through a simple change in policy. For example, some users may need access to critical resources to get their job done while under attack. In such cases, to maintain security, those users can be forced to perform MFA before gaining access. Other users may not be allowed to access those very same resources while the threat is ongoing. The granularity of these types of solutions as part of an overall security strategy enables more effective security in times of both war and peace.
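The graduated response described in Steps 2 and 3 (plain allow, forced MFA for critical assets, access restricted to a named group while the incident is active, and a kill switch as the last resort) can be expressed as a small policy engine. The following is an added illustration, not Preempt's product or any code from the original article; the threat-level scale, asset criticality tiers, group names, assets and policy table are all constructed placeholders. The engine takes one access request plus the currently declared threat level and returns one of three decisions; unknown assets and unknown criticality tiers fail closed.

```python
"""Graduated access policy evaluation during an active incident (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, IntEnum


class ThreatLevel(IntEnum):
    """Incident severity as declared by the security team (constructed scale)."""
    NORMAL = 0     # business as usual
    ELEVATED = 1   # e.g. a phishing click or a single compromised host
    CRITICAL = 2   # e.g. ransomware spreading or an active DDoS


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up authentication before access is granted
    DENY = "deny"


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # "critical", "important" or "standard"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset[str]
    asset: Asset
    mfa_verified: bool  # True if the user already passed MFA in this session


# Policy table (constructed): one rule per (threat level, asset criticality).
#   "allow"      - no extra friction
#   "mfa"        - anyone may access, but must pass MFA first
#   "restricted" - only groups on the asset's allowlist, and only with MFA
POLICY: dict[tuple[ThreatLevel, str], str] = {
    (ThreatLevel.NORMAL, "standard"): "allow",
    (ThreatLevel.NORMAL, "important"): "allow",
    (ThreatLevel.NORMAL, "critical"): "mfa",
    (ThreatLevel.ELEVATED, "standard"): "allow",
    (ThreatLevel.ELEVATED, "important"): "mfa",
    (ThreatLevel.ELEVATED, "critical"): "restricted",
    (ThreatLevel.CRITICAL, "standard"): "mfa",
    (ThreatLevel.CRITICAL, "important"): "restricted",
    (ThreatLevel.CRITICAL, "critical"): "restricted",
}

# Groups that keep access to a restricted asset while an incident is active (constructed).
ALLOWLISTS: dict[str, frozenset[str]] = {
    "payroll-db": frozenset({"finance", "incident-response"}),
    "domain-controller": frozenset({"incident-response"}),
}


def evaluate(req: AccessRequest, level: ThreatLevel,
             allowlists: dict[str, frozenset[str]] = ALLOWLISTS,
             kill_switch: bool = False) -> tuple[Decision, str]:
    """Return (decision, reason) for one access request under the current threat level."""
    if kill_switch:
        return Decision.DENY, "kill switch engaged: all access suspended"
    # Unknown criticality tiers fall back to the strictest rule (fail closed).
    rule = POLICY.get((level, req.asset.criticality), "restricted")
    if rule == "allow":
        return Decision.ALLOW, f"{req.asset.criticality} asset at threat level {level.name}"
    if rule == "restricted":
        # An asset with no allowlist entry is restricted to nobody.
        permitted = allowlists.get(req.asset.name, frozenset())
        if not (req.groups & permitted):
            return Decision.DENY, (f"{req.asset.name} restricted to {sorted(permitted)} "
                                   f"while threat level is {level.name}")
    # Access is permitted in principle; MFA is the remaining gate for "mfa" and "restricted".
    if req.mfa_verified:
        return Decision.ALLOW, f"MFA verified for {req.asset.name} at threat level {level.name}"
    return Decision.REQUIRE_MFA, f"step-up authentication required for {req.asset.name}"


if __name__ == "__main__":
    # Constructed sample requests, evaluated at every threat level to show the graduation.
    payroll = Asset("payroll-db", "critical")
    wiki = Asset("wiki", "standard")
    sample = [
        AccessRequest("alice", frozenset({"finance"}), payroll, mfa_verified=False),
        AccessRequest("bob", frozenset({"marketing"}), payroll, mfa_verified=True),
        AccessRequest("carol", frozenset({"engineering"}), wiki, mfa_verified=False),
    ]
    for lvl in ThreatLevel:
        print(f"--- threat level {lvl.name} ---")
        for r in sample:
            decision, reason = evaluate(r, lvl)
            print(f"{r.user:>6} -> {r.asset.name:<11} {decision.value:<12} ({reason})")
```

Raising the threat level changes only one input to the engine, so the access policy tightens for the whole organization through a single declaration rather than by editing individual users or firewall rules; lowering it afterwards restores normal access the same way.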
Striking a Balance
In this day and age, enterprises must adopt the mentality that it’s only a matter of time before a cyber attack happens to them. Having the right policies and tools in place to enact a graduated and granular response will help security teams not only thwart attacks when they do hit, but also give them more options and flexibility, so that the entire business does not have to come to a grinding halt in order to keep the threat at bay.
About Ajit Sancheti
Ajit Sancheti is an entrepreneur focused on solving challenges in enterprise software and security. He is currently the co-founder and CEO of Preempt, a cybersecurity startup with a patent pending solution for detecting and responding to security breaches and malicious insider threats.