A security data lake. These supply chain incidents have shown the significance of retaining security log data for a long period of time. The SolarWinds incident started as early as March 2020, about nine months before it was initially discovered. Maintaining a security data lake which stores security, network and relevant application logs with adequate retention will prove vital in an organization’s ability to uncover and investigate such events.
Visibility. Ingesting security logs is not enough on its own: security teams need to ensure that the organization’s current security controls are deployed on all hosts in the network to ensure proper coverage. Proper visibility will not only allow for swift detection, but also assist in discerning what actions took place on the host, what traffic traversed the network devices, and what applications users accessed and from where. Ensure that all relevant controls are deployed comprehensively, with no uncovered hosts, and that all relevant IT and security infrastructure forwards logs as expected.
Asset management. Creating an organized and updated inventory of relevant assets, both hardware and software (programs, virtual machines, software versions), can help security teams quickly determine whether a specific breach is relevant to the organization. Visibility dashboards that summarize such information, update automatically and alert on unexpected changes are a real asset for any security team.
Proactive threat hunting. Companies need a proactive approach to anomaly detection. Conducting proactive threat hunting over security logs, using efficient data analysis tools and anomaly detection techniques, must become an essential part of any security strategy. Security teams also need tools to automate the hunting process so they invest time on hunting and not on tedious supplementary or repetitive tasks. For example, having an automated IOC sweep mechanism can save a lot of time, instead of manually querying the data each and every time.
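As an added illustration of the automated IOC sweep described above (example code, not from the original article), the following Python function sweeps a threat-intel indicator list over retained JSON log records. The log lines, the IOC feed, the field names and the timestamp format are constructed assumptions; the refang step and a retention-aware lookback window are included because both are where manual sweeps usually go wrong.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from the page): DNS, EDR and proxy records from different hosts.
SAMPLE_LOGS = [
    '{"ts": "2020-03-04T10:12:00Z", "source": "dns", "host": "ws-17", "query": "evil-update.example"}',
    '{"ts": "2020-06-20T08:00:00Z", "source": "edr", "host": "srv-build-2", "sha256": "' + "ab" * 32 + '"}',
    '{"ts": "2020-12-14T22:45:10Z", "source": "proxy", "host": "ws-03", "dest_ip": "203.0.113.77", "url": "http://203.0.113.77/update"}',
    '{"ts": "2021-01-02T09:00:00Z", "source": "dns", "host": "ws-40", "query": "updates.example.com"}',
]

# Constructed IOC feed (not from the page); threat reports commonly ship defanged, mixed-case values.
SAMPLE_IOCS = ["evil-update[.]example", "203[.]0[.]113[.]77", "AB" * 32]

# Assumed log fields that can carry an indicator.
FIELDS = ("query", "sha256", "dest_ip", "url")

def refang(ioc: str) -> str:
    """Turn defanged indicators (hxxp, [.]) back into matchable, lower-cased form."""
    return re.sub(r"hxxp", "http", ioc.replace("[.]", "."), flags=re.I).strip().lower()

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sweep(logs, iocs, lookback_days=None, now=None):
    """Return one (ts, host, source, indicator) tuple per record/indicator hit.

    Indicators are matched as whole tokens across the listed fields, so the IOC
    'example.com' would not fire on 'updates.example.com'. With lookback_days set,
    only records newer than now - lookback_days are examined (now is an ISO string)."""
    wanted = {refang(i) for i in iocs}
    cutoff = None
    if lookback_days is not None:
        ref = parse_ts(now) if now else datetime.now(timezone.utc)
        cutoff = ref - timedelta(days=lookback_days)
    hits = []
    for line in logs:
        rec = json.loads(line)
        if cutoff and parse_ts(rec["ts"]) < cutoff:
            continue
        tokens = set()
        for f in FIELDS:
            if rec.get(f):
                tokens.update(re.split(r"[^a-z0-9.\-]+", rec[f].lower()))
        for tok in sorted(tokens & wanted):
            hits.append((rec["ts"], rec["host"], rec["source"], tok))
    return hits
```

A nine-month lookback, as in the SolarWinds timeline, only works if the data lake actually retains that far back; the cutoff makes that dependency explicit.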
Connecting security telemetry. The hybrid IT environments within organizations and their dispersed security solutions also lead to siloed detection. Without interconnecting data sources, single-sensor security solutions will most likely miss advanced threats, especially those that move laterally in the corporate network. Interconnecting and correlating security telemetry with XDR solutions can help the organization eliminate blind spots and detect faster across the entire stack with accurate findings.