A security data lake. These supply chain incidents have shown the importance of retaining security log data for a long period. The SolarWinds intrusion started as early as March 2020, about nine months before it was discovered, so a retention policy shorter than the attacker's dwell time leaves nothing to investigate. Maintaining a security data lake that stores security, network and relevant application logs with adequate retention is vital to an organization's ability to uncover and investigate such events.
Visibility. Ingesting security logs is not enough on its own: security teams need to ensure that the organization's security controls are deployed on every host in the network so that coverage is complete. Proper visibility not only allows for swift detection, but also helps reconstruct what actions took place on a host, what traffic traversed the network devices, and which applications users accessed and from where. Ensure that all relevant controls are deployed comprehensively, with no unmonitored hosts or segments, and that all relevant IT and security infrastructure forwards logs as expected.
Asset management. Creating an organized and up-to-date inventory of relevant assets, both hardware and software (programs, virtual machines, software versions), helps security teams quickly determine whether a specific breach, such as a compromised software version, is relevant to the organization. Visibility dashboards that summarize this information, update automatically and alert on unexpected changes are a real asset for any security team.
Proactive threat hunting. Companies need a proactive approach to anomaly detection. Conducting proactive threat hunting over security logs, using efficient data analysis tools and anomaly detection techniques, must become an essential part of any security strategy. Security teams also need tools to automate the hunting process so they invest time on hunting and not on tedious supplementary or repetitive tasks. For example, having an automated IOC sweep mechanism can save a lot of time, instead of manually querying the data each and every time.
Connecting security telemetry. Hybrid IT environments and dispersed point solutions also lead to siloed detection. Without interconnecting data sources, single-sensor security solutions will most likely miss advanced threats, especially those that move laterally in the corporate network. Interconnecting and correlating security telemetry with XDR solutions can help the organization eliminate blind spots and detect faster across the entire stack with accurate findings.
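The automated IOC sweep and the cross-sensor correlation described in the two points above, as an added example that is not from the original article or any vendor's product. The indicators, hostnames and JSON-lines telemetry are constructed for illustration (the hash, domain and IP are placeholders, not real threat intelligence), and the mapping from each sensor type to the field it carries is an assumption about the log schema:

```python
import json
from datetime import datetime, timedelta
from itertools import groupby

# Constructed indicators of compromise. Placeholder values, not real threat intel.
IOCS = {
    "sha256": {"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "domain": {"updates.example-bad.test"},
    "ip": {"203.0.113.7"},
}

# Assumed schema: which field each telemetry source carries and which IOC type it maps to.
SOURCE_FIELDS = {
    "endpoint": ("sha256", "sha256"),  # process image hash from the EDR sensor
    "dns": ("query", "domain"),        # name looked up, from the DNS resolver log
    "proxy": ("dst_ip", "ip"),         # outbound destination, from the web proxy
}

# Constructed JSON-lines telemetry from three sensors (not real logs); one line is deliberately malformed.
LOG_LINES = """\
{"source": "endpoint", "ts": "2020-06-01T10:00:00Z", "host": "ws-01", "proc": "svc.exe", "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
{"source": "dns", "ts": "2020-06-01T10:00:20Z", "host": "ws-01", "query": "updates.example-bad.test"}
{"source": "proxy", "ts": "2020-06-01T10:00:25Z", "host": "ws-01", "dst_ip": "203.0.113.7"}
{"source": "dns", "ts": "2020-06-01T11:30:00Z", "host": "ws-02", "query": "updates.example-bad.test"}
{"source": "proxy", "ts": "2020-06-02T11:30:00Z", "host": "ws-02", "dst_ip": "203.0.113.7"}
{"source": "dns", "ts": "2020-06-01T12:00:00Z", "host": "ws-03", "query": "www.example.com"}
{"source": "endpoint", "ts": "2020-06-01T12:05:00Z", "host": "ws-03", "proc": "notepad.exe", "sha256": "abababababababababababababababababababababababababababababababab"}
this line is not json
"""


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a production pipeline would count these as parse failures
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return events


def sweep(events, iocs, since=None):
    """Automated IOC sweep: match each event's relevant field against the IOC set.

    `since` bounds the lookback. The further back the data lake retains logs,
    the earlier a long-dwell intrusion can be surfaced by the same sweep.
    """
    hits = []
    for ev in events:
        if since is not None and ev["ts"] < since:
            continue
        mapping = SOURCE_FIELDS.get(ev.get("source"))
        if mapping is None:
            continue  # unknown sensor type; nothing to match on
        field, ioc_type = mapping
        value = str(ev.get(field, "")).lower()
        if value in iocs.get(ioc_type, set()):
            hits.append({"host": ev["host"], "ts": ev["ts"], "source": ev["source"],
                         "ioc_type": ioc_type, "value": value})
    return hits


def correlate(hits, window=timedelta(minutes=5)):
    """Group hits per host into time windows and report windows seen by two or more sensors.

    A hit confirmed by independent sensors (e.g. EDR hash plus DNS plus proxy) is
    far stronger evidence than any single-sensor match, which is what XDR-style
    correlation buys over siloed detection.
    """
    incidents = []
    ordered = sorted(hits, key=lambda h: (h["host"], h["ts"]))
    for host, group in groupby(ordered, key=lambda h: h["host"]):
        cluster = []
        for hit in list(group) + [None]:  # trailing None flushes the last cluster
            if hit is not None and (not cluster or hit["ts"] - cluster[0]["ts"] <= window):
                cluster.append(hit)
                continue
            sources = sorted({h["source"] for h in cluster})
            if len(sources) >= 2:
                incidents.append({"host": host, "sources": sources,
                                  "first_seen": cluster[0]["ts"], "last_seen": cluster[-1]["ts"],
                                  "indicators": sorted({h["value"] for h in cluster})})
            cluster = [hit] if hit is not None else []
    return incidents


if __name__ == "__main__":
    found = sweep(parse_events(LOG_LINES), IOCS)
    for inc in correlate(found):
        print(inc["host"], inc["sources"], inc["first_seen"], inc["indicators"])
```

In the constructed data, ws-01 trips all three sensors within 25 seconds and becomes a correlated incident, while ws-02 has two single-sensor hits a day apart that stay uncorrelated and would only surface as lower-confidence leads. Passing `since` later than the oldest event returns nothing, which is exactly the blind spot a short retention window creates.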
DHS CISO Kenneth Bible joined the agency "in the peak of the response actions" after the SolarWinds hack. He ultimately established a four-prong strategy for supply chain risk management that pushes industry partners to take ownership of their own cybersecurity hygiene to overcome the approach of "bending metal — building something, then deciding how we wanted to address cybersecurity."
Would-be purveyors of “buy now, pay later" (BNPL) programs must consider the potential fraud and attack scenarios that are emerging in the new category — and take steps to mitigate the risks, experts say.