The true importance of time: Cyber attacks

Cyber attacks are rapidly evolving and organisations need an integrated system that can respond to threats in seconds, according to Sophos

Brian Murray, enterprise account executive, Sophos

“Integrated cybersecurity is probably the only viable way forward for organisations now to be perfectly honest,” said Brian Murray, enterprise account executive with Sophos. “Up until now, people have been pouring more and more money into individual endpoint security solutions. It’s not realistic in the long-term.

“With stand-alone solutions, you can only then address specific vectors of attack, and while that’s well and good, organisations need a layered approach to security, one where the products can share the information as it comes in.

“Companies that aren’t embracing this are exposing themselves to massive risk.”

Security today can broadly be divided into organisations that are embracing these changes and those that are not, and in some cases it can be difficult to work out exactly what you need to do. This is especially true of integrated security, which requires a business to take a deep dive into how it actually operates.

Murray looks at it from the perspective of synchronised security - bringing coordination into how your security systems operate - which rests on three pillars: discover, analyse, and respond.

“These pillars enable security components to become more than the sum of the parts by working together and staying ahead of the attackers,” he explained.

“When we discover, we see all network traffic, enabling identification of risky apps, malicious traffic, and risky user behaviour as well. So the products automatically share information to unveil hidden risks and all known threats, because it’s what we can’t see, this is the key to it.”

The analysis pillar lets them see the full chain of events around an incident, such as all the files, URLs and IPs involved, and correlate the network traffic to particular apps or devices. This feeds into the final pillar, response, where they can isolate compromised devices.

“The moment it touches the endpoint, we restrict that access,” he said. “We can remediate, but if it’s restricted on that, it means that adaptive policies automatically respond to infections and incidents in seconds.”

Core to what Murray does, and an important component of security as a whole, is the time it takes to respond or adapt. The time it takes to discover, analyse and respond can make a massive difference to the damage a company sustains from an attack, which is why Sophos has worked on making this period as short as possible.

“Your biggest enemy has always been time, when it comes to incidents actually happening,” he explained. “But then it’s remediation - identify and remediate infected computers - which is a hugely laborious task. It takes on average 3.3 hours per machine, but with Sophos, we got that down to eight seconds.

“It automatically responds to threats and provides detailed analysis of exactly what happened, and it means that you can prevent it happening in the future.”

Keeping that timeframe to a minimum is now essential, considering how much attacks change. A product or service that is designed to protect you should not only be communicating with other parts of your security infrastructure, it should also be updating and supported. A security product can quickly become redundant if it’s working in isolation.

“Attack vectors are changing, and the exploits are evolving on a daily basis,” said Murray.

“A product that was out six months ago - and it may still be reasonably good today - unless it’s actually sharing that information with other products that are across your network, it’s almost becoming redundant.

“We start sharing that information because it can happen in real-time and as the security heartbeat, what you want to do now is react to an incident as it happens and where it happens.

“So instead of waiting for information to be fed back to the firewall, once the endpoint sees it, the endpoint speaks to the firewall and that device is isolated. And really, timing in all of these exploits is absolutely key.”
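To make the endpoint-to-firewall loop described above concrete, here is a small constructed model (added here, not Sophos code): endpoints send heartbeats, the firewall isolates any host that reports RED or whose heartbeat falls silent, shares the indicators that host reported, and releases the host once it reports clean again. The status vocabulary, the silence timeout, the release policy and the host names are all assumptions.

```python
from dataclasses import dataclass, field
# Constructed model (not Sophos code) of a heartbeat-driven isolation loop:
# endpoints report health to the firewall; a RED report isolates the host and
# shares its indicators; a silent heartbeat is treated as suspect, because a
# killed agent can never report RED.
HEARTBEAT_TIMEOUT = 60.0  # seconds of silence before a host is isolated (assumed)

@dataclass
class Heartbeat:
    host: str
    status: str              # "GREEN", "YELLOW" or "RED" (assumed vocabulary)
    ts: float                # seconds on a shared clock
    indicators: tuple = ()   # hashes/URLs the endpoint saw (constructed values)

@dataclass
class Firewall:
    isolated: set = field(default_factory=set)
    last_seen: dict = field(default_factory=dict)
    shared_iocs: set = field(default_factory=set)
    log: list = field(default_factory=list)   # (ts, host, action)
    def isolate(self, host, ts, reason):
        if host not in self.isolated:
            self.isolated.add(host)
            self.log.append((ts, host, f"isolated: {reason}"))
    def receive(self, hb):
        self.last_seen[hb.host] = hb.ts
        if hb.status == "RED":
            self.isolate(hb.host, hb.ts, "endpoint reported RED")
            self.shared_iocs.update(hb.indicators)  # other devices can now block these
        elif hb.status == "GREEN" and hb.host in self.isolated:
            self.isolated.discard(hb.host)          # remediated host rejoins the network
            self.log.append((hb.ts, hb.host, "released"))
    def sweep(self, now):
        for host, seen in self.last_seen.items():
            if now - seen > HEARTBEAT_TIMEOUT:
                self.isolate(host, now, "heartbeat silent")

def run_scenario():
    """Constructed timeline: laptop-07 turns RED then recovers; laptop-12 goes silent."""
    fw = Firewall()
    timeline = [
        (0.0, [Heartbeat("laptop-07", "GREEN", 0.0), Heartbeat("laptop-12", "GREEN", 0.0)]),
        (30.0, [Heartbeat("laptop-07", "RED", 30.0, ("sha256:<constructed>", "http://bad.example/x"))]),
        (90.0, [Heartbeat("laptop-07", "RED", 90.0)]),
        (400.0, [Heartbeat("laptop-07", "GREEN", 400.0)]),
    ]
    for now, beats in timeline:
        for hb in beats:
            fw.receive(hb)
        fw.sweep(now)
    return fw
```

In this model isolation happens in the same tick as the RED report, which is the point of the heartbeat: no round trip through a central console before the firewall acts.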

Having those different security products talking to each other is the direction security is going at the moment. On their own, they may only protect specific parts of your company, but if they’re talking together, they can create something that’s greater than the sum of its parts.

“The move towards synchronised security and the understanding of it really is almost like a human body,” Murray explained. “[It’s] all connected together, speaking to each other, one part doesn’t work without the other.

“Really, that’s the only way that we can say that we are secure at the moment: by that information traversing all of those different levels, by the devices speaking to each other.”

“Things that stay the same, they will disappear, they will become less relevant. A good way of looking at it is the high jump. It was seen as something where you had to run straight at your target and jump over it as best you can. Then the Fosbury Flop happened and it completely changed athletics.

“If we don’t evolve, we will get left behind. And if businesses do not evolve, they leave themselves highly vulnerable.”