A detailed view of modern cyber security threats and defence

In this blog, the second in a series from Pravesh Kara, Content+Cloud’s Security and Compliance Product Director, we take a closer look at the National Institute of Standards and Technology’s (NIST) Cyber Security Framework. We’ll then dive deeply into what actions you need to take based on the framework’s guidelines to secure your organisation, data and people.  

For an introduction to the framework and to better understand the evolving threat landscape, check out the first of Prav’s blogs on the topic. 

The NIST cyber security framework  

As we discussed in my previous blog, the NIST cyber security framework offers five guiding focus areas that organisations should focus on when assessing and implementing a cyber security threats analysis. The five areas are: 

1. Identify 
2.  Protect
3.  Detect
4.  Respond 
5.   Recover 

If you’d like to know a little more about what each area instructs, the first blog in this series will bring you up to speed. 

Many organisations have adopted a lopsided approach to cyber security, without the due care and attention required to proactively seek out threats before they escalate, leaving themselves at great risk. For example, for many organisations the ‘identify’ stage is only undertaken after the fact, once a security incident has taken place, with organisations identifying what threats have been carried out and which key systems and data have been affected.   

In reality, ‘identify’ should be the very first rung on the cyber security ladder, underpinning everything that comes next. It is this proper sequence of security stages that the NIST cyber security framework seeks to outline.   

Here, we are going to look in greater detail at the questions each area asks of your cyber security solutions and the actions that you need to take to be compliant, safe and future-proof.  

Organisations should be framing their security position as a continuous operation, requiring 24/7 monitoring and a detection awareness that goes far beyond the basics, seeking out new and evolving threats before they become major incidents. By partnering with an experienced managed services provider (MSP) for your security needs, you can be assured of expert security advice and constant monitoring of your data and environments.  

Before we look at how the NIST cyber security framework can be used to properly prepare and defend against cyber security threats, let’s discover how Content+Cloud can help achieve your security goals.  

How a managed services provider can bolster your cyber security solutions  

The complexities and pace of evolution of threat actors and their weapons mean that cyber security is one of the most critical functions of an organisation’s IT team today. Fortunately for you, there is no need to create and execute every strategy outlined in this blog on your own.  

By partnering with a reliable and experienced MSP, you can lean on mature, scalable services that can hold the reins for you. As one of the most trusted MSPs in the UK, Content+Cloud can bring the benefits of broad experience, capabilities and knowledge to deliver the outcome that’s right for your business operations.  

Our dedicated managed cyber security teams offer a holistic package of cyber security solutions, together with decades of experience and knowledge of the cyber sector. By following the example of the NIST cyber security framework, our experts can work with you to create a long-term, future-proof and reliable package of cyber security solutions that will keep your people, your data and your environment secure.  

Identify cyber security threats: identifying the problem space  

Before even thinking about investing vital resources on cyber security, organisations need to invest in understanding their challenges better and more holistically. The expenditure on protections, detections, responses and recoverability will still be needed, but their ‘scopes’ will benefit by doing the ‘problem-scaping’ first. Indeed, an organisation’s wallet may end up better for it too.  

You don’t have to boil the ocean to define what is valuable to your business and what threat actors would subsequently like to deprive you of. The people, processes and technology deployed in the identifying stage should ideally match – or strive to match – the complexity of the business.  

We often find the easiest place to start is with your key products and services. Once you’ve clearly defined these, you can then trace your steps backwards in terms of understanding what technology, people, process and data underpins those products and services. This immediately tells you what is important to the business and gives you an indication of what losses might look like in monetary terms.    

This forms the basis of your cyber risks. The probability of any negative event happening is much easier to calculate based on any of the publicly available guidance on likelihood assessments.  

The other key area that helps shape what you need to protect is anything your organisation has been mandated to comply with. This could be specific laws (e.g. the UK Data Protection Act 2018), regulations (e.g. Payment Cards) or contracts you have signed with customers and suppliers (e.g. Security Schedules or Confidentiality Agreements). Again, these are much easier to assess as the ’clauses’ (or ‘obligations’) have already assumed the impact and are now expecting you to put the minimum set of controls in place.  

Fortunately, there is a way to put this in simpler terms. The decisions about your base-level security approach have been made for you. You can put a cost against these things, using a simple ‘what if’ approach as follows:  

• “What if we didn’t comply with the UK Data Protection Act? Then there is potential to be stung by a hefty fine?”
• “What if we didn’t comply with customer contracts? Then we may end up losing our business?” 

Simple activities like the above really help frame the security controls you need and, importantly, how much to spend on the controls. There is no point spending money on a control that will cost you more than the benefit it provides, for example. 

Protect from cyber security threats: prevention is better than cure  

Protection is all about prevention in this functional area of the framework. The aim is to make yourself as small a target as possible where you can control this. There are some things you can’t control, such as which threats will target you and when, but you can at least understand how those threats operate and employ cyber security solutions to counteract or mitigate their attempts.  

In today’s technology environments, there are multiple perimeters that make up your overall attack surface from all threats, whether from inside or out. They are:   

• Identities 
• Devices
• Platforms
• Apps
• Data
• Networks 
• Humans 

Focusing on specific perimeters helps simplify the problem and allows you to reduce the attack surface of each perimeter depending on which ones are a higher priority for you. There are many controls available across these perimeters to help mitigate the chances of yourselves being breached or of you breaching a compliance obligation. Now we have recognised the perimeters that contribute to your attack surface, we can consider each one in more depth.  

Identities   

Digital identities can include credentials, accounts, ones used by humans, ones used by technology to talk to other technology, and secrets, such as encryption keys. These can all live in a centralised identity management solution like Azure Active Directory (Azure AD) or can operate stand-alone atop a specific technology. Identities, and where those identities are used, are more exposed now than they ever have been – they are the gateway to your information and to your operations.  

Devices  

Devices are typically physical and offer a broader attack surface, both in the physical sense – think lost or stolen devices – but can also be logically compromised and act as a launch pad for further attacks. Laptops, desktops, mobile devices, kiosks and even virtual desktop solutions like Azure Virtual Desktop offer an opportunity for threats actors.  

Platforms  

Platforms, or infrastructure, represent the receptacles that underpin your apps and data, your cloud platforms like Azure, or your on-premises servers or virtual machines. These, by design, offer their services to internal networks and sometimes to the internet.  

Apps  

Apps are the workhorses that provide the workflows to support your business and the main things that govern the access to your data. They include any line-of-business application that is fundamental to your organisation, whether that is directly related to revenue generation or protection, or helping you meet your compliance obligations.  

Data  

Your data is your crown jewels, the digital gold that democratises your productivity, efficiency and consistency (among other benefits). It will be important to you because it is confidential, because you rely on the accuracy or integrity of the data, or because you always need it to be available – or a combination of all of these. As data is moved in third-party applications and cloud platforms, etc, you are more reliant on the vendor’s individual security solutions – though this does not change the accountability, which remains with you.  

Networks  

Networks are the arteries, veins and the nervous system equivalent in technology environments. They allow you to connect, integrate and build things of great complexity. Similar to data and apps, you may now have multiple network perimeters: your on-premises one and possibly one or many cloud platform-based network perimeters.  

Humans  

Typically, your people form one of your first lines of defence against threats. However, as compromising an individual employee could cause other layers of defence to be compromised in one motion, this is clearly a perimeter that needs to be monitored and maintained.  

Finding the right pragmatic controls at the right budget level is the aim of this functional area of the framework. Don’t just focus on implementation; technology, no matter how good the marketing says it is, requires regular feeding and watering. This means you need process and/or people – or a service provider to deliver an outcome for you. The right control is the one which answers your specific need.  

Detection of cyber security threats: detect what you can’t protect  

There are always going to be gaps in your absolute protection. Some gaps you will be aware of but have to live with in order for your business to operate; other gaps you won’t know about. In each of these cases, you must assume a bad actor will find these gaps at some point in time.  

This assumption is not based on rumour or FUD tactics (fear, uncertainty and doubt) – it reflects the increase in threat actors, the advancement of their techniques, the quantity of open vulnerabilities and the number of reported security breaches. All of these have been significantly rising for several years as intense analysis by vendors, industry analysts and government agencies shows. Fundamentally, the problem is real, and is at everyone’s doorsteps.    

While the ‘defenders’ in your organisation have some detection automation available to them through technology, it is not at a stage where every detection is fully validated and automatically blocked. They also need to undergo triage and investigation before they can be classed as a true detection. Remember, threat actors leverage automation to be able to discover gaps at scale, which means your gaps will be found even if threat actors are not targeting you specifically.  

Relying solely on vendor out-of-the-box product detections can give you great coverage, but it does not give you full coverage. For this, you’ll need to stay up to date with the latest threats and their behaviours – also known as their tactics, techniques and procedures (TTP).  

There are also situations that confirm technology is not infallible, where threat activity is not picked up because it is advancing at a prolific pace. In these situations, you need the right set of capabilities to hunt for behaviours and follow suspect threads of activity to see if there is a real threat at the end of it.  

Once again, a combination of people, process and technology is needed to create an appropriate detection layer, and it should be proportionate to your risk tolerance levels. 

Respond to cyber security threats: how to minimise the pain with your response  

You’ve detected a threat and validated that it is genuine. What do you do next?  

Option 1: panic, frantically pulling the proverbial plug on anything that the threat might have touched or is touching in a game of whack-a-mole, and in doing so bringing your organisation to its knees by causing as much damage, if not more, via your actions.  

Option 2: execute the plans you have in place in an orderly manner with all expectations managed across the business. You can do this because you expected a threat, have planned for it, have created simple response and communication processes, and tested them regularly to maintain your state of readiness.  

Investing a little time and effort in being ready for an adverse event is well worth it compared to the mental, physical and commercial pain that is felt by organisations who have had to go through a real security breach.  

Response isn’t just a technical theory. You should have the following in place for a seamless and strong response to cyber security threats:  

•  Pre-approved actions – to be carried out without delay  
• Communications plans – so relevant stakeholders can be kept informed and not overwhelm your response team with questions  
• Procedures developed for the most likely day-to-day incident scenarios – to be followed consistently, measured and optimised over time  
• Major incident plan – linked to disaster recovery plans
• Responsibility matrix – avoiding any gaps in responsibility and ensuring everyone knows who does what   

Recover from cyber security threats: recovering from a security incident   

Just as with responding to threats, recovery is focused on forward planning and making sure those plans are going to work when you really need them. 

Not all recovery is down to having backups, simply because not everything can be technically ‘backed up’ and ‘restored’.    

If the security incident goes public, then there is also crisis recovery that may be needed in restoring your organisation’s reputation and brand, and you may also need cyber insurance to help cover the cost of recovery.   

It may be a reality that recovery is not feasible with existing capacity or skill, and there may be a need for some burst capacity to be introduced that can aid recovery for your business. Having this agreed up front will make engagement that much faster.   

Choose cyber security solutions for today and tomorrow  

The crucial point when considering how to keep your people and data safe is that the biggest, most expensive solutions may not be the right answer for you. Based on the cyber security threats that you face, a logical calculation can be made to differentiate between your needs and others, helping to point towards the best and most cost-effective solutions and services for you.  

With our collective knowledge and experience, our experts are perfectly placed to listen to your concerns and offer insightful and focused guidance on the services available to keep you safe today and in the future.