Having a resilient cybersecurity strategy in place is key for any organisation when it comes to tackling cyberthreats and driving the investigation forward. Stefano Maccaglia, EMEA Practice Manager Incident Response at NetWitness, an RSA Business, discusses some of the core elements of an effective cybersecurity programme, as well as stressing the importance of the human element and the limitations of taking a technology-only approach to cybersecurity.
Can you introduce us to NetWitness and the clients and markets served?
NetWitnessstarted as a project from the Department of Homeland Security in 1997 and we became a company in the early 2000s. It was a really important step in our development when we were approached by RSA for the breach in 2011. From that moment on, RSA understood the value of the product, the platform and the approach. So, we started on our journey into the market.
Initially, we tackle the visibility from the network perspective which is the main goal for the platform; to offer the visibility that just a handful of technologies are available to support. From that moment on, we develop a number of additional elements. These include behavioural analytics and endpoint detection, so we added all the visibilities to the platform in order to tackle in full the different domains of every incident response investigation.
From the market perspective, while the deployment of NetWitness usually targets medium to large companies, with the new application of cloud visibility and cloud incident response capabilities, we are also offering these to SMEs. Since last year, basically every type of company can hire our services and our technology so that we can support them in their daily monitoring of activities.
We span across several regions in pretty much every part of the world – from Australia to Scandinavia, to Canada and South America. This is also true not just for the technologies, but also for the professional services.
What are the key challenges your customers [in Europe] are experiencing today?
The challenges are the standard challenges of cybersecurity which include the proliferation of actors and the sophisticated types of attacks that these actors are able to carry out against companies. The other challenge is to organise the proper response and this is where we come in. When you are facing a sophisticated actor, you need to bring a lot of different capabilities to the table, from the forensic capabilities to the network analysis to the application analysis, and this is where our technology excels.
With the current crisis in Europe, has there been any change to the cybersecurity threatscape?
Not really. It’s definitely showing us a new way of cyber-activism but this is not a long withstanding phenomenon. Something that has instead created a huge impact in the cybersecurity landscape were the actions against the ransomware gangs last year – that was really effective. In fact, nowadays, the cybercriminal war is scattered in different small groups, while up to 2020 there were four or five years of consolidation in this market by small groups affiliating themselves with larger groups. That is now no longer possible because of these mighty blows carried out by the different investigative agencies worldwide, which all of a sudden, in a few months, arrested several people.
What are the core elements of an effective security programme?
Collaboration, communication and visibility. Collaboration means that for every company to really be able to integrate a working programme in the cybersecurity field, they should create a collaboration landscape so that different departments and different people inside the company can cooperate. This is extremely important because working in segregation in preparing a cybersecurity programme is definitely not working.
Another element is communication because during an incident, if all the components aren’t communicating with each other and more importantly, if communication is not done properly and effectively with the public and third-parties, it can backfire.
The third element is visibility. To have visibility on all the domains involved in an investigation is extremely important to minimise time needed for the reaction to an incident and to be able to properly block the attacker in the right moment. It is also extremely important that the strategy is delivered correctly – not overreacting, not creating issues to the whole investigation itself by not acting according to plan.
What are the limitations of taking a technology-only approach to security?
The shortage of knowledge and capabilities on the market is definitely a problem. I know that several companies decided to solve the problem by integrating technology, but that is definitely not working. We need to believe that the attackers know the technology as we do and so their goal is to fool the technology. By executing good attacks fooling the technology, if there is no brain behind an attack from an investigative perspective, they can basically stay under the target and the victim for months. So, while technology is extremely important to support the investigative activities and the monitoring of daily activities, there is also the need for the human capability to really understand what’s going on and to react accordingly.
What are the key questions organisations should consider ahead of developing/implementing an incident response programme?
Again, visibility is key. Ensuring we can investigate every single area of the company is paramount. Other than that, preparation. You need to run drills every so often to decipher whether your people and your technologies are properly responding to an incident. Above that, a number of procedures shall be planted and shaped accordingly, but also properly prepared and tailored to answer the typical questions of the operators inside the company. ‘How and when should I engage when I notice something is wrong? How and when do I need to react to a situation that is anomalous’. These are the questions that should be considered during the preparation and organisation of the incident response practice inside a company.
Why is a holistic security programme crucial for targeted attack defence – and how can organisations best achieve this?
The plan is to properly define what types of attackers can target you because while there are some common companies and individuals, there are other types of threats that are targeting specific segments of the market. So when you are building your cyber incident capabilities and deciding where to drive your capabilities inside your investigative spectrum, you need to consider these factors. It is important that everything is shaped and timely integrated according to the plan and the plan should consider the risk related to the market segments that the company is operating in.
Can you highlight any specific examples of how you’ve worked with clients across the region and the benefits realised?
There are two potential examples to bring to the table. Let’s say one company engages with us before an incident and we are immediately able to track the attacker and block the execution of the ransomware before it causes harm. Another example is where the company hired us once the ransomware was already running. So, in the second case, while we were supportive in identifying the way the attacker went in and the way the attacker moved laterally to deploy this type of ransomware, the damage was already done. So in that case, we supported the company in rebuilding the situation, offering an explanation about when and how they got in so that we minimise future risk. But part of the damage was already done and it was simply down to a lack of visibility. The company wasn’t aware of what was going on until the ransomware was detonated. Our advice was to prepare beforehand. Again, integrating technologies and ensuring visibility is the main way to drive a situation like this in the right direction.
What is your best practice advice for organisations keen to implement an effective incident response programme?
The main thing, again, is to ensure visibility. I continue to say this because it’s really important. Also, have a proper procedure in place to enable the visibility and to squeeze the best out of the technology simply by mimicking attacker behaviour.
But I don’t want to give advice that is purely based on technology. The human factor is still important for driving the investigation and the reaction in a strategic way.
Liam Burman, Account Executive at RSA NetWitness, tells us how he is on hand to support customers at every step of their journey.
“My role as part of the UK&I team – as cheesy as it sounds – is to ensure client success, which translates to being better positioned to protect its data and employees from cyberthreats leveraging our people, or our evolved monitoring capabilities.
“Increasingly attacks are being deployed indiscriminately using the same level of sophistication as sustained, concerted and targeted offensives. Adopting appropriate protection to all institutions (irrespective of size) will be a significant focus – both to the individuals but also to businesses at the pinnacle as they look to protect themselves from its supply chain.
“With the emergence of XDR, NetWitness has never been better positioned to support smaller entities with the same technology that has protected large, complex, global organisatons and governments for the past 25 years,” said Burman.Click below to share this article