How to navigate cybersecurity product coverage
Complexity is the defining challenge of cybersecurity. Malicious actors are getting more aggressive each year, launching an increasingly daring and sophisticated array of attacks. Proactive defensive measures are essential. But, for many organizations, understanding the nature of their cybersecurity coverage can seem as complicated as the threat landscape itself.
The cybersecurity market offers a range of products to protect devices, networks, applications, users, and other IT infrastructure. Each tool offers ways to prevent and detect cyber attacks. However, few vendors explain how their product defends against various vulnerabilities and attacks, simply assuring customers that their solution provides “full coverage”. This creates uncertainty for organizations trying to determine if and how they are protected against the latest cyber threats.
Types of security products
Each security expert will define security categories differently, but generally speaking, IT security products can be grouped into the following three areas of coverage:
- Network security. This governs the interactions between hardware and software on the network. Its purpose is to protect data by preventing unauthorized or malicious users from infiltrating and spreading across the network. Complete network security begins with configuring network devices to include preventative security measures. Network security should also include a detection system to identify irregular activity and a process to respond to breaches. Common security methods for protecting the network include firewalls, deep packet inspection, intrusion detection and prevention systems, web application firewalls, and traffic decryptors.
- Endpoint security. This coverage ensures that only authenticated devices, including PCs, laptops, and mobile devices, can access networks and data. It typically uses methods such as privileged access management, intrusion detection, application control, and data encryption. Together, these technologies prevent unauthorized user access, protect against malicious files, and ensure the integrity of data transferred between devices and the network. Products that fall into this category include anti-virus, endpoint detection and response, file integrity monitoring, and host-based intrusion detection.
- Cloud and application security products. These products protect data sent through web browsers and e-mail. They also inspect cloud infrastructures for attacks.
Products in each of these areas offer detection and prevention capabilities, ranging from generic to highly targeted, at various points in the kill chain. However, this variety makes it difficult for organizations to know where they are protected and where they are not.
How products defend against the Hafnium attack
Hafnium’s infamous zero-day attack on Exchange illustrated how products can provide security coverage from different angles. The attack exploited a critical vulnerability in Microsoft Exchange that allowed attackers to execute arbitrary code on the server. It was discovered in the wild before a Microsoft patch was released.
From a network security perspective, there are several ways that vendors can provide coverage against such a zero-day attack. Whenever a vulnerability exists, bad actors will create exploits to take advantage of it. Products should detect and block known exploits. Alternatively, a product can detect the root cause of the exploit as it traverses network traffic. Another option is to block the malicious actors who attempt to exploit the Exchange vulnerability. In this case, a provider identifies which domains or IP addresses are used to exploit the vulnerability and blocks them at the firewall level. As new malicious actors are discovered, their IP addresses are added to the product to maintain security coverage.
Endpoint security products can also protect against vulnerabilities in Microsoft Exchange. Some products may claim to prevent exploitation outright: when malicious code reaches the Exchange server from an endpoint, the product blocks it from running, providing generic protection against exploitation. Other products monitor endpoint activity, looking for anything that triggers suspicious processes on the Exchange server. Host-based systems also monitor a host’s behavior to identify and respond to unusual patterns of activity.
Finally, there are log-based analytics. These products provide coverage after an attack: a series of generic responses can be triggered whenever a user is compromised by an Exchange server exploit. There are also vendors who claim to provide comprehensive Exchange server vulnerability coverage by monitoring Exchange logs for anomalies that indicate an exploit.
Cut through the confusion
In each of these cases, a security provider claims to provide complete coverage against the Exchange server attack. But the actual coverage of a given product is not made transparent, making it difficult for customers to assess the veracity of these claims. This can lead to incomplete or ineffective coverage and critical security gaps.
For many organizations, it makes sense to partner with a Managed Detection and Response (MDR) provider. MDR vendors help customers choose and manage the right technologies to defend against advanced threats.
Organizations should take a close look at all product functionality to understand the coverage provided. Features should also be evaluated against products already in use. By combining complementary technologies, businesses can maximize their security coverage regardless of their budget.
About the Author
Rohit Dhamankar is vice president of threat intelligence at Alert Logic. Dhamankar has over 15 years of experience in the security industry in the areas of product strategy, threat research, product management and development, technical sales, and customer solutions. Prior to Alert Logic, Dhamankar was Vice President of Products at Infocyte and founded Durvaankur Security Consulting. He holds two Master of Science degrees: one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.