The recent ransomware attack on Travelex is a salutary reminder of the constant security threat we all face. While we don’t know whether or not a ransom was paid in this case, it’s widely understood that some organisations have been willing to pay several times to have their data restored.
The growing risk means organisations can no longer simply rely on defence as a means of protecting themselves against cyber criminals. As the saying goes, attack is the best form of defence. For truly effective security, we need to know who is accessing what data, when, where and why, so we can wrap security around how our users actually work. For example, if someone is logging into our network at 10pm, is this normal behaviour? What applications and data are they accessing, and should this set alarm bells ringing?
Of course it’s not just user behaviour that needs to be considered. Our networks can provide us with huge amounts of information if we ask the right questions. For example:
The best way to tackle this is a SIEM (Security Information and Event Management) solution. SIEM essentially takes hundreds or thousands of data sources from throughout the entire IT infrastructure and analyses them using AI to give insight into how and when businesses are under attack.
In the past, such systems have been extremely expensive and so out of the reach of all but the largest organisations. However, Microsoft Azure Sentinel has opened up new opportunities, and we’ve used it as the basis of an affordable managed security service that will protect an organisation’s entire infrastructure, including on-premises infrastructure, private and public cloud services and all end user devices and data.
Azure Sentinel correlates alerts from security incidents using Fusion, where machine learning helps to reduce false positives. Sentinel – and systems like it – are self-learning, and will work towards a point where they only alert you when they detect abnormalities in access and traffic flow. However, organisations using them still need to map their environment and the behaviour of their users so that they can tune the tool to create a picture of normal working. Many simply don’t have the time to do this, so are not able to obtain its full benefits.
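As an added illustration (not Fordway's code and not anything Azure Sentinel ships), the following Python sketches the "picture of normal working" idea from the paragraph above: it builds a per-user baseline of sign-in hours from a constructed history, then classifies new sign-ins so that a 10pm sign-in is anomalous for a day worker but normal for someone whose baseline is the night shift, and an account with too little history is surfaced for review instead of being scored. All user names and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history of successful sign-ins as (user, ISO-8601 local time).
# These made-up records stand in for a month of real sign-in logs.
HISTORY = [
    ("alice", "2020-01-06T08:55:00"), ("alice", "2020-01-07T09:05:00"),
    ("alice", "2020-01-08T08:40:00"), ("alice", "2020-01-09T17:30:00"),
    ("alice", "2020-01-10T13:15:00"),
    ("bob", "2020-01-06T21:50:00"), ("bob", "2020-01-07T22:10:00"),
    ("bob", "2020-01-08T23:05:00"), ("bob", "2020-01-09T22:30:00"),
]

# Constructed batch of new sign-ins to triage against the baseline.
NEW_EVENTS = [
    ("alice", "2020-02-03T22:00:00"),  # day worker at 10pm
    ("bob", "2020-02-03T22:00:00"),    # night-shift user at 10pm
    ("bob", "2020-02-04T00:15:00"),    # just past midnight, still near 23:00
    ("carol", "2020-02-03T22:00:00"),  # account with no history at all
]

def build_baseline(events, min_events=3):
    """Per-user set of hours (0-23) in which that user normally signs in.
    Users with fewer than min_events records get no baseline, so a brand-new
    account is reported for review rather than silently scored as normal."""
    hours = defaultdict(list)
    for user, ts in events:
        hours[user].append(datetime.fromisoformat(ts).hour)
    return {u: set(h) for u, h in hours.items() if len(h) >= min_events}

def classify(user, ts, baseline, tolerance=1):
    """Return 'normal', 'anomalous' or 'no-baseline' for one new sign-in.
    A sign-in is normal if it falls within +/- tolerance hours (wrapping at
    midnight) of any hour the user has been seen signing in before."""
    if user not in baseline:
        return "no-baseline"
    hour = datetime.fromisoformat(ts).hour
    for seen in baseline[user]:
        if min(abs(hour - seen), 24 - abs(hour - seen)) <= tolerance:
            return "normal"
    return "anomalous"

def triage(new_events, baseline):
    """Classify a batch of new sign-ins; returns [(user, ts, verdict), ...]."""
    return [(u, ts, classify(u, ts, baseline)) for u, ts in new_events]

if __name__ == "__main__":
    for user, ts, verdict in triage(NEW_EVENTS, build_baseline(HISTORY)):
        print(f"{ts} {user:6} -> {verdict}")
```

Tuning here means adjusting the tolerance, the minimum history and the per-user sets, which is the calibration work the paragraph says most organisations lack time for.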
What Fordway does is to apply our knowledge of your business, plus industry best practice and NCSC guidelines, to calibrate and manage this process for you. The result is a bespoke service based on categorising incidents into two priorities:
We can also repurpose your existing security devices and integrate them into the solution, protecting cloud, on-premises and SaaS services across your IT domain. Combining this SIEM service with our 24x7x365 monitoring enables us to protect your data, notify you of any attempted breaches, and offer swift containment and remediation action should the worst happen.
If you'd like to know more or have a discussion about how to choose a cyber security solution for your organisation, Fordway can help.