A guest blog by Ian Loe, Senior Vice President, Cybersecurity, NTUC Enterprise Co-operative Limited
News flash: aided by time, persistence and smarts, advanced cybersecurity felons are leapfrogging traditional security systems to compromise confidential data. Realising this, we at NTUC Enterprise have been looking into new security technologies that help address these rising concerns. One of the key areas we have identified is how to better protect our endpoints and increase our visibility into what goes on within these devices.
With over 20,000 endpoints across PCs and IoT devices under the group to secure, and the potential to grow to 30,000 in the near future, we realise that incident detection and response is becoming critical. With so much at stake, we need a solution that provides constant surveillance – like a CCTV camera – to identify suspicious activities undertaken by a criminal.
Enter endpoint detection and response (EDR) technologies that can record and store queries, behaviours, and events on the endpoints. Picture this: a CCTV camera has the ability to capture movement across every corner and point of entry of a building. If someone surreptitiously breaks the lock of a door, disables the security alarm, or trespasses on commercial property, security personnel will be alerted by the footage from these surveillance cameras.
Now let’s put that in the context of EDR. IT teams are able to go beyond just indicators of compromise and achieve high visibility into the nitty-gritty that’s going on. EDR also helps them to understand the multitude of different threats and attack types, allowing teams to correlate information and respond in a timely and effective manner.
For instance, EDR can help teams pinpoint how many devices in the organisation are using a particular piece of vulnerable software, or have accessed a bad domain. EDR stores these events in its memory repository and can identify the exact starting point of a criminal’s footprint to reconstruct the whole attack.
Swiftly detecting and removing a threat from an endpoint, or isolating an endpoint in a large network, can potentially thwart a large-scale infection down the line. This is what drew me to EDR in the first place. By working with Trend Micro, my team can now understand the source, impact, and spread of advanced threats.
But technology is only part of the answer to the overarching situation.
Where are the cybersecurity personnel?
In the cyber world, detection and response is a set of processes that requires specialized skills and years of experience to handle. I think we can all agree on the fact that there is only one predictable thing about a cybersecurity professional’s day – its unpredictability.
Most of us in our field never have the same day twice, having to put on the hats of both defender and attacker. No security offering is complete without skilled intelligence to support it. In fact, an ESG survey reveals that 83 percent of organisations agree that using EDR effectively demands advanced security analytics skills. A lack of qualified candidates to fill these positions means that even if an organisation could justify the full-time staff, it is difficult to find them.
Put simply, the abundance of vulnerable businesses along with a lack of skilled cybersecurity personnel translates to more open doors for attackers to slip through – easily.
Managed detection and response (MDR) then comes into the picture to help organisations like ours ease the skills gap by providing 24/7 alert monitoring and threat-hunting capabilities from experienced cybersecurity professionals – powered by big data and AI technologies to detect anomalies faster.
For an organisation the size of NTUC Enterprise, the imperative is to achieve an effective security control posture, ensure compliance, and close known security gaps. By offloading the task to Trend Micro’s skilled MDR team, my team is able to focus on security projects that are important for the business and overcome staffing challenges.
For instance, I’m able to create custom alerts for significant assets within my environment when malicious or suspicious activity happens. Monitoring would be done via a follow-the-sun model within the region and in the US regardless of time zones, increasing responsiveness and reducing delays.
I’m also powered with insights from endpoint data that serves as the basis for root cause analysis – illuminating the path where the threat originally entered the endpoint (e.g. email, web, USB, application), and how it was executed.
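The two EDR capabilities described above, querying which endpoints contacted a flagged domain and tracing the offending process back to its entry vector for root cause analysis, as an added example that is not NTUC's or Trend Micro's code: the event schema, hostnames, process names and domains are constructed for illustration, not any product's real format.

```python
# Added example (not NTUC's or Trend Micro's code): querying constructed
# EDR-style endpoint telemetry for (a) endpoints that contacted a flagged
# domain and (b) the process ancestry of the offending process, back to the
# entry vector. Event schema, hostnames and domains are hypothetical.

# Constructed process-start events; "origin" marks where an artefact came
# from when the agent knows it (e-mail attachment, web download, USB, ...).
PROCESS_EVENTS = [
    {"host": "PC-0123", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "origin": None},
    {"host": "PC-0123", "pid": 200, "ppid": 100, "image": "outlook.exe",    "origin": None},
    {"host": "PC-0123", "pid": 300, "ppid": 200, "image": "winword.exe",    "origin": "email"},
    {"host": "PC-0123", "pid": 400, "ppid": 300, "image": "powershell.exe", "origin": None},
    {"host": "PC-0456", "pid": 500, "ppid": 1,   "image": "chrome.exe",     "origin": None},
]
# Constructed network events: which process on which host contacted a domain.
NETWORK_EVENTS = [
    {"host": "PC-0123", "pid": 400, "domain": "bad.example"},
    {"host": "PC-0456", "pid": 500, "domain": "news.example"},
]


def hosts_contacting(network_events, domain):
    """Endpoints with at least one process that contacted the given domain."""
    return sorted({e["host"] for e in network_events if e["domain"] == domain})


def trace_chain(process_events, host, pid):
    """Walk parent links from a process back to its root ancestor.
    Returns (images root-first, entry vector nearest the root, or None)."""
    index = {(e["host"], e["pid"]): e for e in process_events}
    chain, origin, seen, key = [], None, set(), (host, pid)
    while key in index and key not in seen:
        seen.add(key)                      # guard against looping ppid data
        event = index[key]
        chain.append(event["image"])
        if event["origin"]:
            origin = event["origin"]       # keep the outermost origin found
        key = (host, event["ppid"])
    chain.reverse()
    return chain, origin


def investigate(process_events, network_events, bad_domain):
    """For each host that reached bad_domain, reconstruct how that process got there
    (one chain per host; the last offending process wins if there are several)."""
    findings = {}
    for net in network_events:
        if net["domain"] == bad_domain:
            findings[net["host"]] = trace_chain(process_events, net["host"], net["pid"])
    return findings


if __name__ == "__main__":
    for host, (chain, origin) in investigate(PROCESS_EVENTS, NETWORK_EVENTS, "bad.example").items():
        print(host, "entry via", origin, "->", " > ".join(chain))
```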
Data – the brains behind visibility
At the end of the day, organisations want more visibility into every nook and cranny of their IT infrastructure. And what enriches visibility? Data. The industry is decidedly moving towards XDR, a form of data-powered defence that provides omnipresent, nuanced visibility into attacks.
We are more likely to be a victim of a cyber crime than any other criminal offence – let’s be prepared!