This is part 4 of the Cyber Security 101 blog series, originally published on Medium

As the Kaseya breach once more illustrated, cybersecurity is a constant battle. There are experts on both sides trying to outsmart each other. As the weapons and attack strategies evolve, the defense systems need to be adapted.

The first line of defense used to be your perimeter security. This was the (fire)wall you tried to build around your castle.

Today, we’re no longer protecting a castle. Modern corporate infrastructures are like sprawling metropolitan areas. There’s no clear front to defend in this scenario. This is urban warfare. Every part of your city is under siege.

You’re defending a city full of different infrastructure. There’ll be people working in the city center (the headquarters) and on the outskirts (branch offices, shops, home offices, etc.). And, don’t forget, the network, the transportation systems, and roads connecting the different locations have to be protected.

Your users move about in and between these locations using different vehicles (laptops, tablets, mobile phones, etc.) to access your applications and data.

They’re everywhere. You never know who’ll be doing what, where, or when, but you have to keep watch and protect all of it: the people, the network, the data, the apps, and the devices.

Your Defense Strategy

There’s no longer a clear distinction between inside and outside. One wall won’t be enough to keep control. You’ll need to build many walls (segmentation).

Within these segments, you have to deploy security cameras and drones. Surveillance systems will be equipped with weapons to stop the enemy on sight if necessary (Detection and Response).

Access to a house, street, or backyard in your city will be given only on a need-to-enter basis. Every single visitor needs to be authorized, authenticated and logged. Consider your city a Zero-Trust environment.

You’ll need to use face recognition and biometric access control on top of code words for dual authentication (2-factor authentication).

In short, you’ll have to turn your infrastructure into an authoritarian police state that constantly spies on its citizens’ every move.

Tons of data about what’s happening will be collected, stored, and analyzed all the time. The sheer amount of it will make it impossible for humans to keep track. You’ll have to rely on Artificial Intelligence to help you out.

The police officers patrolling your streets, steering the drones, and watching your security cameras will be robots supervised by a couple of humans.

Let’s take a look at the systems used to achieve this level of surveillance.

Firewalls and Segmentation

Firewalls are the primary workhorses of network security. They’re here to create a wall around your perimeter. This wall has a few doors (ports) that open for specific visitors.

For example, there is a door for the employees’ remote access or a door for people to visit your websites, and one for the email to come in. Every single visitor is inspected at the entrance to see if they’re authorized to use that door.

In a modern corporate environment, a single wall will not suffice. You’ll have to build many walls and rooms with reinforced doors. If you’re protecting something valuable, you might have to go as far as creating a room for every single workload.

This is what micro-segmentation does. It builds individual rooms for every single one of your workloads and protects them with a personal firewall.

Image 1 – Traditional Perimeter-Based Security vs Application-Level Micro-Segmentation

Micro-segmentation is a network security technique that enables security architects to logically divide the data center into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment.
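To make the idea concrete, here is an added example (in Python, not code from the original post) that measures how many workloads a single compromised machine can reach under a flat network versus per-workload allow-lists. The workload names and rules are constructed; the reachable set is the blast radius that segmentation is meant to shrink.

```python
"""Added example, not code from the original post: how far a compromised workload can
reach under a flat network versus per-workload allow-lists (micro-segmentation).
The workloads and rules are constructed for illustration."""
from collections import deque

# Constructed workloads sharing one data center.
WORKLOADS = ["web-1", "web-2", "api-1", "db-1", "backup-1", "hr-app", "hr-db"]


def flat_network(workloads):
    """One wall around the perimeter, nothing inside: every workload reaches every other."""
    return {w: {other for other in workloads if other != w} for w in workloads}


# Micro-segmentation: each workload is its own room, and the rule set is the only door.
# Anything not listed is denied by default.
MICRO_SEGMENTED = {
    "web-1": {"api-1"},
    "web-2": {"api-1"},
    "api-1": {"db-1"},
    "db-1": set(),
    "backup-1": {"db-1", "hr-db"},
    "hr-app": {"hr-db"},
    "hr-db": set(),
}


def blast_radius(policy, compromised):
    """Workloads reachable from `compromised` by chaining allowed connections.
    Worst-case view: every allowed connection is assumed usable for lateral movement."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in policy.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return sorted(seen)


def compare(compromised):
    """Size of the blast radius with and without segmentation, for the same foothold."""
    return (len(blast_radius(flat_network(WORKLOADS), compromised)),
            len(blast_radius(MICRO_SEGMENTED, compromised)))
```

`compare("web-1")` gives six reachable workloads on the flat network and two (api-1 and db-1) under the segmented policy; a compromised hr-db reaches nothing at all.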

XDR (Extended Detection and Response)

Firewalls alone will no longer deter hackers from entering your protected zones. They’ve long learned to disguise themselves as someone else.

They’ll hide on the websites your employees visit (fraudulent websites with malware). They come attached to the mail traffic (phishing emails).

They might use authorized users to sneak in (e.g., drop USB sticks) or sweet talk them into opening the door (social engineering).

The modern answer to the omnipresent threat of attacks is XDR (extended detection and response) deployed in addition to the firewall.

XDR comprises multiple solutions that work together to keep you safe: EDR (endpoint detection and response), an anti-virus solution on speed, and NDR (network detection and response), the police force on the network.

NDR (Network Detection and Response)

The network is the link between the different parts of our corporation. It ensures data travels inside the buildings (LAN — Local Area Network) or between separate buildings, cities, or countries (WAN — Wide Area Network).

An NDR solution is used to monitor your data transportation routes closely. Remember, everything is suspicious. To protect your organization’s sensitive data, you need to increase the number of monitoring points to build a finely meshed surveillance network.

This is a place where every visitor’s face is matched against the wanted posters of every known villain on earth.

The matching is done with an IDS/IPS (Intrusion Detection and Prevention System) that compares the data on the network to the signatures (wanted posters) of known malware communication patterns.

IDS/IPS systems are great to catch threats that have been seen before, but they can’t detect unknown malware (Zero-Day Attacks) because there’s no signature for them.

For Zero-Day attacks, you’ll have to go a step further. NDR uses behavior analysis and profiling to do anomaly detection. It watches the movement and activities of your citizens and builds profiles of what it considers normal behavior. If something unusual happens, it will alert you to it.

NTA (Network Traffic Analysis) is where it gets tricky. Unusual behavior is not necessarily a threat. You don’t want your security team jumping into action every time someone decides to do a late shift or accidentally tries to access the wrong file share.

Unnecessary alerts (false positives) are the bane of security teams’ existence. Common solutions generate so many alerts that security teams start ignoring them or don’t have time to look at all of them.

This is where artificial intelligence comes in. A good NDR solution will use unsupervised machine learning to detect anomalies and then filter them with supervised machine learning to ensure you only get alerts for what’s relevant.
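The three ideas above (signature matching, baseline anomaly detection, and a filter that keeps false positives away from the analyst) can be sketched in a few dozen lines. This is an added example in Python, not code from the original post or any product; the hosts, the indicator (a TEST-NET-3 documentation address), the baselines and the benign allow-list are all constructed, and a labelled allow-list stands in for the supervised model.

```python
"""Added example, not code from the original post: a toy NDR pipeline layering signature
matching (IDS/IPS), baseline anomaly detection (NTA) and a false-positive filter over
constructed flow records; every host, address and number here is made up."""
from collections import defaultdict

# Constructed flow records: (source host, destination, destination port, bytes sent).
FLOWS = [
    ("ws-01", "intranet.example", 443, 12_000),
    ("ws-02", "intranet.example", 443, 18_000),
    ("ws-02", "203.0.113.7", 4444, 900),          # tiny beacon to a known bad address
    ("ws-03", "files.example", 445, 95_000),       # unusually large pull from a file share
    ("ws-04", "mail.example", 993, 8_000),
    ("backup-01", "nas.example", 22, 40_000_000),  # nightly backup job
]

# "Wanted posters": (destination, port) pairs that have a signature. 203.0.113.7 is a
# documentation-only (TEST-NET-3) address standing in for a real indicator.
SIGNATURES = {("203.0.113.7", 4444)}

# Profile of normal daily outbound volume per host, as NTA would learn it over time.
BASELINE_BYTES = {"ws-01": 15_000, "ws-02": 15_000, "ws-03": 15_000,
                  "ws-04": 10_000, "backup-01": 5_000_000}

# Stand-in for the supervised filter: (source, destination) pairs analysts have
# labelled benign, e.g. scheduled jobs that always look "unusual" by volume.
KNOWN_BENIGN = {("backup-01", "nas.example")}


def signature_hits(flows):
    """IDS/IPS stage: exact match against known indicators; blind to anything new."""
    return [f for f in flows if (f[1], f[2]) in SIGNATURES]


def anomaly_hits(flows, factor=5.0):
    """NTA stage: hosts sending more than `factor` times their learned baseline.
    A host with no profile (baseline 0) is flagged on its first byte: new is unusual."""
    sent = defaultdict(int)
    for src, _, _, nbytes in flows:
        sent[src] += nbytes
    return [src for src, total in sent.items()
            if total > factor * BASELINE_BYTES.get(src, 0)]


def triage(flows):
    """Combine both stages, then suppress anomalies whose every flow is known benign."""
    anomalies = set(anomaly_hits(flows))
    benign = {src for src in anomalies
              if all((s, dst) in KNOWN_BENIGN for s, dst, _, _ in flows if s == src)}
    return {"signature": signature_hits(flows),
            "anomaly": sorted(anomalies - benign),
            "suppressed": sorted(benign)}
```

Calling `triage(FLOWS)` shows why the layers complement each other: the 900-byte beacon from ws-02 is far too small to look anomalous but matches a signature, the ws-03 file-share pull matches nothing but is six times its baseline, and the backup job is flagged as anomalous and then suppressed.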

Image 2 – Network Traffic Analysis

It will also tell you precisely what the attackers are trying to do by mapping the observed activity to the MITRE ATT&CK framework.

The third pillar of NDR is a sandbox. Imagine your SWAT team taking a suspicious suitcase to a protected area where they can watch it to see if it will explode. A sandbox is where you run suspicious files in isolation, without damaging your systems, to see if they contain malware.

All three parts of the solution (IDS/IPS, NTA, and the sandbox) will give you a fighting chance because they allow you to observe different aspects of an attack.

In combination, they will detect known and previously unknown threats (Zero-Day Attacks). If something gets in, an NDR will allow you to respond automatically, track the attacker and quickly determine what they’ve been up to (threat hunting).

Image 3 – Threat Activity Correlation

EDR (Endpoint Detection and Response)

An endpoint is a computer, laptop, server, tablet, or mobile device on your network. Endpoints are the places where your users log in, use applications, and read or store data, or where those applications run.

Like the network connecting them and transporting the data between them, the endpoints themselves must be closely monitored.

Everything you just read about NDR is true for EDR as well. Like NDR, EDR solutions are based on multiple pillars. They use signatures to match data to known threats. This is what your classic anti-virus solutions have been doing for ages.

However, signature matching is no longer sufficient to identify malware. EDR is an antivirus on steroids: it prevents known and unknown attacks (Zero-Day attacks).

We live in the age of previously unknown and evasive malware. Evasive malware uses tactics to avoid detection and lives off the land, which makes it hard to discern from benign software. For example, it uses allowed system processes to achieve its goal.

To detect evasive malware, profiling is necessary. The behavior of processes has to be watched, tracked and analyzed to understand if there are ulterior motives.

Image 4 – Tracking process behavior with EDR (screenshot source: presentation by author)

Like NDR, EDR provides the security teams with filtered real-time responses as well as artificial intelligence to support threat detection, threat intelligence, and threat hunting.

And, like NDR, EDR uses a sandbox to detonate suspicious files or attachments safely.

Final Thoughts

The unfortunate truth of our digital world is that you have to monitor everything and everyone 24/7.

Only very granular security zones combined with highly intelligent XDR (EDR & NDR) solutions can give you the level of protection needed. These systems will help you avoid catastrophic events that can potentially cost you millions of dollars.

Even with a combination of micro-segmentation, firewalls, and XDR, there remains a risk that someone will breach you. What these systems will do, however, is decrease the impact of the destruction (blast radius).

They’ll help you contain the damage to a few systems instead of your entire data center. One encrypted file server is bad. An entire encrypted data center is the kind of havoc that is difficult and expensive to recover from.