Digital Risk Monitoring: The New Normal
by Scott Gordon
The threat landscape is evolving much faster than many enterprises can react to protect themselves and their customers.
Today, an online promotion can turn into a forgotten website that hackers can use as an easy inroad to a network. A CEO’s social media presence meant to create visibility with customers can turn into hundreds of rogue accounts impersonating him. A deprecated SSL certificate can ruin trust between a brand and its website visitors.
With massive breaches making headlines all the time—Panama Papers, the DNC, Yahoo, the list goes on—it’s evident the most damaging cyber threats are coming from sources outside the network firewall, completely invisible to security teams that aren’t comprehensively and persistently monitoring risk in all digital channels. The scale of these risks is unprecedented, and most security teams continue to track a much smaller portion of their environment than they realize, leaving much of it prone to attack.
To put things in perspective, Forrester recently released The Forrester Wave™: Digital Risk Monitoring, Q3 2016. The report is a not-so-subtle hint to security leaders that as their organizations continue to grow into the cloud, SaaS, mobile, and social channels, their traditional security programs are ill-prepared to continue protecting their business. For example, the report notes that digital channels are the fastest way to detect a slew of brand and physical risks such as compliance violations, corporate defamation, protests, and supply chain disruption. Consider it the writing on the wall: solutions and best practices that focus on security outside the firewall are now table stakes for CISOs.
It Can Happen to Anyone
The fallout for organizations that don’t take this new category seriously can be crushing. Take the recent hack of the DNC for example. The Hillary Clinton campaign’s chairman, John Podesta, had his personal Gmail account compromised, leaking thousands of damaging emails to the public and sending the campaign scrambling to control the damage.
Turns out, Podesta, a trusted confidant of some of the most powerful people of the 21st century, fell victim to one of the oldest tricks in the cyber threat book: phishing. Threat actors emailed him purporting to be Google’s Gmail account services department, saying his password had been compromised and that he should change it via a link that led to a phishing page where he could enter his credentials. As you can probably guess, he did, and the consequences have altered the American political landscape.
Attacks like this also have seismic consequences for other organizations that fall victim—the FBI estimates CEO email scams have cost organizations more than $2.3 billion in losses over the past three years. But inside-the-perimeter security technologies continue to fail in the face of external threats like these, putting company stakeholders and customers alike at risk. Security teams must now monitor their organizations from the outside in, seeing them the same way their customers—and those targeting them—see them.
So what goes into effective digital risk monitoring? When implemented, the following best practices have proven to help enterprises significantly reduce and defend against threats outside the firewall:
An organization’s online presence is constantly changing via a wide range of factors, both legitimate and malicious. As companies grow, it’s increasingly challenging for security teams to stay on top of the day-to-day activities by far-flung partners, vendors, and internal teams and business units, making it easy for threat actors to create fake branded websites, mobile apps, and social media accounts intended to fool customers and prospects and steal sensitive information or distribute malware.
By having the ability to analyze and contextualize enormous datasets covering the full breadth of the internet, these teams can have a real-time view of their internet-exposed attack surface as it appears to hackers, allowing them to verify the security and compliance of the assets that belong to them and to identify what may be fraudulent.
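As an added example (not RiskIQ's code or product logic) of the "identify what may be fraudulent" step, here is a small triage routine that compares names discovered by crawling against an owned-asset inventory and flags confusable spellings and brand-embedding lookalikes. The brand, inventory and discovered hostnames are constructed, and the registrable-domain logic is a deliberate simplification of a real public suffix list.

```python
import re
from difflib import SequenceMatcher

# Hypothetical brand and owned-asset inventory (constructed for this example)
BRAND = "examplebank"
OWNED_DOMAINS = {"examplebank.com"}
# Substitutions commonly used to make a lookalike name read as the brand
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("5", "s"), ("3", "e")]

def normalize(label):
    """Map confusable characters to the letters they imitate and strip punctuation."""
    s = label.replace("I", "l").lower()  # capital I imitates lowercase l
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", s)

def registrable(host):
    """Naive registrable domain: last two labels (a real tool would use the public suffix list)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify(host, threshold=0.8):
    """Return (verdict, reason): owned, lookalike or unrelated."""
    reg = registrable(host)
    if reg.lower() in OWNED_DOMAINS:
        return ("owned", "registrable domain is in the inventory")
    sld = normalize(reg.split(".")[0])
    if sld == BRAND:
        return ("lookalike", "confusable spelling of the brand")
    ratio = SequenceMatcher(None, sld, BRAND).ratio()
    if ratio >= threshold:
        return ("lookalike", f"edit similarity {ratio:.2f} to the brand")
    if BRAND in "".join(normalize(p) for p in host.split(".")):
        return ("lookalike", "brand token embedded in an unowned name")
    return ("unrelated", "no brand resemblance")

def triage(hosts):
    return {h: classify(h) for h in hosts if classify(h)[0] == "lookalike"}

# Constructed crawl output: names seen in passive DNS, certificate logs and app stores
DISCOVERED = [
    "promo.examplebank.com",             # owned, even if the promotion is long forgotten
    "exampIebank.com",                   # capital I in place of l
    "examp1ebank-login.net",             # digit 1 in place of l, plus an extra word
    "examplebank.com.secure-update.net", # brand used as a subdomain of an unowned domain
    "weather.example.org",               # similar word, not the brand
]
if __name__ == "__main__":
    for host, (verdict, reason) in triage(DISCOVERED).items():
        print(f"{host}: {verdict} ({reason})")
```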
- Efficient Detection
Web crawling plays a critical role in monitoring organizations’ internet-facing assets for security risks.
Web crawling technology for DRM is different from the kind built for indexing. A network of crawlers, sensors, and proxy users, it works as an emulated human user with a fully instrumented browser and algorithms that simulate human-like mouse movements and click behavior. It visits a page much as you would when reading an article online, only far faster, all while storing the entire chain of events that may have led to an attack, so security teams can reconstruct an event and what led up to it.
The same technological advances that empower internet users, services, and businesses also enable cyber crime to thrive at an unprecedented scale and velocity. Attackers can create massive amounts of these digital accounts at little or no cost and leverage a huge network of black markets to maximize profit and reduce the level of technical skill required to carry out sophisticated attacks.
Organizations must be able to scale at the same pace, leveraging the internet itself as a detection system to automatically defend a network from cyber attacks.
- Leveraging Automation
Attackers use automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure. But defenders with access to internet data can detect unknown threats at the source and track how they change and spread.
Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s being used within a larger context. Advanced analytics are necessary to automatically triage and address security events and track changes in threat infrastructure to predict new attack vectors as they emerge.
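As an added example (not RiskIQ's code) of correlating a single piece of infrastructure with its wider context: starting from one known phishing domain, the routine below pivots over shared IP addresses and certificate fingerprints to find linked domains, while refusing to pivot through hub nodes that many unrelated sites share. All observations are constructed; the IPs are RFC 5737 documentation addresses and the certificate hashes are fake.

```python
from collections import defaultdict, deque

# Constructed sample observations (domain, infrastructure node): RFC 5737 documentation
# IPs and fake certificate hashes; the domains are invented for this example.
OBSERVATIONS = [
    ("login-examplebank-secure.net", "ip:203.0.113.10"),
    ("login-examplebank-secure.net", "cert:sha256:c0ffee01"),
    ("examplebank-verify.com",       "ip:203.0.113.10"),
    ("examplebank-verify.com",       "cert:sha256:c0ffee01"),
    ("examplebank-verify.com",       "ip:198.51.100.7"),
    ("acct-update-examplebank.org",  "cert:sha256:c0ffee01"),
    ("acct-update-examplebank.org",  "ip:198.51.100.7"),
    # 192.0.2.99 stands in for a shared CDN edge: many unrelated sites sit behind it,
    # so sharing it is not evidence that those sites are linked to the phishing kit.
    ("examplebank-verify.com",       "ip:192.0.2.99"),
    ("cats.example",                 "ip:192.0.2.99"),
    ("news.example",                 "ip:192.0.2.99"),
    ("shop.example",                 "ip:192.0.2.99"),
]

def pivot(seed, observations, max_pivots=2, hub_limit=3):
    """BFS from a known-bad seed domain over shared infrastructure. One pivot is
    domain -> shared node -> other domain; nodes shared by more than hub_limit domains
    are skipped as hosting/CDN noise. Returns {domain: {"pivots": n, "path": [...]}}."""
    adj = defaultdict(set)  # bipartite graph: domains on one side, infra nodes on the other
    for domain, node in observations:
        adj[domain].add(node)
        adj[node].add(domain)
    dist, parent, queue = {seed: 0}, {}, deque([seed])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= 2 * max_pivots:
            continue
        for nxt in adj[cur]:
            if nxt in dist:
                continue
            if ":" in nxt and len(adj[nxt]) > hub_limit:
                continue  # hub node: too widely shared to count as a link
            dist[nxt], parent[nxt] = dist[cur] + 1, cur
            queue.append(nxt)
    related = {}
    for node, d in dist.items():
        if node != seed and ":" not in node:
            path, n = [node], node
            while n != seed:
                n = parent[n]
                path.append(n)
            related[node] = {"pivots": d // 2, "path": path[::-1]}
    return related
```

For the seed login-examplebank-secure.net this returns examplebank-verify.com and acct-update-examplebank.org at one pivot each; cats.example and its neighbours are left out because 192.0.2.99 exceeds hub_limit, and raising hub_limit shows how quickly a shared edge would drag unrelated sites into the cluster.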
The New Normal
Digital Risk Monitoring platforms aren’t an overhaul of your security programs—they should fulfill a unique function that complements and enhances the other tools in your security stack. They should integrate visibility into your external attack surface with the data and capabilities provided by traditional security tools including SIEMs, firewalls, endpoint security solutions, and vulnerability scanners—as well as non-security tools such as GRC platforms.
Security programs that take digital risk seriously and proactively operationalize digital risk monitoring as a function will have the best chance at staying a step ahead of adversaries.
Scott Gordon (CISSP) is the chief marketing officer at RiskIQ.