“I clicked a malicious link, so what!?“, could be the response of a user who is absolutely confident in the security of his ICT.
Most of the time however, the response is completely different. In panic, the support desk is contacted and the question is, what should I do? What you would actually prefer is that the virus is immediately rendered and the specific file is placed into quarantine.
This requires a detection and response mechanism that responds quickly, even to unknown threats. Based on behavior, artificial intelligence can be used to determine whether an application exhibits different patterns. This information is then shared with the rest of the organization, to prevent them from affecting other systems and users. This requires adequate tools that work 24×7 and take the appropriate immediate action like for instance isolating a system or user. A system like this is called XDR (eXtended Detection and Response). An XDR system retrieves information from multiple sources. Therefore, it can make connections and decisions based on real-time information.
ICT is more than users and their computers, it includes e-mail and document management services, server-based applications and often several applications that are purchased from different Cloud services. This all combined is your landscape in terms of security.
IT security is not only a matter of scanning for events but also constantly checking the status quo. Is everything up to date? Are network ports unintendedly open, causing unnecessary risks? Is the installed software approved and up to date?
It is crucial that the log analytics of this broad and sometimes complex ICT landscape is centralized. Applications like Microsoft Sentinel are made for centralized insights. Sentinel is a Security Information Event Management (SIEM) system. Like a large container with lots of collected data from different sources, where you can discover patterns and, if necessary, where action is automatically being taken.
When a user has accidentally installed Cryptoware, the IT ServiceDesk is already alerted and Sentinel has already created the support ticket before the user even had time to call the supportdesk.
If a user’s computer is infected with unwanted software, you would prefer that computer to be marked as unsafe and thus deny access to other systems or applications until the system is “clean” again. The user receives a message that an extra scan needs to run on the system, after this, with a green light, the system is released again.
Another example is detecting failed login attempts from a certain IP address, after which unwanted e-mail is sent from that same IP address. By linking this information, a fully automated response can be made. These events can occur 24-7 with a speed that humans can no longer keep up with, software is needed that does this for us. However, monitoring and analyzing to discover patterns is still human work.
For an engineer, this incident provides important insights, the retained information can be used to optimize security even better. Of course, it was annoying for the user that he/she was not able to continue working for a short period of time, but the issue was solved quickly. In this scenario, an employee does not have to feel guilty about the fact that this has happened, at least he/she could contribute to optimizing security, and that is also worthful.