SOC Modernisation: A Digital Labrador for Next-Level Cybersecurity
Written by Ammar Enaya, Regional Director – METNA, Vectra AI
The Arab Gulf region has a well-deserved reputation for being a frontrunner in technology adoption — a reputation that its governments have retained throughout the Fourth Industrial Revolution. In the digital transformation era, managed services wormed their way onto the agenda of most, if not every, regional organisations, but until recently — cybersecurity remained an afterthought.
However, governments in this region have a way of inspiring others by example. By adopting economic visions with technology pillars that put cybersecurity front and center, GCC leaders pushed digital risk management to a top-priority position in the private sector. And those efforts have paid dividends. Saudi Arabia is second and the UAE fifth, on the International Telecommunication Union’s Global Cybersecurity Index for 2020.
But there’s still work to be done. Security professionals are overworked and under-resourced. This starts in the security operations center (SOC), which all too often is holding on to a legacy that has had its day. Modern complexities of rogue devices, remote employees, and multi-cloud environments have brought previously unseen levels of unpredictability to the SOC. These transformative changes coupled with advanced attack methods used in today’s ransomware and supply chain attacks equal a disaster waiting to happen for any organisation that isn’t thinking about modernizing the traditional approach.
The Old Way Opens Doors for New Attacks
Traditionally, the legacy SOC is centered around prevention (think SIEM and IDS), which for the most part is obsolete against modern threats and attack methods. The tools typically deployed in this scenario equal a high cost of ownership and fail when it comes to the detection and response of in-progress attacks. This is because the technologies used today have grown past the SOC as we’ve come to know it. The perimeter no longer exists, and cloud deployments are outpacing security. Analysts are having to work harder to trawl manually through limited data sources only to arrive at inaccurate conclusions. Ultimately what you’re left with is a lack of visibility and a security team scrambling through inefficient workflows at a high price.
The time for change is now. We’ve seen again and again how prevention techniques fail to detect ransomware attacks. These are human driven attacks — where malware isn’t deployed until the final step — meaning the only chance to stop it, is by detecting and stopping attacker motions inside an environment. Nowadays, attackers are finding all types of clever ways to bypass MFA. And while endpoint detection is important, it’s no match for a crafty attacker with stolen credentials.
But the good news is that defending against today’s attacks doesn’t have to be as impossible as the headlines might lead you to believe.
Moving Towards a Modernized SOC
Before we look at the alternative, it is also worth considering the life of today’s security professionals. Who without, the SOC would be the equivalent of falling trees in an empty forest. While the customer experience was all the rage before the pandemic, organisations must now prioritize the employee experience. The now-established efficacy of remote work means the region’s cyber-talent can work anywhere they want. So, as the region builds SOCs, it needs to design ecosystems that relieve burdens on technologists, or it risks losing the most qualified candidates to foreign employers.
This is all the more reason to modernize and take a futureproof approach that prioritizes visibility and workflow, acting as a kind of digital Labrador retriever — capable of sniffing out and fetching the most evasive targets and dropping them at the feet of threat hunters. It still uses event logs and SIEM tactics but supplements them with richer endpoint and network data. It mixes the disciplines of endpoint detection and response (EDR), AI-driven network detection and response (NDR) and user and entity behavior analytics (UEBA). The new SOC drapes a net across on-prem, cloud and cloud-native apps, allowing it to detect previously unknown suspect processes and lateral-movement attacks.
And if you’re looking for a place to start, meaningful AI can lend an immediate hand in the SOC. Everything from improving alert accuracy, optimizing investigations, threat hunting and adding extra horsepower so analysts know which threats to prioritize, can be achieved with the right AI platform. AI can also help SOCs play to the strengths of its players. For example, AI is incredibly proficient at dealing with large sets of data efficiency and at speeds unmatched by humans. On the other hand, humans are exceptional at dealing with ambiguity and contextualizing information — things they’ll be able to do with AI on their team. An analyst can’t see an attack evolving in the middle of the night, but the right AI can catch and stop it so they can get some rest once in a while.
A Breath of Fresh Air in the SOC
Modernization is the future for any organisation intent on delivering an efficient, sustainable SOC. And while this is becoming an increasingly urgent matter for many organisations in order to defend against today’s attacks, it can also be approached in phases by setting achievable goals. For example, if you lack the visibility necessary to accurately detect and respond to an adversary, you may want to prioritize implementing a solution that can help spot early attack signals like recon, privilege escalation, and lateral movement. Or if your organisation has traditionally been focused on prevention, it could be time to evaluate where security investments need to be made in order to gain coverage throughout the entire environment.
In a region where regulatory compliance keeps a lot of stakeholders up at night, a modernized SOC can greatly enhance governance and instill confidence in regulators, investors, and customers. The ability to detect, score and prioritize threats in real-time ensures swift and effective resolution of issues and prevents costly and embarrassing breaches.
Fewer manhours, better outcomes, lower costs, faster resolution, tighter compliance, and the ability to go up against unknown and stealthy attacks? Now that’s a Labrador that deserves a treat.
Threat Assessment: Royal Ransomware
Written by Doel Santos, Daniel Bunce, and Anthony Galiette
Unit 42 has published a blog post detailing the Royal ransomware group, which has been recently involved in high-profile attacks leveraging multi-extortion tactics against critical infrastructure including healthcare and manufacturing. Unlike other major ransomware groups (e.g., LockBit 3.0) that operate on a RaaS model by hiring affiliates to promote their services, this group operates behind closed doors – and comprises former members of the notorious Conti ransomware group.
It is important to note that Royal ransomware extends beyond financial losses to small businesses and corporations. Since 2022, Unit 42 has observed this group impacting local government entities in the US and Europe, most recently the group attacked the city of Dallas. In the last 9 months, Unit 42 incident responders have responded to over a dozen cases involving Royal ransomware.
Below are some additional facts about the group from Unit 42’s findings:
- Since 2022, Royal ransomware has claimed responsibility for impacting 157 organizations on their leak site.
- They have impacted 14 organizations in the education sector, including school districts and universities. In the first few days of May 2023, the group has already impacted four educational institutions.
Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti.
The Unit 42 team has observed this group compromising victims through a BATLOADER infection, which threat actors usually spread through search engine optimization (SEO) poisoning. This infection involves dropping a Cobalt Strike Beacon as a precursor to the ransomware execution. Unit 42 incident responders have participated in 15 cases involving Royal ransomware in the last 9 months.
Royal ransomware also expanded its arsenal by developing an ELF variant to impact Linux and ESXi environments. The ELF variant is quite similar to the Windows variant, and the sample does not contain any obfuscation. All strings, including the RSA public key and the ransom note, are stored as plain text.
Time for the Gaming Industry to Level Up Against DDoS Attacks
Written by Matthew Andriani, CEO, MazeBolt Technologies
Distributed denial of service (DDoS) attacks present a significant threat to organizations as they grow in sophistication and frequency. According to several studies, the average successful DDoS attack in 2022 lasted for over 50 hours, compared to 30 minutes in 2021. As the entertainment world’s largest source of income, the gaming industry has become a prominent target for DDoS attacks. The gaming industry houses several different entities that need protection in tandem with gadgets such as online access for consoles, smartphones, and cloud-based casual games – leaving the door open for cybercriminals to capitalize on the ever-expanding attack surface.
Without adequate visibility into DDoS vulnerabilities, an attacker can exploit thousands of entry points without notice, the only way a successful DDoS attack can occur is because of a vulnerability in the DDoS protection. It may only take one attack for an application to experience downtime, costing the businesses hundreds of thousands to millions in revenue along with their reputation within the gaming space. When an attack does occur, organizations are forced to operate in a reactive scenario that will only disrupt business and risk further downtime. As the DDoS attack surface continues to expand, gaming companies must gain insight into their vulnerabilities to close these gaps in protection and ensure players remain online.
The evolution of DDoS within the gaming industry
There are several enticing factors behind launching a DDoS attack in the gaming industry, including competition, extortion, and at times, disgruntled gamers. Threat actors know exactly how much in revenue and reputational costs a minute of downtime will have on the organization. Competition is a particularly critical factor because if one site goes down, users can easily pass to the next online platform to continue their gaming experience.
Likewise, extortion has become an easy way for attackers to monetize the industry by threatening to attack an online gaming company unless a payment is made, specifically after a demonstration that the threat is real. Online gaming platforms especially house big players in this field with great sums of money at stake, placing a large target on these organizations for cybercriminals to exploit.
There is also a growing trend among disgruntled gamers, known as ‘DDoS for hire’. Individuals no longer need to be knowledgeable about the functions of DDoS attacks, rather, they can have someone else launch the attack on their behalf. Gaming organizations are heavily investing in DDoS protection. The problem is that they are not consistently scrutinizing every vulnerability across the attack surface – the only reason gaming companies are experiencing downtime is because of a vulnerability in the protection they have already implemented.
Deploying a tier-one DDoS protection provider can only ensure around 60% automated protection into the attack surface, the other 40% must be continuously scrutinized with visibility tools. While many of these gaming organizations have the best protection in place, they don’t have the list of vulnerabilities within that solution. Without this critical insight, it’s impossible to manage the vulnerabilities and protect against this growing threat.
A race against time
It’s no longer an if, but when a gaming organization will suffer from a DDoS attack. This is not a new concept to the industry – it is well-known that these attacks are being launched at an alarming rate. To transform DDoS protection processes, gaming companies should start with a trusted solution that continuously identifies vulnerabilities across the attack surface, while speeding up the remediation process to ensure the damaging downtime is minimized.
Once these vulnerabilities are identified, organizations must confirm their closure to provide a more solid defense. At this stage of the process, the company is battling the clock to prevent further damage. Organizations that cannot keep up with this process will continue to experience downtime, and DDoS mitigation vendors not actively engaged in vulnerability management will be at a major disadvantage when working to avoid damaging DDoS attacks.
If you are not at the top of your game with DDoS protection, your organization will be knocked offline, costing millions in downtime and reputational losses.
The Chief Zero Trust Officer: A New Role for a New Era of Cybersecurity
Written by John Engates, Field CTO at Cloudflare
Over the last few years, the topic of cyber security has moved from the IT department to the board room. The current climate of geopolitical and economic uncertainty has made the threat of cyber attacks all the more pressing, with businesses of all sizes and across all industries feeling the impact. From the potential for a crippling ransomware attack to a data breach that could compromise sensitive consumer information, the risks are real and potentially catastrophic. Organizations are recognizing the need for better resilience and preparation regarding cybersecurity. It is not enough to simply react to attacks as they happen; companies must proactively prepare for the inevitable in their approach to cybersecurity.
The security approach that has gained the most traction in recent years is the concept of Zero Trust. The basic principle behind Zero Trust is simple: don’t trust anything; verify everything. The impetus for a modern Zero Trust architecture is that traditional perimeter-based (castle-and-moat) security models are no longer sufficient in today’s digitally distributed landscape. Organizations must adopt a holistic approach to security based on verifying the identity and trustworthiness of all users, devices, and systems that access their networks and data.
Zero Trust has been on the radar of business leaders and board members for some time now. However, Zero Trust is no longer just a concept being discussed; it’s now a mandate. With remote or hybrid work now the norm and cyber-attacks continuing to escalate, businesses realize they must take a fundamentally different approach to security. But as with any significant shift in strategy, implementation can be challenging, and efforts can sometimes stall. Although many firms have begun implementing Zero Trust methods and technologies, only some have fully implemented them throughout the organization. For many large companies, this is the current status of their Zero Trust initiatives – stuck in the implementation phase.
But what if there was a missing piece in the cybersecurity puzzle that could change everything? Enter the role of “Chief Zero Trust Officer” (CZTO) – a new position that we believe will become increasingly common in large organizations over the next year. The idea of companies potentially creating the role of Chief Zero Trust Officer evolved from conversations last year between Cloudflare’s Field CTO team members and US federal government agencies. A similar job function was first noted in the White House memorandum directing federal agencies to “move toward Zero Trust cybersecurity principles” and requiring agencies “designate and identify a Zero Trust strategy implementation lead for their organization” within 30 days. In government, a role like this is often called a “czar,” but the title “chief” is more appropriate within a business.
Large organizations need strong leaders to efficiently get things done. Businesses assign the ultimate leadership responsibility to people with titles that begin with the word chief, such as Chief Executive Officer (CEO) or Chief Financial Officer (CFO). These positions exist to provide direction, set strategy, make critical decisions, and manage day-to-day operations and they are often accountable to the board for overall performance and success.
An old saying goes, “When everyone is responsible, no one is responsible.” As we consider the challenges in implementing Zero Trust within an enterprise, it appears that a lack of clear leadership and accountability is a significant issue. The question remains, who *exactly* is responsible for driving the adoption and execution of Zero Trust within the organization?
Large enterprises need a single person responsible for driving the Zero Trust journey. This leader should be empowered with a clear mandate and have a singular focus: getting the enterprise to Zero Trust. This is where the idea of the Chief Zero Trust Officer was born. “Chief Zero Trust Officer” may seem like just a title, but it holds a lot of weight. It commands attention and can overcome many obstacles to Zero Trust.
Implementing Zero Trust can be hindered by various technological challenges. Understanding and implementing the complex architecture of some vendors can take time, demand extensive training, or require a professional services engagement to acquire the necessary expertise. Identifying and verifying users and devices in a Zero Trust environment can also be a challenge. It requires an accurate inventory of the organization’s user base, groups they’re a part of, and their applications and devices.
On the organizational side, coordination between different teams is crucial for effectively implementing Zero Trust. Breaking down the silos between IT, cybersecurity, and networking groups, establishing clear communication channels, and regular meetings between team members can help achieve a cohesive security strategy. General resistance to change can also be a significant obstacle. Leaders should use techniques such as leading by example, transparent communication, and involving employees in the change process to mitigate it. Proactively addressing concerns, providing support, and creating employee training opportunities can also help ease the transition.
But why does an organization need a CZTO? Is another C-level role essential? Why not assign someone already managing security within the CISO organization? Of course, these are all valid questions. Think about it this way – companies should assign the title based on the level of strategic importance to the company. So, whether it’s Chief Zero Trust Officer, Head of Zero Trust, VP of Zero Trust, or something else, the title must command attention and come with the power to break down silos and cut through bureaucracy.
New C-level titles aren’t without precedent. In recent years, we’ve seen the emergence of titles such as Chief Digital Transformation Officer, Chief eXperience Officer, Chief Customer Officer, and Chief Data Scientist. The Chief Zero Trust Officer title is likely not even a permanent role. What’s crucial is that the person holding the role has the authority and vision to drive the Zero Trust initiative forward, with the support of company leadership and the board of directors.
Getting to Zero Trust security is now a mandate for many companies, as the traditional perimeter-based security model is no longer enough to protect against today’s sophisticated threats. To navigate the technical and organizational challenges that come with Zero Trust implementation, the leadership of a CZTO is crucial. The CZTO will lead the Zero Trust initiative, align teams and break down barriers to achieve a smooth rollout. The role of CZTO in the C-suite emphasizes the importance of Zero Trust in the company. It ensures that the Zero Trust initiative is given the necessary attention and resources to succeed. Organizations that appoint a CZTO now will be the ones that come out on top in the future.