KJR’s CTO Mark Pederson shares his perspective on Collective Defence for Cyber Risk Leaders magazine, and the importance of this collaborative strategy when it comes to addressing cybersecurity and tackling cybercrime.
This article was first published in Cyber Risk Leaders, Issue 3 2020. Access the 2020 magazines here
There is no doubt the global COVID-19 pandemic has had a significant impact on our everyday lives. In particular, we’ve seen a rapid shift to digital platforms for many of our daily interactions — from remote work to virtual schooling. Many organisations which previously had scant provisions for working from home have embraced the change with a majority of their workforce entirely online.
According to a recent survey from ADAPT, half of private, public, and hybrid cloud organisations have increased their cloud workloads by more than 50% to enable remote working since the outbreak. Given the need to transition rapidly, many of those organisations are still in the process of updating their security posture and policies to reflect the “new” status quo of operating outside any kind of defined security perimeter.
Similarly, just as the COVID-19 pandemic requires a coordinated and collective response, dealing with rapid escalations in cybercrime also requires an approach that goes beyond the capability of any individual organisation working in isolation.
As part of our own response to both the growing need and complexity of cybersecurity issues, KJR has partnered with the US-based cybersecurity firm IronNet in order to make its expertise in Collective Defence more accessible within Australia.
The concept of Collective Defence is not necessarily new, as intergovernmental military alliance NATO has been using this principle to defend treaty members. However, the application of the strategy is a new approach to cybersecurity, where organisations are actively sharing cyber threat intelligence and collaborating with one-another to improve detection capabilities.
During a recent webinar hosted by IronNet’s APJ Vice President, Gaurav Chhiber, IronNet’s Chief Operations Officer Major Gen Brett Willams (Ret) notes: “As a collective group, we can come together to defend ourselves better, by having full situational awareness and full visibility … we bring the strengths of each together, so we are all stronger as a group.”
But what does Collective Defence mean for organisations and why should it be applied?
Collective visibility of a broader threat landscape
Increased visibility of the threat landscape is possibly the most important aspect of Collective Defence. Many organisations are linked to others – either directly through partnerships and supply chains, or by virtue of being in the same industry sector. Having access to collective threat intelligence updates from similar companies at machine speed allows better insights and faster responses to cyber threats that could affect their own organisation. “The quickest way to remediate is to see that someone else was attacked, to see the characteristics and behaviours of that attack, and look at your own environment… and proactively make that adjustment,” says Major Gen Williams.
Real-time collaboration and threat-sharing to facilitate rapid response
Many organisations are reluctant to share details of being under attack. While this is understandable, we must move past this resistance in order to respond faster to early warnings about the kinds of attacks others may be experiencing. In turn, sharing data means protecting industry sectors and/or networks of businesses across the company’s value chain.
This is where encrypted data can be used to enable SOCs to securely share anonymised alert data to collectively amplify threat detection. Timely information about specific attack campaigns that may be underway can mean the difference between a successful defence that reduces dwell time and a full-on data breach. Collective Defence makes it more challenging for attackers to reuse the same techniques to “cherry-pick” enterprises individually as they do today.
Ongoing, real-time collaboration is required so the industry can learn from one-off events on an individual organisation. Major Gen Williams suggests that “instead of every company having to look at every alert, you can crowdsource that…. Cyber specialists can collaborate and share expertise without putting their intellectual property at risk.”
Sophisticated behavioral analytics to detect unknown network threats
While many organisations rely on endpoint detection and firewalls to protect the enterprise, the nature of today’s cyberattacks requires network defense as well. Network Detection and Response (NDR) solutions see unknown threats using cybersecurity analytics. These solutions are designed to focus on behaviours, rather than relying on signatures.
NDR solutions can detect network behaviours that are hard for attackers to evade, as they currently do with traditional indicators of compromise (IOCs), such as IP addresses, domains, and file hashes. NDR can pick up behaviours such as lateral movement, malicious use of standard protocols, beaconing, data loss, and DNS tunneling attacks.
By identifying patterns in behaviour, organisations can collaborate and learn from similar behaviours that result in cyber-attacks.
A mindshift toward Collective Defence for a unified front
At KJR, we increasingly find ourselves working with organisations that are having to rapidly improve their own security practices to meet the compliance requirements of their larger private enterprise or public sector customers.
No organisation is an island. Even with the proper defences in place, breaches can still occur. For example, there have been recent data breaches in Australian organisations that originated from phishing campaigns spread from other related agencies which had less mature security capability. It’s not enough just to invest in your own internal capability: it’s important to mature collectively.