From the desk of
Trey Stokes
Criminals are often found on the edge of technological revolutions. Working outside of the laws, regulations, and moral standards that many of us are bound to free the mind for innovation. Take a look at Bonnie and Clyde. Born in poverty in the suburbs of Dallas, these two young lovers used the latest cutting-edge military technology of the time to rob 15 banks in the short span of four years, called the “Tommy Gun.” The Thompson Trech Broom was designed to fire 20 rounds per second. With its compact size and ability to spray hundreds of bullets, this gun was loud, sending anyone in its near vicinity heading for the hills. This deadly weapon saw action in the First World War into the Vietnam era. More recently, Ross Ulbricht, the Dread Pirate Roberts, leveraged the Internet and dark web technology to create the Silk Road. Leveraging a dark web browser called The Onion Router (Tor), users were able to mask their identities, making it easier to move illegal goods and services. This created the Amazon of the criminal underworld. Anything you might need discreetly -drugs, weapons, human trafficking, hit for hire – it was all available with just a few easy clicks. Using encryption, aliases, and digital wallets to cover his tracks and launder funds, Ulbricht evaded law enforcement for years. But as these criminals were on the rise, law enforcement agencies were a quick step, then a half step behind. Eventually, Bonnie and Clyde died in a shootout in Shreveport with the same lead bullets they used to fuel their region of terror. For the Dread Pirate Roberts, properly handling millions of dollars in cryptocurrency and not getting caught proved to be like spinning dozens and dozens of plates. When he used public Wifi networks in San Fransico to access the Silk Road, the authorities captured him and threw him in the clink, where he is now serving a life sentence. While criminals often get a running start by using new technologies, the defense usually catches up. That is why it is important for businesses to make sure they evolve their cyber detection methods. I’ll quickly walk through some popular cyber detection tools and what the pros and cons are of each.
Antivirus
Antivirus is probably what most people are familiar with because it has been around for years. Remember that little McAfee logo at the bottom of your computer? Before he was a tech millionaire, the founder, John McAfee, was a cybercriminal. He has a crazy documentary you can check out on Netflix. Basically, the way that his and other antivirus software are trained is to look for signature-based alerts. Signatures are indicators of known strains of malware. Once the tool sees that familiar strain of malware, it blocks it from being executed onto the computer. However, criminals can easily modify their malware code to circumvent antivirus detection, so many teams have evolved into using endpoint detection and response.
Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) has taken the cybersecurity market by storm. Some of the big players include companies like CrowdStrike, SentinelOne, Sophos, and many others. These tools work like antivirus blocking signature-based alerts, but they take it a step further by incorporating behavioral analysis into their portfolio. If the user does not typically do behavior X, that triggers an alert for the security team to begin an investigation. The challenge with these tools is they are typically agent-based. That means there is a software packet downloaded onto the endpoint (desktop, laptop, server), and that agent monitors that device. However, it does not correlate events across devices or applications. So, for example, when a phishing email gets through your email filter, that information is not captured by the EDR. It is only identified when a malicious activity is conducted on the endpoint. Basically, these tools contain an explosion as it detonates. To get better visibility, EDR is evolving into the next generation of detection, extended detection and response.
XDR and SIEM
Extended Detection and Response (XDR) is relatively new to the market. In an attempt to combat the siloed nature of information EDR receives, XDR attempts to integrate with other security appliances, such as a firewall. The drawback to this model is that XDR providers often charge per feature or module that you would like integrated into your detection system, and that can lead to runaway costs. These technologies are new to the market and integrations can be spotty at times. An alternative more established technology that works in a similar fashion integrating additional log sources and correlating events, is a Security Information and Event Management (SIEM) tool. In today’s market, this is your best detection capability. This operates like the Sherlock Holmes of cyber, taking tiny seemingly insignificant details and piecing them together to create a cohesive story and catch the bad guys. A SIEM can be invaluable in auditing logs. If you have compliance requirements like PCI-DDS, CMMC, or SOC II, a SIEM will make your auditing procedures more efficient.
Having these tools is critical to effectively detecting security events. Once the event is detected, it is important to have a team with cyber-specific training available to handle the response. In my next article, we will talk about the pros and cons of insourcing our outsourcing your response capabilities. If you are an executive, start a dialogue with your IT team about how they detect threats. If you are a technical professional, share this article with your team to advocate for obtaining these capabilities or to pat yourself on the back for having them in place. Until then, watch out for insider threats so that you don’t get Keyser Soze’d, and think twice before you click.
