The Wand Is Only as Good as the Magician: Getting the Most From Prevention Tools

As organizations deal with newly remote workers and business uncertainty, prevention is more important than ever. Cyberattackers are looking to capitalize on the current climate and seek vulnerabilities. The CrowdStrike® Services team is seeing a record number of ransomware infections, data leaks and targeted attacks — as well as a troubling trend: Organizations are often failing to enable key preventative features designed to stop malicious activity.

 

Failure to configure these tools properly is often worse than not having them in the first place because it can give organizations a false sense of security and waste security budgets. While this is not a new phenomenon, the growing frequency of ransomware and other disruptive attacks is increasing the impact on organizations that fail to effectively block malicious activity.

Misconfigured Security Toolsets

 

It is not uncommon for the CrowdStrike Services team to encounter cutting-edge security toolsets that are not properly deployed or managed effectively. This includes unpatched exploits, severe misconfigurations, botched deployments, and lower than useful prevention settings that can allow attackers to infect endpoints and move laterally throughout the environment. Large companies are not immune to this pitfall — in fact, CrowdStrike Services found that they are often more likely to fail to configure or misconfigure their security tools.

 

Even though they have significantly more resources than smaller organizations, they often have sprawling footprints, complex networks and multiple improvement projects running at any given time, and they sometimes fail to dot all the i's and cross all the t’s. And unfortunately, the move to a more remote and dispersed workforce

 

and operations is likely to exacerbate the problem.
This issue isn’t limited to endpoint detection platforms. The team has also found crucial misconfigurations in intrusion prevention systems, data loss prevention tools, multi-factor authentication (MFA) platforms and cloud access security brokers. For example, the CrowdStrike Services team has responded to incidents where security controls — such as next-generation firewalls that segment corporate and production networks — were in place, but the victims had failed to configure any firewall rules. This allowed malware to quickly spread laterally to business-critical production equipment.

Maximizing Prevention Capabilities

Although misconfigurations are probably not significantly more common now than in years past, current threat trends place greater dependence on prevention, which makes misconfigured or under-optimized tools more problematic. And, like most human factors in security, it manifests in different ways. In some instances, security tools are deployed in “monitor” or “detect” mode during proof-of-concept testing to prevent disruptions in an environment, and more stringent prevention features are never enabled.

 

In other cases, information security teams are requesting these features to be enabled, but IT teams are not responding, either because they do not trust the tool or it is not a priority. Even more troubling, some companies purchase security tools just to meet compliance requirements and never fully implement them, leading security teams to believe they are protected when they are not. Because there is no single cause, there is no single fix. But there are steps that organizations can take to maximize the efficacy of their tools, both now and as good standard practice moving forward:
  • Never purchase a tool just for compliance reasons. It is fine for compliance to be a driver in a technology purchase, but there must be people assigned to use and optimize the tools and processes.
  • Develop implementation plans for any new tools. These plans should involve both IT and information security teams to ensure that stakeholders are aware of the tool’s purpose and intended use. This planning process should also identify the tool’s operational impact on the business and the degree to which that can be tolerated.
  • Create a regular cadence of security tool review. New features, capabilities and functions are often added to these solutions regularly. Your teams should evaluate, test and implement rollout plans as new capabilities reach the market. “Setting and forgetting” is a recipe for failure as the threats, tactics and techniques change faster than most tools can adapt.
  • Establish change management guidelines. A tool’s agreed-upon configuration should be documented and then audited multiple times a year. Information security teams should frequently discuss configurations and new features with vendors and support teams to maximize the tool’s value and validate its use in the organization’s environment.
  • Develop a detection and prevention framework. Not every tool needs to be deployed with the strictest preventative configurations enabled, especially if compensating controls exist. Implementing a detection and prevention framework should identify the threats and use cases that an organization wants to address, and also identify which tools are mapped to which use cases. This provides an excellent foundation for determining which use cases to prevent and which ones to detect, and with what tools. It also provides a great source of security metrics.
  • Test yourself. Regular audits and adversary emulation exercises should ensure that the tools are working as intended.
  • Take a risk-based approach. Ideally, organizations would tune their toolsets endlessly in pursuit of optimal security. This is great if you have the time and resources, but it’s not feasible for most organizations. If you can’t lock everything down, choose your battles. Identify the attacks you most want to prevent and focus on them first.
Visit CrowdStrike’s COVID-19 resource hub for guidance on how to best protect your organization during these unprecedented times, and download the complete CrowdStrike Services Cyber Front Lines Report for more observations gained from the cyber front lines in 2019 and insights that matter for 2020.

 

Additional Resources:

Breaches Stop Here