Last Updated on March 16, 2023
Is your cybersecurity program pointed in the right direction? Many security efforts focus on preventing attacks, but in practice that’s next to impossible. Is an emphasis on detection and response better at reducing the impact of attacks?
To share foundational approaches that help SMBs balance business functionality/benefit with risk exposure, Dr. Eric Cole, popular author and Founder/CEO of Secure Anchor Consulting, was our special guest on a recent episode of The Virtual CISO Podcast. Pivot Point Security’s CISO and Managing Partner, John Verry, hosts the show.
Why emphasize detection?
“I’m a pretty calm, nonviolent guy, but I’ll probably start beating on them if I find the person who said the goal of cybersecurity is to prevent all attacks,” Eric bluntly states. “The goal of cybersecurity is timely detection and control the damage.”
“I would argue that all the major breaches [show failure] in those area,” continues Eric. “If somebody broke in and stole 10 records, and you control the damage, it wouldn’t have been all over the news. It’s about the timely detection, response and control of your data.”
The benefits of outbound detection
What’s the right detection/prevention balance? As Eric notes, most SMBs focus mainly on preventive measures: “I would say to most of our clients, keep doing what you can on the preventive side. You’re probably doing as much as you can, so maintain that. But the bigger focus has to be on the outbound detection.
“Inbound prevention, outbound detection—that’s the other piece,” clarifies Eric. Most of our clients that are doing detection are still focused on the inbound. Where does data leakage occur? When does exfiltration occur? When do command and control channels [materialize]? Outbound, outbound outbound!”
Geo-mapping and geo-gating
Eric suggests geo-mapping your outbound traffic using an automated, potentially free tool. Many SMBs are stunned to realize that significant outbound data flow is going to far-flung countries where they do no business whatsoever, like China, Russia and (increasingly) Venezuela. Then when they pinpoint their compromised systems, they find that they were hacked months or even years ago.
“All I did was change the perspective,” Eric points out. “This isn’t hard. I can’t understand why more organizations aren’t just monitoring and tracking outbound communication and doing basic geolocation.”
One of the freeware “geo” tools Eric recommends is EtherApe. He also notes an add-on for Ethereal plus a couple of commercial tools.
John advises going a step beyond examining your outbound traffic and geo-gating your firewall. This is a very simple and highly effective way to prevent data exfiltration and command/control communications between hackers and their malware.
“Drop all your connections from these 262 countries that you have nothing to do with,” John recommends. “Suddenly your risk profile just went down an order of magnitude. I understand we’re going to have [hackers] who are running VPNs and other types of devices to hide where their traffic’s really being sourced from. But what percentage of the noise did you just get rid of? I think the idea of geo in either direction is fantastic.”
If you want to create a better balance between system functionality and cyber risk exposure, don’t miss this podcast episode with Dr. Eric Cole.