The situation has been exacerbated by the pressures of the last couple of years, says Darren Reid, Director, Security Business Unit Australia/New Zealand, VMware, as companies had to quickly pivot to enable their employees to work remotely. “Previously companies used to have a big moat around them. They’d have people walking into the office on a known device. The company would control the network and they’d be able to secure that and ensure only people that were allowed on the network could get on it…
“What we now have is people on any device, coming across literally any network – from a home NBN connection to a coffee shop, to a library, to a mobile connection. And they’re accessing applications that the organisations no longer really control because they’re sitting in the cloud.”
Add to this heightened geopolitical unrest, with nation-state actors behind ever more sophisticated threats, and the picture is more alarming still. “These are very well-funded, very motivated actors who are targeting very specific industries. Companies in critical infrastructure, such as food, water, utilities or other core infrastructure, have seen monumental increases in the attacks that they’re receiving. And the attacks are sustained, they’re not one-offs,” says Reid.
Against this backdrop, it is understandable that SOC teams, the people who staff cyber security operations centres, are reporting growing levels of stress and burnout, compounded by a shortage of skills.
Mitigation strategies
To mitigate increasing ‘SOC fatigue’, says Reid, education and keeping staff vigilant are imperative. However, inherently trusting Australians fall victim to scams more often than most, he says. “It comes down to automation and technology. If your security operations team – however big or small, and whether it’s in-house or outsourced – is already overwhelmed by the sheer volume of issues, then you need to help them filter through all of the various telemetry notifications to help them understand the ones that they really need to be paying attention to.”
The danger here is that it is possible to inadvertently block legitimate access, which is why each business and its operations must be considered individually and the relevant questions asked. Software like VMware Carbon Black can determine whether a particular activity is of the sort that would normally be allowed; when an operation or user behaviour is identified as out of the ordinary, the team is alerted. “We then start to carefully narrow the border around this particular user, until we see them doing either the right thing or the wrong thing,” explains Reid.
Implementing endpoint detection and response (EDR) software can ease the burden on overwhelmed SOCs by taking a significant slice of their responsibilities out of their hands and freeing time for other tasks. A toolset that already has responses for the most common attacks (mapped to a framework such as MITRE ATT&CK), combined with existing knowledge and skills, lets an infrastructure person act on the network to limit the attacker’s movement while the security team contains the threat to a single device or application.
“Because it's unlikely that a malicious actor is going to attack just a single machine,” says Reid. “They’re likely to be doing it to multiple staff members.”
Software like VMware Carbon Black lets users automatically scan for where else the same attack may be occurring in the environment and take action there too.
Plus, a framework like MITRE ATT&CK is updated regularly to recognise and describe the many different types of attack being carried out.
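As an added example (not code from the article, VMware or Carbon Black), the following Python script sketches the workflow described above: detection rules tagged with MITRE ATT&CK technique IDs run over a handful of constructed endpoint events, the host that fires is marked for isolation, and the rest of the fleet is then swept for the same attacker artefact, catching a second staff member who received the same payload even though the rule did not fire there. It also shows the over-blocking risk mentioned earlier: pivoting on the hash of powershell.exe would flag a host running a legitimate script. The ATT&CK IDs are real; the host names, hashes, command lines and rule logic are constructed for illustration.

```python
"""Toy EDR-style triage, constructed for this article (not Carbon Black code):
tag telemetry with MITRE ATT&CK technique IDs, isolate the first host that
fires, then sweep the rest of the fleet for the same attacker artefact."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str
    process: str
    cmdline: str
    sha256: str  # hash of the executing binary (constructed placeholder values)


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str  # ATT&CK technique ID
    pivot: str      # attacker-controlled artefact to hunt for on other hosts
    event: Event


# Constructed telemetry. ws-01 and ws-02 received the same phishing payload
# (ws-02's variant omits '-w hidden', so the rule alone misses it); ws-03 runs
# a legitimate script with the same powershell.exe hash; ws-04 maps an admin
# share using alice's credentials.
EVENTS = [
    Event("ws-01", "alice", "outlook.exe", "powershell.exe",
          "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi", "ps-hash"),
    Event("ws-01", "alice", "powershell.exe", "rundll32.exe",
          "rundll32 C:\\Windows\\System32\\comsvcs.dll MiniDump 612 C:\\Temp\\l.dmp full",
          "rundll-hash"),
    Event("ws-02", "bob", "outlook.exe", "powershell.exe",
          "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBi", "ps-hash"),
    Event("ws-03", "carol", "explorer.exe", "powershell.exe",
          "powershell -File C:\\Scripts\\nightly-backup.ps1", "ps-hash"),
    Event("ws-04", "dave", "services.exe", "cmd.exe",
          "cmd /c net use \\\\fs-01\\C$ /user:corp\\alice", "cmd-hash"),
]

# Each rule: (ATT&CK ID, description, predicate, pivot extractor). The IDs are
# real ATT&CK technique IDs; the predicates are deliberately simplified.
RULES = [
    ("T1059.001", "hidden, encoded PowerShell",
     lambda e: e.process.lower() == "powershell.exe"
     and bool(re.search(r"-(enc|encodedcommand)\s+\S+", e.cmdline, re.I))
     and bool(re.search(r"-w(indowstyle)?\s+hidden", e.cmdline, re.I)),
     lambda e: re.search(r"-(?:enc|encodedcommand)\s+(\S+)", e.cmdline, re.I).group(1)),
    ("T1003.001", "LSASS dump through comsvcs.dll MiniDump",
     lambda e: e.process.lower() == "rundll32.exe"
     and "comsvcs.dll" in e.cmdline.lower() and "minidump" in e.cmdline.lower(),
     lambda e: "comsvcs.dll minidump"),
    ("T1021.002", "admin share mapped from a shell",
     lambda e: e.process.lower() == "cmd.exe"
     and bool(re.search(r"net\s+use\s+\\\\\S+\\[a-z]\$", e.cmdline, re.I)),
     lambda e: re.search(r"(\\\\\S+\\[a-z]\$)", e.cmdline, re.I).group(1)),
]


def detect(events):
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    return [Finding(e.host, tid, pivot(e), e)
            for e in events for tid, _, pred, pivot in RULES if pred(e)]


def sweep(events, findings):
    """Hunt other hosts for each finding's attacker artefact (the encoded
    payload, the dump invocation, the share), whether or not a rule fired."""
    hits = defaultdict(set)  # technique -> hosts where the artefact recurs
    for f in findings:
        for e in events:
            if e.host != f.host and f.pivot.lower() in e.cmdline.lower():
                hits[f.technique].add(e.host)
    return {t: sorted(h) for t, h in hits.items()}


def sweep_by_hash(events, findings):
    """The naive pivot: every host that ran the same binary. Living-off-the-land
    tools make this over-match: powershell.exe is identical on ws-03, whose
    backup script is legitimate, so isolating on this basis blocks real work."""
    hits = defaultdict(set)
    for f in findings:
        for e in events:
            if e.host != f.host and e.sha256 == f.event.sha256:
                hits[f.technique].add(e.host)
    return {t: sorted(h) for t, h in hits.items()}


def containment_plan(events):
    """Hosts to isolate, each with the ATT&CK techniques justifying it."""
    findings = detect(events)
    plan = defaultdict(set)
    for f in findings:
        plan[f.host].add(f.technique)
    for tid, hosts in sweep(events, findings).items():
        for h in hosts:
            plan[h].add(tid)
    return {h: sorted(t) for h, t in sorted(plan.items())}


if __name__ == "__main__":
    for host, techniques in containment_plan(EVENTS).items():
        print(f"isolate {host}: {', '.join(techniques)}")
```

Run as a script, it lists ws-01 (encoded PowerShell and LSASS dump), ws-02 (same payload, found only by the sweep) and ws-04 (admin share), while ws-03 stays untouched; `sweep_by_hash` shows the same sweep done on the binary hash would have pulled ws-03 in as well. In a real deployment the rule set would come from the EDR vendor or a shared detection repository and the isolation step would call the EDR's quarantine API; the structure, detect on one host, pivot on the attacker's artefact, act fleet-wide, is the point.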
Priorities
Reid also advises considering the issue from an escalation viewpoint by identifying an organisation’s most important pieces of data, whether that be R&D, customer data or credit card information. “Then work your way out,” he says. “Protect your crown jewels first and then work out what happens next. What’s the next most important?”
The same applies to ransomware – one locked laptop may not have too much of an impact, but a company being locked out of its entire database is a much bigger problem, he says, so security measures should be prioritised accordingly.
Adopting the Australian Government’s Essential Eight mitigation strategies, educating staff and implementing the best fit-for-purpose software won’t stop cyber attacks, but it may go some way to preventing SOC team burnout and distress.