04 December, 2020
By Paul Bottomley, Endpoint Hunt Lead, and
Wietze Beukema, Endpoint Hunt Senior Analyst
The disruption caused by COVID-19 has put organisations at even greater risk of suffering a cyber attack. There has been a surge in intrusions, ransomware, and data breaches, along with an increase in phishing attempts, as cyber criminals seek to take advantage of the uncertainty around our new working practices.
For example, there has been a sharp increase in human-operated ransomware attacks. This is not the conventional self-propagating ransomware like WannaCry – it involves skilled, adaptable, financially-motivated people who can evolve their tactics to maximise the chance of a payout. Furthermore, our experience is showing us that these ransomware attackers are exploiting several common IT and security weaknesses, such as vulnerable web-facing services for initial entry, poorly configured Active Directory to compromise privileged accounts, and using a combination of legitimate admin tools and security testing tools to compromise systems further.
This worrying trend highlights the importance of a data-driven approach to cyber risk -- using endpoint data and both internal and external enrichment sources to identify, validate, measure and track cyber risk over time. But understanding cyber risk is not an easy task; IT estates are extremely complex, with endpoints comprising different operating systems, business applications, custom add-ons, data repositories, user behaviours, etc. Distilling and aggregating these data points into meaningful metrics forms part of the challenge, alongside:
A new approach to cyber risk management is needed. Our data-driven solution to identify, validate, measure and track risk over time assembles a set of powerful interactive dashboards that enrich endpoint data collected using Tanium. This single visualisation layer presents broad sets of telemetry in the form of impactful metrics and data points, that can be cut, sliced, and filtered in a number of ways, and tracked over time in a repeatable way.
Our solution is underpinned by the following five features:
An example of the first concept, asset identification, can be seen on our Managed Endpoints dashboard, one of twelve dashboards our IT and Cyber Risk Visualisation service offers.
By combining asset data collected using Tanium with Configuration Management Database (CMDB) data, it is possible to establish what ‘role’ each endpoint has within your IT estate, and how critical it is to your business. This allows you to prioritise the assets most important to your organisation, rather than looking at all your assets as though they were equal.
You may also want to look at your data based on tags you have assigned to endpoints within Tanium. Some organisations use these tags to distinguish endpoints based on their criticality, geographic location, whether they are development or production machines, applications running on the endpoint, and so on. Being able to get the latest tag mapping and filter all other Tanium output using this datapoint provides a quick and flexible way to slice your data. Once again, this filter is available on every dashboard.
As well as internal enrichment sources, ‘external’ information is just as important. An example of this is taking a closer look at Common Vulnerabilities and Exposures (CVEs) and TTPs used by attackers targeting your sector. These actors are more likely to target your organisation too, so at a minimum you should consider what methods they have used in the past and take preventative measures.
An example of this can be seen on our Signals dashboard, which shows the behavioural rules (Tanium Signals) that have generated alerts. We implemented a MITRE ATT&CK® visualisation to show how these alerts and TTPs align. If we correlate this with data from our Threat Intelligence team for your sector, we get a subset of alerts that should probably be prioritised. Combine this with your internal role/criticality mapping, and you get a much richer understanding of the risk such alerts impose.
Tanium Signals provide important real-time insights on actual, observable threats within your estate, as we have previously written about in the Signal the ATT&CK blog series.
An example of the third concept, security and hygiene (risk) indicators, can be seen on our Vulnerabilities dashboard, which is all about CVEs identified on your estate.
A key factor in determining the impact a CVE might have is the CVSS score, which plays a prominent role on this dashboard. Because all dashboards are fully interactive, it is possible to search for specific CVEs, highlight multiple vulnerabilities on the scatter plot or filter on CVSS score. A breakdown of CVSS severity versus endpoint role and criticality, as can be seen in the top right corner, helps focus your attention on the vulnerabilities that matter most.
Other helpful ways of looking at your data, for example considering CVE year to distinguish old and new vulnerabilities, or CVE vendor to identify where you need to improve patching, can give unique insights that are hard or impossible to get by looking at the raw data.
Another example of enriching your data with external data points is the Public Exploit angle, for which we automatically look up CVEs against a database of publicly available exploits. These vulnerabilities have the highest potential of being abused by attackers, and are therefore something you may want to consider when comparing the real risk a vulnerability poses.
Once you combine all these tools together, you can really see the most serious vulnerabilities posing the biggest threat to your environment. Perhaps you want to filter CVEs that are present on your most valuable assets, have a CVSS score of 8.0 and above, have a public exploit available and are internet facing. Using your current tooling and methods, would you be able to find these CVEs with the same ease?
To remediate the CVE issues found, as per the fourth concept, we have a dedicated Patching dashboard focusing on fixing Microsoft vulnerabilities. Once again, public data sources are leveraged to provide more context. By using real-time information from the Microsoft Security Updates API, it is possible to see which patches should be installed to resolve the highest number of vulnerabilities.
If you are familiar with Microsoft patches (‘KBs’), you will be aware that sometimes there are multiple patches available to fix the same vulnerability. By looking at all available patches across your entire estate, it is possible to work out which patches will address the most vulnerabilities.
The green tree map in the bottom left corner contains a rectangle for each eligible patch: the bigger the rectangle, the more vulnerabilities it will fix. For example, in the animation above, after filtering on Microsoft CVEs with the highest severity level, we see that over 5,500 of the 17,000 vulnerabilities can be addressed by installing just 7 patches.
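The patch-selection logic behind the tree map, as an added illustration that is not the dashboard's own code: vulnerability findings are filtered by CVSS (the "highest severity" filter above), then patches are picked greedily, each time choosing the KB that resolves the most findings not yet covered. Host names, CVE ids and KB numbers in the sample data are constructed placeholders, and the CVE-to-KB mapping is assumed to come from the Microsoft Security Updates API rather than embedded here.

```python
from collections import Counter

# Constructed sample data (placeholders, not real identifiers): one record per
# vulnerability observed on one endpoint, with the KBs listed as fixing that CVE.
# A finding with an empty "kbs" set has no patch available yet.
FINDINGS = [
    {"host": "srv-01", "cve": "CVE-EXAMPLE-1", "cvss": 9.8, "kbs": {"KB100", "KB200"}},
    {"host": "srv-02", "cve": "CVE-EXAMPLE-1", "cvss": 9.8, "kbs": {"KB100", "KB200"}},
    {"host": "srv-01", "cve": "CVE-EXAMPLE-2", "cvss": 8.8, "kbs": {"KB100"}},
    {"host": "srv-03", "cve": "CVE-EXAMPLE-2", "cvss": 8.8, "kbs": {"KB100"}},
    {"host": "srv-02", "cve": "CVE-EXAMPLE-3", "cvss": 7.5, "kbs": {"KB300"}},
    {"host": "srv-03", "cve": "CVE-EXAMPLE-4", "cvss": 9.1, "kbs": {"KB200"}},
    {"host": "wks-02", "cve": "CVE-EXAMPLE-4", "cvss": 9.1, "kbs": {"KB200"}},
    {"host": "wks-01", "cve": "CVE-EXAMPLE-5", "cvss": 9.0, "kbs": set()},
]


def critical_findings(findings, min_cvss=9.0):
    """The severity filter: keep only findings at or above the CVSS threshold."""
    return [f for f in findings if f["cvss"] >= min_cvss]


def rank_patches(findings):
    """Greedy set cover over (host, cve) findings.

    Repeatedly picks the KB that resolves the most still-open findings and removes
    everything it fixes. Returns the ordered plan [(kb, findings_newly_fixed), ...]
    and the findings left over because no patch is available for them.
    """
    remaining = {(f["host"], f["cve"]): set(f["kbs"]) for f in findings}
    plan = []
    while remaining:
        counts = Counter(kb for kbs in remaining.values() for kb in kbs)
        if not counts:
            break  # only unpatchable findings are left
        kb, fixed = counts.most_common(1)[0]
        plan.append((kb, fixed))
        remaining = {k: v for k, v in remaining.items() if kb not in v}
    return plan, sorted(remaining)


if __name__ == "__main__":
    print("all findings:", rank_patches(FINDINGS))
    print("CVSS >= 9.0 :", rank_patches(critical_findings(FINDINGS)))
```

Note that the best first patch changes with the filter: across all findings KB100 fixes the most, but once only CVSS 9.0+ findings are considered KB200 covers all four patchable ones on its own.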
Similar to all other pages, further drilling this down will give even more environment-specific insights, e.g. by filtering on endpoint criticality, business unit, region, and so on.
The only way to tell your board you’re making progress is by tracking your risk, our fifth concept. Every dashboard has a time filter that shows the same page as it looked in the past, which makes comparing results easier. A good example of this is the Patching Efficacy dashboard, which shows detailed charts and metrics reflecting the ‘real’ state of your patching efforts. Once again, through filtering and drilling down, it is possible to see, for example, whether you are meeting your service level agreements (SLAs) for resolving critical vulnerabilities on your most important assets, to determine how well you’re doing at resolving a specific CVE, or to compare how well different business units are doing at patching.
In summary, dedicated tooling that lets you identify and assess the real cyber threats your organisation faces, quantify them in a way that reflects the nuances of your IT estate, and measure, report and track them over time is instrumental in getting a handle on your cyber security risk.
Combining Tanium’s rich data sets with our powerful models, methodology and dashboards, it is possible to achieve all of the above in a simple and accessible dashboard.
If you want to see more, we’re more than happy to give you a full demonstration or provide you access to our demo environment. Please reach out to us to learn more.
We have been working closely with Tanium for almost seven years now, using the power of near real-time visibility into endpoints to detect, contain and remediate targeted intrusions for our global client base. Through this partnership, we have built Tanium-specific services – helping our clients with everything from threat intelligence to incident response, proactive threat hunting and risk assessments and a range of consulting and integration services within the cyber threat detection and risk domain.
Are you running Tanium in your network and want to discuss IT and Cyber Risk Visualisation in more depth? Drop an email to Paul or Wietze using the contact details below.