Inside the kill chain: What the data tells us about security priorities
- Posted on January 7, 2021
- Estimated reading time 3 minutes
As a global systems integrator with hundreds of clients around the world, Avanade has access to a treasure trove of security data points. This information – kept strictly confidential and anonymous – has now been analysed to give you insight into what’s driving the state of cybersecurity today.
Intriguingly, our data mirrors the ‘kill chain’ of a typical cyberattack, reflecting our clients’ priorities and revealing which areas are most at risk of compromise.
Let’s take a look at how our data fits into four vital phases of the security kill chain.
1. Detecting the attack
Determining whether an attacker is attempting a breach is one of the most difficult areas of cybersecurity. Security information and event management (SIEM) tools – such as Microsoft Sentinel – showed up as one of the top priorities among our clients. And not without reason: SIEM tools are essential for detecting both external and internal threats. The need for SIEM is compounded by the shortage of security professionals – estimates suggest a shortfall of 3.5 million security professionals by 2021. That’s where Microsoft Azure Sentinel steps in. Sentinel gives you a bird’s-eye view across your organisation, combining the power of the cloud with Microsoft’s large-scale security intelligence. It makes threat detection and response smarter and faster, using AI to better secure your organisation.
2. Investigating and denying access
Another top performer in our customer data was Zero Trust, which ranks as one of the top five most important concepts in cybersecurity. Our numbers show that ‘data security’ is one of the biggest priorities for our clients, and Zero Trust is central to keeping malicious agents at bay. Zero Trust means exactly that – eliminate the idea of ‘trust’ in a network. No more assumptions or partial login credentials: you need to prove who you say you are every time. Executed well, Zero Trust needn’t impede the user’s productivity; rather, it should make an attacker’s life much harder.
With its central position within almost all organisations, Active Directory (AD) is a major security priority for our customers, as our data shows; it’s third on our list of the most-asked-about security topics. Across our clients, we’re seeing more and more hardening activities to help mitigate or prevent attacks. These include tactics like AD database consolidation and configuration changes to make AD tougher, updating password policies, locking down configuration options, increased patching and maintenance, and patching legacy protocols.
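Two of the hardening activities named above, password policy and legacy authentication protocols, can be checked against a baseline from a domain-joined machine with the RSAT ActiveDirectory module. The script below is an added example written for this article, not code from Avanade or Microsoft; the baseline thresholds (a 14-character minimum, 24 remembered passwords, a lockout threshold of at most 10 attempts, LmCompatibilityLevel 5) are this example’s assumptions and should be replaced with your own policy. The registry check reads the machine the script runs on, so run it on a domain controller to assess the DC’s own setting.

```powershell
# Added example (not from the article): audit the domain's default password policy
# and the local LmCompatibilityLevel against baseline values chosen for this example.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Baseline values are assumptions made for this example, not figures from the article.
$Baseline = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    LockoutThreshold     = 10   # 0 in AD means account lockout is disabled
    LmCompatibilityLevel = 5    # 5 = send NTLMv2 only, refuse LM and NTLM
}

function Test-DefaultPasswordPolicy {
    # Compare the domain-wide default policy with the baseline; emit one string per finding.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); baseline is $($Baseline.MinPasswordLength)"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    if ($policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled; stored passwords are recoverable in clear text"
    }
    if ($policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); baseline is $($Baseline.PasswordHistoryCount)"
    }
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold); baseline is 1 to $($Baseline.LockoutThreshold)"
    }
    $findings   # an empty array emits nothing, so callers see no output when the policy is compliant
}

function Test-LmCompatibilityLevel {
    # Legacy protocol check on this machine: any level below 5 still permits LM or NTLMv1 responses.
    # When the value is absent, Windows applies its OS default, which is below 5 on current releases.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -eq $lsa -or $null -eq $lsa.LmCompatibilityLevel) {
        "LmCompatibilityLevel is not set (OS default applies); baseline is $($Baseline.LmCompatibilityLevel)"
    }
    elseif ($lsa.LmCompatibilityLevel -ne $Baseline.LmCompatibilityLevel) {
        "LmCompatibilityLevel is $($lsa.LmCompatibilityLevel); baseline is $($Baseline.LmCompatibilityLevel)"
    }
}

# Collect findings from both checks; @( ; ) keeps the result an array even when empty.
$results = @(Test-DefaultPasswordPolicy; Test-LmCompatibilityLevel)
if ($results.Count -eq 0) {
    Write-Output 'No findings against the baseline.'
}
else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy -Filter *) override the default policy for the groups they apply to, so a complete audit should run the same comparison against each of those as well.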
3. Disrupting the attacker by stopping or changing outbound traffic
Detecting a security breach was one of the key concerns highlighted by our data. To help stop an attack in its tracks – or at least delay it – security-conscious organisations are routing all outbound traffic through a cloud service that analyses traffic in-line to prevent data from being lost or stolen. Microsoft Azure Security Centre and Microsoft 365 Advanced Compliance are both options here. For example, Azure Security Centre can control workload and traffic using the scale and power of the cloud. Doing this on-prem would be very difficult.
Equally, organisations are implementing remote management on a ‘just in time’ basis. This means outbound traffic is locked by default, opening only when an authorised user needs to send information.
We’re also seeing strong interest in SOAR (Security Orchestration, Automation and Response) and EDR (Endpoint Detection and Response) tools. These tools automate the fight against security threats by responding to low-level attacks instantly and without the need for human intervention.
4. Containing the attack and reporting
Compliance and GDPR are the number one concern for our customers. At first this sounds like a mistake – surely threat detection or security should be the biggest concern? But, in fact, it shows a maturity of approach: smart organisations know they will be attacked; it’s a matter of when, not if. The immediate task once the threat has been detected and contained is to assess the damage and have a precise record of what has been breached, if anything. Then a rules-compliant notification can be made in the shortest possible timescale. GDPR, for example, penalises organisations that delay notification. This data also suggests that clients are taking a compliance-led approach to their security maturity and their compliance with frameworks and standards, which are key tools for building a mature cyber security service.
We’re also seeing more and more e-discovery projects. E-discovery is an important step in the compliance process, as it lets organisations quickly and easily gather evidence and information. You can use eDiscovery tools in Microsoft 365 to search for content in Exchange Online mailboxes, Microsoft 365 Groups, Microsoft Teams, SharePoint, OneDrive, and much more.
What we learnt
Our data shows where the priorities lie for our clients. Here are the top six security issues:
- Compliance and GDPR are the biggest concerns.
- Data security, DLP and identity protection are vital.
- Active Directory is the most targeted feature. We’re seeing plenty of proactive hardening activities taking place around AD.
- Security information and event management (SIEM) tools are a priority.
- Zero Trust has maximum importance.
- Customers want secure clouds.
Reduce your security risks, talk to Avanade today
Recognise the concerns expressed by our customer data? Want to secure your organisation and be fully prepared for cybersecurity attacks? Contact me today.