Pratum Blog

Be prepared for a mistake! Perform a business impact analysis to understand how various cyberattacks will affect your business.

Bob manages inventory at a mid-size manufacturer. On a very busy day, Bob sees an email from the IT team asking him to confirm his login information. He clicks a link, confirms his login credentials and gets back to what he was doing.

Without knowing it, Bob just gave his credentials to a hacker, who logs into the company environment and starts figuring out what they can access.

A few seconds of carelessness by Bob trigger a chain of events:

A month later, the hackers send the company an email announcing that they have encrypted most of the company's data and want a $500,000 ransom to release it.

The Impact

  • While the company decides what to do, all operations at the plant shut down.
  • Managers send 55 workers home for two days at half pay.
  • The company misses $75,000 worth of deliveries.

The Impact Severity

  • The company decides not to pay the ransom, but it spends $45,000 recovering its data and investigating the breach.
  • Three major customers lose faith in the company's ability to deliver and decide not to renew their contracts totaling $325,000 in lost business.
  • Because of the breach, the company's cyber security premium goes up $15,000 per year at renewal time.
  • The combined costs of the breach mean the company misses its revenue target and can't pay bonuses.
  • Reduced demand next year requires the company to lay off 5 employees.

To learn more about Pratum's security consulting services, contact us today.

Fog of War - soldiers in battle in fog with computer network overlay

Network visibility is critical to cybersecurity, but how do you control costs, improve visibility and avoid costly distractions like false positives?

Warfare is the way of deception.

Therefore, if able, appear unable; if active, appear inactive; if near, appear far; if far, appear near.

If your enemies have advantage, bait them; if they are confused, capture them; if they are numerous, prepare for them; if they are strong, avoid them; if they are angry, disturb them; if they are humble, make them haughty; if they are relaxed, toil them; if they are united, separate them.

Attack where your enemies are not prepared; go to where they do not expect.

This strategy leads to victory in warfare, so do not let the enemy see it. – Sun Tzu, 01.13-17, Sonshi translation

During World War II, the 23rd Headquarters Special Troops boasted of two divisions of nearly 30,000 soldiers. Their tanks, artillery, planes and large-scale maneuvers made instrumental contributions to the invasion of Normandy, the Battle of the Bulge, counter-positioning at the Maginot Line and the Rhine River crossing.

They drew and held the attention of the Axis forces in Europe from the middle of the war onward. Although the Axis likely could have destroyed the 23rd at many opportunities during the war, they dared not risk their resources on a direct attack.

The very existence of the organization remained classified for 50 years after the war and, once declassified, was considered worthy, as a unit, for the Congressional Gold Medal.

There was only one problem: the two divisions of the 23rd did not exist.

In fact, at its largest numbers, the 23rd – more famously known as the Ghost Army – included about 1000 soldiers total, most of them artists and sound engineers. Their guns were props. Their tanks were inflatable.

The true threat capability of the 23rd was based entirely on deceiving their target, distracting the target from legitimate threats, and paralyzing its systems into inaction. The Ghost Army was a real-world “false positive” that drew attention throughout the war, without ever once being detected as such.

The Axis could see into their network of threats…but they saw too much – more than was present – and it proved costly.

Improving Network Visibility – Omniscience Versus Calibration

Network visibility is critical to security, but there is a serious risk of seeing too much. Sometimes, you pay for the privilege of becoming distracted by false threats.

It is impossible to always have perfect vision in a secure environment. Attacks can come from anywhere, systems can become overtaxed, human monitoring can suffer a lapse.

Even if network omniscience were possible, your defenses would not be “perfectly” robust. There would be too much noise: too many distracting data points, far too many false positive events, and of course, to even attempt omniscience would be cost prohibitive.

So, how do you effectively calibrate your visibility into the network and manage the costs, all while avoiding time-consuming false positives? It starts with monitoring network health costs.

Counting the Costs

Your visibility solution(s) obviously come with a price tag, so it is important to identify the return on investment up front.

Downtime (Technical/Productivity)

First, predict the amount of annual or quarterly downtime that could be prevented by seeing potential vulnerabilities in the network before they become liabilities. Catching system flaws and shoring them up is a key benefit to be had from a well-tuned visibility solution.

Most of the top causes of network downtime are faults, errors or discards in network devices, device configuration changes, user errors, failed upgrades and patches, and device mismanagement. All can be anticipated in a visible network.

Attacks

Of course, in addition to being a contributor to downtime, security attacks present their own added costs. There are known hard and soft costs and costs that can remain hidden in the aftermath for months.

Churn

For organizations whose customers are expected to touch the network in some way, customer churn can increase when there are visibility issues.

When your network isn’t visible, you may not even know what customers and revenue you are losing. When you waste time and resources on false positives, your costs go up, leaving you less able to attract and keep customers.

Use Case 1: Unseen Network Configuration Errors

A videoconference provisioning company has poor visibility into its own network. Trouble tickets and calls about interruptions in video calls are coming in, and users are being directed by the trouble-center to reboot and try the call in a new browser. This works for some users, but not for the majority. It turns out that the main culprit of the problem is the configuration of the network which is causing delays and glitches in the video calls.

Because the company “doesn’t know what it doesn’t know,” it is putting a lot of its hosts and their clients in an endless loop of reboots and failed calls. Hosts and end users leave the service in droves, all because the videoconferencing company couldn’t see its own network configuration problems.

When visibility is cloudy, any part of the network that touches or serves clients will become this category of “unknown unknown.” Whether or not the client interaction is functioning as expected or is going disastrously awry is simply not visible. Bad customer contacts will go unnoticed, good ones will not be capitalized upon.

If, on the other hand, you are distracted by resolving too many false positives, you may unintentionally punish good actors with unnecessary mitigation. Good customers don’t appreciate being mistaken for bad actors.

Both scenarios are components of customer churn that can be better addressed with well-tuned network visibility. When a false positive happens in the context of a transaction, a good customer pays the immediate price, but the network pays the heavier price in churn.

Reputation (Technical/Productivity)

A company that is relatively blind to its network risks developing a reputation for technical ignorance. It can be portrayed as bumbling or out of touch when suffering a publicly reported attack. Existing customers can be directly or indirectly harmed through identity or financial loss. But too much network visibility (that is, too many false positives) can be just as damaging, leaving a company’s brand, customer churn and reputation at quieter, but no less profound, risk.

False positives can be a high-risk symptom of “seeing more than what is there.” When an existing solution identifies a legitimate action or account as a fraudulent threat, there is a real risk that a good customer will be harmed.

Use Case 2: Declined Transactions

In financial technology, for example, a false positive alert might decline a transaction of a good customer. At best, the financial company merely embarrasses the customer, and the customer gets over it with a dim personal view of the company’s reputation.

At worst, the company loses a justifiably angry customer (likely one with a social media presence!) and suffers reputational blowback. Negative word-of-mouth due to false positives could potentially be as damaging to a company’s reputation as a breach.

It isn’t just about customers, either. False positives that trigger reviews will raise operational costs, and many times, those costs directly or indirectly spill over onto a company’s vendors. Both under-tuned and over-tuned visibility can potentially inspire vendors to fire your company, or, at best, not enjoy working with your company going forward.

Cost Effective Visibility

Once you know how to improve network visibility, you can place the cost of visibility into perspective.

At Pratum, we have developed an approach to network visibility that also frees up your IT team to do what you have hired them for. We customize workbooks and other reporting to supply an effective overview of your network while also learning your network's unique tendencies for false positives. This means we can rapidly learn your network profile and vulnerabilities, providing good visibility that quickly becomes great.

The best way to increase the efficiency of your view while reducing the cost is to aggregate your data ingestion through a managed solution. Our XDR solution is flexible, and since we do not sell hardware or software, you will have more control over your visibility management while also being freer to focus on operations, and you won’t be stuck relying on software that a vendor forces you to work with. This will also aggregate and lower your subscription rates and fees. One thing that should not be cut is 24-hour, 365-day professional support. Visibility that is properly calibrated never sleeps.

Use Case 3: Ending False Positives via Customization

Out-of-the-box rules for finding threats are not always correct. A real-world example of this occurred when Pratum’s SOC team noticed that one stock rule was generating 50 tickets a day for every organization Pratum manages. Less than 5% of the alerts were legitimate threats. The rule, as written, triggered most of the time when normal software operations were underway.

To address this, Pratum’s analysts disabled the stock rule to stop the flood of unactionable data, then rewrote it with complex logic.

This cut the false positives to almost zero. Within 72 hours of enabling the new rule, the managed service spared a customer from an intrusion that the stock rule would have missed.

With good visibility, a managed service should be able to provide comprehensive yet easy-to-understand reporting for compliance, audit support, defense and post-event analysis.

Properly calibrated, visibility will better position your network to defend against threats, both real and imagined, with equal effectiveness.

Huynh, T. (Trans.). (n.d.). Sun Tzu's Art of War translation. Sonshi. Retrieved September 9, 2022, from https://www.sonshi.com/sun-tzu-art-of-war-translation-original.html


When most people talk about developing an information security program, they are referring to the administrative, physical or technical controls used to protect information. While no information security program can be effective without them, there is one key element that is often underestimated: the employee element. The reality is that employees are responsible for designing, implementing and following all controls put in place to protect sensitive information. One misstep by an employee can spell disaster in terms of information security. And it often does.

The good news is that by providing effective information security training to end users, we can solve many security issues. According to the Verizon Data Breach Investigation Report, nearly 1 in 3 successful cyberattacks has a social engineering component. Social engineering is nothing more than a hacker psychologically attacking a human rather than a computer. They use their knowledge of human behavior to con a user into giving them information over the phone, online or in person. If organizations can prevent social engineering attacks, they can reduce the number of successful cyberattacks.

Targeted Cyber Attacks Against Employees

Raise your hand if you took an information security awareness course for work this year. If that course explicitly trained you to spot and respond to specific social engineering attacks that would be targeted to you, keep your hand up. There likely aren’t many hands still in the air.

Traditional information security training is failing.

Attacks are becoming more targeted to companies and individuals. They are coming from groups that have done research into organizations’ people and practices. They have a specific target objective and have been designed specifically for this purpose.

A Small Number of Security Incidents Can Make a Large Impact

The Verizon data breach investigation reports that 23 percent of users open phishing emails and more than one in 10 click on links in these emails. This may seem like a small number, but let me put this a different way. One of every 10 users in your company will take a single action that will allow a hacker to compromise your security when presented with the opportunity. In a company of 500 people, a hacker will have 50 or more people who will provide credentials or open a machine to compromise by clicking on a link in an email. Does this paint a different picture?

Information security training must be more than just a review of regulatory guidelines, company policies and good password selection. It should show users examples of the types of attacks they are facing right now. It must transcend computer use in the office and needs to show how our digital life is connected to both work and personal computer use. How can we expect people to combat digital con artists when they don’t even know how to spot them? Security awareness training is a cost-effective method for fighting back against the onslaught of attacks against your organization. Hackers attacking your organization typically target employees. They know it’s easier to fool a human than to break into a server.

Enlist Employees as Frontline Defenders

Successful organizations show employees that they are part of the solution, not part of the problem. Organizations that invest in information security awareness and training activities see strong returns, as fewer employees fall prey to cyber threats and tactics such as social engineering. Well-trained employees take pride in reporting suspected attempts to compromise the organization’s critical assets. Use the following steps as an outline for developing your employee information security training program:

Strategy

Writing a specific vision for your security culture will define the training plan to follow.

Resources

Take time to make realistic plans for the resources your company will commit to building a security culture.

Learning Styles

Your training program should be flexible enough to reach the wide variety of people in your organization.

Metrics

Creating SMART goals for your security program will help track progress and build morale as employees see your security culture maturing.

Leadership Involvement

Executives and managers should plan specific ways they can demonstrate their personal buy-in on the information security training plan.

Persistence and Timeliness

Security programs must constantly evolve to handle new threats.

Feedback and Incentives

Security programs thrive with the right balance among coaching, rewarding and enforcing the rules.

Changing your mindset—and building it into your cybersecurity training—provides a solid cornerstone for building a successful awareness and training program that your team will embrace.

Use our Employee Security Awareness Training Planner to help your organization start developing an effective security awareness and training program today.
