Advanced detection and response techniques in industrial cybersecurity

Centro de Ciberseguridad Industrial

The automation of response actions has become essential for managing the huge number of alerts that an incident detection system can generate. If we add to this the shortage of professionals with experience in analysing and investigating cybersecurity incidents, we also find the need to use the most current technology, based on Artificial Intelligence, to reduce the alert fatigue of human teams, so that they can focus their efforts where they are essential while automation takes care of responding to the majority of repetitive incidents that are susceptible to an automated response.

This automation of actions is not only necessary in the last mile, the industrial SOC, where SOAR – Security Orchestration, Automation and Response – tools are designed for this purpose. Automated response is also expected to be carried out on the workstations (EDR – Endpoint Detection and Response – solutions) and in the network protection elements (NDR – Network Detection and Response – solutions), that is, as close as possible to where the incident occurs, so that we prevent it from spreading to the rest of the network.
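To make the division of labour described above concrete, here is an added example (not code from the original article or from any SOAR, EDR or NDR product): a minimal triage step that deduplicates an alert stream, automates the response to repetitive, well understood alert types at the layer closest to the incident, and escalates everything else to an analyst. The alert records, rule names, asset names and playbooks are all constructed for the example.

```python
"""Added example (not from the original article): a minimal SOAR-style triage
step. It deduplicates the alert stream, auto-responds to repetitive, well
understood alert types at the layer closest to the incident (EDR on the
endpoint, NDR on the network) and escalates everything else to an analyst.
Alert records, rule names and playbook names are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str    # "edr", "ndr" or "siem": which layer raised the alert
    rule: str      # detection rule name (constructed)
    asset: str     # affected host, gateway or PLC (constructed names below)
    severity: int  # 1 (low) .. 5 (critical)


# Playbooks: alert types whose response is repetitive enough to automate.
# Each maps a rule to (layer that executes the action, action name), so that
# containment happens at the endpoint or network element, not only at the SOC.
PLAYBOOKS = {
    "known_malware_hash": ("edr", "quarantine_file"),
    "blocked_c2_domain": ("ndr", "block_destination"),
    "bruteforce_login": ("ndr", "rate_limit_source"),
}

# Above this severity a human always decides, even if a playbook exists:
# in an OT network an automated block on a critical asset could stop production.
AUTO_RESPONSE_MAX_SEVERITY = 3


def dedupe(alerts):
    """Collapse repeats of the same rule on the same asset from the same source,
    keeping the first occurrence. This alone removes much of the alert noise."""
    seen = {}
    for a in alerts:
        seen.setdefault((a.source, a.rule, a.asset), a)
    return list(seen.values())


def triage(alerts):
    """Split alerts into automated actions and analyst escalations.

    Returns (auto_actions, escalations, stats) where auto_actions is a list of
    (alert_id, layer, action, asset) tuples and stats counts each stage."""
    unique = dedupe(alerts)
    auto_actions, escalations = [], []
    for a in unique:
        playbook = PLAYBOOKS.get(a.rule)
        if playbook and a.severity <= AUTO_RESPONSE_MAX_SEVERITY:
            layer, action = playbook
            auto_actions.append((a.alert_id, layer, action, a.asset))
        else:
            escalations.append(a)  # no playbook, or too severe to automate
    stats = {
        "received": len(alerts),
        "unique": len(unique),
        "auto": len(auto_actions),
        "escalated": len(escalations),
    }
    return auto_actions, escalations, stats


# Constructed sample alert stream.
SAMPLE_ALERTS = [
    Alert("a1", "edr", "known_malware_hash", "hmi-01", 3),
    Alert("a2", "edr", "known_malware_hash", "hmi-01", 3),   # repeat of a1
    Alert("a3", "ndr", "blocked_c2_domain", "eng-ws-07", 2),
    Alert("a4", "ndr", "bruteforce_login", "plc-gw-02", 4),  # playbook exists, too severe
    Alert("a5", "siem", "unusual_plc_write", "plc-12", 5),   # no playbook at all
]

if __name__ == "__main__":
    actions, escalated, stats = triage(SAMPLE_ALERTS)
    for alert_id, layer, action, asset in actions:
        print(f"{alert_id}: {layer} executes {action} on {asset}")
    for a in escalated:
        print(f"{a.alert_id}: escalated to analyst ({a.rule}, severity {a.severity})")
    print(stats)
```

The severity ceiling is the design choice worth noting: in an industrial network an automated containment action on the wrong asset can itself cause the production impact the response was meant to prevent, so the playbook only runs when both a known pattern and a bounded blast radius are present, and everything else goes to a person.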


Design of advanced access control policies

As third-party access to industrial networks becomes more necessary and IIoT devices proliferate, continuous verification of the users and devices that access the different systems hosted on these networks is required. To secure networks more effectively, network administrators should implement a zero-trust access approach.

Applying this security model allows organisations to improve their security posture compared to using traditional VPN tunnels, which provide unlimited network access. Zero trust network access (ZTNA) solutions, by contrast, grant access to individual applications only after verifying the device and the user in each session they try to establish. This policy must be applied both to users and devices that connect to the local network and to those that do so remotely.

Another aspect to consider in order to increase access protection is the implementation of multi-factor authentication (MFA) systems, since passwords are the oldest and least secure authentication system in use today. This is due to different circumstances, such as the bad habits of users, who reuse passwords or write them down within reach of anyone, but also to users falling victim to increasingly frequent and sophisticated phishing campaigns.

Implementation of least privileges and identity management

Implementing zero trust access includes the need to grant the minimum access privileges necessary for a user or device to perform its task without impacting production, as well as having strong authentication capabilities, such as those provided by Identity and Access Management (IAM) solutions. Protecting user identity is one of the main elements of the zero trust principle.

This additional layer of security greatly reduces the possibility of security incidents, while helping to meet the audit requirements associated with the different mandatory regulations (depending on sub-industry, country and other aspects), which in turn are becoming tougher, more specific and more demanding in terms of the protection measures to be implemented.
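The three preceding sections (per-session ZTNA verification, MFA, and least privilege backed by an audit trail) fit in one decision function. The following is an added example, not code from the original article and not any IAM or ZTNA product's policy engine: each request for a single application is evaluated against identity, MFA status, device posture and a role-to-application mapping, and every decision is recorded. The roles, application names and sessions are constructed for the example.

```python
"""Added example (not from the original article): a per-session zero-trust
access decision. Rather than opening the whole network as a VPN tunnel would,
each request for one application is checked against the user's identity and
MFA status, the device's posture and a least-privilege role mapping, and every
decision is written to an audit record. Roles, applications and sessions are
constructed for the example; this is not any product's policy engine."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified: bool
    device_id: str
    device_managed: bool   # enrolled in the organisation's device inventory
    device_patched: bool   # result of the posture check for this session
    remote: bool           # connecting from outside the plant network


# Least privilege: each role reaches only the applications its task needs.
# A third-party vendor never sees the engineering workstation or the historian.
ROLE_APPS = {
    "plc_engineer": {"engineering-ws", "historian"},
    "plant_operator": {"hmi", "historian"},
    "vendor_support": {"vendor-portal"},
}


def authorize(session, app):
    """Return (allowed, reason). The same checks run for local and remote
    sessions: a connection from inside the plant gets no implicit trust."""
    if not session.mfa_verified:
        return False, "mfa required"
    if not session.device_managed:
        return False, "unmanaged device"
    if not session.device_patched:
        return False, "device failed posture check"
    if app not in ROLE_APPS.get(session.role, set()):
        return False, f"role {session.role} not entitled to {app}"
    return True, "granted"


AUDIT_LOG = []


def request_access(session, app):
    """Evaluate one access request and append the decision to the audit log,
    which is what an auditor will later ask to see."""
    allowed, reason = authorize(session, app)
    AUDIT_LOG.append({**asdict(session), "app": app, "allowed": allowed, "reason": reason})
    return allowed


# Constructed sessions.
VENDOR = Session("vendor.tech", "vendor_support", True, "dev-v1", True, True, remote=True)
OPERATOR_NO_MFA = Session("op.smith", "plant_operator", False, "dev-o1", True, True, remote=False)
ENGINEER_BYOD = Session("eng.lee", "plc_engineer", True, "byod-9", False, True, remote=False)

if __name__ == "__main__":
    for s, app in [(VENDOR, "vendor-portal"), (VENDOR, "engineering-ws"),
                   (OPERATOR_NO_MFA, "hmi"), (ENGINEER_BYOD, "engineering-ws")]:
        print(s.user, app, request_access(s, app))
    print(len(AUDIT_LOG), "decisions recorded")
```

Note that the `remote` flag is carried in the session and logged but never short-circuits the checks: the point of the model is that a local connection and a remote one are held to the same verification, and that both grants and denials leave a record.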

Continuous monitoring and audit strategies

Continuous monitoring is the best way to comply with the requirements of these regulations, directives and laws, which establish increasingly short deadlines for notifying the authorities, as is the case with NIS2. But we should not think that the objective is only to comply with the law: these laws have been developed to protect environments and information, so complying with them is synonymous with protecting ourselves.

Security evaluation in industrial software development

In October 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and 17 U.S. and international partners announced the second version of their security by design white paper, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.”

This white paper aims to encourage software manufacturers to build security into their products, making it proactive rather than reactive.

Secure by design recommendations focus on making security a central business priority and a core part of the software development process, and cover two related concepts:

“Secure by design” products are designed to protect against malicious cyberattacks so that attackers cannot gain access to devices, data or connected infrastructure. Manufacturers must include protections that account for the changing cyber threat landscape and invest resources in every layer of product design and development.

“Secure by default” products are configured to protect against the most common threats and vulnerabilities “out of the box”, without end users taking additional steps to protect them. Security is included in the base product at no additional cost, just as seat belts are included in all new cars.

The software industry needs to develop more secure products, not more security products.
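What “secure by default” looks like in a product's configuration, as an added example (not from the CISA white paper and not from the original article): secure defaults for a hypothetical industrial gateway service shown beside the insecure legacy defaults they replace, with a validator that lists every setting an operator has weakened so the service can refuse to start with it. All settings, service names and credential pairs are constructed for the example.

```python
"""Added example (not from the CISA paper or the original article): secure
defaults for a hypothetical industrial gateway service, beside the insecure
legacy defaults they replace. GatewayConfig() is safe with no end-user action,
and validate_config() lists every setting that has been weakened so the
service can refuse to start with it. All settings are constructed."""
from dataclasses import dataclass

# Factory credential pairs that must never be accepted (constructed list).
FACTORY_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Services that carry credentials or commands in cleartext.
CLEARTEXT_SERVICES = {"http", "telnet", "ftp"}


@dataclass
class GatewayConfig:
    # Secure-by-default values: what the product ships with, no extra steps.
    require_auth: bool = True
    require_mfa: bool = True
    tls_enabled: bool = True
    min_tls_version: str = "1.2"
    admin_credentials: tuple = ()          # no factory password: set at first boot
    exposed_services: tuple = ("https",)   # nothing cleartext enabled


# The shape of insecure legacy defaults, shown for contrast (constructed).
LEGACY_DEFAULTS = dict(
    require_auth=False,
    require_mfa=False,
    tls_enabled=False,
    min_tls_version="1.0",
    admin_credentials=("admin", "admin"),
    exposed_services=("http", "telnet", "https"),
)


def validate_config(cfg):
    """Return a list of problems; an empty list means the configuration keeps
    the secure defaults (or an equivalent) and the service may start."""
    problems = []
    if not cfg.require_auth:
        problems.append("authentication disabled")
    if not cfg.require_mfa:
        problems.append("MFA not required for administrative access")
    if not cfg.tls_enabled:
        problems.append("TLS disabled")
    elif cfg.min_tls_version not in ("1.2", "1.3"):
        problems.append(f"TLS {cfg.min_tls_version} allowed")
    if cfg.admin_credentials in FACTORY_CREDENTIALS:
        problems.append("factory credentials still set")
    cleartext = CLEARTEXT_SERVICES & set(cfg.exposed_services)
    if cleartext:
        problems.append("cleartext services exposed: " + ", ".join(sorted(cleartext)))
    return problems


if __name__ == "__main__":
    print("shipped defaults:", validate_config(GatewayConfig()) or "ok")
    print("legacy defaults:")
    for p in validate_config(GatewayConfig(**LEGACY_DEFAULTS)):
        print("  -", p)
```

The seat-belt analogy from the text maps directly onto `GatewayConfig()`: the safe configuration is the one the user gets without asking for it, and relaxing it has to be a deliberate, visible act that the validator names.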

A negative side of technological evolution – of any kind – is that it can be used for both good and evil. This is what happens with Artificial Intelligence and Machine Learning: cyber attackers can also take advantage of them to make their attacks more sophisticated, increase their ability to mutate and try to evade detection techniques. For this reason, protecting systems also requires using the latest technologies, or we will be at a clear disadvantage.


Author:

Jose Luis Laguna

Director, EMEA OT SE Solution Architects