Last updated at Mon, 15 May 2023 17:11:52 GMT

Running a successful security operations center (SOC) is a tall order. It requires assembling an ideal mix of people, processes, and tools, and connecting them in ways that make it possible to respond to threats fast while also maintaining a strategic overall security posture.

One of the best ways to make sure that a SOC runs seamlessly is to use security orchestration and automation to tie key functions together. Often within a SOC there are many tools to contend with, and the more they can “speak” to each other, the less time people have to spend digging for data, correlating clues, and piecing together the bigger picture.

Now, a caveat: The following are real-world examples. Since we weren’t behind the scenes for either of these, we can’t be 100% certain what went down or exactly how these incidents could have been avoided or mitigated. That said, these are good examples of types of situations where security orchestration can make a positive difference in a SOC. Hopefully they’ll get you thinking about how you can automate and orchestrate your way to a more streamlined and effective SOC.

The Outsider Data Breach

Many of the major security incidents that have made headlines over the last few years (Target, Home Depot, etc.) have been perpetrated by attackers outside the organization looking to steal information for their own nefarious purposes. One example is the well-publicized Anthem breach, which was discovered in January 2015. The original breach took place on December 10, 2014. During this time, a majority of the 80 million records contained in the database were exposed.

What Happened: This data breach was carried out using stolen database administrator credentials from at least five different Anthem employees. It’s important to note that, although HIPAA would have required the data to be encrypted, once attackers have credentialed access, encryption is a moot point.

It’s speculated that the attack was an example of social engineering (phishing, in this case), though Anthem has not publicly admitted as much. (BTW, we have a guide for that: How to prevent, detect, and respond to phishing as an org)

How Orchestration Could Have Helped: In this case, if Anthem had been monitoring in real-time which usernames were executing which queries/commands, while simultaneously ensuring that programs asking for admin-level access were legitimate, they may have been able to stop the attack before the breach happened.

This requires some smart monitoring of user behavior, which many products address, but it also assumes the ability for teams to rapidly respond to that behavior by revoking access as soon as the suspicious behavior is identified. Orchestration allows teams to connect their detection tools along with an automated response tailored to the customer’s environment, a powerful tool when suspected credential theft is in play.
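To make the "who is running which queries" idea concrete, here is an added example (not Rapid7's code, and not anything Anthem ran) that scores database audit events against a per-account baseline and hands confirmed hits to an automated response hook. The log line format, the baseline numbers, the thresholds and the `disable_account` function are all constructed assumptions; in a real deployment that hook would call your identity or database platform.

```python
"""Score privileged-account query activity against a baseline and trigger
an automated credential revocation when several signals line up at once.

Added illustration only. Log layout, baseline values, thresholds and the
response hook are constructed assumptions, not a product's real interface.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# Constructed audit-log lines (not real data); the field layout is assumed.
SAMPLE_LOG = """\
2014-12-09T14:02:11Z user=dba_alice src=10.0.5.23 op=SELECT table=claims rows=120
2014-12-09T14:05:40Z user=dba_alice src=10.0.5.23 op=UPDATE table=claims rows=1
2014-12-10T02:13:44Z user=dba_alice src=203.0.113.45 op=SELECT table=members rows=4800000
2014-12-10T02:14:09Z user=dba_alice src=203.0.113.45 op=SELECT table=members rows=5100000
2014-12-10T09:30:02Z user=dba_bob src=10.0.5.31 op=SELECT table=members rows=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) op=(?P<op>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed per-account baseline: where, when and how much each DBA normally queries.
BASELINE = {
    "dba_alice": {"known_src": {"10.0.5.23"}, "max_rows": 10_000, "hours": range(7, 20)},
    "dba_bob": {"known_src": {"10.0.5.31"}, "max_rows": 10_000, "hours": range(7, 20)},
}
BULK_MULTIPLIER = 100  # reads this many times over baseline count as a bulk export
ALERT_SCORE = 3        # findings with this many independent reasons trigger a response


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    op: str
    table: str
    rows: int


@dataclass
class Finding:
    event: Event
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return Event(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        user=m["user"], src=m["src"], op=m["op"], table=m["table"], rows=int(m["rows"]),
    )


def assess(event: Event) -> Finding:
    """Compare one event with its account's baseline; every deviation adds a reason."""
    f = Finding(event)
    base = BASELINE.get(event.user)
    if base is None:
        f.reasons.append("privileged account with no baseline")
        return f
    if event.src not in base["known_src"]:
        f.reasons.append(f"new source address {event.src}")
    if event.ts.hour not in base["hours"]:
        f.reasons.append(f"off-hours activity at {event.ts:%H:%M}Z")
    if event.op == "SELECT" and event.rows > base["max_rows"] * BULK_MULTIPLIER:
        f.reasons.append(f"bulk read of {event.rows} rows from {event.table}")
    return f


def disable_account(user: str, actions: list) -> None:
    """Response hook (assumed). A real playbook would call the identity or
    database platform here; this stand-in only records the action taken."""
    actions.append(f"disable_account:{user}")


def run(log_text: str) -> tuple[list[Finding], list[str]]:
    """Parse, assess and respond. Returns (alerting findings, actions taken)."""
    alerts, actions, already_disabled = [], [], set()
    for line in log_text.splitlines():
        finding = assess(parse_line(line))
        if finding.score >= ALERT_SCORE:
            alerts.append(finding)
            # Revoke once per account so repeated hits do not hammer the identity system.
            if finding.event.user not in already_disabled:
                disable_account(finding.event.user, actions)
                already_disabled.add(finding.event.user)
    return alerts, actions


if __name__ == "__main__":
    found, taken = run(SAMPLE_LOG)
    for a in found:
        print(f"{a.event.ts:%Y-%m-%d %H:%M}Z {a.event.user}: " + "; ".join(a.reasons))
    print("actions:", taken)
```

The point of requiring several independent reasons (new address, off-hours, bulk read) before acting is that any one of them alone is routine for a DBA; orchestration earns its keep when the detection side is tight enough that the automated revocation can be trusted to fire without a human in the loop.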

The Insider Data Breach

Insider data breaches can involve either company employees, third-party vendors, or partners with privileged access. These types of breaches can be intentional (e.g. a disgruntled employee stealing info on behalf of a competitor) or accidental (e.g. a benefits coordinator accidentally sending sensitive data to the wrong email address).

Insider data breaches often result from insiders having access to company data that they shouldn’t be able to see—in other words, more privilege than is necessary. One example of this is the Saudi Aramco “burning flag” attack, which some have called the biggest hack in history. Its reverberations were felt around the world, although the whole ordeal was kept under a tight lid for many years afterward.

What Happened: In 2012, politically-motivated insiders successfully erased the data on about two-thirds of Saudi Aramco’s PCs using a virus called Shamoon. Images of burning American flags replaced data that kept the corporation running, and operations ground to a near halt. Every Saudi Aramco office was disconnected from the Internet, while plugs were frantically pulled from servers in datacenters around the world in a dramatic attempt to stop the attack. Security experts say the attack was perpetrated by insiders who wanted to teach the company a lesson for supporting the country’s authoritarian regime.

How Orchestration Could Have Helped: Many organizations ignore insider network traffic because there’s so much of it that it’s next to impossible to spot the needle in the haystack. Not to mention that most companies inherently trust their employees — for better or for worse. For these reasons, it’s quite easy for an insider with malicious intent to gain access to intellectual property, sensitive corporate data like financials, or even employees’ personal information. With the right virus or other malware on hand, it’s also possible to erase data, as in the case of Saudi Aramco.

If an attack comes in stages, as many do, having the ability to orchestrate a response such as removing malware, quarantining systems, conducting forensics, and more can go a long way in mitigating an attack once it is first detected. It’s important for organizations to monitor internal behavior, consider the possibility of an inside attack, and plan how they can quickly and automatically respond to it.
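Here is an added example of what a staged response playbook looks like in code. It is not Rapid7's code and not anything Saudi Aramco ran; the host inventory, the detection event and every action function are constructed stand-ins for the calls a real orchestration tool would make into EDR, network and ticketing systems. It shows two things the prose leaves implicit: stages are idempotent (re-isolating an already isolated host is a no-op), and evidence collection is refused if it would run after a destructive step, since a memory image taken after the malware has been killed is worth much less to forensics.

```python
"""Staged, automated response for a suspected malware or wiper incident.

Added illustration only. FLEET, the Incident, and each action function are
constructed stand-ins for EDR, network-isolation and ticketing integrations.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed in-memory "fleet" state that a real playbook would query from EDR/NAC.
FLEET = {
    "ws-0412": {"isolated": False, "processes": ["explorer.exe", "dropper.exe"], "image": None},
    "ws-0413": {"isolated": False, "processes": ["explorer.exe"], "image": None},
}


@dataclass
class Incident:
    host: str
    indicator: str                 # process name that triggered the detection
    log: list = field(default_factory=list)


@dataclass
class Stage:
    name: str
    run: Callable[[Incident], bool]  # returns True on success
    destructive: bool = False        # alters evidence on the host
    critical: bool = True            # failure aborts the remaining stages
    evidence: bool = False           # collects forensic artifacts


# --- Action stand-ins: each one represents an integration call --------------

def isolate_host(inc: Incident) -> bool:
    host = FLEET[inc.host]
    if host["isolated"]:
        inc.log.append(f"{inc.host}: already isolated, skipping")  # idempotent
        return True
    host["isolated"] = True
    inc.log.append(f"{inc.host}: network isolation applied")
    return True


def capture_memory_image(inc: Incident) -> bool:
    host = FLEET[inc.host]
    host["image"] = f"{inc.host}-mem.raw"  # constructed artifact name
    inc.log.append(f"{inc.host}: memory image {host['image']} captured")
    return True


def kill_malicious_process(inc: Incident) -> bool:
    host = FLEET[inc.host]
    if inc.indicator not in host["processes"]:
        inc.log.append(f"{inc.host}: {inc.indicator} not running, nothing to terminate")
        return False
    host["processes"].remove(inc.indicator)
    inc.log.append(f"{inc.host}: terminated {inc.indicator}")
    return True


def open_ticket(inc: Incident) -> bool:
    inc.log.append(f"{inc.host}: ticket opened for analyst review")
    return True


PLAYBOOK = [
    Stage("isolate", isolate_host),
    Stage("capture_memory", capture_memory_image, evidence=True),
    Stage("kill_process", kill_malicious_process, destructive=True),
    Stage("ticket", open_ticket, critical=False),
]


def validate(playbook: list[Stage]) -> list[str]:
    """Return ordering problems; an empty list means the playbook is safe to run."""
    problems, seen_destructive = [], False
    for stage in playbook:
        if stage.evidence and seen_destructive:
            problems.append(f"{stage.name} collects evidence after a destructive stage")
        seen_destructive = seen_destructive or stage.destructive
    return problems


def run_playbook(inc: Incident, playbook: list[Stage] = PLAYBOOK) -> bool:
    """Run stages in order, aborting on a failed critical stage. Returns overall success."""
    problems = validate(playbook)
    if problems:
        raise ValueError("; ".join(problems))
    for stage in playbook:
        ok = stage.run(inc)
        inc.log.append(f"stage {stage.name}: {'ok' if ok else 'FAILED'}")
        if not ok and stage.critical:
            inc.log.append("aborting remaining stages; handing off to an analyst")
            return False
    return True


if __name__ == "__main__":
    incident = Incident("ws-0412", "dropper.exe")
    print("success:", run_playbook(incident))
    print("\n".join(incident.log))
```

The failure path matters as much as the happy path: when the kill step finds nothing to terminate, the playbook stops and hands the host to a person rather than closing the ticket as resolved, because "the indicator is gone" can mean the malware was never there or that it has already moved on.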

Putting Orchestration to Work

Security orchestration and automation enables companies to address a wide range of challenges, including both insider and outsider attacks. Whether you are concerned about employee mistakes, unpredictable third-party vendors, malicious competitors, or nation-state hackers, getting security orchestration up and running in your organization can help you detect and respond to a wide range of threats with speed and efficiency.