Smarter Security: Logs & Context-Aware Access Controls
Encryption and firewalls? Could be useless if an attacker steals administrator credentials and goes undetected in your systems for months.
DarkReading published an article analyzing the tools that may help Anthem and other similarly large companies prevent another breach.
The article makes a good point that certain types of security solutions, such as firewalls and other perimeter software, would have been useless in this particular situation. The attackers had already found a way to get legitimate access to Anthem's databases and systems, using a system administrator's credentials to run queries.
And while encryption should be a best practice for securing sensitive data, it is also useless in this situation: a set of legitimate credentials lets the attacker decrypt the data exactly as the real administrator would. A lot of solutions are designed to secure the perimeter, but fail to address security where it is needed the most, at user-level access to applications in the cloud and on-premises.
### Security Logs & Behavioral Analysis

As the article stated, 'behavioral analysis' can help administrators analyze the activity of their users. But in order to conduct an analysis, the data needs to be available. A good access security tool gives your administrators access to many different logs, including user activity, administrator activity and fraudulent attempts to log into your networks. Learn more about Security Logs.
### Context-Aware Access Controls

According to the article, context-aware access controls could also have stopped an attacker, even one armed with phished credentials. Companies using a two-factor authentication or access security solution should seek out providers that offer accompanying detailed data logs, so their teams can detect threats and escalate security incidents.
With the ability to identify the geographic location of each authentication session, an administrator could have detected logins originating from suspicious IPs or locations. If your company has no employees in, and no other reason to accept authentication requests from, a particular foreign country, a request from there should raise a red flag and prompt your team to investigate further. Geolocation is a signal rather than proof (an attacker can route through an IP in your home country), so it should be combined with the other details of the request. Find out more about geolocation in Where On Earth Are My Users?
Likewise, other details of each authentication request can be telling: the integration type (VPN, OWA, etc.), the authentication method used (such as push notification or SMS), the time it was sent, and whether the attempt succeeded or failed. Repeated failures followed by a success from the same source, or a user who appears in two countries within an hour, are patterns that only show up when these fields are recorded. All of these data points can also be aggregated by source IP and used to profile attackers.
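To make the checks above concrete, here is an added example (not code from the original article, from DarkReading, or from any vendor product) that runs context-aware rules over a handful of constructed authentication log records: a successful login from a country where the company has no presence, a burst of two-factor failures, a success immediately following those failures, and one user authenticating from two countries within a short window. The record format, the `country` field (which would normally come from a GeoIP lookup on the source IP), the thresholds and the allowed-country list are all assumptions made for the example.

```python
"""Context-aware checks over authentication logs.

Added example, not taken from the article or from any vendor product.
The records below are constructed for illustration; in practice they come
from your 2FA / access-security provider's log export, and the `country`
field would be filled in by a GeoIP lookup on the source IP.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per authentication attempt.
SAMPLE_LOG = """
{"ts": "2015-02-09T08:01:10Z", "user": "jsmith",   "integration": "VPN", "factor": "push", "result": "success", "ip": "203.0.113.10", "country": "US"}
{"ts": "2015-02-09T08:30:00Z", "user": "admin-db", "integration": "OWA", "factor": "sms",  "result": "success", "ip": "198.51.100.7", "country": "US"}
{"ts": "2015-02-09T09:05:00Z", "user": "admin-db", "integration": "VPN", "factor": "push", "result": "failure", "ip": "192.0.2.44",   "country": "CN"}
{"ts": "2015-02-09T09:05:30Z", "user": "admin-db", "integration": "VPN", "factor": "push", "result": "failure", "ip": "192.0.2.44",   "country": "CN"}
{"ts": "2015-02-09T09:06:10Z", "user": "admin-db", "integration": "VPN", "factor": "push", "result": "failure", "ip": "192.0.2.44",   "country": "CN"}
{"ts": "2015-02-09T09:07:00Z", "user": "admin-db", "integration": "VPN", "factor": "push", "result": "success", "ip": "192.0.2.44",   "country": "CN"}
{"ts": "2015-02-09T10:15:00Z", "user": "jsmith",   "integration": "OWA", "factor": "push", "result": "success", "ip": "203.0.113.10", "country": "US"}
"""

# Assumptions for this example: the company operates only in the US, three
# 2FA failures in ten minutes is a burst, and a user seen in two countries
# within two hours cannot have travelled between them.
ALLOWED_COUNTRIES = {"US"}
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=2)


def parse_log(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def analyze(events, allowed=ALLOWED_COUNTRIES):
    """Return (rule, user, source_ip, detail) tuples for every suspicious event."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of failures inside FAILURE_WINDOW
    last_success = {}              # user -> most recent successful record

    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            recent = [t for t in failures[user] if e["ts"] - t <= FAILURE_WINDOW]
            recent.append(e["ts"])
            failures[user] = recent
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append(("repeated_2fa_failures", user, e["ip"], len(recent)))
            continue

        # Successful authentication: apply the context-aware rules.
        if e["country"] not in allowed:
            alerts.append(("login_from_unexpected_country", user, e["ip"], e["country"]))
        if failures[user] and e["ts"] - failures[user][-1] <= FAILURE_WINDOW:
            alerts.append(("success_after_failures", user, e["ip"], e["integration"]))
        prev = last_success.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append(("impossible_travel", user, e["ip"], f"{prev['country']}->{e['country']}"))
        last_success[user] = e
    return alerts


def profile_sources(events):
    """Aggregate attempts per source IP: the 'profile attackers' step."""
    profiles = defaultdict(lambda: {"failures": 0, "successes": 0, "users": set(), "integrations": set()})
    for e in events:
        p = profiles[e["ip"]]
        p["failures" if e["result"] == "failure" else "successes"] += 1
        p["users"].add(e["user"])
        p["integrations"].add(e["integration"])
    return profiles


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in analyze(events):
        print("ALERT", *alert)
    for ip, p in profile_sources(events).items():
        print(ip, p["failures"], "failures,", p["successes"], "successes, users:", sorted(p["users"]))
```

Running it flags only the `admin-db` account: the third failure from 192.0.2.44 trips the burst rule, and the success that follows a minute later trips all three remaining rules at once (unexpected country, success after failures, and a US-to-CN move 37 minutes after the last good login). The per-IP profile then shows 192.0.2.44 with three failures and one success against the VPN integration, which is the kind of aggregate a team would use to block the source and hunt for the same IP elsewhere in the logs.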
So while one of the biggest companies in its industry was breached, all is not lost: your company CAN protect its users by making smarter security investments.