When Defenses Fail

If you are doing things correctly, you’ve got a solid firewall protecting your network, enterprise-grade endpoint protection on each computer and (hopefully) some reliable content filtering in place to keep your employees (and your business!) safe.  But there could be one very important piece missing here: how do you know when these defenses fail?  “Fail?” you say.  “They shouldn’t ever fail!”  Unfortunately, that’s just not the case.  The old sports adage about offense and defense holds true in IT, too: defense has to be right 100% of the time, and offense only has to be right once to win.  So, eventually, defense will lose.  And breach statistics consistently show that it is most often not faulty technology at the root of the breach but the human factor: a reused password, a clicked link, a wire approved on the strength of an email.  So, it’s not a matter of “if”, it’s a matter of “when”.  And with the recent increase in attacks on Microsoft 365, moving to the cloud doesn’t guarantee security, either.

Microsoft 365 specifically has become a favorite target for hackers.  It is a great platform and millions of people use it, but it ships with security features that too many small businesses never turn on.  What we’ve seen most often is attackers going after Microsoft 365 email accounts that have weak passwords and no two-factor authentication in place.  They also deliberately target companies that move large sums of money by wire transfer (such as law firms and real estate related businesses).  Once in control of a mailbox, they quietly read along with the conversations, often adding an inbox rule that forwards copies of incoming mail to an address they control, and then step in when the wiring instructions are about to be sent, intercepting or re-sending the instructions with their own banking information.  Tens or hundreds of thousands of dollars can be lost in seconds.  Without the proper protections in place, you would not know they were in your mailbox until it was too late.

The issue here is that the protections you have in place will almost certainly NOT tell you when they have failed.  You might get an alert when your anti-virus successfully blocks something, but you won’t get an alert when it lets something through that it judged harmless but wasn’t.  The same is true for your firewall and just about any other defensive device: they report what they caught, not what they missed.  If they are tricked into thinking a file or a connection is innocent, they won’t report it.

If your defenses can’t tell you when they have failed, attackers can sit on your network for days, months or even years.  You don’t want to wait until all of your data has been stolen to figure out that you were hacked a month ago or longer.  The same is true for your Microsoft 365 email: you don’t want to learn that an interloper intercepted one of your business transactions AFTER the money is gone.

So, what is the best approach?  There are actually two best practices that will provide the extra layer of security every business needs.   The first is two-factor authentication and the second is anomaly detection.

Let’s address two-factor authentication (a form of what is more generally called multi-factor authentication) first.  With passwords still the way most accounts are protected, adding a second factor is the single most effective step you can take to safeguard your digital assets.  It’s not perfect: codes delivered by text message can be intercepted or phished, and a determined attacker can trick a user into approving a login prompt.  It is still very effective at stopping all but the most determined attackers, and it turns a leaked password from a breach into a mere inconvenience.  For a full write-up on two-factor authentication, its pros and cons, see our previous blog post.

Now let’s talk about anomaly detection.  Wherever your crucial data resides, you want a system in place that will tell you when something out of the ordinary has happened.  The system learns the “normal” digital behavior of your people and network and is configured to alert you when that behavior changes.  For example, your business normally only works with US-based companies, then one day a computer on your network sends 100 GB of data to a server in Russia.  That would generate an alert.  Or, in Microsoft 365, nobody in your company has ever created an email rule, then one day a rule appears that forwards a copy of every incoming message to an outside address.  That would also generate an alert.  Or finally, you come in Monday morning and access your Box account at 8:00 am like you always do, but at 8:05 am your Box account is accessed from 1,500 miles away.  Yes, another alert would be sent.
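To make the three scenarios above concrete (and the mailbox-forwarding trick from the wire-fraud section earlier), here is a small set of detectors run over constructed sample events. This is an added example written for this post, not code from any product we sell or from Microsoft or Box. The event records and their field names (`user`, `time`, `lat`, `lon`, `op`, `params`, `country`, `bytes`) are simplified and invented for the example; real sign-in, audit and firewall logs have their own schemas that you would map onto these fields. The operation and parameter names in the mailbox records mirror Exchange Online’s `New-InboxRule` / `Set-InboxRule` cmdlets and their `ForwardTo` family of parameters.

```python
"""Three toy anomaly detectors: impossible travel, suspicious inbox rules, bulk egress.

Added example for this post. All events below are constructed sample data with
simplified, invented field names; they are not the real Microsoft 365, Box or
firewall log schema.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0                  # faster than any airliner: travel this fast is impossible
HOME_COUNTRIES = {"US"}                 # learned baseline: where this business normally sends data
EGRESS_BYTES_THRESHOLD = 1_000_000_000  # 1 GB to an unfamiliar country is worth a phone call
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}                   # Exchange Online operation names
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sign-ins: the Box scenario, 08:00 in New York then 08:05 in Denver (~1,600 mi).
SIGNINS = [
    {"user": "alice", "time": "2024-03-04T08:00:00", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "time": "2024-03-04T08:05:00", "lat": 39.74, "lon": -104.99},
    {"user": "dave",  "time": "2024-03-04T09:00:00", "lat": 40.71, "lon": -74.01},
    {"user": "dave",  "time": "2024-03-04T17:30:00", "lat": 39.74, "lon": -104.99},  # 8.5 h later: a real flight
]

# Constructed mailbox audit records: bob, who has never made a rule, suddenly forwards
# his mail to an outside address; carol's rule only files messages into a folder.
RULE_CREATORS_BASELINE = {"carol"}
AUDIT = [
    {"user": "bob",   "op": "New-InboxRule", "params": {"ForwardTo": "mail@attacker.example"}},
    {"user": "carol", "op": "New-InboxRule", "params": {"MoveToFolder": "Invoices"}},
    {"user": "carol", "op": "Set-Mailbox",   "params": {}},
]

# Constructed outbound flow summaries (bytes per destination, with a GeoIP country tag).
FLOWS = [
    {"host": "ws-12", "dst": "203.0.113.5",  "country": "US", "bytes": 250_000_000},
    {"host": "ws-07", "dst": "198.51.100.9", "country": "RU", "bytes": 100_000_000_000},
    {"host": "ws-07", "dst": "192.0.2.44",   "country": "DE", "bytes": 40_000},  # tiny: not worth waking anyone
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins by one user that imply travel faster than max_speed_kmh."""
    alerts, by_user = [], {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            secs = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds()
            hours = max(secs, 60) / 3600.0  # floor at one minute so same-second pairs still get a finite speed
            if km / hours > max_speed_kmh:
                alerts.append(f"impossible travel: {user} moved {km:.0f} km in {secs / 60:.0f} min")
    return alerts


def suspicious_inbox_rules(events, baseline=RULE_CREATORS_BASELINE):
    """Flag rules that forward/redirect mail, and the first rule ever created by a user."""
    alerts = []
    for e in events:
        if e["op"] not in RULE_OPS:
            continue
        forwarding = FORWARD_PARAMS & e["params"].keys()
        if forwarding:
            alerts.append(f"forwarding rule: {e['user']} {e['op']} {sorted(forwarding)}")
        elif e["user"] not in baseline:
            alerts.append(f"first-ever inbox rule: {e['user']} {e['op']}")
    return alerts


def unusual_egress(flows, home=HOME_COUNTRIES, threshold=EGRESS_BYTES_THRESHOLD):
    """Flag large transfers to countries outside the learned baseline."""
    return [
        f"bulk egress: {f['host']} sent {f['bytes'] / 1e9:.0f} GB to {f['dst']} ({f['country']})"
        for f in flows
        if f["country"] not in home and f["bytes"] >= threshold
    ]


def run_all():
    """Run every detector over the sample data and return the combined alert list."""
    return impossible_travel(SIGNINS) + suspicious_inbox_rules(AUDIT) + unusual_egress(FLOWS)


if __name__ == "__main__":
    for line in run_all():
        print("ALERT", line)
```

Each detector compares an event against a baseline (a physical speed limit, the set of people who have ever created a rule, the set of countries you normally talk to) rather than against a signature of known-bad content, which is exactly why it still fires after the firewall or anti-virus has already waved the traffic through. Dave’s two sign-ins 8.5 hours apart and the 40 KB flow to Germany are deliberately left unflagged: the thresholds are what keep a system like this from crying wolf, and tuning them to your business is most of the work.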

There are innumerable other scenarios, but the key here is that the usual defenses have failed, and at that crucial moment it does not matter HOW they failed.  With the right systems in place ahead of time, your IT team is alerted to the problem and can quickly take the necessary steps to prevent further damage (disable the account, remove the rule, cut off the transfer), and THEN they can take the time to figure out where the defensive breakdown occurred.  If these alerts weren’t generated, the interloper could sit on your systems for as long as they wanted, stealing all of your information or impersonating you or your employees.

It is critical for you to remember that if you are on the internet, you are a target…period.  It doesn’t matter how large or small your business is, there is value in what you have and the bad guys have very creative ways to make money off of your digital assets.

We have solutions that can cover all of your digital assets and they may sound like only large companies could afford them but that’s not the case.  In this case, the ounce of prevention is worth hundreds of pounds of cure.