The insidious spread of COVID-19 across the globe has accelerated changes to our way of life. The reliance on the internet saw a prodigious increase in March 2020 as people started relying on digital means to work, buy groceries, order food, and basically ensure they could stay home and stay safe! More people doing things online means more opportunities for cyber-attacks.
With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits, and cause disruption.
MIT Sloan CIO Digital Learning Series hosts monthly webinars to bring together the best thought leaders for discussions about leadership and technology in this digital age. Episode 2 in this series focused on the topic “Keeping our organizations cybersecure in the COVID-19 environment. How secure are we?”. Keri Pearlson, Executive Director, MIT Cybersecurity, sheds light on the increase in social engineering and phishing attacks during the pandemic. From websites providing information about vaccines and emails claiming to help you get your stimulus check, to links prompting employees to download VPN software, cybercriminals have exploited all possible avenues to steal electronic data and cause disruption or misdirection of online services.
It was alarming to see some of the numbers she highlighted in the talk. For instance, there have been 105,061 reports of social engineering attacks pertaining to the stimulus checks in the United States alone.
While technology can help secure your systems and networks, she stressed the importance of cultivating a culture where people are trained to identify attacks and also rewarded for being cautious and aware!
That got me curious about the impact on the cybersecurity technology landscape during the pandemic. Not surprisingly, the key cybersecurity players like Neustar, Radware, Cloudflare, Akamai, Kaspersky, Zscaler, Verisign, StackPath all reported an increase in cyber-attacks during the pandemic.
According to a recent report, during the first week of June (2020), Akamai mitigated a massive DDoS attack against an internet hosting provider, the largest the company has seen at 1.44Tbps. Neustar said they have mitigated more than twice the number of attacks as in the first quarter of 2019. Kaspersky’s Q1 2020 DDoS attacks report pointed to a sharp increase in volumetric attacks against the websites of healthcare organizations, delivery services, and gaming and education platforms. Zscaler reported that since January there has been an increase of 30,000% in phishing, malicious websites, and malware targeting remote users—all related to COVID-19.
This brings me to the importance of observability and end-user monitoring. With the surge in attacks, organizations are introducing additional components to their delivery chain. Security and performance often step on each other’s toes. For instance, when an organization is under a DDoS attack, one possible remediation is to direct the traffic to a scrubbing center for mitigation. This in turn has an adverse impact on end-user experience, so it becomes essential for the organization to have visibility into this change in the traffic pattern. During the DDoS attack on AWS on October 22, 2019, Catchpoint’s traceroute monitor was able to track and provide visibility into the traffic being directed to Neustar for scrubbing.
Monitoring for Improved Security and End User Experience
With remote work becoming the norm, ensuring a good employee experience has become a harder problem. Employee reliance on IAM, Access control, SSO and VPNs has increased to ensure secure access to internal networks and applications.
At the beginning of the lockdown, a lot of our customers changed their employee experience monitoring strategy. One of the key aspects they worked on is monitoring the VPN gateways from key ISPs and geographies, as employees are no longer confined to a corporate setup and are using broadband ISPs. We were able to detect an issue for one of our customers where there was a brute-force attack on the VPN gateway at specific times of the day, as seen in the chart below. This resulted in denial of service to employees who were trying to access the internal network.
The panel discussion that followed in the webinar revolved around how organizations approach the question “How secure are we?”
Andrew Stanley’s (Chief Information Security Officer, Mars) answer about reframing this question to “How ready are we to respond?” really resonated with me. With attack vectors changing often and the nature of threats never repetitive, it becomes very hard to say an organization is secure. It is thus important to invest in training the security teams, invest in technology that helps with detection, and build a culture around security awareness.
Danny Allan, Chief Technical Officer, Veeam Software answered this question by saying he would also reframe it to two yes or no questions –
- Are we more secure today than we were yesterday?
- Are we being more proactive than reactive?
I was nodding my head and agreeing because I have seen this work in practice. At Catchpoint, I often come across instances where we are the first to pick up on a security incident. With proactive Synthetic monitoring, we are constantly probing servers, performing key user transactions, and collecting metrics about the network and infrastructure. Thus, the system is aware of baselines and can quickly sound an alarm when any metric goes astray.
Consider the example of a Layer 7 or Application layer attack. This attack targets the application layer in the OSI model where the most common internet requests over HTTP occur. These layer 7 attacks result in the consumption of server resources in addition to network resources. The example below answers the first question Danny posed – “Are we more secure today than yesterday?” Clearly not. The server resources were exhausted due to the attack and legitimate requests were being denied.
In this scenario, the team had set up alerts comparing current server response times to historical response time baseline, so they were quickly alerted and were able to proactively begin remediation.
Here is another example, an SSL flood attack which was exhausting the SSL capacity at the server, resulting in denial of service.
We collect metrics that are very specific and hence a great indication of the type or types of attack vectors being leveraged.
For instance, plotting the overall response time along with the server response time in the first example, we can quickly say that it is an attack at the application layer.
We can also identify what attack vectors we can dismiss. For instance, in the second example, by plotting other metrics like the TCP handshake time (connect time), we can say that it isn’t a SYN flood attack.
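The baseline-versus-current alerting and the metric-by-metric reasoning from the two examples above, as an added illustration that is not Catchpoint's code: all timing samples are constructed, and the 3x-baseline threshold and the mapping from degraded component to likely layer are assumptions for the sake of the example.

```python
# Added example (not Catchpoint's code): baseline-vs-current alerting on synthetic
# monitoring samples, and a rough attack-vector classification from which timing
# component deviates. All sample data below is constructed; thresholds are assumptions.
from statistics import median

# Timing components per synthetic run, in milliseconds (constructed samples).
# connect = TCP handshake, ssl = TLS handshake, wait = time to first byte (server
# response), total = overall response time.
BASELINE = [
    {"connect": 22, "ssl": 48, "wait": 130, "total": 310},
    {"connect": 25, "ssl": 51, "wait": 142, "total": 325},
    {"connect": 21, "ssl": 47, "wait": 128, "total": 305},
    {"connect": 24, "ssl": 50, "wait": 135, "total": 318},
    {"connect": 23, "ssl": 49, "wait": 139, "total": 322},
]

FACTOR = 3.0  # assumption: a metric is "astray" when > 3x its historical median

def baseline(samples):
    """Historical median per timing component."""
    return {k: median(s[k] for s in samples) for k in samples[0]}

def deviations(current, base, factor=FACTOR):
    """Return the set of metrics exceeding factor * baseline."""
    return {k for k, v in current.items() if v > factor * base[k]}

def classify(current, base, factor=FACTOR):
    """Map the degraded component to the likely layer, mirroring the reasoning
    in the post: server response up with handshakes normal -> application layer;
    TLS handshake up with TCP handshake normal -> SSL exhaustion; TCP handshake
    up -> network level, so a SYN flood cannot be dismissed."""
    bad = deviations(current, base, factor)
    if not bad:
        return "ok", bad
    if "connect" in bad:
        return "network-layer: TCP handshake degraded, SYN flood not ruled out", bad
    if "ssl" in bad:
        return "ssl-exhaustion: TLS handshake degraded, TCP handshake normal", bad
    if "wait" in bad:
        return "application-layer: server response degraded, handshakes normal", bad
    return "unclassified: only overall time degraded", bad

# Constructed samples standing in for the two incidents described above.
LAYER7 = {"connect": 24, "ssl": 50, "wait": 2900, "total": 3100}
SSL_FLOOD = {"connect": 23, "ssl": 4100, "wait": 140, "total": 4300}

if __name__ == "__main__":
    base = baseline(BASELINE)
    for name, sample in [("layer7", LAYER7), ("ssl_flood", SSL_FLOOD)]:
        verdict, bad = classify(sample, base)
        print(name, verdict, sorted(bad))
```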
Proactive monitoring plays a crucial role in ensuring your organization is ready during a crisis. The panelists spoke about how important readiness exercises are. Katie Jenkins, Senior Vice President, Chief Information Security Officer, Liberty Mutual Insurance, mentioned that they conducted a cybersecurity crisis tabletop exercise while remote to test their readiness and decision-making capability. We discussed how your Red and Blue teams can leverage a comprehensive monitoring solution in security exercises in this blog post.
Keri Pearlson rightly quoted Professor Stuart Madnick – “There are only two kinds of organizations. Those that know they have been attacked and those that don’t YET know they have been attacked”. Leveraging synthetic monitoring can take you one step ahead in being an organization that is aware, ready and proactive.
The next episode in the MIT Sloan CIO Digital Learning Series features our CEO and Co-founder, Mehdi Daoudi. In this fireside chat, JetBlue’s Chief Digital and Technology Officer, and Mehdi will be talking about the future of the digital workplace and how employee and customer experience will drive the post-COVID digital world. Register here to attend.