Companies across all industries are increasing their cybersecurity maturity across people, process and technology aspects, but are also increasingly looking at how best to respond in the event of an attack or breach.

A growing part of effective response to cyberthreats is the use of automated detection to identify potential vulnerabilities, monitor networks and identify malicious traffic. Coupled with this is the increasing use of automated responses to react quickly to attacks and manage the actions taken across an enterprise’s network to mitigate and stop the attack, various cybersecurity experts told Engineering News & Mining Weekly.

Cybersecurity solutions company Fortinet South Africa regional director Doros Hadjizenonos said that artificial intelligence (AI) is built into the company’s solutions and its detection technology uses AI to find patterns and anomalous behaviour.

Similarly, machine learning (ML) and AI systems are deployed to perform event correlation across millions of logs to isolate unique events and allow a security operations team to focus on those.

“An important part is being able to respond automatically such that, once one attack has been blocked, protection measures are implemented across the environment to automatically prevent similar attacks,” he said.

These scripted responses reduce the load on scarce resources, including cybersecurity specialists, to focus on critical events.

In general, the cybersecurity threat landscape is wide and varied, and dependent on the organisation in question. There are no borders to cybercrime and South Africa ranks as the 82nd most attacked country in the world, said cybersecurity company Kaspersky Middle East and Africa technology expert and consultant Brandon Muller.

Some of the main cybersecurity threats facing South African companies include phishing attacks, ransomware, data breaches and insider threats.

However, there has been an exponential increase over the past years in attacks on Internet of Things (IoT) devices, as their use increased.

“IoT devices are everywhere, including in our homes and businesses, as well as in smart cities and smart cars. Kaspersky detected more than 220 000 attacks against IoT devices in South Africa during 2022,” he highlighted.

Trusted Defence

The cyberattack surface of companies has increased in proportion to the increased use of information technology (IT) devices, and the use of zero-trust frameworks can help to reduce the risks from the increased attack surface, said Muller.

“Zero trust focuses on verifying and validating every user, device and transaction. This makes it much more difficult for attackers to gain unauthorised access or to successfully navigate the network if they have breached it already.

“Smaller organisations tend to have much flatter network architectures and a breach could allow cyber attackers to move laterally with relative ease. Zero trust limits user privilege. This means that, even if a person were to fall victim to a phishing attack, the potential damage that the cyber attacker can do is limited.

“A zero-trust model will significantly increase smaller organisations’ capabilities of staving off attacks,” he emphasised.

Additionally, zero trust extends beyond the borders of an organisation to include the organisation’s supply chain partners, which is implemented to ensure strict enforcement of cybersecurity measures so that the overall risk is reduced.

Fortinet’s global 2023 State of Zero Trust report showed that organisations of all sizes are working to implement zero-trust strategies, with 66% of companies deploying more solutions as part of their zero-trust strategies. Companies are working to enable zero trust everywhere to minimise the impacts of a breach, said Hadjizenonos.

However, although companies are moving forward, they highlighted that end-to-end policy enforcement, application latency, and a lack of reliable information to select and design a zero-trust solution remain challenges, he noted.

Right Sized

Further, while larger enterprises have more resources to follow cybersecurity standards frameworks, such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, not all organisations can follow such standards, said IT and networking company Cisco technical solutions architect Greg Griessel.

“Cybersecurity best practices that are suitable for a company’s size, cybersecurity maturity level and risk profile can help organisations of any size to raise their cyber resilience,” he said.

”For smaller organisations, making sure to do the basic practices right, deploying multifactor authentication and having a cybersecurity roadmap and response strategy in place can significantly help them not only to know their environment and risks, but also to know how to respond if and when they are attacked.

“Larger enterprises, meanwhile, are moving towards extended detection and response (XDR) solutions, which is a trend we are seeing in a lot of discussions with clients.”

XDR leverages network detection and response, and the network is one area in which malicious traffic can be detected and actions to respond to and mitigate attacks can be taken on the network itself, he said.

“This monitoring would include anything that touches the network, such as hybrid workers in offices and homes, software-as-a- service systems, in-house or third-party applications and the Internet. This information is then used as telemetry to establish a baseline. Organisations can use this to understand their environments and then normalise this information to look for deviations from normal traffic.”

Cisco is also seeing a trend towards automation, using ML and AI, in the detection space to ingest the normalised data and make sense of the large volumes of data.

“However, it is on the response side where we are seeing interesting trends, including the move towards automating response actions in the IT security operations centre (SOC),” Griessel highlighted.

Automation is being used in SOCs to perform routine processes and to clean up the baseline XDR feeds to minimise work for security engineers and free them up to focus on the most critical threats.

Security engineers also use automation and ML-powered tools to augment the information they have when dealing with advanced threats to help them understand what the threat is and how it attacks, he added.

Secure People

Individuals responsible for cybersecurity, whether IT personnel in small companies who have broad responsibilities or cybersecurity specialists in larger organisations, must build an understanding of ML systems, emphasised cybersecurity company Trellix South Africa country lead Carlo Bolzonello.

“It is not necessary for the individual to be able to build ML models, but learning how to use such systems and tweak them to fit the organisation’s environment is important.

“An organisation always retains responsibility for cybersecurity. Therefore, each organisation will have to determine its sweet spot for how much it wants to do in-house and how much and how it will rely on consulting or services.

“Once this is determined, they will have to look at suitable tools to deploy to fulfil their cybersecurity strategy. These tools should be adapted to suit the organisation’s operations and must be adaptable to grow as new systems are added,” he said.

Further, cybersecurity skills are in short supply worldwide and people with these skills are in high demand. Small and medium- sized enterprises do not always have the capacity or resources to do security assessments or deploy cybersecurity protocols and standards, such as NIST, said IT services company iOCO Infrastructure Services cybersecurity business development executive Loren Hollingworth.

Cybersecurity consulting and services allow smaller organisations to leverage enterprise-grade tools and skills to develop and deploy a cybersecurity programme that is based on an understanding of their environment, risk factors in the business and their maturity, she said.

“We take a consultative and engaged approach to cybersecurity service provision. This is essential to ensure that the service provider understands the nuances of the client’s industry and the customers environment, such as operational technology networks in industrial companies,” she said.

Further, constant engagement is not only necessary to ensure that actions are taken by the organisations and service providers when an attack happens or a breach is detected, but also to ensure that organisations retain agency over and responsibility for their cybersecurity, she noted.

“This assessment of risks, deploying processes and technology to mitigate them and then building a feedback loop to ensure that the organisation progresses in its cybersecurity roadmap are important elements of building cyber resilience in organisations,” she said.

Security is foundational for almost anything organisations do in the world today, emphasised Bolzonello.

For example, a company had started to develop a cloud-based application that was needed by a certain date, but only brought in its cybersecurity personnel later during the project. The cybersecurity team highlighted that there was a high risk of something going wrong, but the decision was made to deploy. The system was breached within a week.

“Cybersecurity awareness is something that can help companies and which they do not need to buy. We have seen a small specialist technical company that is involved in multimillion-rand projects being attacked. While it may have to leverage external support to mitigate its risks, cybersecurity has now become part of the team’s daily technical discussions in addition to other operational topics,” he illustrated.

Griessel concurred and said that cybersecurity should be part of an organisation’s culture.

“In certain industries, such as ours, cybersecurity awareness would be a baseline requirement of employees. But, while employees in the manufacturing or office space may not necessarily think about cybersecurity, they also have a role to play.

“This awareness stretches into our personal lives as well, as our daily lives become increasingly reliant on digital systems. Companies can have cybersecurity awareness drives or awareness days to highlight some of the risks that people and organisations face and best practices with which to respond to and thrive in the changing world,” he advised.