
Cybersecurity Risks Nobody is Prepared For


employees to bypass the gates. These attacks aren't visible to typical security technologies because they look like normal activities. However, there are techniques, similar to the multi-factor authentication used to protect against fraudulent logins, that could be used to detect social engineering attacks. For example, process changes could require multiple approvals for certain actions. Similarly, code could be written to defer credential changes until they are authorized by a separate function.

A good first step would be to audit key processes to determine which ones are protected solely by company policies. Some of those policies should probably be candidates for additional protections.

This would reduce the social engineering attack surface, but thwarting an attack in progress requires monitoring at a different level. A common practice today is to correlate and monitor logs across a spectrum of security technologies such as firewalls, endpoint detection and response (EDR), etc. To detect social engineering, monitoring could be done across applications to detect atypical process executions. For example, if account credentials are typically issued for new hires or promotions, alerts could be fired when the usual HR platform records aren't set up before a new credential request. Businesses could start making cross-checks on credential updates as well.
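The two controls sketched above (deferring credential changes until a separate function authorizes them, and cross-checking credential requests against HR records) can be expressed as a small batch check over identity and HR logs. The following is an added example, not code from the article; the event layout, field names and the 14-day HR window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the article): HR onboarding/promotion
# events and credential (re)issue requests as they might be collected from logs.
HR_EVENTS = [
    {"user": "jdoe",   "action": "new_hire",  "ts": "2024-03-01T09:00:00"},
    {"user": "asmith", "action": "promotion", "ts": "2024-03-04T10:30:00"},
]

CREDENTIAL_REQUESTS = [
    # Normal: HR record exists two days earlier, approved by a second person.
    {"id": "R1", "user": "jdoe", "requested_by": "helpdesk1",
     "approved_by": "idm_lead", "ts": "2024-03-03T11:00:00"},
    # No HR record at all: the shape of a reset talked out of a helpdesk.
    {"id": "R2", "user": "cfoadmin", "requested_by": "helpdesk2",
     "approved_by": "idm_lead", "ts": "2024-03-05T15:20:00"},
    # HR record exists, but the requester approved their own change.
    {"id": "R3", "user": "asmith", "requested_by": "helpdesk1",
     "approved_by": "helpdesk1", "ts": "2024-03-05T16:00:00"},
]

HR_WINDOW = timedelta(days=14)  # assumed: how far back a justifying HR record may sit


def has_recent_hr_record(user, at_iso, hr_events, window=HR_WINDOW):
    """True if HR logged a hire/promotion for `user` within `window` before `at_iso`."""
    at = datetime.fromisoformat(at_iso)
    return any(
        e["user"] == user and at - window <= datetime.fromisoformat(e["ts"]) <= at
        for e in hr_events
    )


def flag_credential_requests(cred_requests, hr_events, window=HR_WINDOW):
    """Return [(request_id, reason), ...] for requests failing either cross-check.

    'no_hr_record'           -> no HR event justifies the credential change
    'not_separately_approved' -> requester and approver are the same identity
    Flagged requests are meant to be held for review, not silently rejected."""
    findings = []
    for r in cred_requests:
        if not has_recent_hr_record(r["user"], r["ts"], hr_events, window):
            findings.append((r["id"], "no_hr_record"))
        if r["requested_by"] == r["approved_by"]:
            findings.append((r["id"], "not_separately_approved"))
    return findings


if __name__ == "__main__":
    for rid, reason in flag_credential_requests(CREDENTIAL_REQUESTS, HR_EVENTS):
        print(f"hold credential request {rid}: {reason}")
```

Running it holds R2 (no HR record) and R3 (self-approved) while R1 passes; the same two checks could run per application rather than in a central log store, as the following paragraphs argue.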

In these examples, the attacks became more expensive the longer they remained undetected. Monitoring technologies that ingest logs into a central system and then correlate them for anomalies introduce latency in order to spot patterns. Social engineering introduces latency of its own, because those attacks tend not to look abnormal until much damage has occurred. This gives rise to the need for low-latency solutions that can correct issues before they have a chance to spread their infection, extract more data, and increase expense.

Non-centralized solutions can reduce the latency issue. One implementation may have specialized monitoring resident on endpoints, servers, clouds, applications, etc., that would not only alert more quickly but could have remediation capacity as well. For example, routines could be set up to block a user, restore from backup, or take any number of actions instead of just alerting. Many businesses are cautious about automating remediation because they are concerned about unforeseen consequences, but small changes can be a life saver in certain situations.

In many of the examples above, the attackers were able to install malware after breaking through the first level(s) of defenses. While malware varies, the intent could be to extract information, spread infection, create damage, or perform any number of harmful exploits. There are technologies today that can detect some of these situations and give network defenders a chance to remediate. Since the amount of damage increases with the amount of time the malware operates, automated remediation should be considered; some situations may be good candidates to automate.

Finally, the attackers are continuing to innovate, and situations like AT&T’s recent attack are not uncommon. Much time has passed, and yet the existing technology and practices in place are still struggling to figure out what happened. State-of-the-art technologies sifting through huge data lakes of logs to find anomalies may struggle to see these zero-day attacks because there may not be signatures yet for identification, or the attacks may be lost in too large a sea of data. Smaller algorithms running closer to attack entry points might be more helpful, since there would be less data to sift through, making anomalies quicker to spot. These algorithms could also be permissioned to take defensive actions, alert more quickly, and provide faster, more tailored responses than a more centralized approach.

Conclusion

Businesses are allotting more and more of their budgets to cybersecurity. Yet, in spite of greater investments being made in security, attackers are still getting in, leveraging vulnerabilities, and innovating new approaches. Most executives fear that, while they’re doing all they can, they will inevitably fall victim to an attack. The fact that attacks on large enterprises such as AT&T, MGM, and Microsoft Azure have been in the press makes those bumps in the night all the more concerning to executives.

As attacks continue to evolve, it is increasingly important for organizations to examine their processes to determine where they are vulnerable to social engineering. It is also important to diversify and automate defenses, and to not only leverage today’s centralized monitoring solutions, but to also add non-centralized monitoring.
