How organisations can play – and win – cybersecurity’s midgame

By ExtraHop

Most cybersecurity efforts are focused on preventative technologies, but a cybersecurity strategy goes beyond prevention. GovInsider speaks to Chris Thomas, Senior Security Advisor, ExtraHop, to understand how cybersecurity professionals can secure their systems comprehensively with extended detection and response (XDR).

Cybersecurity teams need to plan for the midgame even while investing in preventative measures. Image: Canva

When Russian chessmaster Eugène Znosko-Borovsky first wrote “The Middle Game in Chess” in 1938, he was shocked to find out that countless books had been written about how to open and close a game of chess – but few on the topic of the midgame. But he believed it was the midgame which contained the most possibilities for success and failure. 

Today, organisations spend most of their cybersecurity budget on preventative measures such as firewalls and antivirus software, but they also need to have a detection and response plan in place, says Chris Thomas, Senior Security Advisor at ExtraHop, a leading provider of AI-based network intelligence solutions. 

Thomas shares how organisations can successfully implement an extended detection and response (XDR) strategy, which combines endpoint detection and response (EDR), network detection and response (NDR), as well as traditional security information and event management tools (SIEM), to manage risks as digital environments get more complex. 

Plan with the midgame in mind 

First, it is important to plan for the midgame – that is, cybersecurity teams should account for what happens when threats breach preventive measures and infiltrate systems, says Thomas. 

“No matter how much money is spent trying to prevent the attacks, the attacks may still eventually happen. If malicious actors are motivated and they’ve been given a task to break into an organisation, they’re probably going to find a way,” says Thomas.  

For example, the Russia-linked Cl0p ransomware syndicate exploited the MOVEit vulnerability to gain access to the records of over 15 million people, reported Bloomberg.  

By exploiting the file transfer software’s vulnerability, the gang compromised data held by U.S. federal government agencies, tech companies, and even cybersecurity enterprises.

NDR tools can support organisations in detecting such breaches and disrupting these activities so they can see more, know more, and stop more cyberattacks, says Thomas. 

“Once an attack starts and the first systems get compromised, that’s just the beginning. Having network visibility gives us the best chance to detect attack behaviours because the attacker has to go on the network to carry out their attacks,” he explains.  

When a new device appears on the network and transmits sensitive information, NDR tools can flag such suspicious activities to cybersecurity personnel.  

For example, the Reveal(x) 360 platform from ExtraHop can detect unusual activity across hybrid, multicloud, containerised and IoT environments. Then, it can automate and accelerate threat hunting to stop malicious activity in its tracks.  

And artificial intelligence is helping cybersecurity professionals play the midgame better, says Thomas.  

Machine learning helps network detection and response tools become more adept at understanding transactions across complex systems. This means that false positives are becoming rarer and rarer. Cybersecurity professionals are more likely to act, and to act fast, when they know that alerts can be trusted, he says. 

Ensure comprehensive oversight across systems 

Next, it is important to ensure cybersecurity teams have comprehensive oversight across systems.  

This can be done through implementing oversight over security logs with SIEM systems, activity on individual devices with EDR, and network monitoring with NDR tools – the visibility triad. 

“One of the definitions of XDR is combining the insights and visibility from all these different sources,” says Thomas. Each of these tools has strengths and weaknesses. Using them in tandem can help cybersecurity teams cover all bases. 

For instance, endpoint visibility can help teams detect suspicious activity on individual devices and cut off that device’s activity from the rest of the network. But not every appliance may be visible – legacy systems or third-party devices may remain unmonitored and vulnerable. 

Most recently, hackers have begun developing tools that can disable EDR tools and leave devices vulnerable to attacks, reported Bloomberg.  

This is why endpoint detection tools can be most valuable when paired with network detection tools. ExtraHop has partnered with CrowdStrike, an endpoint security provider, to provide complementary coverage for both managed and unmanaged endpoints. 
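The two points made above, that NDR can flag a device which newly appears on the network and starts sending data out, and that endpoint coverage leaves gaps for unmanaged devices that only network visibility can fill, can be illustrated with a small correlation check. The code below is an added example written for this article; it is not ExtraHop, Reveal(x) or CrowdStrike code. The flow records, the device inventory, the list of EDR-managed hosts, the internal address ranges and the egress threshold are all constructed for the illustration.

```python
"""
Added example (not ExtraHop's, Reveal(x)'s or CrowdStrike's code).

Correlates three constructed visibility sources:
  - network flow records (what an NDR sensor would see),
  - an asset inventory of known devices,
  - the set of hosts that report in to an EDR agent.
A host is reported when it pushes more than a threshold of bytes to external
addresses; the reasons attached to it say whether it is also new to the
network and/or has no endpoint agent (an unmanaged endpoint).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address ranges for the constructed environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One summarised network flow as a sensor might export it (constructed shape)."""
    src: str
    dst: str
    dst_port: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarise_outbound(flows):
    """Total bytes each internal host sent to non-internal destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)


def classify_hosts(flows, known_devices, edr_managed, threshold_bytes):
    """
    Return {host: [reasons]} for hosts whose external egress exceeds the
    threshold. Each reason records which visibility source contributed it,
    so an analyst can see at a glance why the host was surfaced.
    """
    findings = {}
    for host, total in summarise_outbound(flows).items():
        if total < threshold_bytes:
            continue
        reasons = [f"external egress {total} bytes"]
        if host not in known_devices:
            reasons.append("new device (not in inventory)")
        if host not in edr_managed:
            reasons.append("no EDR agent (unmanaged endpoint)")
        findings[host] = reasons
    return findings


# Constructed sample data: a managed workstation with modest browsing traffic
# and a large internal file copy, a brand-new unmanaged host sending a lot of
# data out, and a known legacy device with no agent doing the same over SSH.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 443, 120_000),
    Flow("10.0.1.5", "10.0.2.7", 445, 2_000_000),      # internal, not counted
    Flow("10.0.9.42", "198.51.100.7", 443, 400_000),
    Flow("10.0.9.42", "198.51.100.7", 443, 350_000),
    Flow("192.168.1.20", "203.0.113.99", 22, 600_000),
]
KNOWN_DEVICES = {"10.0.1.5", "10.0.2.7", "192.168.1.20"}  # asset inventory (constructed)
EDR_MANAGED = {"10.0.1.5", "10.0.2.7"}                     # hosts with an agent (constructed)
EGRESS_THRESHOLD = 500_000                                 # bytes; constructed tuning value


def run_example():
    return classify_hosts(SAMPLE_FLOWS, KNOWN_DEVICES, EDR_MANAGED, EGRESS_THRESHOLD)


if __name__ == "__main__":
    for host, reasons in run_example().items():
        print(host, "->", "; ".join(reasons))
```

The managed workstation never appears because its external traffic stays under the threshold and its big transfer is internal. The other two hosts surface for the same network reason, but the attached reasons differ: one is both new and unmanaged, the other is a known device that simply has no agent. That distinction is the practical value of pairing NDR with EDR: the network sees every host, and the endpoint inventory tells you which of those hosts you could also act on directly.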

Some companies view an XDR strategy as providing one integrated solution, explains Thomas, whereas companies like ExtraHop have adopted a partnerships approach. 

“The tradeoff to the single platform approach is that none of the components are probably the best in breed for what they do. You have to compromise for a jack of all trades, master of none approach,” says Thomas. For complex organisations, working with partner organisations that cover all bases may be more suitable. 

Know thy enemy 

Finally, a successful XDR strategy requires cybersecurity professionals to thoroughly understand how malicious actors operate. Then, security teams can mobilise their systems to address threats strategically, he explains. 

“Like the midgame in chess, professionals have to consider what the attacker has to do once they’ve breached the systems to carry out their mission,” he explains. 

“What’s their endgame? What’s their actual mission? Is it extortion? Espionage?” he asks. 

One resource that teams can draw on to know their enemy better is The DFIR Report, a website that catalogues different attack strategies, from privilege escalation to insider attacks, he shares.  

Once teams understand the mindset of their attackers, they can use comprehensive visibility to detect the different stages of a malicious action, map out what threat actors are trying to do, and stop attackers in their tracks.