How to build one of the world’s largest Threat Intel Repositories
Date: 14 July 2020
There is a vast array of threat intelligence data out there and a variety of platforms that help businesses collect such insights. But is this data contextual, consumable, instructive and most importantly, actionable?
In this blog, we discuss:
1. Attributes of quality Threat Intel
2. Some interesting facts about Mimecast Intelligence
3. Importance of Email Security
4. The need to move from perimeter to pervasive security
How to stay ahead of the threat intelligence curve and work with the information that is generated: this theme formed the crux of the recent webinar by Mimecast and Cyber Management Alliance. The webinar was hosted on June 25, 2020 on Cyber Management Alliance’s BrightTALK channel. In it, Anoop Das, Business Development Manager, Mimecast, and Amar Singh, CEO and Founder, Cyber Management Alliance, discussed the most effective ways in which businesses can be supported in their journeys towards achieving cyber resilience and bolstering their email security defences.
Entitled ‘How to Build & Maintain one of the World's Largest Threat Intel Repositories’, the insightful webinar focussed on the importance of threat intel, especially in the post-pandemic world we’re living in currently and also on how Mimecast built one of the world’s largest treasure troves of threat intelligence data.
Effective Threat Intel
Putting the importance of actionable insights into context, Anoop started the discussion by drawing a parallel between the COVID-19 information onslaught on all of us and the overwhelming amount of threat data businesses receive all the time. While the information is available, the key question in both cases is whether there is any practical use of the volumes of data and if it can be put to good use at all.
Much like the health crisis-related information, data on business risks and cyber threats has to be presented in a manner that is usable in times of a crisis. And that’s precisely what Mimecast assists businesses in achieving.
Anoop brought up the examples of Cognizant and Honda (who have recently been victims of cyber-attacks) to explain this analogy better. There’s no doubt that these brands have implemented next-generation technologies in their businesses, but they were still not spared. Amar and Anoop mulled over whether, perhaps, the information available to them wasn’t suitably packaged for an actual moment of crisis. The questions that one normally gets entangled in are “Who are the adversaries? Are they state actors? Who are their sponsors?”
The two experts on the webinar concurred that these are all ineffective questions.
A cybersecurity team doesn’t need answers to these questions when they’re dealing with an actual attack. They need to know the capabilities of the adversaries, their modus operandi, the infrastructure at their disposal and what verticals and geographies they are trying to attack.
These are the kind of questions that Mimecast Intelligence aims to offer answers to. The specialised department leverages the expertise of engineers and forensics experts who continuously monitor the threat landscape to deliver effective and usable data. They also do a lot of predictive analysis and provide accurate recommendations to clients on how to mitigate risks and augment cybersecurity within their organisations.
Mimecast Intelligence Statistics
Here are some more interesting revelations about the work that Mimecast Intelligence does:
- Mimecast delivers 655 million emails a day and has 386 billion emails under management.
- It has one of the largest repositories of data in the world with 16 data centres globally based on grid computing architecture.
- It enables clients to track their own performance over time and benchmark against peers.
- More than half of Mimecast’s global customers have chosen to use its services on top of a hosted Exchange environment within Office/Microsoft 365.
Advanced Email Security
Coming back to email security and the necessity to ramp up defences, Anoop highlighted that 94% of attacks originate through emails. Email is the most commonly used mode of business communication today. One can also check email via email search tools. Yet, it’s one of the weakest links that hackers exploit to enter any business environment. More than 90% of these email attacks are triggered by human error.
So, what can an enterprise do in such a scenario?
Mimecast Intelligence’s tool has the ability to stop these email attacks right at the gateway. Mimecast has 24x7 monitoring at the global SOC centres. If anything suspicious is detected in the email or web for any of the 38,000 customers, a security policy is updated for every Mimecast customer across the globe.
Further, Mimecast Intelligence works with its clients in improving awareness and human responses. They regularly conduct psychological analysis to identify what motivates humans to click on malicious emails and the duration it takes them to click on them.
To explain the importance of email security during the pandemic, Mimecast produced a ‘100 Days of Coronavirus’ report, which saw the monthly volume of all detection categories increase significantly, by 33%, between January and the end of March 2020 (Mimecast’s ‘100 Days of Coronavirus’ report). They also discovered that there was a 26% increase in spam. Detection rates in the MENA region were 25 million across all verticals. Healthcare providers faced a growing volume of ransomware attacks and lots of COVID-themed phishing emails surfaced.
Criminals are clearly rubbing their hands in glee during a time like the pandemic because they know that their success rates are going to be high. As a lot of people are working from home, it’s the perfect opportunity for hackers to get into users’ systems very easily. Further, due to the psychological stress that comes with the pandemic, there has been a natural spike in human error. SMShing and Vishing are also becoming extremely common, as are spoof websites. During the pandemic itself, nearly 100,000 COVID-related spoof websites sprouted up across the globe.
The challenge is this – how does one prevent oneself from falling prey to such evolved and emerging threats? All of this can be mitigated to a large extent by improving awareness across the organisation. Hackers and threat actors today are so experienced and evolved in spoofing, impersonation and credential harvesting that they track the victim’s activity, communication style and online persona to spoof the third parties the victim may be communicating with most (suppliers, partners and vendors). By spoofing them, they land an attack on the victim, and such attacks need to be stopped outside the business perimeter.
What’s the solution?
Mimecast supports enterprises in preventing attacks at their perimeter, inside the organisation and eventually beyond the perimeter. It is able to keep hackers busy with deception techniques while offering visibility to clients about whether a site is suspicious or not. Additionally, at the click of a button the client is able to take the website down. The differentiator for Mimecast is the time it takes to take down the spoofed domain. For something that can generally take 8-10 days, Mimecast takes only a few hours, and that makes all the difference in case of a real business crisis.
Anoop concluded the webinar by showing the audience what the Mimecast framework really looks like and what services Mimecast clients can look forward to.
Here’s a quick snapshot:
- There is an ecosystem of APIs and Threat Intelligence that is shared across solutions.
- Clients get a detailed dashboard with a lot of data on how to get ahead of risks and prevent breaches.
- They get a consolidated view of the threats for which they need to take action.
- Information is given as actionable recommendations, customized for each client.
- Each client is given a SAFE Score which builds out user risk, attacks, configurations. Mimecast collects data from each of these nodes and gives them weightage. This helps the security team make the management understand what the threat score is, what the requirements are and what improvements are being made.
- Individual risk scores are also given. So, if a particular user is more vulnerable then IT has the authority to tighten the security policy for that user.
- A graphic view of detection and global trends.
- Threat Remediation: Malicious emails are removed/rectified after delivery and the admin is notified.
This educational webinar successfully illustrated one main point – when it comes to beating cyber criminals, threat intelligence is the most effective weapon in any CISO’s arsenal. However, this threat intel has to be properly sourced, has to be collected through a source that has a large footprint and it has to be credible. Above all of this, it has to be properly contextualized and delivered in a format that is easily consumable. Email security forms a large part of all the threat intelligence that is generated today and with a solid mix of awareness and the right kind of intel, it is indeed possible for businesses to protect their email environments and stop even the most sophisticated criminals in their tracks.
Founded in 2015 and headquartered in London, UK, Cyber Management Alliance Ltd. is a recognised independent world leader in Cyber Incident & Crisis Management consultancy and training. The organisation is renowned globally as the creator of the flagship Cyber Incident Planning and Response course, certified by the UK Government’s National Cyber Security Centre.
Cyber Management Alliance has serviced over 300 enterprise clients in multiple verticals including government, banking, finance, IT, consultancies, healthcare, oil & gas and retail across 38 countries. It has carved a niche by assessing, building and improving its clients’ Cyber Incident & Crisis Management capabilities through training, tabletop exercises, health checks and audits. Today, Cyber Management Alliance has a global and diverse network of over 80,000 cyber executives and practitioners worldwide.