PROTECT

Cybersecurity capabilities – a practical model for a stronger defense
We believe that cybersecurity is not about single products or solutions; it is about capabilities. Specifically, three core cybersecurity capabilities: PROTECT, DETECT and RESPOND. By building on and strengthening these over time, your organization can effectively reduce the risk of serious impact in the event of an attack.
PROTECT – in several layers
There is no ONE protection that will protect you from everything. Both your own environment and external threats are constantly evolving and changing. What we can do is work to significantly reduce the risks by creating a shield that can cope with the failure of one of several layers of protection. It’s about a capability more than just technology itself!
The cybersecurity capability PROTECT is about building protection that both prevents intrusion and limits damage if someone does get in. It’s the digital locking system, the fence and the regular security inspection – but also the methodical work of constantly identifying, fixing and preventing weaknesses before someone else exploits them.
Strong protection increases the opponent’s workload. At best, the attack is completely prevented. At worst, the attack is delayed long enough for the Detect cybersecurity capability to activate and alert you that something bad might be about to happen. Think of Protect as building watertight bulkheads in a ship. If one section is damaged, the whole ship will not sink.
PROTECT – as a sophisticated burglary and fire protection
Having the ability to PROTECT your IT environment is like securing your house against burglary and fire. You install sturdy locks on doors and windows, fireproof materials in walls and doors, and perhaps a safe for the most important things. You make sure that valuables are not left in plain sight and that no openings are left unlocked. You carry out regular safety checks, test smoke alarms and review the electrical system to reduce the risk of short circuits.
It’s about preventing something from happening – but also about limiting the consequences if it does. Just like a house, a strong PROTECT capability is built on prevention, barriers and clear control.


The Protect capability is probably the most comprehensive capability, largely because there are so many different technical solutions, but also because that is where all attacks start!
The ability Protect vs
How an attack often happens
Most attacks start with an attempt to gain access. This can include phishing, scanning for known vulnerabilities, outright hacking attacks, or buying credentials from the Dark Web.
If the attacker succeeds, the next step is to try to move around the environment, increase their privileges and eventually reach their goal, which is usually to steal information or otherwise extort money from you.
The PROTECT capability is about countering this at each stage:
- Before the attack – making initial access difficult
- During the intrusion – limiting the attacker’s freedom of movement
- Pre-impact – preventing sensitive resources from being accessed
What are the most common shortcomings in the ability to PROTECT?
Lack of segmentation
Large parts of the IT environment are connected without any well-thought-out division.
If someone gets in, it is very easy to move around unhindered within the environment.
This applies to both the network side and the identity side.
Unsegmented networks make it easy for an attacker to move around the environment quickly. Similarly, unsegmented identities and roles can cause the same problem.
Unfortunately, it is not uncommon to see ordinary computers, critical systems and even “IoT” devices sitting on the same network without restrictions. It is also not uncommon for people with high administrative privileges to use the same account for their daily office work (mail, surfing and other tasks) as they use when they administer, for example, permissions and/or backups.
Remote connections are based on legacy technology
Traditional VPN and remote desktop solutions that lack modern protection features are still used.
Attacks on remote connections are today a very common starting point for a major attack. Modern solutions are needed for connections that work regardless of the user’s location and that understand what the user is trying to connect to.
Missing or outdated patches
Poor patch management or an overly lengthy update process means that security updates are completely missing or take too long to get in place.
Known vulnerabilities in unpatched systems can then be easily exploited by attackers to get into the environment.
Today, the risk and thus the cost of being attacked because you have not had time to update security flaws is often greater than the risk of problems when an update is rolled out.
System overview missing
It is not known exactly which systems and functions are actually active in the IT environment. “Shadow IT”, i.e. IT systems and services purchased directly by the business, is very common today. All too often, this leads to systems not being properly updated or protected in a good and controlled way.
Thus, known vulnerabilities in these systems or in other unpatched systems can be easily exploited by attackers to gain access to the environment.
All according to the old motto – “What you don’t know, you can’t protect”.
Incorrect permissions
Users and systems have too much access and no distinction is made between role and person. A person who has the highest level of access to the environment or various systems often uses the same account for day-to-day work as for administering the environment/systems. If an attacker can access that account, they can quickly take over the entire environment.
Leaked login details and lack of secure “MFA”
One of the most common ways for attackers to get into an environment today is to use valid accounts and passwords. That is, the attacker logs in with a valid and correct account.
Cracking passwords and obtaining login credentials is now both easy and common, usually through phishing. With the help of AI, these phishing methods are becoming more and more effective and increasingly difficult to identify, even for trained eyes.
MFA, i.e. Multi-Factor Authentication in the form of one-time codes or similar protection functions, is today a must for all organizations and all users. Moreover, by combining various smart rules and conditions, it can be made a painless experience for the users.
But MFA is not the whole answer. We are already seeing new advanced methods where attackers manage to get past traditional MFA solutions. Soon, “phishing-proof” MFA solutions will probably be the norm, with concepts and technologies such as Passwordless and Passkeys becoming standard.
Another way to strengthen protection against this threat is to continuously educate and talk to users about what the threat actually looks like and how phishing works. Here it is also important to create a culture where people actually dare to question and report things that seem suspicious, while at the same time not putting the blame on users in cases where they still happened to click on something crazy.
Publicly exposed resources without adequate protection
Older systems that were not built for today’s threat landscape are still used for external functions. Without protection that “encapsulates” and adds an extra layer of security, these systems are often completely open to attack.

How we strengthen your PROTECT capabilities:
Some of the key building blocks we help put in place are:
- Network and Firewall Architecture – Build an intelligent defense where different parts work together to protect the whole environment.
- Segmentation and barriers – Limit the possibility to move within the network, especially between sensitive zones.
- Vulnerability Scanning and Security Validation – Identify and fix known weaknesses in systems, applications and configurations before the attacker does. Don’t just look for your vulnerabilities; also test that your protections (and configurations) actually work as you intended. We call it Security Validation, where automated pentests are an effective tool. Identify the vulnerabilities and validate the protection. Continuously!
- Visibility – Make sure you can see everything that happens in your environment at all times, so that you know both the extent of your environment and what is happening in it. Do you really know which systems are publicly exposed, and do you know which cloud services are connected to your environment? Overview and logging!
- Identity management and strong authentication – Ensure that the right people have the right access, and no one else. MFA is essential today and there are many effective ways to ensure that corporate identities are not used for the wrong purpose.
- User training – Effective systems for ongoing training and education of users in the form of nano-training are known to be successful and create both a tight general security awareness and a clearer security culture.