Following reports speculating about insider involvement in last month's cyber-attacks on Saudi Arabia's national oil company, Darren Anstee, Solutions Architect Team Lead at Arbor Networks, has the following comments:
“The Saudi Aramco attack demonstrates why enterprises need network-wide situational awareness to protect themselves from today’s complex security threats.
“Organisations need to monitor the traffic on their networks, and associate that traffic with user identities, so that they can establish a baseline of who uses which systems, when and how often. With this kind of information organisations can monitor the health of their critical business applications, monitor user activities against acceptable use policy and detect malicious insider behaviours and compromised devices before a security breach occurs. Solutions that can track the network conversations made by each network user can be used to harden and segment networks, to proactively prevent unauthorized access to confidential information and prevent known, unknown and zero-day attack vectors from getting a foothold.
“In this particular case a solution of this type may have allowed Saudi Aramco to detect unusual traffic patterns, unusual user access to systems, data exfiltration or other network behaviours which might have been indicative of the virus as it spread – allowing them to react more quickly and minimise the impact of the incident.”