Early Warning Service (EWS) uses publicly available data to provide customers with information on active threats and vulnerable services in their networks. Arctic Security has now completed a six-month evaluation of the usefulness and effectiveness of Arctic EWS cybersecurity notifications among private higher education colleges, and we were recently able to present the results as a case study.
In 2020, the coronavirus pandemic caused one of the largest and most abrupt shifts in operations that the colleges have ever experienced. It was particularly interesting to see that the Arctic EWS study could be executed without affecting the participating colleges' ability to move towards distance learning, and that it could be completed without adverse effects on the college IT teams. It is a testament to the low operational overhead, practicality and convenience of Arctic EWS.
The study results support the notion that you can't fix what you can't see. Arctic EWS's continuous monitoring and notification service helped to find issues that staff might never have noticed on their own. Some issues, such as accidentally misconfigured firewalls or external scanning originating from the college's own network, are difficult to notice without an external perspective. Service configuration mistakes usually go undiscovered as long as the service works as intended, even though they create opportunities for attackers that are invisible from the inside. Arctic EWS informed the colleges of these externally visible problems so that they could fix them promptly.
While we might want to prevent malware infections with existing security measures such as antivirus or anti-malware solutions, cyber criminals are unfortunately good at adapting to such common measures. No existing security product or service can catch all of them, and we see this in the more than four million unique malware infections observed globally each and every month. Some of those observations were in fact matched to the colleges participating in this study; Arctic Security reported them and the colleges remediated them.
The benefits of EWS
For the cybersecurity issues tracked by Arctic EWS, the average time-to-fix plummeted from 81 days at the beginning of the study to only 1.3 days. The key takeaway from this observation is that vulnerable services and malware infections can pass through several stages, each posing a different level of risk to an organization, so swift notification and action are necessary to prevent serious problems. The initial malware foothold or breach of a service may be mostly innocuous, automated activity, but access to that system can then be sold to another actor who uses it for cryptocurrency mining, turning your resources and energy into someone else's profit. A third criminal that acquires access to the system may be an extortion gang with the additional capabilities to hold the organization to ransom.
In security monitoring systems, one of the most commonly cited problems is alert fatigue. This means that there are too many false positives in relation to actual incidents, causing staff either to spend an inordinate amount of time keeping their organization secure or to tune out most of the alerts and just go about their business. With a reporting accuracy of 98%, the findings of this study showed that there were very few false positives, and that it is indeed possible to improve security without adding significantly to the workload of IT staff.
All participants in this study found the notifications useful and concluded that Arctic EWS had improved their security posture. They found the notifications to be accurate, and receiving them inspired a new daily routine of checking for security-related issues using both the notifications and internal monitoring capabilities. While it wasn't what we expected when starting this study, several participants highlighted the peace of mind gained from having an additional security monitoring service in place. Knowing that someone else is also looking after your network and catching issues, it seems, makes you more confident in your security posture.
This study was conducted as a collaborative project with five member colleges of the Independent College Enterprise consortium in the USA. We wanted a rigorous study with unambiguous results, so we chose 25 colleges for the control group, making sure that they were similar in size and from the same region. The participating colleges received real-time notifications from Arctic EWS on observed threats for a period of 21 weeks, starting in May 2020. The notifications delivered information about compromised systems and vulnerable services on an institution-by-institution basis.
The colleges kept their systems updated and had patching schedules in place, so they resembled a typical institution of their size and type that takes good care of its IT infrastructure. One common thread for all participants was the strict constraint on the size of their IT staff. Those staff consistently need to achieve more with fewer resources, and any additional resources for IT would have to come from elsewhere in the organization. The results of the study revealed that some issues do fall through the cracks, even when you work to the best of your ability.
In the end, the study made full use of Arctic EWS: its scope included the networks used by employees, enterprise services and students. Some participants even shared information about their cloud infrastructure assets, which were tracked in the same way. We also monitored each college's .edu domain in case any of their hostnames appeared in known malicious URLs or phishing campaigns.
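To make the domain monitoring concrete, the following is an added example written for this page; it is not Arctic EWS code and says nothing about how Arctic Security implements its service. It takes a list of monitored apex domains and a feed of known-malicious URLs (both constructed sample data here) and reports every URL whose hostname is a monitored domain or one of its subdomains. The matching is done on label boundaries so that a lookalike such as `notexamplecollege.edu`, or a phishing host that merely embeds the brand as an inner label, is not reported as a compromised college asset.

```python
"""Added example: match a malicious-URL feed against monitored apex domains.

This is illustrative code written for this article, not Arctic EWS code.
MONITORED_DOMAINS and SAMPLE_FEED are constructed sample data.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample: apex domains an institution asked to have watched.
MONITORED_DOMAINS: Set[str] = {"examplecollege.edu", "sample-university.edu"}

# Constructed sample feed of known-malicious / phishing URLs, one per line.
# Line 2 embeds the college's name as an inner label (a lookalike, not an
# asset of the college); line 3 is a different domain that merely ends with
# the same characters; the last line is not a URL at all.
SAMPLE_FEED = """\
http://portal.examplecollege.edu/login/verify.php
https://examplecollege.edu.evil-host.example/office365
https://notexamplecollege.edu/index.html
http://mail.sample-university.edu:8080/owa/auth
ftp://unrelated.example/drop
not a url at all
"""


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL (port stripped), or None."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:  # e.g. malformed IPv6 literal in the netloc
        return None
    return host.lower().rstrip(".") if host else None


def matching_domain(host: str, monitored: Set[str]) -> Optional[str]:
    """Return the monitored apex domain that host equals or is a subdomain of.

    Only suffixes on label boundaries are tried, so 'notexamplecollege.edu'
    does not match 'examplecollege.edu', and 'examplecollege.edu.evil-host.example'
    does not match either, because there the apex is an inner label, not the suffix.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in monitored:
            return candidate
    return None


def scan_feed(feed: str, monitored: Set[str]) -> List[Tuple[str, str]]:
    """Return (matched_apex_domain, url) pairs for feed lines that hit a monitored domain."""
    hits: List[Tuple[str, str]] = []
    for line in feed.splitlines():
        host = hostname_of(line)
        if not host:
            continue  # blank line or not a URL with a hostname
        apex = matching_domain(host, monitored)
        if apex:
            hits.append((apex, line.strip()))
    return hits


if __name__ == "__main__":
    for apex, url in scan_feed(SAMPLE_FEED, MONITORED_DOMAINS):
        print(f"{apex}\t{url}")
```

Run against the sample feed this reports the two URLs under the colleges' own hostnames. The lookalike `examplecollege.edu.evil-host.example` is deliberately not reported by this check: it is brand impersonation aimed at the college's users rather than a compromised college host, and a practitioner would route it to a separate impersonation or takedown workflow instead of treating it as an infected asset.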
You can read the full whitepaper here: Early Warning Service for cybersecurity incidents