Today’s enterprise attack surface is not limited to the corporate network. In fact, the network is just a small slice. When it comes to deciding how and where to attack an enterprise, threat actors have ample opportunity beyond the network perimeter. As a result, enterprises are investing in operational capabilities to detect and respond to external threats across the digital risk landscape. This is Digital Risk Protection (DRP).
DRP is defined as an operational process that combines intelligence, detection, and response to mitigate attacks across the external digital risk landscape.
What makes DRP Essential?
The external digital threats that organizations face continue to grow. The world is becoming more digital, and as a result business is increasingly being conducted outside the enterprise network through non-traditional channels like social media, mobile apps, and the web.
Additionally, the pandemic-driven acceleration of remote work and digital transformation has led to hurried adoption and reliance on platforms and services outside of the enterprise’s direct control.
Altogether, defenders are dealing with very unfavorable conditions. It has never been easier for threat actors to impersonate enterprises, compromise accounts, and steal data. The risk posed by account takeover, brand abuse, and data leaks is at an all-time high.
Digital Risk Protection levels the playing field by detecting and mitigating external threats across the surface web, social media, app stores, dark web, and deep web.
DRP addresses threats across the digital landscape, beyond the enterprise network.
The most common use cases for DRP include:
- Domain Monitoring
- Social Media Protection
- Brand Protection
- Account Takeover Prevention
- Data Leak Detection
- Executive Protection
Many enterprises are initially driven to establish DRP capabilities by one or two of these use cases. Often, this is in response to a specific incident or ongoing threat campaign. As they mature or as conditions change, it is common for enterprises to extend their DRP program to additional use cases.
Identifying which use cases to prioritize can be difficult as many threat types overlap with one another and may involve different internal stakeholders.
Key Components of Effective DRP
According to the Gartner Hype Cycle for Security Operations, “DRP solutions help improve the ability to predict, prevent, detect, and respond to issues presented by the prevailing threat landscape in a cost-effective, expedient and efficient approach.” Organizations rarely have the skill set to implement Digital Risk Protection on their own. As a result, DRP often requires partnering with solution providers.
There are three components organizations need to incorporate into their Digital Risk Protection process in order to effectively protect against external threats: Collection, Curation, and Mitigation.
Collection is the foundation of threat visibility. Free and paid data feeds are useful, but not enough. Direct collection is needed to provide the level of visibility required to satisfy most DRP use cases. Direct collection can span thousands of sources across the digital risk landscape.
The scale of DRP demands a high degree of automation. That said, some sources may require manual collection. Ultimately, collection efforts should leverage technology where possible and human expertise where necessary.
An effective collection function will yield a high volume of potential threats. Curation isolates those that are most relevant to the enterprise, adds context, and determines the risk they pose. It removes the noise and identifies threats that require response.
As with collection, performing curation at enterprise scale requires automation. Machine processing and algorithms can be applied to score relevancy and reduce noise. Expert analysis adds context and assesses severity.
The handoff from automated analysis to human review is critical to successful DRP. Starting out, it is common for enterprises to find there are too many threats that require expert review. In response, they decide to review only those with the highest score. This inevitably leads to threats being overlooked.
Mature DRP programs avoid this situation by using findings from analyst reviews to optimize automated analysis. This constant tuning is invaluable to maintaining efficiency while minimizing the risk of threats going undetected.
Mitigation is the purpose of DRP. The intelligence provided through collection and curation delivers no business value until it is used to reduce risk. It is also worth noting that collection and curation have a significant impact on the effectiveness of mitigation.
Complex external threats often have multiple components that should be acted on to effectively mitigate the risk. It is through collection and curation that these components are identified. Also, some mitigation measures may require evidence to be gathered and provided to service providers or authorities.
Mitigation should focus on two areas:
- Removing the threat from the infrastructure or platform it lives on. This is often referred to as performing takedowns.
- Blocking access to the threat. This limits the potential impact.
Performing takedowns is often the most difficult and time-consuming part of DRP. Different types of threats require different procedures, and there is no uniform global process across platforms, registrars, hosters, or other service providers. Few enterprises are equipped with the necessary relationships and localized knowledge to efficiently take down threats.
While taking down external threats is difficult, it is an essential part of mitigation. Takedown ensures the threat has been completely mitigated. There is no substitute.
In addition to takedown, mitigation should take steps to block access to the threat. For users within the enterprise, this can be done by adding threat indicators into security controls (such as firewalls) that can enforce blocking policies. This can usually be automated via API integration between DRP platforms and other security tools.
To block access to threats by users from outside the corporate network, malicious URLs and domains identified via DRP can be submitted to browser-blocking services like Google Safe Browsing and Microsoft SmartScreen. There is no guarantee the submission will be used by these services in a timely fashion, if at all.
In conclusion, DRP is an essential operational process that, when done well, stops the bleeding caused by external threats. It supports a range of use cases that will continue to grow alongside our increasing reliance on digital services and platforms beyond the corporate network. DRP consists of integrated collection, curation, and mitigation. By bringing these capabilities together in a cohesive process, DRP levels the playing field and helps security teams counter external threats.