Even the best preventative controls will not stop all incidents from occurring. IT risk and security leaders must shift from trying to protect against and prevent every attack to focusing on detecting and responding to malicious incidents. The gap between the speed of compromise and the speed of detection is one of the main failures noted when investigating a breach. According to a 2015 report by Mandiant, the average targeted malware compromise was present for 205 days before detection, the longest presence was 2982 days, and 69% were discovered by external parties, not internal IT security functions. Additionally, the 2015 Verizon Data Breach Investigations Report highlighted that, "in 60% of cases, attackers are able to compromise an organization within minutes."
The pace of change, combined with the growing sophistication of attacks, means it will be impossible to defend against every threat. IT security leaders must shift from prevention and protection to investing in technical, procedural and human capabilities (like IntelliGO) that can detect a threat when it occurs. First responders must be able to act quickly while investigating the source of the threat and the potential business impact of the breach.
There must be the right mix of investments across prevention, detection and response capabilities within an organization. In addition to the new tools needed to enhance existing protection solutions, new skills need to be acquired, and the culture within existing security teams and the wider organization needs to be developed in line with changes to cybersecurity processes.
A detection and response capability will be composed of the following elements:
- Managing behavioral expectations
- Behavioral analytics
- Incident response process and team
- Tools to monitor and analyze:
  - Data access and utilization
  - Infrastructure technologies (for example, networks and endpoints)
In many cases, existing traditional protection tools such as firewalls can be leveraged through features that enable detection and response. Firewall logs and flow records can be instrumental in threat detection and response. Incumbent vendors, such as endpoint protection platforms (EPPs) and firewall vendors, are rapidly adding detection and investigation features and products to their suite of products.
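As an added example (not part of the original article), the following shows how flow records of the kind a firewall exports can be turned into a simple detection: each internal host is baselined against its own typical outbound volume, and a transfer far above that baseline is flagged, along with whether the destination is otherwise unseen for that host. The sample flows and the internal address ranges are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Address ranges treated as internal (an assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (source, destination, destination port, bytes sent).
FLOWS = [
    ("10.0.1.5", "93.184.216.34", 443, 12_000),
    ("10.0.1.5", "93.184.216.34", 443, 9_500),
    ("10.0.1.7", "151.101.1.69", 443, 30_000),
    ("10.0.1.7", "151.101.1.69", 443, 28_000),
    ("10.0.1.9", "10.0.2.20", 445, 500_000_000),       # internal to internal: not outbound
    ("10.0.1.5", "198.51.100.77", 8443, 850_000_000),  # huge transfer to a host never seen before
]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_by_host(flows):
    """Group internal-to-external flows by the internal source host."""
    grouped = defaultdict(list)
    for src, dst, port, nbytes in flows:
        if not is_external(src) and is_external(dst):
            grouped[src].append((dst, port, nbytes))
    return grouped


def detect_outbound_anomalies(flows, factor=10):
    """Flag outbound flows that exceed `factor` times the source host's own median
    outbound volume, and record whether the destination is otherwise unseen for it."""
    alerts = []
    for src, records in outbound_by_host(flows).items():
        baseline = median(nbytes for _, _, nbytes in records)
        for dst, port, nbytes in records:
            if nbytes > factor * baseline:
                first_seen = sum(1 for d, _, _ in records if d == dst) == 1
                alerts.append({
                    "src": src, "dst": dst, "port": port, "bytes": nbytes,
                    "baseline": baseline, "first_seen_dst": first_seen,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_outbound_anomalies(FLOWS):
        print(alert)
```

In practice the baseline would be computed over a longer history than a single batch, so that a host's first contact with a destination is judged against days of prior flows rather than the same export.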
Application security testing will indicate areas where you are not able to find and plug all the holes and this data also influences a detect-and-respond strategy.
Gartner has identified four key components for successfully creating a detection and response capability:
- Governance, process and management
- User-centric detection and response
- Data-centric detection and response
- Technology supporting detection and response
Governance, Process and Management
Governance, process and management are required to effectively implement detection and response capabilities. The priorities and strategy of the security team will also need to shift from trying to protect against and prevent attacks to actively monitoring and responding to incidents, in addition to actively looking for new threats and predicting future ones.
In 2015, less than 20% of organizational information security budgets were allocated to rapid detection and response approaches. In contrast, by 2020 this will have risen to 60%. Less than 5% of organizations in 2015 even knew how their investment was split between prevention and detection/response. Security officers should categorize current investments as either prevention or detection and response, to understand the balance between them and to plan for future investment shifts.
People-Centric Detection and Response
As average, everyday users can be the weakest links in the digital security chain, it is important to educate and motivate staff to do the right thing when it comes to IT security. A number of restrictive controls can then be replaced by monitoring and analyzing user behavior.
Organizations can also monitor and analyze the behavior of internal users, customers, partners and contractors to detect intentionally malicious or deliberately negligent users. User and entity behavior analytics and fraud detection tools focus on differentiating the everyday user from a harmful one; the resulting response can range from allowing the user access under certain circumstances to notifying a customer that an account has been compromised.
Data-Centric Detection and Response
The arrival of big data platforms and cloud-based enterprise file-sharing services means organizations must review their strategy for data security. Organizations need to protect data ranging from personal information that can identify a customer to sensitive intellectual property or proprietary information.
It would be impossible for organizations to track access to everything and find all sensitive data, so each organization will have to commit the resources it can to managing its ability to do this. A critical part of your response and recovery strategy should be to back up data and be able to restore it after an incident takes place.
Control and monitoring of each access to a protected file can be provided by Enterprise Digital Rights Management (EDRM) and Enterprise File Synchronization and Sharing (EFSS), irrespective of traffic passing a CASB, the application used, and the storage location or technology.
Technology Supporting Detection and Response
Technology provides a huge amount of opportunity for monitoring, from networking to endpoints to applications, and is central to response activities.
The ability to detect machine behavior that requires investigation or response is what defines the tools in this space. These tools are only useful if they are supported by a team of security specialists with a clear process for defining and responding to an incident and the role that each person on the team plays in the process. Due to the demand for specialists with these skills, finding and hiring in this area can be difficult.
Organizations must decide whether to deploy detection and response technology in the network or on the endpoints. There are positives and negatives to both, but both are likely necessary and should be integrated, at least at some level. Larger enterprises will have the resources to integrate components from different vendors and to bring them together in a SIEM, while smaller enterprises will favour more integrated suites that do not require manual integration, cost less to implement and have lower operational costs. This also helps to avoid potential policy gaps.
Overall, enterprises should begin to look for cloud-based network controls that are also capable of detecting network events, even when clients are not on the network. Network detection and response tools are defined by their ability to detect incidents that require investigation and response by scanning network traffic for patterns that suggest an incident has occurred.
How can IntelliGO help my organization?
IntelliGO can help you focus your team's energy where it matters most: protecting systems from unauthorized access and continuously testing your defenses. This helps to detect and respond more effectively in comparison to buying and implementing security products or patching programs alone.