Detection, the second of the three keys to effective cybersecurity, is essential to identifying existing weaknesses and breaches and having them resolved.
One of the realities of today’s cybersecurity threatscape is not if you will be breached, but when, and how often. As good as cybersecurity is becoming – i.e. prevention solutions provide a 99.9 percent or higher detection rate for common malware – effective cybersecurity depends upon three pillars – prevention, detection and resolution – with the latter two required to address those situations where prevention isn’t enough.
In the majority (93 percent) of cyber breaches – over 740 million in 2015, and 340 million in the first half of 2016 – attackers take minutes or less to compromise systems and data exfiltration occurs within minutes in close to a third (28 percent) of the cases. Even more worrisome, the mean time to identify (MTTI) a data breach was 201 days, and a mean time to contain (MTTC) was 70 days.
Unfortunately, MTTI and MTTC scores aren’t the only areas where detection gets a failing grade. Up to 70 percent of data breaches are detected by third parties rather than by organizations’ own security operations teams, possibly because they are detecting too much.
Organizations are seeing and evaluating tens or hundreds of thousands of alerts daily. On average, 29 percent of all malware alerts received are investigated and an average of 40 percent are considered false positives.
Still, with the average total cost of a data breach up to $4 million – the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in 2016 – timely detection is critical to business success, if not business survival.
‘IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.’
Given the high costs of data breaches and stolen or lost records, it’s no surprise that detection is getting a lot more attention. By 2020, 60 percent of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20 percent in 2015.
Prevention does the heavy lifting when it comes to effective cybersecurity, but detection is essential for identifying the small but incredibly dangerous few that breach the perimeter. It is this vital second pillar that enables their removal and resolution of any issues resulting from that breach or other cyberthreat, as we’ll examine in part three.
5 steps to rapid detection and response
Comprised of five steps designed in a feedback loop, the Rapid Detection and Response Model helps organizations accelerate their ability to detect, investigate and stop attacks.
RDRM Step 1: Identify
Purpose: Create situational awareness of the organization’s threat environment by identifying technology and process gaps that lead to blind spots.
- Document existing security infrastructure
- Analyze capabilities of security technologies
- Examine operational processes
- Review detection and response metrics
- Evaluate the threat landscape
RDRM Step 2: Prepare
Purpose: Close gaps that hinder the ability to efficiently detect, respond to and resolve incidents.
- Implement technology
- Integrate systems
- Modify processes
- Perform tabletop exercises to train personnel
RDRM Step 3: Detect
Purpose: Identify security incidents
- Monitor and apply threat intelligence to endpoints, network traffic and log files to validate alerts
- Perform security analytics to uncover suspicious anomalies
RDRM Step 4: Respond
Purpose: Confirm and investigate security incidents to understand what occurred and assess the impact.
- Contain affected systems
- Collect and analyze data to classify the threat
- Dissect the attack path, reconstruct what it did
- Document the attack details
RDRM Step 5: Resolve
Purpose: Create and implement a remediation plan to remove all points of entry available to the threat.
- Remove back doors
- Fix exploited vulnerabilities
- Reset compromised user credentials
- Restore services
- Document and apply lessons learned to bolster preventative defenses and improve ongoing rapid detection and response