Despite all our efforts, cybercriminals may still find a way into our data and systems. They do, as the news headlines point out. The ‘business models’ of criminals have evolved together with technology and Crime-as-a-Service for the industrialisation of threat. What used to be a capacity accessible only to attackers who could afford it, it has now become a commodity. Even actors with relatively low skills can now use advanced penetration tools to disrupt operations and business functions.
Even if we fail to prevent attackers from penetrating our systems, we should never let our guard down. We need to fight back and figure out how to either minimise the damage or force them out of our networks. It is all about being resilient. How to get back to normal operations quickly and efficiently with the minimum impact and stop an incident from becoming a breach. And how to move faster to prevent the attackers from achieving their objectives.
Focus on Detection and Response
Although most organisations utilise detection and response as a means to stop an attacker from getting into our networks and systems, it is also important in helping us to minimise the impact of a security incident. Detection and response can be used to prevent an incident from developing into a breach by stopping attackers from completing their nefarious objectives.
Detection and response is not a technology-only solution. Instead, it is based on data, technology, people, and processes. Each element is important to enable the right detection content. This must then be visible to the right people, delivering the context that allows them to make sound decisions and follow streamlined procedures for defence, investigation, quick pivots, recovery, and post-incident forensics.
There are six steps that organisations need to follow for effective threat detection and timely response.
Security incident detection must go beyond more than just sounding the alarm. It must identify the root cause of the incident so that security teams can identify the type of intrusion, and then deploy the resources to stop it, remove it, and prevent it from happening again.
Monitoring your infrastructure and your data can give a tremendous speed advantage over blocking an intruder. Understanding your attack tree gives your team knowledge of how the attack is most likely to proceed. Data from email, network, cloud, and endpoints can show you the progress of an attack and give you the ability to follow it and ideally block it.
Use the information generated during the initial detection phase to understand the nature of the attack and the motives of the intruder.
Using actionable intelligence gathered from detection and investigation, you can deploy tools and actions to disrupt criminal operations, contain or stop the evolving attack. In the case of a data breach, even if data has already been lost, containment may help to stem further data damage.
Remove the threat from the system, even by deploying temporary solutions.
Once the threat has been effectively contained, it is time to apply a permanent fix to the issue. This might include patching hardware, reconfiguring systems and application architecture, or rebuilding systems for production.