As cybersecurity has matured, the principles and priorities guiding it have changed. Historically, security was driven by prevention and preventative controls, such as firewalls, anti-virus, anti-spyware and penetration testing.
More recently, the emphasis shifted towards governance: defining roles, responsibilities and accountability for when security incidents occur. This marked a turning point in which businesses recognised that cybersecurity was, and still remains, not only an IT issue but an existential business matter.
While this focus on prevention and governance produced real advances in information security (IS) and cybersecurity, on its own it is no longer adequate in the prevailing threat landscape. Cyber criminals share intelligence and tooling globally and craft increasingly sophisticated and numerous exploits. They disguise their attacks and make use of zero-day exploits that are far more likely to pass through firewalls and other preventative software unnoticed. In addition, their tactics increasingly target the non-technical side of organisations, relying on human error or lax security behaviour to obtain compromised credentials rather than on breaking a technical control.
Further, with complex cloud environments now the norm, it is no longer feasible to maintain full visibility with only prevention and governance measures in place. The mass migration to the cloud has widened the attack surface and given attackers more opportunity to carry out their attacks.
Organisations have invested so heavily and disproportionately in preventative measures that they have neglected two other vital aspects of any security strategy: detection and response. Despite the volume and speed of threats in today's environment, the industry has only recently recognised the importance of Detection and Response, and that recognition is arguably still inadequate.
What is Detection and Response?
The objective of threat detection is to swiftly and accurately identify threats to the network or endpoints, including threats that have already circumvented the established firewall or anti-virus software. At any given time, threats could exist in and traverse your environment without your knowledge. The statistics bear this out: according to IBM's Cost of a Data Breach Report 2020, the average breach lifecycle (the time to identify a breach plus the time to contain it) was 280 days, rising to 315 days for breaches caused by malicious attacks.
Being able to detect threats that have successfully bypassed your preventative controls is essential: it can be the difference between being breached and not being breached. An attacker's success hinges on the target's failure to notice their activity, so in essence, timely detection is what turns an intrusion into a contained incident rather than a breach.
Threat detection and response are effective because they assume that prevention will sometimes fail and look for the evidence of that failure. With detection controls in place, an organisation is better equipped to respond to and mitigate security incidents quickly. Malicious activity is identified and acted on before it escalates further, while normal activity and data at rest are also monitored so that deviations from the baseline stand out. Moreover, the data that detection mechanisms collect feeds an iterative process that informs and improves response activity.
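To make "detection" concrete at the log level, the following is an added illustration for this article, not code from the original page. It parses a handful of constructed SSH-style authentication log lines (the log format, usernames, IP addresses and thresholds are all invented for the example) and flags the pattern of compromised credentials the article describes: a burst of failed logins from one source followed by a successful login from that same source. It also reports how long the attacker was active before the detection fired, the per-incident analogue of the breach-lifecycle figures quoted above.

```python
"""Toy credential-compromise detector over constructed auth log lines.

Added example for this article, not code from the original page. Log format,
usernames, IP addresses and thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a password spray from 203.0.113.7
# against several accounts, then a successful login for one of them from the
# same source; a later, unrelated legitimate login and a single failure.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03Z sshd: Failed password for bob from 203.0.113.7
2024-03-01T09:00:05Z sshd: Failed password for carol from 203.0.113.7
2024-03-01T09:00:07Z sshd: Failed password for dave from 203.0.113.7
2024-03-01T09:00:09Z sshd: Failed password for erin from 203.0.113.7
2024-03-01T09:00:11Z sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:40Z sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:05:00Z sshd: Accepted password for bob from 198.51.100.20
2024-03-01T10:00:00Z sshd: Failed password for alice from 198.51.100.20
"""

# Assumed line layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn raw log lines into event dicts; unparseable lines are skipped so a
    single odd line cannot stall the whole detection pipeline."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_credential_compromise(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Alert on a successful login whose source IP produced at least
    `fail_threshold` failed logins (against any account) within `window`
    beforehand. A legitimate user mistyping a password once or twice stays
    under the threshold. Each alert carries the dwell time: how long the
    source had been active before detection fired."""
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append({
                "user": ev["user"],
                "ip": ev["ip"],
                "at": ev["ts"],
                "prior_failures": len(recent),
                "dwell": ev["ts"] - min(recent),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_compromise(parse(SAMPLE_LOG)):
        print(f"ALERT: {alert['user']} logged in from {alert['ip']} at {alert['at']:%H:%M:%S} "
              f"after {alert['prior_failures']} failures; attacker active for {alert['dwell']}")
```

On the sample above the detector raises exactly one alert (alice from 203.0.113.7, six prior failures, 39 seconds of attacker activity before detection); the later login from 198.51.100.20 has no failure burst behind it and is left alone. The threshold and window are the tuning knobs that trade false positives against missed slow, low-volume sprays, which is precisely the judgement a detection team, not a firewall, has to make.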
In order to eliminate an identified threat and recover from it, an organisation must have an established forensics and incident response process in place. This means formal incident management that provides response guidance when an incident occurs, planned remediation, immediate protection of key assets and a prompt return to normal business operations. Response is not only rapidly containing and eradicating the adversary, but also recovering affected systems and thoroughly investigating and analysing the nature of the incident so that the same path cannot be reused.
While the current approaches to detection and response – such as Endpoint Detection and Response (EDR), Managed Detection and Response (MDR) and Cross-Layered or Extended Detection and Response (XDR) – involve a range of technology, they also rely on the people within the organisation. Users should be empowered to recognise and report suspicious behaviour, so that they work in conjunction with the organisation's detection and response investments rather than around them.
Detection and Response can help you quickly identify and mitigate evolving threats, including:
Malware: Malicious software designed to disrupt, damage, or gain unauthorised access to systems and data – including ransomware, spyware, viruses and Trojan Horses.
Phishing: Typically enacted via email with the objective of compromising credentials or deploying malware via downloadable attachments or links.
Zero Day Threats: Attacks that exploit a vulnerability not yet known to the vendor or defenders, so that no patch or signature exists at the time of execution. Attackers also continue to exploit previously known but unpatched software vulnerabilities, which detection must cover as well.
Advanced Persistent Threats: A sustained attack that typically goes undetected for an extended period of time, often performed by a state-sponsored or otherwise well-resourced actor.
Blended Threats: A combination of threats designed to proliferate rapidly, mixing malware such as worms or viruses with the exploitation of Internet and server vulnerabilities.
The ruthless and determined nature of attackers, paired with the continuously changing environment in which systems exist and operate, necessitates stronger detection and response capabilities. With attacks growing increasingly stealthy and routinely bypassing preventative controls, organisations must rebalance their security investments so that detection and response sit alongside prevention as core protective measures.