There was a time when one of our biggest challenges was securing our physical assets, whether that was our people or our property from crime.
We researched and deployed the very latest in video solutions, intrusion systems, fire alarms and access control devices, all in an effort to keep the bad guys out and the good guys safe, along with protecting our facilities from break-ins, robberies and countless other crimes. However, times are changing. No longer must we only be concerned about keeping intruders out of our buildings but now—off our networks.
It should come as no surprise that cybercrime is one of the biggest threats organisations of all shapes and sizes face today. While attacks on major brands and Fortune 500 companies make headlines, there were purportedly 918 reported data breaches, compromising nearly 2 billion data records in just the first six months of 2017. Of those 918 breaches, 500 of them had an unknown number of compromised records.
Some in the industry referred to not locating cyberattacks in a swift manner as a breach detection gap or dwell time
Reducing breach detection gap
Depending on your organisation, these cybercrimes and the investigation into them, may be handled by your IT department. However, considering the magnitude of these crimes, it now falls on the entire organisation, including the traditional security or loss prevention executives, to band together to combat these threats.
One of the biggest challenges cyberattacks pose is timing. Often cyberattacks can go undetected for weeks, months or even years. Some in the industry referred to this timing as a breach detection gap or dwell time and is defined as the time elapsed between the initial breach of a network by an attacker and the discovery of that breach by the victim.
To put that into perspective, the most recent Ponemon report on the cost of a data breach showed dwell time for malicious attacks has stretched to an average of 229 days—a long time for bad actors to be lurking around your networks.
Many companies rely on heritage-based services offered by managed security service providers (MSSPs)
Traditional cybersecurity measures
We are familiar with traditional cyber lines of defence against these attacks like firewalls and anti-virus software. While these solutions are effective at identifying and potentially stopping known forms of malware and viruses that are attacking companies every day, they are blind to signatureless and zero-day malicious activity.
Unfortunately, this trend does not show signs of letting up as internal security processes are having trouble keeping up with increasingly sophisticated land pervasive threats.
Many companies rely on heritage-based services offered by managed security service providers (MSSPs) that use security information and event management (SIEM) software, or intrusion detection systems/intrusion prevention systems (IDS or IPS respectively) to monitor networks for malicious activities on a continuous basis.
However, these activities are based on known threats where a valid signature of the cyberattack or system logs are available and used to analyse activity. They then provide security alerts to the client and generate reports for compliance purposes.
This form of alerting often generates an overwhelming number of notifications causing what is coined in the industry as ‘alert fatigue’ making it hard to weed out what is important from what is not.
Managed detection response uses a combination of advanced technology and expert human analysis to combat cybercrime |
Managed detection and response
The Ponemon Institute found that companies spend an average of 21,000 hours each year analysing false negative/false positive alerts trying to detect and contain cyberattacks. This translates to approximately 17,000 security alerts in a week of which only 4% were deemed reliable and investigated. This can potentially waste nearly $1.3 million per year on investigating and managing inaccurate data.
Based on this overwhelming challenge, it’s time for organisations to look at improving real-time threat detection and incident response capabilities beyond standard security screening and compliance requirements. In addition to the services provided by an MSSP, it would be wise to add or layer a managed detection and response (MDR) service to your arsenal of cyber defence weapons.
An MDR analyst can replay the event allowing him to dig deeper into the incident and determine remediation steps
Identifying real threats with MDR services
MDR services use a unique combination of advanced technology and expert human analysis. Equating MDR services to traditional physical security devices, it is more like having a DVR, where an analyst can go back and replay the incident on the network via packet capture technology.
Event logs and signatures by themselves don’t provide visibility and detail. Traditional cyber defences act like a conventional alarm system. The alarm sounds and a notification is sent, but there is no context or detail about the incident and it is up to the recipient to determine if the alarm is valid, what exactly happened and what to do about it.
With packet capture on the network, an MDR analyst can replay the event allowing him to dig deeper into the incident and determine remediation steps. This approach helps quickly identify real threats to the business, provides remediation specifics for timely resolution, and significantly cuts through the false positive noise so security teams can focus on the things that matter.
Efficient incident management
MDR services only notify clients after the incident is verified. The notifications provide granular detail of the scope and severity of an attack with recommendations for quick containment and response. MDR services offer 24/7/365 continuous monitoring of customer network data, provide analysis of the data to add context to the event and notify the customer of the incident.
With MDR services, clients have direct communication with the security analyst and rely less on using an alert portal
With MDR services, clients have direct communication with the security analyst and rely less on using a portal for alerting, investigations, case management and workflow activities.
Because MDR services rely on advanced tools and human analysis, they are more apt to uncover malicious activity that has breached the first line of defence and can reduce the time from infection to detection to minutes rather than months.
Combating cybercrime with secure networks
To sum it all up, MSSPs focus on perimeter devices like firewalls, or IDS/IPS and SIEM and provide device management such as updating firewall rules, anti-virus software and compliance reporting. They are typically used to supplement internal IT or security teams.
An MDR service concentrates on detecting threats that have penetrated the perimeter. MDRs deliver threat notification and remediation guidance. While both solutions provide value to their clients, their basic areas of focus are different.
Cybercriminals are becoming more coordinated in their efforts to steal our data, disrupt our operations and damage our brands. It is time that we coordinate our efforts across the entire organisation to combat them.