3 Steps for Timely Cyber Intrusion Detection
Imagine my surprise when I was asked, “Did you hear about the New Yorker Magazine? Their website was hacked yesterday!” As a cybersecurity professional, I’m accustomed to hearing about hackers and data breaches – just not from my barber. Cyber attacks, hacks and breaches are so common these days that they have become a topic of casual conversation. Sadly, the intruders seem to be winning, in many cases, because organizations do not detect cyber intrusions fast enough.
Why Speed Matters
Speaking to CBS’s “60 Minutes” in October 2014, James Comey, the Director of the Federal Bureau of Investigation, asserted that “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
Although Comey’s remarks are aimed at larger companies in the U.S., it stands to reason that your company is on some hacker’s list of targets, regardless of its size or industry, and that it will experience a cyber intrusion, if it has not already. Therefore, the prudent course of action is to work on minimizing the damage to your company when the inevitable cyber intrusion does take place – an outcome that is often predicated on your ability to detect an intrusion in a timely fashion.
The significance of early and timely detection of intrusions becomes clear when you consider the recent data breach at the Office of Personnel Management (OPM), the U.S. government agency in charge of conducting background investigations for individuals seeking security clearance. By some accounts, the hackers had infiltrated the OPM systems and were actively working to compromise its data for nearly two years prior to detection. The result is a compromise of personal data impacting 22.1 million Americans (according to a National Journal estimate from July 2015) and hundreds of millions of dollars in recovery costs that must be shouldered by taxpayers.
Compared to the damage the OPM data breach has caused, the inevitable cyber intrusion at your organization may be far less damaging – or it may be far worse. It is impossible to predict the outcome of a cyber intrusion with any degree of certainty. However, one thing is certain: the sooner you can detect an intrusion, the sooner you are in a position to mount a response.
What are some actions that you can take today to improve the speed with which your organization detects cyber intrusions? The following sections outline three specific actions that should be on every organization’s to-do list.
1. Develop a Better Baseline for “Normal” Activity
The ability to spot cyber intrusions – “abnormal” activity on your information systems and networks – is a fundamental function of intrusion detection that often requires an understanding of what constitutes “normal” activity. However, this understanding seems to still elude many organizations.
In its most recent Analytics and Intelligence Survey 2014 , the SANS Institute reported that its survey respondents cited an “inability to understand and baseline normal behavior” as their biggest impediment to cyber attack detection and response.
Fortunately, advancements in Security Information and Event Management (SIEM) technologies and intrusion detection tools continue to help organizations develop better baselines for what constitutes “normal” activity on their systems and networks.
Nevertheless, to glean true intelligence about and visibility into potential cyber intrusions, these tools must be integrated across various enterprise platforms, including mobile and cloud-based systems – a task that continues to prove challenging for most organizations.
Regardless of the difficulties or the tools your organization currently deploys, developing a better baseline for normal activity that is specific to your organization is a critical first step that can drastically improve your security staff’s ability to detect intrusions quickly and effectively.
2. Stop Intruders from Getting Out
This may sound counterintuitive at first. After all, how can stopping intruders from getting out improve your organization’s ability to detect intrusions in a timely manner?
The logic of this suggestion becomes clear when you consider the fact that most organizations’ ability to identify and recognize intrusions is far from perfect. The SANS survey mentioned earlier indicated that 37 percent of respondents – whose companies deploy a variety of intrusion detection, prevention and analysis tools – reported that on many occasions, cyber intrusions would have gone unnoticed, had it not been for an outside party alerting them to malicious behavior originating from their networks.
You should therefore assume that you will not be able to prevent intruders from breaching your organization’s outer defenses or to detect their presence in all cases – regardless of the tools and technologies your organization may deploy.
You can, however, extend the time period between a cyber intrusion and a data breach by hindering the intruders’ attempts to “walk away” with your information assets. Of course, undetected intruders can still cause damage to your information systems, networks and data. But hindering their ability to leave with your data practically increases the odds of your discovering the intrusion before it becomes a full-blown data breach.
Case in point, according to a July 2015 speech from Jeh Johnson, the Secretary of Department of Homeland Security, the federal government’s intrusion detection systems have blocked more than half a million requests to access potentially malicious websites by intruders who were already on federal networks – intruders that were not detected until they attempted to communicate with their “home base” and steal data from agency networks.
To begin the process of stopping intruders from getting out, your organization should strive to become more intentional and persistent in continuously tuning firewalls, traffic filtering appliances, and white-/black-listing systems to allow only what is considered normal activity for your organization. In addition, you should consider leveraging Cyber Threat Intelligence (CTI) services to discover, prepare for, and keep pace with the changing cyber threat landscapMake Security Staff
3. Training a Priority
Despite improvements in intrusion detection technologies that promise to infuse more intelligence into the task of discovering intrusions by making sense of various system and network logs, alarms, and event indicators, “alert fatigue” continues to be a problem for many organizations.
In organizations where the same teams that are responsible for detecting intrusions are also responsible for responding to them, the large number of security events that must be evaluated often overwhelms the teams’ ability to identify and respond to critical intrusions in a timely fashion.
A recent study by Verizon and Deloitte ( Transforming Cybersecurity: New Approaches for an Evolving Threat Landscape ) found that a staggering 88 percent of cyber attacks are successful in less than one day, while only 21 percent of affected companies are able to discover those attacks during the same time period.
Given this stark contrast, it seems that as long as automated intrusion detection tools fail to present a consistent, reliable and timely picture of potential intrusions, an organization’s most effective weapon against cyber intrusions remains a well-trained security team that can distinguish normal from abnormal behavior.
Leading organizations recognize that skilled security practitioners with experience-based knowledge and intuitive situational awareness can sometimes distinguish between true security events and “false alarms” at a rate that rivals the most advanced intrusion detection systems.
As the frequency of cyber attacks, hacks and intrusions continues to accelerate, no organization seems to be immune from the onslaught. In most cases, rapid and timely detection of cyber intrusions can help to minimize their potential impact.
Intrusion detection, prevention and analysis technologies and tools continue to improve their ability to provide true intelligence and reliable alerting to intrusions. However, a well-trained staff that can spot “abnormal” activity, use the tools on hand to analyze data, and glean actionable intelligence that can be used to detect and respond to cyber intrusions in a timely fashion is still the best weapon against cyber attacks.