Want an Ounce of Prevention? Start with a Pound of Detection
It takes months for most computer intrusion victims to learn they were breached. Unfortunately, the hackers get busy much sooner, often stealing data within days if not minutes.
Once inside the network, the bad guys first might install their favorite malware, including keystroke loggers to gather passwords (yes, even those strong passwords you worked so hard to create); turn off security notification alerts; disable anti-virus programs and firewalls; clear log files of their activity; lock legitimate users out of their accounts; create new user accounts for themselves so they can sign in like decent folks; and, basically do whatever else they like, whenever they like, from wherever they like.
Or, you can detect the hackers and shut them down. But how?
Last month’s Cyber Tactics column explored continuous monitoring, and pointed out that companies have wide latitude in selecting and applying their detection methods. Fortunately, an increasing number of organizations are moving to a powerful combination of improved endpoint detection, fully integrated log and event management, and big data analytics. As a result of enhanced monitoring and analysis, detection times are being reduced to minutes (without a rise in false positive rates), and security solutions are doing a better job contextualizing alerts (describing not merely what is happening, but why it matters) and correlating events across the organization (contrasting, for example, coordinated hacking campaigns from a series of one-off commodity infections).
Still, we are a long way off from achieving full network security through automated detection alone. Enter the last category of the NIST Cybersecurity Framework’s “Detect” function: “Detection Processes.” It is here that organizations are meant to focus on detection roles and responsibilities, legal and compliance requirements, testing, communicating results and constant improvement.
The harsh reality is, even once detected, companies often fail to respond to an incident alert in a timely manner, leading to a perception that the organization was asleep at the wheel. Ensuring sufficient, well-trained staff is a good first start, as is considering the use of a Managed Security Service Provider. Either way, particular attention must be paid to team structure and incident response procedures. Consider enhancing accountability by assigning different people to the roles of device configuration and support; incident and event data structuring and management; data analysis; and incident response. Then, focus on clearly defining initial notification, escalation and de-escalation procedures for reporting and responding to common events and significant incidents alike.
In the OPM breach, hackers gained their initial foothold to the agency’s networks nearly a year before they were discovered. In contrast, but to similar effect, the Target breach set off immediate alarms, but the team determined that it did not warrant immediate follow up. The question for Security readers comes down to this: Is your company prepared to do better?