In times gone by, cybersecurity was a matter of protection and prevention. As hackers upped their game, employing more powerful tools and techniques to crack into a network, cybersecurity professionals bunkered down and added additional layers to their defenses. Today, however, the proliferation of malware strains (much of it available for purchase) alongside the increased number of attack vectors enabled through cloud, software as a service (SaaS), mobile computing and the Internet of Things (IoT), has rendered this traditional stratagem redundant.
All of this has contributed to a far lower barrier to entry for would-be cyber-criminals and, ultimately, a far greater success rate of attacks. This leaves organizations both large and small to face up to an uncomfortable truth – that a network compromise is now a practical inevitability.
Detection Over Prevention
However, this doesn’t mean that the destiny of every organization is a headline-hitting, reputation-shredding data breach.
There is a distinct difference between compromising a network and the successful extrication of data. A successful hack takes time, and when a malicious actor targets an organization’s network, a process unfolds from intrusion through to data breach. It is this timeframe that needs to become the new battleground for cybersecurity. If detection and remediation processes are efficient and agile enough, cyber-criminals will leave empty-handed.
Aberdeen Group’s Quantifying the Value of Time in Cyber-Threat Detection and Response report demonstrates the effect that speedy remediation has on business impact. Limiting the dwell time of an attacker to 30 days reduces the impact on a business by 23%. Shortening that to seven days results in a 77% reduction, and a single day reduces impact by as much as 96%.
New Goal, New Tools, New Metrics
As detection is now as important as, if not more important than, prevention for limiting corporate impact, security operation centers (SOCs) are increasingly employing new tools and solutions to expedite the detection process. Security information and event management (SIEM) technologies, alongside User and Entity Behavior Analytics (UEBA), are now two key technologies forming part of the cybersecurity professional’s arsenal. Both solutions automate the detection of anomalous network activity, flagging it to human operators for analysis.
Reducing the burden of detection on the security team is more important than it might seem at first blush. The cyber-skills gap both here in the UK and abroad doesn’t look to be closing anytime soon, and time-strained and budget-stretched security teams can ill-afford to spend time on detecting intrusions. In a survey we commissioned earlier this year, nearly a third of large UK companies admitted that they lack both the time and the staff to identify and mitigate modern cyber-threats.
Through the use of automated detection solutions, the bulk of cybersecurity professionals’ work can now rest with remediation efforts rather than with detection. Centring on key metrics including mean time to detect (MTTD), mean time to respond (MTTR), time to qualify (TTQ) and time to investigate (TTI), security analysts can focus on creating faster and more efficient workflows across collection, discovery, qualification, investigation, neutralization and ultimate recovery, with the intelligence gathered and work performed in each preceding stage informing the current one.
Within this model, each network intrusion by an attacker ultimately feeds more data back to the security team, creating the opportunity to reduce one, if not all, of those key metrics. The longer a security team uses these technologies and processes, the more robust and mature its security operations become. If this maturation process can keep step with the rapid development of new malware and threats, security centers could see far fewer cyber-criminals making off with valuable data.
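The metrics named above only become useful once a SOC measures them consistently from its own incident records. The following is an added worked example, not code from the article or from any product it mentions: it computes MTTD, mean TTQ, mean TTI, MTTR and mean dwell time from a small set of constructed incident records that carry a timestamp for each workflow stage, and reports which stage consumed the most time in each incident so the team can see where to shorten the workflow. The stage boundaries used for each metric (for example, MTTR measured from detection to neutralization, and TTQ from detection to qualification) are this example's assumptions, since the article does not define them; a real SOC should pin these definitions down before trending the numbers.

```python
from datetime import datetime
from statistics import mean

# Stages in the order the article describes, from first malicious activity to recovery.
STAGES = ("intrusion", "detected", "qualified", "investigated", "neutralized", "recovered")

# Constructed sample incident records (not real data). Timestamps are UTC, ISO 8601.
INCIDENTS = [
    {"id": "INC-0001", "intrusion": "2024-03-01T02:00:00", "detected": "2024-03-01T10:00:00",
     "qualified": "2024-03-01T10:30:00", "investigated": "2024-03-01T13:30:00",
     "neutralized": "2024-03-01T14:00:00", "recovered": "2024-03-02T08:00:00"},
    {"id": "INC-0002", "intrusion": "2024-03-10T00:00:00", "detected": "2024-03-12T00:00:00",
     "qualified": "2024-03-12T01:00:00", "investigated": "2024-03-12T06:00:00",
     "neutralized": "2024-03-12T08:00:00", "recovered": "2024-03-13T08:00:00"},
    {"id": "INC-0003", "intrusion": "2024-03-20T12:00:00", "detected": "2024-03-20T16:00:00",
     "qualified": "2024-03-20T16:30:00", "investigated": "2024-03-20T18:30:00",
     "neutralized": "2024-03-20T19:00:00", "recovered": "2024-03-20T22:00:00"},
]


def hours(delta):
    """Convert a timedelta to fractional hours."""
    return delta.total_seconds() / 3600


def parse_record(record):
    """Parse the stage timestamps and reject records whose stages are out of order,
    which would otherwise silently produce negative durations."""
    ts = {stage: datetime.fromisoformat(record[stage]) for stage in STAGES}
    for earlier, later in zip(STAGES, STAGES[1:]):
        if ts[later] < ts[earlier]:
            raise ValueError(f"{record['id']}: '{later}' precedes '{earlier}'")
    return ts


def incident_metrics(record):
    """Per-incident durations in hours. Metric boundaries are this example's
    assumptions: TTD intrusion->detected, TTQ detected->qualified,
    TTI qualified->investigated, TTR detected->neutralized, dwell intrusion->neutralized."""
    ts = parse_record(record)
    return {
        "ttd": hours(ts["detected"] - ts["intrusion"]),
        "ttq": hours(ts["qualified"] - ts["detected"]),
        "tti": hours(ts["investigated"] - ts["qualified"]),
        "ttr": hours(ts["neutralized"] - ts["detected"]),
        "dwell": hours(ts["neutralized"] - ts["intrusion"]),
    }


def bottleneck(record):
    """Name the workflow step (time between consecutive stages) that took longest,
    which is where a faster workflow would pay off most for this incident."""
    ts = parse_record(record)
    steps = {later: hours(ts[later] - ts[earlier]) for earlier, later in zip(STAGES, STAGES[1:])}
    return max(steps, key=steps.get)


def soc_metrics(incidents):
    """Aggregate the per-incident durations into the SOC-level means the article names."""
    per = [incident_metrics(r) for r in incidents]
    return {
        "incidents": len(per),
        "mttd_hours": mean([m["ttd"] for m in per]),
        "mean_ttq_hours": mean([m["ttq"] for m in per]),
        "mean_tti_hours": mean([m["tti"] for m in per]),
        "mttr_hours": mean([m["ttr"] for m in per]),
        "mean_dwell_hours": mean([m["dwell"] for m in per]),
    }


if __name__ == "__main__":
    for key, value in soc_metrics(INCIDENTS).items():
        print(f"{key:18} {value:8.2f}" if isinstance(value, float) else f"{key:18} {value}")
    for record in INCIDENTS:
        print(f"{record['id']}: slowest step -> {bottleneck(record)}")
```

Run over a full quarter of tickets, the same functions give the trend lines the article argues for: MTTD falling as SIEM and UEBA tuning improves, and the per-incident bottleneck showing whether the remaining time sits in detection or in the human-driven qualification and investigation steps.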