The recent rise in large-scale cyber-attacks, such as WannaCry and NotPetya, together with the growing number of high-profile data breaches, as seen at Deloitte, Whole Foods, Sonic and others, has underlined in the boldest possible terms the imperative that organizations face today to shift their thinking about security technologies. Prevention technologies alone are no longer enough to avert the worst consequences of a data breach. In light of an ever-expanding universe of malware, ransomware, advanced persistent threats and more, cybersecurity must also include solutions that detect active compromises inside IT environments.
This can only be done with a robust security program that focuses on incident detection and response (IDR). Here are seven ways for organizations to improve their IDR capabilities.
Get Visibility
You can’t protect what you can’t see. While achieving sufficient internal and external network visibility can be challenging, the consequences of being unprepared when an incident occurs far outweigh the time and effort spent identifying what you’re trying to safeguard and the best ways to do so.
Knowing which systems and technologies your company utilizes and the type of data that’s being collected and stored will help you build the internal intelligence you need to shape your IDR plan.
Collect Data
Like gaining visibility, centralized logging can require a significant amount of work and configuration, but it too is essential to an effective IDR program. Indeed, log analysis and endpoint monitoring solutions have become cornerstones for most organizations, as they bring the two most necessary security event sources together and make correlation and deeper analysis possible.
In addition to enabling the detection of threat activity in real-time, robust data collection solutions simplify both investigations into historical events and internal coordination during the remediation process. Investing time and resources in an effective data collection system will go a long way toward improving internal security.
Monitor Your Entire Attack Surface
Cloud services and other modern tools have accelerated productivity for today’s mobile workforce, but this means these tools need to be data sources for your cybersecurity program.
You cannot detect stolen accounts or compromised data without direct visibility into cloud solutions and the endpoints such as mobile devices and laptops used by your remote workforce on other networks.
The more data you have on both usual and suspicious activity in these growing use cases, the better your chances of detecting an attack before it reaches critical infrastructure and data is stolen.
Work with Your People
No be-all, end-all tool will solve all of your IDR issues. It takes a collaborative team of IT professionals and security experts, as well as a combination of tools, to efficiently and effectively detect threats.
Without buy-in across IT, the partnerships needed to automate the data collection process can become a regular battle for the security operations team. Since the traditional role of IT is focused on maximizing productivity by optimizing all internal systems, IT staff are unlikely to recognize the importance of uninterrupted security monitoring without help.
Including all IT stakeholders in your cybersecurity program and influencing them to prioritize security along with uptime is an absolute must.
Recognize the Attack Chain
The ways in which threat actors breach a company can vary, but what remains constant is that an intruder will follow most of the steps on the attack chain – a chronological sequence of attacker behavior as a breach unfolds.
The attack chain commonly follows five steps:
- Infiltration and persistence
- Reconnaissance
- Lateral movement
- Mission target
- Maintaining presence
When a malicious action is observed, future detection is enhanced by tying the event to the right step in the attack chain, determining which data would show further evidence of an attack, and building alerts to trigger should it occur again.
For example, if you identify that an attacker ran a port scan from the first compromised endpoint, that is reconnaissance, and your team needs to make sure you have internal IDS or honeypots capable of alerting when a port scan is run from an unusual device.
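The port-scan case above, together with the correlation over centrally collected logs that the Collect Data section calls for, as an added example that is not part of the original article: a small Python detector that parses constructed firewall log lines, counts the distinct destination ports each source touches inside a sliding time window, labels a hit with the Reconnaissance step of the attack chain, and marks whether the source is outside an allowlist of authorised scanners. The log format, the IP addresses, the allowlist, the threshold and the window length are all assumptions made for the example.

```python
"""Port-scan detection over constructed connection logs, tied to the attack chain."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical firewall/flow records), e.g.
# 2017-10-03T09:00:01Z src=10.0.5.23 dst=10.0.8.10 dport=22 action=deny
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Assumptions: an authorised vulnerability scanner, a port threshold and a window.
KNOWN_SCANNERS = {"10.0.1.5"}
PORT_THRESHOLD = 10
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not fatal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW,
                      known_scanners=KNOWN_SCANNERS):
    """Group records by source and slide a time window over each source's events.

    An alert fires the first time a source has touched `threshold` distinct
    (destination, port) pairs within `window`; one alert per source is emitted.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["src"]].append(rec)

    alerts = []
    for src, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        targets = defaultdict(int)  # (dst, dport) -> hits currently inside the window
        for end, rec in enumerate(recs):
            targets[(rec["dst"], rec["dport"])] += 1
            # Evict events older than the window; start never passes end (diff 0).
            while rec["ts"] - recs[start]["ts"] > window:
                old = (recs[start]["dst"], recs[start]["dport"])
                targets[old] -= 1
                if targets[old] == 0:
                    del targets[old]
                start += 1
            if len(targets) >= threshold:
                alerts.append({
                    "src": src,
                    "stage": "Reconnaissance",  # attack-chain step the behaviour maps to
                    "distinct_targets": len(targets),
                    "first_seen": recs[start]["ts"].isoformat(),
                    "last_seen": rec["ts"].isoformat(),
                    "unusual_device": src not in known_scanners,
                })
                break
    return alerts


def _line(ts, src, dst, dport, action="deny"):
    return f"{ts} src={src} dst={dst} dport={dport} action={action}"


# Constructed sample data, not real traffic.
SAMPLE_LOGS = [
    # ordinary workstation traffic: a couple of allowed connections
    _line("2017-10-03T09:00:00Z", "10.0.5.40", "10.0.8.10", 443, "allow"),
    _line("2017-10-03T09:00:05Z", "10.0.5.40", "10.0.8.11", 80, "allow"),
    # a workstation sweeping 12 ports on one host within 12 seconds
    *[_line(f"2017-10-03T09:01:{i:02d}Z", "10.0.5.23", "10.0.8.10", p)
      for i, p in enumerate(range(20, 32))],
    # the authorised scanner sweeping 15 ports: detected, but not an unusual device
    *[_line(f"2017-10-03T09:02:{i:02d}Z", "10.0.1.5", "10.0.8.12", p)
      for i, p in enumerate(range(1, 16))],
    # a slow sweep, one port every two minutes: stays under a 60-second window
    *[_line(f"2017-10-03T09:{10 + 2 * i:02d}:00Z", "10.0.5.50", "10.0.8.13", p)
      for i, p in enumerate(range(20, 32))],
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOGS):
        print(alert)
```

The slow-sweep source is deliberately left undetected: a fixed 60-second window catches noisy scans but not a patient attacker, which is why the window and threshold should be tuned against your own baseline and why the authorised-scanner allowlist matters for keeping the alert meaningful.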
Understand Likely Threats
Your own internal knowledge is one of the most important keys to developing a highly effective IDR program. This includes prioritizing the attacks you’re most likely to see based on your business, internal systems, the data you hold which could be monetized, and more.
With this model, understanding how an attacker can reach a specific component of your enterprise, whether it is a system or a body of data, is of utmost importance.
Thousands of possible disaster scenarios could occur. Realizing which pose the most relevant threats and the biggest risks to your organization will enable you to most effectively prioritize the technology and processes needed to develop your security program.
Establish an Organization-Wide Workflow
When it comes to incident response, your entire enterprise will likely play some sort of a role. To meet this challenge, your IDR program must include a formal chain of command for response and crisis communications.
For example, if the attacker targets the company’s website, the IT team will be heavily involved in keeping the site up, running, and available. In the case where a larger incident exposes sensitive information, the public relations and internal communications teams need to be informed early enough to have a public statement ready before outreach occurs. And in the event that customer information is leaked, knowing who is reaching out to clients to inform them of the situation should be the number one priority.
Laying out who does what in advance will not only save the company endless confusion, but also build confidence among customers that they can continue to trust your organization with their data.