Security strategies focused solely on breach prevention are no longer enough to keep your organization safe from cyber attacks. Traditional security controls such as firewalls, intrusion detection systems, border routers, virtual private networks and endpoint protection tools continue to be important, but they need to be part of a broader defense-in-depth strategy that emphasizes quick breach detection and response as much as prevention. A “defense-in-depth” approach is the practice of layering multiple independent safeguards so that a control that is bypassed or fails is backed up by another.
A Convergence of Trends
Multiple trends are driving the need for this change. Perhaps the most pressing is the fact that cybercriminals have become better at breaking in, despite all the security technologies thrown against them in recent years. Statistics from the Identity Theft Resource Center and CyberScout show that in 2016, U.S.-based organizations reported a total of 1,093 data breaches, 40 percent higher than the 780 breaches reported in 2015. Hacking, skimming and phishing continued to be the top attack causes for data breaches for the eighth year in a row.
Many attacks continue to be opportunistic in nature: an organization becomes a victim simply because it exposes a vulnerability that an attacker scanning the Internet at large happens to find. Many others, however, are targeted and involve sophisticated malware tools and advanced persistent threats. For these attackers, stealth, long dwell time and lateral movement inside the network matter more than the high-volume, smash-and-grab attacks of the past.
In addition, the adoption of cloud services and mobile computing, and the growing interconnectedness of enterprise networks, have significantly expanded the attack surface and given adversaries more opportunities. In this environment, it is unrealistic for organizations to expect to block every single attack directed at their network.
Raise Entry Barriers
The goal of any breach protection strategy should be to make it as hard as possible for intruders to break in. If attackers do get in, the strategy should be about spotting and stopping them quickly to minimize damage.
On the breach-prevention front, organizations should bolster perimeter technologies with additional capabilities such as deep packet inspection, intrusion prevention, application-level policy enforcement and application whitelisting.
Traditional signature-based endpoint protection tools are no longer enough. The 2016 Verizon Data Breach Investigations Report shows that threat actors almost never use the same malware to attack a target more than once, and that 99 percent of all malware hashes are seen for less than 58 seconds, so a signature written for one sample is stale almost as soon as it ships. In addition to signature-based antivirus technologies, organizations need to build or hone their capabilities in areas such as behavior-based malware detection, sandbox analysis, exploit detection and zero-day threat detection.
Hone Threat Detection Capabilities
Capabilities such as behavioral monitoring and real-time analytics have become increasingly important from a threat detection and mitigation standpoint. Adversaries have become adept at concealing their presence and movement inside networks with many capable of remaining undiscovered for months.
Organizations need to be able to gather, inspect and correlate data from multiple network and endpoint sources — and often in near real-time — in order to spot the telltale signs of malicious activity. Such intelligence-driven practices can also enable threat hunting, or the practice of proactively seeking threats on your network instead of waiting to discover them after a breach.
Add Context To Risks and Threats
Equally important are processes for assessing and prioritizing risks and security incidents. Established processes make the response more informed, effective and timely. Organizations need to be able to add context to security threats and incidents: knowing what data or assets are at risk, and how critical they are to the business, goes a long way toward determining the appropriate response and boosting overall situational awareness.
Enable a security information and event management (SIEM) capability
SIEM tools can help you collect, correlate and analyze log and alert data from security and network systems scattered across your enterprise. The near real-time data analysis enabled by such tools can help you spot patterns and trends indicating potentially malicious activity on your network that might have been missed otherwise. Most important, an enterprise SIEM capability can help prioritize incident response by enabling you to identify and focus on the threats that matter the most.
Compliance is another major reason to consider a SIEM capability. The centralized data correlation and analysis offered by SIEM tools and services make it easier for organizations to track and monitor security requirements pertaining to regulations and standards like HIPAA, PCI DSS and SOX.
SIEM capabilities are especially critical considering the sheer volume of log and alert data generated by security and network systems on a daily basis. Organizations, especially large ones, need an automated way to harness the data flood and extract actionable information from it. Without a SIEM capability, a lot of the data generated by security systems would end up being useless noise.
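The correlation described in the sections above (gathering events from network and endpoint sources, tying them together by host and time window, and weighting the result by how critical the affected asset is to the business) is easier to see in code than in prose. The following is an added example written for this page, not code from the original article or from any SIEM product. The log format, host names, thresholds, the 10-minute window and the criticality table are all constructed for illustration; a real deployment would take these from its own log schema and asset inventory.

```python
"""Minimal SIEM-style correlation over constructed log lines.

Rule (illustrative, not from any vendor): within a 10-minute window, a host that
sees at least FAIL_THRESHOLD failed logins from one source address, followed by a
successful login from that same address, followed by a new outbound connection,
is flagged. The alert score is raised by the asset's business criticality so the
responder sees the most important host first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5

# Assumed business context: which hosts matter most. Unknown hosts get a low default.
ASSET_CRITICALITY = {"db01": "high", "web02": "medium", "lab07": "low"}
CRITICALITY_WEIGHT = {"high": 40, "medium": 20, "low": 5}

# Constructed sample events from two sources ("auth" and "fw"); the key=value
# layout is an assumption for this example, not a real product's schema.
SAMPLE_LOGS = """\
2017-03-01T10:00:01Z auth host=db01 user=admin result=fail src=203.0.113.7
2017-03-01T10:00:03Z auth host=db01 user=admin result=fail src=203.0.113.7
2017-03-01T10:00:05Z auth host=db01 user=admin result=fail src=203.0.113.7
2017-03-01T10:00:07Z auth host=db01 user=admin result=fail src=203.0.113.7
2017-03-01T10:00:09Z auth host=db01 user=admin result=fail src=203.0.113.7
2017-03-01T10:00:12Z auth host=db01 user=admin result=success src=203.0.113.7
2017-03-01T10:02:40Z fw host=db01 dir=out dst=198.51.100.9:4444
2017-03-01T10:01:00Z auth host=web02 user=deploy result=fail src=198.51.100.22
2017-03-01T10:01:02Z auth host=web02 user=deploy result=success src=198.51.100.22
2017-03-01T10:03:00Z fw host=web02 dir=out dst=192.0.2.10:443
2017-03-01T11:00:00Z auth host=lab07 user=student result=fail src=203.0.113.7
2017-03-01T11:00:02Z auth host=lab07 user=student result=fail src=203.0.113.7
2017-03-01T11:00:04Z auth host=lab07 user=student result=fail src=203.0.113.7
2017-03-01T11:00:06Z auth host=lab07 user=student result=fail src=203.0.113.7
2017-03-01T11:00:08Z auth host=lab07 user=student result=fail src=203.0.113.7
2017-03-01T11:00:20Z auth host=lab07 user=student result=success src=203.0.113.7
2017-03-01T11:05:00Z fw host=lab07 dir=out dst=198.51.100.9:4444
2017-03-01T12:00:00Z auth host=hr03 user=alice result=fail src=203.0.113.9
2017-03-01T12:00:02Z auth host=hr03 user=alice result=fail src=203.0.113.9
2017-03-01T12:00:04Z auth host=hr03 user=alice result=fail src=203.0.113.9
2017-03-01T12:00:06Z auth host=hr03 user=alice result=fail src=203.0.113.9
2017-03-01T12:00:08Z auth host=hr03 user=alice result=fail src=203.0.113.9
2017-03-01T12:00:10Z auth host=hr03 user=alice result=success src=203.0.113.9
2017-03-01T12:25:00Z fw host=hr03 dir=out dst=192.0.2.10:443
"""


def parse_line(line):
    """'<timestamp> <source> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    """Parse all non-empty lines and order them by time, as a SIEM would on ingest."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Apply the rule per host and return alerts, highest score first."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for e in evs:
            if e["source"] != "auth" or e["result"] != "success":
                continue
            t = e["ts"]
            # Failed logins from the same source address in the window before success.
            fails = [f for f in evs if f["source"] == "auth" and f["result"] == "fail"
                     and f.get("src") == e.get("src") and t - WINDOW <= f["ts"] < t]
            if len(fails) < FAIL_THRESHOLD:
                continue
            # New outbound connection in the window after the success.
            outbound = [o for o in evs if o["source"] == "fw" and o.get("dir") == "out"
                        and t < o["ts"] <= t + WINDOW]
            if not outbound:
                continue
            crit = ASSET_CRITICALITY.get(host, "unknown")
            score = 50 + CRITICALITY_WEIGHT.get(crit, 10)
            alerts.append({"host": host, "user": e["user"], "src": e["src"],
                           "failed_attempts": len(fails), "outbound": outbound[0]["dst"],
                           "criticality": crit, "score": score})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

On the constructed data, db01 (high criticality) and lab07 (low) both match the rule, but db01 is returned first; web02 is not flagged because a single failed login is normal, and hr03 is not flagged because its outbound connection falls outside the window. None of those four hosts would have stood out from the raw auth or firewall logs on their own, which is the point of correlating sources before an analyst looks at them.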
Does your company have a system in place to prevent cyber attacks? We’d love to hear from you! Please leave a comment below.