Organizations need to go beyond prevention techniques and invest in detection and response capabilities.
Most enterprises have long been focused on preventing the bad guys from getting in to their networks and systems. Historically, the especially security conscious enterprises -- ones that understood their organizations were a target -- were focused not just on prevention, but also on detection and response to security incidents. The IT security landscape has changed – the reality of today’s security landscape is that it’s not a question of if you have been hacked, it’s whether or not you know about it. Detection and response capabilities are more important than ever before.
The risks to your physical business office and assets, as well as the mitigation techniques you can take to protect your assets from this risk, are much more obvious than when it comes to the cyber world. Fifty years ago, good physical security for many businesses was a locked door – it was enough to keep most bad guys out. Today, a locked door is barely a deterrent; yes, you still need to lock the door, but that needs to be reinforced with a security system to detect if an intruder has gained entry. That security system needs to be connected to a monitoring agency that is alerted of the break-in and notifies the police so they can respond in a timely manner and catch the intruder to prevent serious loss of assets.
Security Operations: Into the Cyber World
The new cyber security reality is very similar to that of the physical security reality. It’s not enough to simply lock the door with technology. You must have the tools and operational capacity to detect a potential breach, investigate, and respond to the incident in an appropriate way. Just like a motion sensor or smoke detector does not stop the burglary or fire itself, you need a way to be alerted to dangerous activity. Cyber security needs tools and people to detect, alert, and respond to the potential cyber security incident.
Also like a motion sensor or smoke detector, Security Information and Event Management (SIEM) tools -- even those with very refined policies -- will have false alarms, and it requires a human being to investigate the threat and determine if it is valid. It’s true that machine learning (ML) and artificial intelligence (AI) systems have started to improve, but they are still not as good as an experienced cyber security analyst. It takes a human response to assess and respond appropriately to all but the most basic emergencies.
Some incidents must be escalated to various levels of management for response, depending on the type of event, its severity, and the degree of response required. Systems need to be shut down to prevent further issues and be returned to their pre-intrusion state, plus fixes, before being returned to service. This can be painful for a business but is required to protect valuable assets. Further, significant events that impact the public will require reporting to government authorities, likely leading to more headaches for the enterprise. But even so, early detection and having an appropriate response strategy can prevent the bad from getting far worse.
Example similarities between physical security and cyber security
Whether it’s fire and burglary, or cyber-attack, response time is critical. Having a planned security operations response to a detected security incident is as important as early detection for managing impact. Similar to a fire or a burglary, a timely response will control the spread of the security incident and minimize damage.
In 2019, large and small organizations must focus their cyber security investments on the tools and operational practices to detect and respond to security events, attacks and breaches – large and small. Responding appropriately to small events stops many of them from escalating into larger breaches.
Developing human awareness and prepared response depends on what you are trying to protect. Cyber security events and incidents are commonplace for most organizations, so being able to detect and respond needs to become just as common. Just like protection of physical business assets from fire or theft, cyber security response must be pre-built into business and IT operations systems and processes. One significant difference is that while fire and theft events are relatively rare, cyber security attacks are relentless.
Invest in Expertise
Cyber security expertise has become a difficult human resource to hire. Some businesses should consider outsourcing some cyber security functions to ensure they have the required expertise available. Consider outside assistance for regular security reviews, security policy and procedure development, and security incident detection and response. Most IT departments do not have these capabilities internally.
Businesses must invest a significant percentage of their cyber security budget on detection and response capabilities, or risk significant business losses due to cyber security threats. Every business sector and business size are targets because every business is part of an economic ecosystem, and the weakest link will be the most likely target. This investment must include improved tools for incident detection, security policies and procedures to allow for timely and appropriate response, and experienced people to respond to the threats.
Original Source : Scott Murphy, NoJitter.com