Detecting cyber breaches requires both a thorough understanding of your environment and the latest cyber threats that will likely target it. Only then can detection become truly proactive.
Despite the large investments organisations have made over the past decade in security monitoring and detection technologies, the fact remains that most cyber breaches go unnoticed within organisations until they are revealed by external entities.
"Having the ability to detect a cyber-attack quickly is critical to an effective response strategy."
Partner, Technology Risk
There have been a number of highly publicised, high profile cyber-attacks at global behemoths and each day there are many more. In most cases, security technology was in place that detected the first indicators of compromise, and yet the warnings generated were not investigated further. Valuable and expensive information that should have been harnessed for incident detection was either over-looked or discarded.
This was due to a range of reasons including:
There is no silver bullet nor a one-size solution that fits all. Each organisation needs to understand the location of their critical data assets, understand the risks to these assets, and have the appropriate controls in place to mitigate the risk.
An element of the controls should, at the very least, include logging and monitoring capabilities for the technologies involved in protecting and processing your most critical data assets, to detect any events associated with the data.
Where security technologies are already in place, these should be reviewed to ensure they are operating optimally and any identified gaps should be checked and remediated. Furthermore, as new threat identification techniques and detection technologies emerge, their potential use should be evaluated to understand if they can add value to your existing cybersecurity detection program.
Unfortunately, many organisations see cyber security breaches as a sign of weakness. As a result, they are unwilling to share information about how an attack occurred. We believe this has to change. It is only by building hubs of shared information that we will gain the upper hand. Certainly our adversaries gather strength from shared information. They are very happy to advertise how they bypassed a system online, posting their achievements on various forums.
Every day security analysts are faced with piecing together disparate parts of complex events of interest related to emerging and sophisticated threats. Just as cyber criminals are collaborating to share information and techniques within their global networks, organisations should come together to share their experience and findings and leverage these to help others. It is only then that the community as a whole starts to catch up with those who are perpetrating the crimes.