While much of cybersecurity is focused on prevention, the simple fact is that many attacks are successful. Even a sophisticated, expensive security system is going to be breached from time to time. Smart attackers try to fly under the radar, biding their time and extracting maximum value or causing maximum carnage, sometimes over a period of months or even years.
The specter of a major data breach always looms large in the minds of InfoSec professionals, but it’s not always external malware that’s behind it; insider threats can be the toughest to uncover. There’s also the risk of bad actors intent on causing reputational damage with peripheral attacks that are harder to interpret. The good news is that you can take steps to boost your chances of swift threat detection and effective action.
1. Understand your environment and risk tolerance.
Security should start with a complete inventory, a fully mapped environment, and a deep understanding of what your business is all about and therefore what you need to do to protect it. It should be obvious that you need to know about all the potential endpoints and secure unmanaged devices, but the idea of risk tolerance is less straightforward.
The fact is that you can’t cover every angle, so discuss your strategy with key personnel and identify which parts are core to your organization. Once you’ve worked out what information you need to control tightly, you can begin to put together the right tools and systems to safeguard it. With clear priorities, you can also ensure that the most important areas get the highest level of monitoring.
2. Establish a baseline for normal behavior.
Before you can spot the breadcrumbs that might lead you to a breach, you need to have a clear and accurate picture of what normal operation looks like. Consider employing user behavior analytics so that any suspicious activity on the part of employees can be flagged for investigation. This can be very useful to help you root out not just external attacks, but also insider threats and plain old mistakes that may cause exposure.
This is also an area where machine learning can play an increasingly important role. The difficulty with machine learning tools is that they can generate false positives, which can be disruptive and time-consuming to identify and resolve. You should use these tools to support your experts, rather than to replace them.
3. Create a comprehensive incident response plan.
Every business should build a robust incident response plan to restrict the damage that any attack can wreak, reduce the recovery time to the absolute minimum, and limit the associated costs. Whether it’s a cyber attack, a natural disaster, or an ISP outage, you need to ensure that everyone knows what’s required of them and set clear responsibilities to get back to normal operations as swiftly and painlessly as possible.
By establishing a clear set of instructions and procedures to follow in the event that different problems arise, you can guard against the kind of misguided reactive panic that makes a bad situation worse. If you’ve already completed the last two suggestions, then crafting an effective response plan should be straightforward.
4. Analyze and learn from incidents.
The temptation to immediately slam the door shut when you detect a threat is understandable, but you should resist it. You can pull a weed out, but if you don’t get the roots it will return. Track the infection from the entry point to identify the back door. Every successful attack or breach is an opportunity to learn.
I believe root cause analysis is absolutely vital, not just to understand how and where your defenses failed, but also to learn how you can fine-tune your security systems to ensure that a similar approach will not work in the future. Exposing an incident and tracking it will help you strengthen your defenses, improve your incident response plans and identify weak spots in your systems or skill sets.
5. Create a skills map and test your team.
The cybersecurity skills gap is well established and while you can mitigate it to some extent by hiring additional talent, I believe it’s always going to be worth investing in and nurturing your existing talent. Creating a proper, company-wide security awareness training program is important, but you may need to get more specific and dive deeper with your InfoSec staff.
There are lots of different certifications and security training courses out there, but you should stop and consider what you actually need. Everything we’ve looked at so far can be used to craft a skills map highlighting the skills you need to effectively protect your environment and guard against the kinds of threats that your company has had to face.
Think carefully about specialization, because you don’t always want two general practitioners when you could have a brain surgeon and an oncologist. To build an effective team, you may need to create specialized roles. You can also develop your own training techniques using resources on the internet that don’t just teach but also test that knowledge in a real-world, practical way.
Keep these prerequisites at the forefront of your mind as you develop a security strategy. Allow them to inform and feed each other so your strategy evolves and security grows stronger after you encounter incidents. This is the path to building a solid foundation for truly effective advanced threat detection.
This article was originally posted on Forbes.com.