Breaches often take weeks or even months to uncover, but the right strategy combined with strong endpoint detection & response (EDR) tools can make all the difference. We examine seven vital factors to consider.
Many different elements need to come together for an organization to secure its data properly. Most companies adopt a security strategy that focuses on prevention, but the idea that you can completely lock down your systems and prevent all incursions is a fallacy. Data breaches are every bit as inevitable as death and taxes; almost all organizations are going to suffer a breach at some point.
Swift detection & response is vital because it gives attackers less time to dig in and move laterally through your network, reduces the risk of regulatory fines, and helps you avoid reputational damage. And it also reduces the cost of a data breach. The longer it takes to detect, the more expensive a breach will be, so the fact that it takes companies 196 days on average to detect a breach, according to the Ponemon Institute, is cause for concern.
Achieving the necessary speed requires getting into the right frame of mind and adopting the best EDR tools. To assist you in your task, we’re about to outline the seven deadly sins of detection & response.
Lack of endpoint visibility
The average IT environment today includes countless devices running different operating systems. Complexity is growing as the IoT, remote workers, and third parties add more potentially exploitable endpoints into the mix every day. Every organization needs to take steps to secure unmanaged devices and eliminate the IoT blind spot. Complete, real-time visibility into every endpoint on your network should be a priority.
Failure to analyze data
Maybe you’ve deployed a great EDR system and it’s configured correctly, but now your security team is buried under an avalanche of incoming data and they’re struggling to pick out the valuable insights that need to be acted upon. There are really two issues here: You need the right tool for your business, properly configured, and you need the resources to analyze the incoming data.
Like the boy who cried wolf, any security tool that churns out a high volume of alerts that include false positives runs the risk of switching people off. When alert fatigue kicks in, security teams start to ignore things that merit further investigation. It’s impossible to cull all the bogus alerts, but you have to work to make sure that legitimate alerts don’t pass by unnoticed. If it turns out that a genuine issue was ignored, then you need to take a hard look at your procedures.
Overreliance on common indicators of compromise
Whether it’s a virus signature or a domain name with a shady reputation, there are certain indicators of compromise (IOCs) that offer a shortcut to uncovering a breach. By all means watch out for these IOCs, but don’t rely on them solely. Smart attackers know the IOCs just as well as you do and they’re adept at obfuscating and disguising their attacks. Monitoring for suspicious behavior and unusual patterns should also be a part of your defense strategy.
Lack of qualified talent
We know the cybersecurity skills shortage is a major issue for every organization and it’s getting worse with every passing year, but even the best EDR tools in the world are going to prove ineffective without qualified analysts behind them. People with the right skills can sift through the data, reduce false positives, and help you squeeze real value from your EDR defenses. Your IT department is probably overstressed, so look to bring in expert services to lessen the load and fill the talent gap. Outsourcing and consultancies can help detect and mitigate problems and run due diligence to deliver the insights you need.
Failure to outline response
It’s all well and good being able to rapidly detect a breach, but if it’s not swiftly followed up with the necessary action, then it’s not helping your organization. A clear triage strategy is required to ensure that serious breaches are dealt with immediately. Set stringent guidelines for reporting and investigation, set clear responsibilities and make sure that the findings inform and drive remediation plans in a timely manner. It’s easy to make a bad situation worse if you lack a clear policy that’s properly enforced.
Forgetting to measure and improve
The pursuit of security is endless and there’s always room to improve your strategy. No matter which tools and expertise you employ, it’s crucial to measure their effectiveness. If your team can’t handle the alert volume, then give them more resources or find a way to prioritize those alerts more effectively. If there’s a big gap between discovery and remediation, you need to set targets and find ways to close it. Work out which metrics are most important to your business and create a feedback loop so that they drive continuous improvements in your strategy.
Most organizations are going to be guilty of a couple of these sins; some may even be guilty of all of them. Repentance is not enough. If you want to improve your detection & response times, then you need to act. Establish visibility, assign the right talent and resources to properly analyze data and alerts, employ sophisticated and varied monitoring techniques, learn from your mistakes and always strive to improve.