Hvordan finne den rette balansen mellom forebygging, deteksjon og respons

Historically, cybersecurity has been focused so much on prevention. Today, that is where the most investments still are. However, investing only in this area becomes irrelevant with time.

In the beginning, the security level increases. But it flattens out over time because of the lack of investment in the abilities to detect and respond to the threats that could not be prevented. Get more out of your security budget, balancing out the scale with detection and response.

_{Source: Orange Cyberdefense}

As we’ve seen, prevention is important, but not enough. There is more than ever a need for detection capabilities to be able to see what passes through defenses.

In 2015, Anton Chuvakin, who was, at the time, an analyst at Gartner, came up with the SOC-triad concept. The SOC-triad is built around the idea that a SOC should have the following main pillars for the best possible visibility coverage:

• SIEM/UEBA
• Network Detection and Response
• Endpoint Detection and Response

Ideally, any company should have all of the above even if, of course, each detection pillar has its strengths and weaknesses.

In our experience, the quickest way to get visibility of your environment is to start with the endpoints. The endpoint is central for an attacker and is often the focal point of an attack. It is the place where you can pick up the most comprehensive information about how an attacker is operating. And so when it comes to getting visibility fast, a good Endpoint Detection and Response (EDR) agent has the least dependencies on the end-user organization to provide the broadest coverage of breach detection.

Like most cases in cybersecurity though, it is not only a technology choice but also equally important to have the right skills and processes to be able to understand the visibility given by the technology.

Always strive for the best possible prevention, the more effective it is, the more you will filter out through prevention systems, and the less there will be to analyze which passes through in the detection end.

For instance, many of the major enterprise breaches have affected companies that have invested a lot in security teams (including people and processes), and they have had detection technology and there have been alerts generated indicating the breach. But the people, process, and technology have not been aligned causing floods of alerts which makes it hard for analysts to find the breach needle/s in the haystack of alerts.

Processes should be repeatable (and automated wherever possible), consistent and most of all, should be understood and regularly practiced by those tasked to deliver them. When it comes to detecting and responding to threats – like anything – practice makes perfect.

Without detection capabilities, you will have no ability to see what is passing through your defenses. And the absolute best possible point to see everything is on the endpoint as you will be able to monitor processes, memory, users, traffic (before it’s encrypted), etc.

There are a lot of technologies out there that have the capabilities to collect telemetry data from endpoints but the key point from a technology perspective is how the collected data points are being processed in the next step. Having a technology that is built to aid the analysts to find the breach “needles in haystacks”, connecting the dots into a timeline, will save a lot of time and effort in the analysis phase.

The only drawback is that you cannot install a sensor or agent on all devices in your network, hence the SOC-triad makes for more complete visibility and coverage in the longer term.

So whilst the endpoint is often a good place to start, you must also have an eye on the future. How will you build a detection strategy? What established frameworks will you use to help guide that strategy? And how will you deliver once you have that visibility?

These are all questions Orange Cyberdefense helps its customers to answer – either through guidance and a consultative partnership or more often than not, to also be involved in delivering on this strategy and extending the teams of our customers through Managed Detection and Response services.

Time to detect is crucial. But time to provide an appropriate response to limit the damage of a breach is also important.

Response could be anything from isolating affected endpoints, resetting user passwords to starting a more thorough incident investigation. But also, more process-related tasks like when to escalate an incident to management, how to communicate with external parties (such as law enforcement, media, etc.), and how to handle different types of cybersecurity incidents (a phishing incident will likely be handled very different to a DDoS attack for example).

The key point is that you need to know your response capabilities and also how to use them even if your IT systems are down; for the latter do you have contact details for key stakeholders only in a digital format or also printed? This also touches on the importance of a BCP (Business Continuity Plan), but that is a subject for another post.

In today’s threat landscape, detection and response capabilities are a must. It is also crucial that this follows the endpoint as much as possible regardless of where they are (on/off-premise). This is driven even more in these COVID-19 affected times where the remote workforce has vastly increased causing a lot of challenges to control and manage endpoints.

Reach out to us if you want to discuss the detect and respond aspect of your security strategy further.