Detection, the second of the three pillars of effective cybersecurity, is what surfaces existing weaknesses and active breaches so that they can be resolved.
One of the realities of today's threat landscape is that the question is not if you will be breached, but when, and how often. As good as prevention is becoming (prevention solutions now claim detection rates of 99.9 percent or higher for common malware), effective cybersecurity rests on three pillars: prevention, detection and resolution. The latter two exist for the situations where prevention is not enough.
Breaches are frequent (the figures cited here run to over 740 million in 2015 and 340 million in the first half of 2016) and they are fast: in the majority (93 percent) of them, attackers take minutes or less to compromise systems, and in close to a third (28 percent) data exfiltration also occurs within minutes. Even more worrisome, the mean time to identify (MTTI) a data breach was 201 days, and the mean time to contain (MTTC) it, measured from the point of identification, was a further 70 days.
Unfortunately, MTTI and MTTC aren't the only places where detection gets a failing grade. Up to 70 percent of data breaches are detected by third parties rather than by the organization's own security operations team, quite possibly because those teams are drowning in alerts.
Organizations see and must evaluate tens or hundreds of thousands of alerts daily. On average, only 29 percent of the malware alerts received are ever investigated, and about 40 percent of alerts are judged to be false positives.
Still, with the average total cost of a data breach now up to $4 million (the average cost per lost or stolen record containing sensitive and confidential information rose from $154 in 2015 to $158 in 2016), timely detection is critical to business success, if not business survival.
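As an added illustration (this is not code from the original article), the following Python computes the detection metrics quoted above from a small, constructed set of incident records. The record layout and field names (compromised_at, identified_at, contained_at, detected_by) are assumptions made for the example, not any product's schema. Note that MTTI runs from first compromise to identification, while MTTC runs from identification to containment, so the two must not be chained from the same starting point. Because dwell times are heavy-tailed, the median is reported alongside the mean, and dwell time is also broken down by who detected the breach.

```python
"""Detection KPIs (MTTI, MTTC, third-party detection share) over incident records.

Added example, not from the original article. INCIDENTS is constructed
sample data; the field names are assumptions for this illustration.
"""
from datetime import datetime
from statistics import median

# Constructed sample of confirmed breaches (not real incident data).
# Timestamps are ISO 8601; "detected_by" records who first raised the alarm.
INCIDENTS = [
    {"id": "INC-001", "compromised_at": "2016-01-01T00:00:00",
     "identified_at": "2016-07-19T00:00:00", "contained_at": "2016-09-17T00:00:00",
     "detected_by": "third_party"},
    {"id": "INC-002", "compromised_at": "2016-03-01T00:00:00",
     "identified_at": "2016-03-03T12:00:00", "contained_at": "2016-03-04T12:00:00",
     "detected_by": "internal"},
    {"id": "INC-003", "compromised_at": "2016-05-01T00:00:00",
     "identified_at": "2016-11-01T00:00:00", "contained_at": "2017-01-01T00:00:00",
     "detected_by": "third_party"},
    {"id": "INC-004", "compromised_at": "2016-08-10T08:00:00",
     "identified_at": "2016-08-10T20:00:00", "contained_at": "2016-08-11T20:00:00",
     "detected_by": "internal"},
]

SECONDS_PER_DAY = 86400.0


def _ts(value):
    return datetime.fromisoformat(value)


def _elapsed_days(start, end, label):
    """Elapsed time in days; a negative interval means bad timestamps, which would silently poison the averages."""
    delta = (_ts(end) - _ts(start)).total_seconds() / SECONDS_PER_DAY
    if delta < 0:
        raise ValueError(f"{label}: end precedes start ({start} > {end})")
    return delta


def dwell_days(inc):
    """Time to identify one breach: first compromise to recognition of the breach."""
    return _elapsed_days(inc["compromised_at"], inc["identified_at"], inc["id"])


def containment_days(inc):
    """Time to contain one breach: identification to containment (not from compromise)."""
    return _elapsed_days(inc["identified_at"], inc["contained_at"], inc["id"])


def mtti_days(incidents):
    """Mean time to identify across all incidents."""
    return sum(dwell_days(i) for i in incidents) / len(incidents)


def mttc_days(incidents):
    """Mean time to contain across all incidents."""
    return sum(containment_days(i) for i in incidents) / len(incidents)


def median_dwell_days(incidents):
    """Median dwell time; robust to a few very long-lived intrusions."""
    return median([dwell_days(i) for i in incidents])


def third_party_share(incidents):
    """Fraction of breaches first detected by someone other than the organization."""
    return sum(1 for i in incidents if i["detected_by"] == "third_party") / len(incidents)


def dwell_by_source(incidents):
    """Mean dwell time grouped by who detected the breach."""
    groups = {}
    for inc in incidents:
        groups.setdefault(inc["detected_by"], []).append(dwell_days(inc))
    return {src: sum(v) / len(v) for src, v in groups.items()}


if __name__ == "__main__":
    print(f"MTTI (mean):   {mtti_days(INCIDENTS):7.2f} days")
    print(f"MTTI (median): {median_dwell_days(INCIDENTS):7.2f} days")
    print(f"MTTC (mean):   {mttc_days(INCIDENTS):7.2f} days")
    print(f"third-party detections: {third_party_share(INCIDENTS):.0%}")
    for src, days in dwell_by_source(INCIDENTS).items():
        print(f"  mean dwell when detected by {src}: {days:.1f} days")
```

In this constructed set the breaches detected internally have a mean dwell of 1.5 days against 192 days for those reported by third parties, which is the pattern the article's 70 percent figure implies: the breaches nobody inside notices are the ones that run longest.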
‘IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.’
Given the high cost of data breaches and of stolen or lost records, it's no surprise that detection is getting far more attention. By 2020, 60 percent of enterprise information security budgets will be allocated to rapid detection and response approaches, up from less than 20 percent in 2015.
Prevention does the heavy lifting, but detection is essential for identifying the small but incredibly dangerous number of threats that get past it. This second pillar is what enables their removal and the resolution of whatever damage the breach or other cyberthreat has caused, as we'll examine in part three.
Composed of five steps arranged in a feedback loop, the Rapid Detection and Response Model (RDRM) helps organizations accelerate their ability to detect, investigate and stop attacks.
RDRM Step 1: Identify
Purpose: Create situational awareness of the organization’s threat environment by identifying technology and process gaps that lead to blind spots.
RDRM Step 2: Prepare
Purpose: Close gaps that hinder the ability to efficiently detect, respond to and resolve incidents.
RDRM Step 3: Detect
Purpose: Identify security incidents as they occur.
RDRM Step 4: Respond
Purpose: Confirm and investigate security incidents to understand what occurred and assess the impact.
RDRM Step 5: Resolve
Purpose: Create and implement a remediation plan to remove all points of entry available to the threat.