August 19, 2022 By Serge Woon 4 min read

The cost of a data breach has reached an all-time high. It averaged $4.35 million in 2022, according to the newly published IBM Cost of a Data Breach Report. What’s more, 83% of organizations have faced more than one data breach, with just 17% saying this was their first data breach.

What can organizations do about this? One solution is endpoint detection and response (EDR) software. Take a look at how an effective EDR solution can help your security teams. 

What is a data breach?

A data breach is a cyberattack where a threat actor infiltrates a data source and exposes sensitive, confidential and protected data. This can occur as a result of ransomware attacks, phishing or malware attacks or other types of data theft. Whatever the source of the breach, it always leads to a loss of trust and damages the victim’s good name. It leaves many questions. How did the attack begin? How many devices did it strike? Have attackers stolen data? If yes, how much and from where?

Sharing an example of how threat actors might launch a phishing attack, Stephanie Carruthers, chief people hacker for IBM X-Force recounts:

“We had a client that wanted us to launch a phishing campaign against a hundred of their employees. We started to look through the company’s website and blogs, and we found a website where employees can post reviews about their employer. One common issue that we saw, which a lot of people complained about, was the parking at their job. So, we crafted a phishing campaign that actually explained how starting Monday, it was going to be assigned parking, and they just had to view the map to see their space, or else they would get towed. And that was one of our successful campaigns because we saw what people absolutely hated, and we tried to fix it in a way. And just by that website where we found all that information, it made our campaign extremely successful.”

What to do after a data breach

After a breach, cyber defenders or blue teams work under a lot of pressure to find answers quickly. Often there is a period of temporary shutdown, resulting in loss of revenue and critical data, which threatens business continuity. After the attack, defenders try to find the infrastructural weaknesses that led to the attack and fix them. At the same time, they try to neutralize persistent and dormant threats to avoid a second infection.

Attacks rarely happen at random. They are usually well-planned by the attackers, who follow a staged process, like the one shown in the MITRE ATT&CK framework, to reach specific goals.


3 stages of a data breach where EDR can help

For defenders, consider data breaches in three primary stages: pre-attack, the actual attack and post-attack. EDR can come into play during each of them.

Pre-Attack Stage of a Data Breach 

At this stage, the organization’s infrastructure appears to be running normally. However, behind the scenes, threat actors may already be busy with reconnaissance. They harvest email addresses and other company information useful for sneaking in.

Often, at this stage, attackers will test defenses to find possible entry points. EDR solutions can improve awareness by offering deep insight into the endpoint and server environment. They provide the telemetry needed to detect an attack in real time, giving defenders the chance to respond. The threat hunting portion of an EDR can also help in this stage by searching for newly discovered malware or suspicious activities.

Actual Attack Stage 

During the attack stage when the actual malware has been delivered — via email, web, USB keys or other means — speed of reaction is of the essence. Defenders need to neutralize the threat before it can do harm or spread across the entire infrastructure.

Attackers often use targeted malware. So, signature-based defenses like antivirus software that lack behavioral detection don’t help. However, with an EDR solution, defenders can detect the threat quickly by analyzing the attackers’ behavior. They also have several options at their disposal to automatically delete the malware, create blacklists, isolate affected endpoints and track the malware to find out what the attacker is targeting.

To be clear, the last option should only be used by seasoned defenders. Novice defenders should set their EDR in a protective mode, which blocks and remediates malware by itself.

Post-Attack Stage

The primary objective during the post-attack stage is to get back to a normal state fast. It is critical to minimize losses and reduce other operational damage.

A modern EDR solution can collect information about the attack and help reconstruct it, revealing how the attack took place in the first place and the weak spots that need to be fixed immediately. To make sure persistent or hidden threats are removed and reinfection is avoided, defenders can use the threat hunting capabilities of the EDR tool to hunt in real time for specific indicators of compromise (IOCs), binaries and behaviors, and remediate them. This will help the compromised organization recover and get back to business swiftly.
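The attack-stage and post-attack passages above both rest on the same idea: signature or IOC matching catches what is already known, while a behavioral rule still fires when the payload has been rebuilt so its hash is new. The following is an added example, not code from the article or from any IBM product, of a miniature EDR-style hunt run over constructed endpoint process events. Every hostname, process name, hash and rule in it is an assumption made up for the illustration; the `office-spawns-shell` rule is a generic example of the kind of parent/child behavior an EDR might flag, not a claim about any specific product's rules.

```python
"""
Added example (not from the original article): a tiny EDR-style hunt over
constructed process-creation events. It combines an IOC (hash) match with a
behavioral rule so the difference the article describes is visible: the
recompiled sample on host-b has an unknown hash and is caught only by behavior.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcessEvent:
    host: str       # endpoint the event was collected from
    parent: str     # image name of the parent process
    image: str      # image name of the newly created process
    sha256: str     # hash of the new process's executable (constructed values)
    cmdline: str    # command line as recorded by the sensor


# Constructed IOC list: hash -> label. Real IOCs would come from threat intel.
KNOWN_BAD_HASHES: Dict[str, str] = {
    "sha256-constructed-dropper-v1": "constructed-dropper-v1",
}

# Behavioral rule: an Office application spawning a command interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def office_spawns_shell(ev: ProcessEvent) -> bool:
    return ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SHELLS


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("office-spawns-shell", office_spawns_shell),
]


def hunt(events, bad_hashes=KNOWN_BAD_HASHES, rules=RULES):
    """Return (host, image, reason) for every IOC or behavioral match."""
    findings = []
    for ev in events:
        if ev.sha256 in bad_hashes:
            findings.append((ev.host, ev.image, "ioc:" + bad_hashes[ev.sha256]))
        for name, rule in rules:
            if rule(ev):
                findings.append((ev.host, ev.image, "behavior:" + name))
    return findings


def hosts_to_isolate(findings) -> List[str]:
    """Distinct hosts with at least one finding, i.e. candidates for isolation."""
    return sorted({host for host, _, _ in findings})


# Constructed telemetry: host-a runs the known sample, host-b a rebuilt copy
# whose hash is not on the IOC list, host-c shows only normal activity.
SAMPLE_EVENTS = [
    ProcessEvent("host-a", "explorer.exe", "winword.exe", "sha256-constructed-office", "winword.exe invoice.docm"),
    ProcessEvent("host-a", "winword.exe", "powershell.exe", "sha256-constructed-dropper-v1", "powershell.exe -enc ..."),
    ProcessEvent("host-b", "winword.exe", "cmd.exe", "sha256-constructed-dropper-v2", "cmd.exe /c ..."),
    ProcessEvent("host-c", "services.exe", "svchost.exe", "sha256-constructed-svchost", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS and hunt(SAMPLE_EVENTS)))
```

Running `hunt(SAMPLE_EVENTS, rules=[])` reproduces the signature-only view: host-a is found, host-b is not. With the behavioral rule enabled, both hosts surface, which is the article's point about targeted malware and antivirus products that lack behavioral detection.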

How to prevent a data breach

Statistics from the Cost of a Data Breach report show that security breaches at organizations with fully deployed security artificial intelligence (AI) and automation cost $3.05 million less than breaches at those without. To help prevent a data breach from happening, companies can employ these five best practices:

  1. Limit or restrict access to sensitive or valuable data
  2. Train your employees on common threats and protocols to follow
  3. Monitor your network remotely, around the clock
  4. Leverage advanced security protection
  5. Develop a security breach response plan

Cybersecurity is a process, not specific tools. Any tool by itself will not keep your organization safe, but it will help to protect you as part of a well-thought-out cybersecurity strategy backed by processes and people. At the same time, having an EDR solution as part of your security strategy is beneficial as cyberattacks on endpoints will continue to grow, get executed faster and become more sophisticated.

EDR offers detection and remediation capabilities that prove valuable to any organization during all stages of a data breach. For more information on choosing the right EDR solution for your business, download the EDR Buyer’s Guide.
