A few weeks ago, my son brought home a science assignment called Jeremy the Germ, which described how germs propagate. Jeremy is a crafty germ who travels from a student’s sneeze to a pencil that is then shared with a classmate, who chews on it. (I know, gross.)

But this provides an easy entry for Jeremy into the classmate’s immune system, where he waits and slowly turns into an infection. That leads to a cold, missed school and a not-so-good time for the young girl and her family.

When a Security Threat Becomes a Major Incident

Not unlike Jeremy the Germ, security threats today are sophisticated, persistent squatters in the security world. They use endpoints such as laptops, desktops, mobile devices and servers to gain access to data and the corporate environment. These hidden threats lie in wait — sometimes it can take almost six months before an organization discovers the threat.

Their goals can range from targeting specific data and gathering information to using legitimate tools and processes to move through the corporate network. Historically, organizations approached these security problems piecemeal, using network and other perimeter controls and then bolstering endpoints with signature-based or sandboxing protection.

But in this era of cloud, mobility and a rapidly proliferating cybercrime industry, building a larger wall, a deeper moat or a stronger defense-in-depth security is insufficient. Cloud, bring-your-own-device (BYOD) and the general consumerization of IT are outpacing the strategies organizations scramble to put in place.

No controls can guarantee complete security and protection. Instead, organizations need an approach that balances a certain level of acceptable risk with smarter detection and response to true threats. With so many technologies and processes out there, it can be overwhelming for organizations to determine the right path to protection. Here is one three-pronged approach that can stop a threat from turning into an incident.

Step One: Smarter Protection

To start, identify areas of risk in your organization and assign levels and criteria of acceptable risk. Foundational protection and prevention technologies that offer endpoint- and network-level controls are key to tuning a security dial toward that level of manageable risk.

Network controls may include firewalls and Web and email security. Endpoint protection and prevention controls include blacklisting/whitelisting and various other capabilities in the technology stack such as host-based intrusion detection systems (HIDS), host-based intrusion prevention systems (HIPS) and data loss prevention (DLP).

Then there’s the godfather of endpoint protection: a robust, unified endpoint management platform to automate these security and operational functions. Regardless of the controls you choose, however, they need to be grounded in contextual threat intelligence.

Step Two: Continuous Monitoring, Detection and Operationalized Threat Hunting

Prevention is not foolproof. Even the most rigorous of hand-washing and hygiene can’t always keep germs like Jeremy at bay.

Use endpoint detection and response (EDR) technology built into an endpoint protection solution. EDR technology offers continuous recording of and visibility into endpoint activity. That information can then be pumped into a security information and event management (SIEM) solution, where it is correlated with network telemetry.

When combined with continuous monitoring, analytics and threat intelligence, this end-to-end solution can contain potential threats faster, map the threat kill chain in minutes and operationalize a threat hunting platform. Rather than spending time digging into root cause analysis, playing whack-a-mole with individual endpoints or cyclically re-imaging machines, EDR tools determine the scope of the threat faster. They contain the affected endpoint without necessarily wiping it out altogether.

These technologies may require specialized skills and expertise that organizations don’t necessarily have in-house, but that is no reason to switch EDR off. I recommend starting with a subset of endpoints such as high-value assets — those endpoints with critical data or potential for brand impact, for example. Or if you work with a managed service provider, ask about a continuously monitored solution that is not reliant on signatures or sandboxing technology alone.

Step Three: Continuous Incident Response and Management

Chances are, your organization already has an incident response (IR) strategy and a dedicated or outsourced IR team. However, even the best IR teams and processes fall short unless combined with EDR, network forensics and an automated incident management system. These building blocks accelerate incident response, reduce costs and get to containment faster.

Organizations that approach network and endpoint solutions as silos will end up with a fragmented, time-consuming IR process because incident management and forensics span multiple solutions and technologies.
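A small, constructed illustration of the Step Two and Step Three pipeline: EDR and network telemetry flow into a SIEM-style correlation that matches threat intelligence, maps kill-chain stages, pulls laterally reached hosts into scope and prioritizes high-value assets for isolation rather than re-imaging. This is an added example, not code from the original post or from any IBM product; the indicators, hostnames and events are constructed.

```python
"""Toy SIEM-style correlation of EDR and network telemetry (added example)."""

# Constructed threat intelligence: indicator -> kill-chain stage it evidences.
THREAT_INTEL = {
    "hash:deadbeef01": "delivery",                # hypothetical file hash
    "domain:c2.example": "command_and_control",   # hypothetical C2 domain
}
# Assumed asset inventory: hosts holding critical data get containment priority.
HIGH_VALUE_ASSETS = {"fin-db-01"}

# Constructed telemetry: (timestamp, source, host, indicator or None, detail).
EVENTS = [
    (1, "edr", "wks-22", "hash:deadbeef01", "process_start invoice.pdf.exe"),
    (2, "net", "wks-22", "domain:c2.example", "dns_query"),
    (3, "edr", "wks-22", None, "tool:psexec fin-db-01"),
    (4, "edr", "fin-db-01", None, "process_start cmd.exe parent=psexesvc.exe"),
    (5, "edr", "wks-07", None, "process_start chrome.exe"),
]


def correlate(events, intel=THREAT_INTEL, hva=HIGH_VALUE_ASSETS):
    """Group telemetry into incidents: one per host that first matched intel,
    then follow remote-execution events to pull lateral targets into scope."""
    incidents = {}        # origin host -> incident record
    in_scope = {}         # any host already in an incident -> origin host
    for _ts, _src, host, indicator, detail in sorted(events, key=lambda e: e[0]):
        stage = intel.get(indicator)
        if stage and host not in in_scope:
            incidents[host] = {"stages": [stage], "hosts": {host}}
            in_scope[host] = host
            continue
        origin = in_scope.get(host)
        if origin is None:
            continue      # activity on an unrelated host: nothing to correlate
        inc = incidents[origin]
        if stage and stage not in inc["stages"]:
            inc["stages"].append(stage)
        if detail.startswith("tool:psexec "):   # remote execution = lateral movement
            target = detail.split()[1]
            if "lateral_movement" not in inc["stages"]:
                inc["stages"].append("lateral_movement")
            inc["hosts"].add(target)
            in_scope[target] = origin
    for inc in incidents.values():
        inc["priority"] = "high" if inc["hosts"] & hva else "normal"
        inc["actions"] = {h: "isolate" for h in sorted(inc["hosts"])}  # contain, don't re-image
    return incidents
```

Running `correlate(EVENTS)` yields one incident rooted at wks-22 whose scope includes the high-value host fin-db-01, so it is flagged high priority with both hosts marked for isolation.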

The above framework is by no means the only approach to reaching your organization’s desired security posture. Jeremy the Germ made it into his target because he found a weak spot and was patient — and security threats will do the same. You must choose the right combination of people, processes and technologies for your ideal security posture, all while keeping protection, prevention, detection and response in mind.
