Every year is declared the year of the breach. Breaches are growing in magnitude and damage done to customers, businesses and even nation-states. But most of the reported breaches indicate that organizations are unaware of ongoing attacks and the exfiltration of sensitive data from their networks for weeks, if not for months.

Why does it take so long for organizations to detect attacks? And why is it so often federal authorities who end up informing breached organizations of an ongoing attack?

There are many reasons why organizations get breached. It could be tied to cybercriminals’ motives, which can vary from financial gain to hacktivism to state-sponsored espionage. Attackers can worm their way in due to lack of appropriate access controls, inability to manage vulnerabilities within the environment, lax security controls for vendors and third parties accessing critical enterprise systems, low security awareness among employees and more.

In this article, we focus on areas where many organizations fail to stop attacks before they become full-blown breaches.

Rapid Detection, Rapid Response

Industry studies have shown that the ability to detect and respond to attacks within minutes or hours, rather than days or weeks, has a significant positive impact on the organization. A security defense-in-depth architecture should be the foundation of any information security strategy.

However, as threat actors and attack vectors evolve, the ability to rapidly detect threats and respond to them effectively is essential to protecting information assets and managing risk. Being able to quickly detect and respond to issues requires a combination of skilled resources, streamlined processes and robust technology.

Having these capabilities installed in your enterprise can prevent security incidents from becoming major breaches. Start by identifying and monitoring assets to locate issues early in their life cycle. Then you can respond quickly, following a comprehensive, preset plan.

Know Your Assets

Most organizations do not have an authoritative asset repository maintaining the details of all assets, such as owner, device type, operating system, etc. Whether you’re dealing with servers, network devices, user endpoints, printers, telephones or other assets, having a repository with current information is key.

In addition to having an asset repository, the information security team should have the ability to identify each and every device connected to the enterprise network at any given time. This will enable them to reach the right owners when the system is under attack or infected. They can then address the incident or quarantine the system before other systems are impacted. It also enables them to proactively identify and manage vulnerabilities to maintain the risk posture.

Monitor Those Assets

Most organizations do not collect and harness security intelligence generated by all the systems within the enterprise. Without the ability to detect suspicious or anomalous activities, it is difficult, if not impossible, to address or stop them. Security information and event management (SIEM) capabilities are very useful to collect and correlate the intelligence gathered internally.

Additional intelligence feeds from external entities can be subscribed to, if required, to monitor systems proactively. However, not many organizations take full advantage of this investment, owing to the lack of a clear implementation strategy and the inability to deploy efficient supporting processes.

Before implementing this technology, or any technology for that matter, an enterprise-wide deployment strategy should be created. It begins with identifying all key assets (using the asset inventory) and categorizing them based on risk classification.

Use-case analyses should be performed to clearly identify all required critical events and validate the information necessary to proactively detect threats. Consistent logging standards should be implemented to support those use cases. Log sources for the highest-risk assets — firewalls, IDS/IPS, network devices, databases, system logs and so on — should be added in a phased approach until all required systems are integrated with the enterprise SIEM.

Many organizations fail to optimize their monitoring policies, resulting in tremendous numbers of false positives. Sometimes this leads them to suppress all alerts, turning the SIEM into little more than a log aggregator. This defeats the purpose of investing in a robust capability and derives little value from the investment. The security operations team should work with application, network and system administrators to fine-tune the monitoring policies, eliminate false positives and focus on flagging high-risk events.
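The asset-driven, risk-tiered monitoring this section describes, as an added example that is not part of the original article: a small Python correlation rule that joins constructed log lines against an asset repository so that a burst of failed logins on a high-risk asset alerts its owner, an isolated failure on a low-risk device stays quiet, and a host missing from the inventory is flagged as a gap. The log format, hostnames, owners, risk tiers and thresholds are all hypothetical.

```python
# Added example (not from the article): a minimal SIEM-style correlation rule that
# uses the asset repository to decide which authentication failures deserve an alert.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset repository (hypothetical): hostname -> owner and risk tier.
ASSETS = {
    "db01": {"owner": "dba-team", "risk": "high"},
    "print07": {"owner": "facilities", "risk": "low"},
}

# Constructed sample log lines in a hypothetical syslog-like format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 db01 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:03 db01 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:04 db01 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:06 db01 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:09 db01 sshd: Accepted password for admin from 203.0.113.5
2024-05-01T10:30:00 print07 sshd: Failed password for root from 192.0.2.9
2024-05-01T11:45:00 unknown-host sshd: Failed password for root from 192.0.2.9
"""

# Per-tier thresholds: failures from one source within WINDOW before an alert fires.
THRESHOLDS = {"high": 3, "medium": 10, "low": 25}
WINDOW = timedelta(minutes=5)

def parse(line):
    """Split one line into (timestamp, host, status word, source IP)."""
    ts, host, _, msg = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, msg.split(" ")[0], msg.rsplit(" ", 1)[1]

def correlate(log_text, assets=ASSETS):
    """Return alerts: one auth_bruteforce per (host, source) that reaches its tier's
    threshold inside WINDOW, plus an inventory-gap alert for hosts not in the repository."""
    alerts, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        ts, host, status, src = parse(line)
        if host not in assets:  # unmanaged device: nobody to contact, so raise a gap
            alerts.append({"type": "unknown_asset", "host": host})
            continue
        if status != "Failed":
            continue
        key = (host, src)
        hits[key] = [t for t in hits[key] if ts - t <= WINDOW] + [ts]  # sliding window
        tier = assets[host]["risk"]
        if len(hits[key]) == THRESHOLDS[tier]:  # fire once, exactly at the threshold
            alerts.append({"type": "auth_bruteforce", "host": host, "src": src,
                           "owner": assets[host]["owner"], "severity": tier})
    return alerts
```

Raising the per-tier thresholds or widening the window is the tuning step the article describes: the same logs produce fewer, higher-value alerts without silencing the SIEM entirely.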

Respond to Your Incidents

Just collecting intelligence and identifying anomalous activities will not help address incidents or threats; that requires a clearly defined playbook to respond to the anomalous events.

The first step is to develop a playbook to manage alerts by completing initial triage of the events, which will confirm whether they are valid or outliers. If those alerts are caused by a malicious attack or suspicious behavior, then an incident should be declared and appropriate incident response plans activated.

Incident response plans should be comprehensive enough to address any incident or breach at any given time. They should be able to guide team members through any number of potential scenarios, including social engineering, spear phishing, ransomware, denial-of-service attacks and more.

The plans should also identify the key stakeholders and players from different teams who need to be involved. Addressing an incident requires a concerted effort from many teams, so having a list of contacts prepared is crucial when time is of the essence.

The response plans must include guidelines for reactivating the impacted systems only after thorough checks have been performed, which helps ensure that no threat remains. Finally, the plan should require that a full incident report be generated and a post-incident analysis performed to improve future response and update processes.

Preventing Breaches

Having an asset inventory, detection capabilities and a response plan will help organizations to detect incidents rapidly and respond appropriately before they become damaging data breaches.

Download the Ponemon Institute 2016 Global Cost of a Data Breach Study
