If you’ve ever gone shopping for cybersecurity products, you’re aware of the vast amount and variety of products that are available. In most cases, the question isn’t if a solution exists for a certain problem, it’s which solution you would prefer, the best vendor, etc. With a limited security budget, the biggest challenge is choosing which products to purchase.
When making these decisions, some answers are easy. If your organization has web applications and stores or processes sensitive or valuable data, a web application firewall (WAF) and data leak prevention (DLP) solution are essential. However, beyond these, every additional device purchased requires more man hours to properly monitor. Understanding the challenges of incident response is essential to making the right choices when going shopping for cyber.
Inside Incident Response
In incident response, the further you go in the process, the more expensive it is for your organization. Ideally, you’d love the attackers to just give up and go away, but if that doesn’t work, the next best thing is for your defenses to be impenetrable and leave them scratching their heads on how to get inside. If the hackers manage to penetrate your network, the costs and other impacts to your organization mostly depend on how long they’re inside causing trouble before you find them and send them packing.
Unfortunately, most hackers are in it for the long haul. Data is “the new oil”, and stealing and reselling data is a good way to make a profit (especially since they can sell the same data to multiple customers). Hackers tend to go for the “low hanging fruit” (it’s more cost-effective), so taking actions to defend your network, like performing penetration testing and deploying defenses like WAFs and DLP solutions, are a good idea.
Unfortunately, the hackers will eventually get into any network. As a defender, you have the unenviable job of closing every potential vulnerability in your network defenses, but an attacker only has to find one exploitable vulnerability in order to get inside and start causing trouble. You can have the best defenses in the world, but the one phishing email that slips through and is clicked on by an unwitting employee means there’s malware in your network.
At this point, you’re at the detection stage of the process. The faster that you find and eliminate the threat, the lower the hit on your bottom line. Unfortunately, this is where many organizations fall down in incident response. The average dwell time (or time from initial compromise to detection) is 78 days, meaning an attacker probably has complete access to your network for a couple of months before you catch a whiff of them.
The Incident Response Challenge
Why is this dwell time number so high? It seems crazy that it would take months before you notice an attack. The simple answer is that incident response is really, really hard. Hackers are experts at what they do, and what they do is break into organization’s networks and cover their tracks. The problem is complicated further by the fact that there is a wide variety of possible attacks and attack vectors that they can use.
On the one hand, some attackers specialize in flying under the radar. In many cases, they’re in no particular hurry, so taking days or weeks or even months to perform a scan of your network and find vulnerabilities is no big deal. Many intrusion detection systems work based upon event correlation: a single oddity is considered an anomaly but multiple anomalies may mean an attack. If these anomalies all happen close together, an alert goes out, but if they’re spaced over hours or days, they slip on by. While it’s possible to configure systems to report on every possible anomaly, your incident response team is going to drown in false alarms and probably miss the real attack since they’re too busy with a thousand wild goose chases.
On the other hand, other attackers don’t care about subtlety. These are the Distributed Denial of Service (DDoS) and ransomware attackers, who are perfectly willing to let you know that you’re under attack but willing to stop for a fee. These attacks require a different approach and different tools than the previous type in order to maintain operations.
Worse, some attackers are rude enough to take both approaches at once. They’ll use a DDoS attack as a distraction, knowing that you’ll be so busy running around trying to fix the problem to notice them slipping malware into and data off of your systems. If you allow the DDoS to distract you, you may not know about the data loss until the story hits the headlines.
Picking the Right Tools
The bottom line is that you can’t afford every cybersecurity toy out there and will have to make some hard choices. Before going shopping, it’s important to take a good look at your organization and the most likely threats to your business. Your network security team can only look at some many dashboards and process so much information, so choosing tools that integrate well and ease the load on them is essential if you’re going to get your money’s worth out of them (too many alerts is just as bad as too few). Pick out the solutions that you need the most so that you have the ability to catch that hacker trying to sneak in malware under the cover of a DDoS attack.