Is your manual Incident Response up to snuff?
Do you believe what the security experts say? That bad actors will penetrate your network, so it’s not a question of “if” but “when”? Believe it or not, it’s true. The evidence is clear that even well-funded security teams can’t keep hackers out. The paradigm has shifted and the new focus needs to include how to detect and stop attackers once they infiltrate your network.
Why has this happened? Are hackers better than they used to be? Are programs more vulnerable? It boils down to a couple key assertions:
- There’s real money in it. Cyber criminals are making some serious cash by creating software as a service malware for others to use. It’s a well-run business with upside in the millions. New cyber-attack strategies allow for less risk and we see very mature development models being implemented to produce malware and other hacking tools.
- Securing the human is hard. People are often at the center of the problem. We are easily manipulated by videos of cats, offers of free stuff or tricked into clicking something we shouldn’t. Plus, we like our gadgets that connect to the internet. IoT, the “Internet of Things”, should really be called the “Internet of Threats.” Even well trained organizations will have employees clicking on malware, falling for phishing attacks or admins simply making human errors that opens a hole in their security.
Accordingly, there are two key metrics we want to look at to address cyber security; MTTD (Mean Time To Detect) and MTTR (Mean Time To Respond). If you can detect and respond quickly enough, you can prevent data exfiltration or data encryption from ransomware even when cyber criminals do get past your defenses. The priority must be detection and containment. Cyber Security staff can play a key role in this but they cannot do it alone. To address the modern threat landscape, we must have some security automation and orchestration in place to be truly effective.
The amount of time an infected endpoint is attached to your network exponentially increases the risk of data leakage, ransomware or malware damages. Here is where security automation and orchestration join the fight. The MTTR can be reduced to minutes (even seconds in some cases) by disabling accounts, quarantining infected endpoints, updating access lists on switches or even creating firewall rules with a security automation toolset.
Some organizations have the luxury of a 24×7 SOC (Security Operations Center), nearly all of which will leverage some form of automation. However, for organizations who do not have the luxury of a SOC, automation becomes essential. When security automation is in place, senior security personnel can address more complex issues and triage quickly with more confidence. For example, infected endpoints can be delegated to the helpdesk to clean or wipe the machines to protect the network integrity.
As with all security exploits, time is the adversary. Some things just can’t be allowed to operate in your environment for an extended period, such as ransomware attacks and data exfiltration activities. These exploits need to be shut down immediately or risk a big financial impact. What would it cost your company if it lost essential data permanently due to ransomware? What would be the effect on your brand? Would you lose your customers’ trust? Would you still be in business if certain data was stolen or leaked to the public? Sad, but very real considerations which need to be addressed.