The UK crime rate recently doubled after the ONS included cybercrime in its calculations for the first time, showing that cybercrime is a real and present danger. Businesses everywhere are rightly concerned. It’s impossible to know who the next victim will be, since there’s no pattern to those being targeted. In the last six months alone, we’ve seen telecoms firm TalkTalk, online 'dating' site Ashley Madison, and, most recently, the electronic toy-maker VTech, all suffering the public humiliation of a breach.
This is even causing paranoia amongst consumers, with research revealing that four in five are concerned that hackers have stolen their data without anyone realising. Whichever way you look at it, the outlook is pretty bleak; but rather than just giving up and going home, it’s time for businesses to put on their running shoes and get back in the game.
Overcoming the hurdles
Before they can tackle the cyber threat effectively, it’s important to realise that no business can be impervious to attack; if a hacker is determined enough, they will eventually succeed. As such, businesses can’t afford to focus only on prevention, as successful attacks could sneak below their radar and stay hidden for days, weeks, or even months before anyone realises. In fact, the Ponemon Institute’s Annual Cost of a Data Breach Survey found that the average time to detect a malicious attack can be up to 256 days. That’s over eight months!
In some cases, though, it’s even worse. Hilton Worldwide recently identified two separate breaches of customer card details stretching back twelve months. This detection deficit is a major mismatch with public expectations; research shows that ninety-four per cent of people think businesses should be able to detect a breach within just one day.
Detecting a cybercrime
However, whilst it’s easy for consumers to demand detection in minutes, the reality of doing this is far more complex. The volume of potential threats being picked up by the array of security systems defending today’s organisations creates a lot of noise, making it difficult for security teams to see the wood for the trees. Amongst the genuine threats, there are a lot of false positives, making it difficult to prioritise effectively.
The other problem is one of focus. Rightly, organisations will concentrate their defences on their most business-critical assets and high-value data. However, this often leaves a blind spot in detection. Hackers have clocked on to this, which is why the initial point of entry is unlikely to be the ultimate intended target. Hackers find a chink in the armour, and then use this as a landing spot to test systems and sneak toward their intended target. The longer they have access, the bolder they get, and the more damage they can do. Furthermore, once they land inside your environment, what are they? They’re insiders. And detecting malicious insider behaviour, especially in dynamic environments with lots of diversity and entropy, is hard.
This is why it’s so critical to reduce the attack surface – or spread of the attack – by detecting threats in their early stages, before the hacker has had time to move into additional systems or exfiltrate any sensitive data. The only way that businesses can achieve this level of visibility and responsiveness is if they can spot a breach happening in real time. To do this, organisations need continuous monitoring on every endpoint device, with automated triggers around unusual activity that provide security teams with context about threats.
No prizes for second place
However, detection is only part of the battle; businesses are equally under pressure to respond quickly in the aftermath of a breach. For example, whilst TalkTalk was relatively quick to realise it had experienced a breach and swiftly notified the public, there was major fallout over its inability to identify how many customers had been affected and which data had been compromised. This initially led the company to overstate the scale of its problem, creating an uproar that could have been reduced significantly if security teams had access to more detailed information.
This is why being able to provide an instant impression of what has happened when a breach occurs is so vital. Security teams need to be able to provide the business with details of which systems were affected, what data has been taken, and how they were breached. Having the ability to track the kill chain in the event of a successful breach, following the trail of actions that hackers took inside their systems, is essential. As such, businesses need to maintain always-on, continuous recording on every endpoint within their IT infrastructure, so that they can 'replay the tape' and understand what has happened. This will help inform a better response and a clearer understanding of the risk exposure. Along these lines, the business also needs confidence that it truly eradicated the infection and didn’t miss some systems that were compromised with backdoors or new accounts added to them.
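As an added illustration of the continuous endpoint recording described above and the 'replay the tape' idea (example code written for this page, not Carbon Black's product or the author's own), the block below replays a small constructed endpoint timeline from an alerting process back to its point of entry, and lists the files and network peers touched by that process lineage. The event format, hostnames, process names and addresses are all made up for the example.

```python
"""Replay a recorded endpoint timeline from an alert back to the point of entry."""
from collections import defaultdict

# Constructed sample of a continuous endpoint recording (not real telemetry).
# Each record: (timestamp, host, event kind, pid, parent pid, detail)
EVENTS = [
    (1, "ws-01", "process", 100, 1,   "outlook.exe"),
    (2, "ws-01", "process", 101, 100, "winword.exe"),
    (3, "ws-01", "process", 102, 101, "powershell.exe"),
    (4, "ws-01", "netconn", 102, 101, "203.0.113.9:443"),
    (5, "ws-01", "process", 103, 102, "cmd.exe"),
    (6, "ws-01", "filemod", 103, 102, "C:\\finance\\payroll.xlsx"),
    (7, "ws-01", "netconn", 103, 102, "10.0.0.5:445"),
    (8, "ws-01", "process", 104, 1,   "explorer.exe"),  # unrelated noise
]


def replay(events, host, alert_pid):
    """Answer the three incident questions for one host: how did they get in
    (ancestry chain), what data was touched, and which systems were contacted."""
    procs, children, side = {}, defaultdict(list), defaultdict(list)
    for _ts, h, kind, pid, ppid, detail in sorted(events):
        if h != host:
            continue
        if kind == "process":
            procs[pid] = (ppid, detail)
            children[ppid].append(pid)
        else:
            side[pid].append((kind, detail))
    # How did they get in? Follow parent links up from the alerting process.
    chain, pid = [], alert_pid
    while pid in procs:
        chain.append(procs[pid][1])
        pid = procs[pid][0]
    chain.reverse()  # root first: the original entry point
    # What did the intrusion do? Collect everything spawned below the alert.
    todo, lineage = [alert_pid], []
    while todo:
        p = todo.pop()
        lineage.append(p)
        todo.extend(children[p])
    files = sorted(d for p in lineage for k, d in side[p] if k == "filemod")
    peers = sorted(d for p in lineage for k, d in side[p] if k == "netconn")
    # Internal peers (here 10.0.0.5) are the next hosts to check for backdoors.
    return {"entry": chain, "files": files, "peers": peers}


if __name__ == "__main__":
    print(replay(EVENTS, "ws-01", 102))
```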
To make a physical analogy, if your home is robbed and you get the robber out, but you don’t notice they changed the locks on your doors, they’ll be able to come back more easily next time. Ultimately, the attacks facing today’s organisations are increasingly complex and multifaceted, so businesses require an equally multi-layered approach to security in order to deal with them effectively.
Focusing on known attacks, or detection alone, will create weak points in enterprise defences, and hackers will be only too willing to take advantage of them. The ability to detect, prevent, and respond to security threats in equal measure is essential if businesses are to put themselves back on the front foot and start winning the race against their adversaries.
Ultimately this is an economics problem, and until we as united security defenders and organisations begin to make compromise less lucrative, the attacks will continue to rain down.
Ben Johnson, Chief Security Strategist, Carbon Black