Attack vs Defense: Five ways to even the cyber battlefield

In the disastrous cyber war mismatch, the attackers have the edge, but cyber defenders can catch up with, and even surpass, the enemy. (One of the ways may surprise you.) 

Somehow, the numbers do not make sense. 

Companies invest almost $81 billion annually on cyber security, according to Gartner, while Lloyd’s reports that 92 percent of EU businesses have still been breached. Remember Yahoo, Target, Home Depot, and all the others? What gives? Can it be that the attackers have outsmarted the defenders? Sadly, the answer is yes. This infographic clearly illustrates the mismatch:

*Based on data from the Ponemon Cost of the Data Breach report and Verizon DBR 2016

But all is not lost if companies follow these five winning strategies. 

Way 1 - Know the Facts 

To beat the enemy, you must first understand him. Just how did the attackers manage to infiltrate your seemingly impenetrable security walls, or overcome the multi-million-dollar security operations arrayed against them? Attackers scout their targets in advance and tailor their malware to evade common perimeter defenses. Then they launch stealthy, multi-stage attacks inside the network - moving laterally among servers and endpoints, communicating with command and control servers, and exfiltrating data. And the average time it takes for companies to identify an attack is 256 days. By that time, of course, the damage could be irreparable. 

Way 2 - Turn Disjointed Defense into Coherent Strategy 

You can’t fight complex multi-vector, multi-staged attacks with single-vector point tools and unfocused investigations. Develop a coherent strategy that allows you to prioritize alerts and turn information gathered from various sources into a complete attack picture, with a timeline or storyline that makes sense. A coherent approach, which enables you to focus and act fast, also prevents attackers from getting through and dwelling in your network for far too long. Most importantly, such a strategy puts an end to alert fatigue, lengthy and time-wasting investigation processes, and incomplete attack intelligence. Say goodbye to high false positive rates, wasted efforts, increased costs, and a lack of data on which to base an effective incident response. 

Way 3 - Move from Alert-Driven to Intelligence-Driven Operations

Unfortunately, the shortage of cyber skills and resources is a very real problem. Few organizations have enough skilled security analysts to efficiently use the tools they already have to investigate all the cyber alerts that are surfacing. This - coupled with a disjointed defense approach that includes a lack of integrated forensics between network and endpoint - leaves the company’s already lean cyber resources hopelessly mismatched against the attackers.

The answer, of course, is a different approach - a move from manual alert-driven operations to automated intelligence-driven investigations. Automate the processes that human analysts use to gather leads, collect forensic evidence that corroborates or refutes them, and build a complete picture of every incident.

Adopt technology that leverages the intuition and experience of the human analyst to complete and improve the process. By automating security investigations, your organization can not only detect a great deal of important data but also make the most of it. To achieve this you need coverage across your endpoints, network and files, and you need context, which comes from combining the detection evidence with deep forensics. So rather than having analysts sift through alerts, collect forensic evidence, find connections, and determine the attack storyline by hand, an intelligence-driven system continuously looks across detection sensors and queries forensics to build the attack storyline automatically, improving the efficiency and effectiveness of your security operations. 
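One way to turn the per-sensor alerts described in Ways 2 and 3 into a corroborated, prioritized attack storyline, as an added illustration (example code, not from the article or from any Verint product). The alert format, the stage names taken from the attack chain in Way 1, and the sample alerts are all constructed assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Attack-chain stages named in the article, in the order they normally occur.
STAGE_ORDER = ["initial_access", "lateral_movement", "c2", "exfiltration"]

@dataclass(frozen=True)
class Alert:
    ts: int                        # seconds since epoch (constructed values)
    sensor: str                    # "endpoint" or "network"
    host: str                      # asset the detector fired on
    stage: str                     # attack-chain stage the detector maps to
    detail: str
    related: Optional[str] = None  # other host named in the evidence, if any

# Constructed sample alerts from two sensor types (not real telemetry).
SAMPLE_ALERTS = [
    Alert(100, "endpoint", "ws-17", "initial_access", "macro spawned powershell"),
    Alert(160, "network", "ws-17", "c2", "periodic beacon to rare external host"),
    Alert(300, "endpoint", "srv-db1", "lateral_movement", "remote service created", related="ws-17"),
    Alert(420, "network", "srv-db1", "exfiltration", "2 GB upload to cloud storage"),
    Alert(500, "network", "ws-42", "c2", "single DNS anomaly"),
]

def _find(parent, x):
    while parent[x] != x:               # union-find with path halving
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def build_storylines(alerts):
    """Group alerts into incidents by host and by host-to-host evidence links,
    order each incident's alerts in time, and rank by attack-chain coverage."""
    parent = {}
    for a in alerts:
        parent.setdefault(a.host, a.host)
        if a.related:                   # evidence linking two hosts merges their stories
            parent.setdefault(a.related, a.related)
            parent[_find(parent, a.related)] = _find(parent, a.host)
    groups = defaultdict(list)
    for a in alerts:
        groups[_find(parent, a.host)].append(a)
    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: a.ts)
        stages, sensors = {a.stage for a in members}, {a.sensor for a in members}
        # A lone alert from one sensor at one stage is a false-positive candidate;
        # multi-stage or multi-sensor evidence is what gets an analyst's time first.
        incidents.append({
            "hosts": sorted({a.host for a in members}),
            "timeline": [(a.ts, a.sensor, a.host, a.stage, a.detail) for a in members],
            "stages": [s for s in STAGE_ORDER if s in stages],
            "score": len(stages) * len(sensors),
            "corroborated": len(stages) >= 2 or len(sensors) >= 2,
        })
    incidents.sort(key=lambda i: (i["corroborated"], i["score"]), reverse=True)
    return incidents
```

Run over the sample, the two linked hosts collapse into one four-stage incident at the top of the queue, while the isolated DNS anomaly on ws-42 falls to the bottom as uncorroborated.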

Way 4 – Combine Machine Intelligence with Human Intelligence to Create a Sum Greater Than Its Parts 

Synergies between machine intelligence and human analysis and intuition create an ever-strengthening ability to fight cyberthreats. Many technologies get their strength from whitelisting and other rules created by humans, so they miss attacks that don’t match the rules. Other solutions focus only on anomaly detection, triggering an overwhelming number of false positives. Combining machine-driven learning with human insight can deliver much better results than either side separately. Explore the up-and-coming technologies that detect attacks by combining artificial and human intelligence, reducing false positives and creating a complete picture of the attack chain while recommending mitigation steps. 

Way 5 - Think “What Would Sherlock Holmes Do?” 

Don’t laugh, but doesn’t catching and investigating cyberattacks feel a bit like old-fashioned detective work? And who better personifies a great detective than Sherlock Holmes? But, you may ask, what does this fictional investigator from Victorian England have to do with today’s hyper-connected world and 21st century security analysts? 

More than you think! Yes, Holmes was always called in AFTER the crime was discovered, had the luxury of picking his cases, and had the good fortune of having Dr. Watson and his excellent forensic skills to help him get the information he needed to solve the crime. On the other hand, today’s security analysts must sift through tons of data just to DISCOVER if there is indeed a case and must investigate dozens of them simultaneously. 

Now imagine if you automated your cyber investigations. This would give your security analysts a “cyber-partner” to handle the initial stages of security investigation that take so much time – reviewing alerts, triaging, gathering forensic evidence, validating leads and dismissing false positives, and identifying possible connections for follow-up. An automated Holmes-like security operation would provide the full context of every incident – the entire storyline across the attack chain, along with the raw forensic data relevant to every stage. It would simulate what good analysts do: continuously assess all of the facts, determine which ones are relevant, choose the next step in the investigation, and finally establish a coherent attack storyline. And it would share its findings in a clear, intuitive way, handing over the final analysis to the human analyst. In this way, just like Sherlock Holmes, every security analyst would have only a small number of incidents to investigate each day, each clearly laid out with all of the forensic evidence required to make decisions and respond quickly. 

End the mismatch. Even the battlefield with the winning strategies above. And, yes, think WWSHD (What Would Sherlock Holmes Do?). It couldn’t hurt. 

Noam Rosenfeld, Senior VP Research & Development, Cyber Intelligence Solutions, Verint Systems and Former Head of Cyber Defense Department in the IDF   

Image Credit: BeeBright / Shutterstock