Prevent, DETECT, Respond: Detecting Security Breaches Before It’s Too Late

Talk to any cloud customer about security and their thoughts will probably run in one of two directions: preventing breaches and dealing with the fallout. But there’s a stage in between that doesn’t get discussed a lot, and it’s a critical one: detecting the breaches. The most recent Verizon Data Breach Investigation Report shows that since the report was created (nine years ago), attackers have consistently (75% and higher) compromised assets in a matter of days. Defenders, on the other hand, have only been able to identify breaches in a matter of days less than 25% of the time. According to the VDBIR, this gap “smacks us with the fact that the bad guys seldom need days to get their jobs done, while the good guys rarely manage to get theirs done in a month of Sundays.”

That said, while getting attacked is never a good thing, it doesn’t mean that all is lost. By installing watchdogs in your system, you have the power to make the difference between a brand-destroying disaster and a breach that’s merely inconvenient.

There’s no getting around the fact that breaches happen. Whether it’s a lone hacker poking around your system or a crime ring across the ocean, malicious actors are smart, relentless and well-trained. Developing a strong multi-layered security posture is always the way to go, but it can’t be the only weapon in your arsenal. If you want to prevent widespread data loss and an irreparably damaged brand, your organization needs an intelligent plan to detect and contain breaches promptly.

Take a look at the tactics below and get prepared now so that you’re not caught unaware if and when you’re attacked.

Beef up your security.

Conduct comprehensive risk assessments that look at your system weaknesses, possible threats and their potential impact, then take corrective measures. Proactive monitoring, scanning and remediation, along with a security-based architecture design, are all part of a more robust security posture. That might fall into your “I already knew that” category, but a lot of organizations and providers still aren’t doing it.

Also important: tools that automatically implement security countermeasures to prevent further attacks while engineers investigate and confirm or assess a potential incident. This is a quick and clever way to prevent data loss.

Reduce your attack appeal.

You might imagine hackers planning major data heists against big targets, but most hackers are opportunistic hunters on the lookout for low-hanging fruit. You can take yourself out of their crosshairs by minimizing your attack surface. By locking down potential attack vectors, you not only eliminate points of entry, but reduce your own investigation time; there just isn’t as much territory to worry about. Eliminating low-hanging fruit generally yields the highest return in terms of mitigating potential attacks – 20% of the work for 80% of the gain.

Bonus tip: through careful IP reputation management and threat intelligence – preventing known bad actors from even accessing your infrastructure – you can ward off bad traffic and, over time, become less visible to would-be attackers.

Pay attention to anomalous activities.

We know how easy it is to dismiss alerts and anomalies, especially those generated by ill-tuned devices – there’s simply too much noise. But that’s exactly how so many recent big breaches started. You must therefore assign someone to tune and interpret alerts, distilling them into legitimate, actionable events and determining whether each event is simply a fluke or something more serious. Taking CSIRT action on every anomaly just isn’t practical; engineers who possess the right investigative tools and the knowledge to efficiently investigate potential events will be far more effective at mitigating data loss. A direct and efficient examination and documentation plan is vital to prevent inconsistencies and expedite breach detection.

Turn your data into your watchdog.

Sometimes it seems that all the data coursing through your networks is just bits and fury, signifying nothing. In reality, it can be your best friend by acting as a guard dog. Collect forensic data and archive it in a way that maintains its integrity – then correlate and trend it so that it tells you a story over time. Using this macro-level information can help you distinguish a benign anomalous event from a potential breach where other systems stay quiet. Keep in mind that for this to be effective, you must collect data consistently; if you wait until suspicious activity occurs to begin collecting evidence, it won’t be sufficient to provide the complete and contextual picture you need. This data will also prove critically useful during investigation.
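As an added illustration of this section (example code, not from the original post): a small Python script that archives constructed per-host failed-login counts in a hash chain, so the integrity of the archive can be verified later, and then trends each host against its own history to flag a day that stands out from the baseline. The host names, counts, and the three-sigma threshold are assumptions chosen for the example.

```python
import hashlib
import json
import statistics
from collections import defaultdict

# Constructed sample (not real data): daily failed-login counts per host, as a
# collector that runs every day, not only after an incident, would have archived them.
SAMPLE_EVENTS = [
    {"day": d, "host": "web-01", "failed_logins": n}
    for d, n in enumerate([4, 6, 5, 7, 5, 6, 48])
] + [
    {"day": d, "host": "db-01", "failed_logins": n}
    for d, n in enumerate([1, 2, 1, 1, 2, 1, 2])
]

def archive(events, prev_hash="0" * 64):
    """Append each event to a SHA-256 hash chain so later edits or deletions are detectable."""
    records = []
    for ev in events:
        body = json.dumps(ev, sort_keys=True)
        digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        records.append({"prev": prev_hash, "body": body, "hash": digest})
        prev_hash = digest
    return records

def verify_chain(records):
    """Recompute every link; an altered, inserted or removed record breaks the chain."""
    prev = "0" * 64
    for rec in records:
        expected = hashlib.sha256((prev + rec["body"]).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True

def trend_anomalies(records, min_history=5, sigmas=3.0):
    """Per host, compare the latest day against a baseline built from the earlier days."""
    series = defaultdict(dict)
    for rec in records:
        ev = json.loads(rec["body"])
        series[ev["host"]][ev["day"]] = ev["failed_logins"]
    flagged = {}
    for host, by_day in series.items():
        days = sorted(by_day)
        history = [by_day[d] for d in days[:-1]]
        if len(history) < min_history:
            continue  # too little history: no trustworthy baseline yet, so stay quiet
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        latest = by_day[days[-1]]
        if latest > mean + sigmas * max(sd, 1.0):  # floor keeps flat histories from over-alerting
            flagged[host] = latest
    return flagged
```

Run on the sample, web-01's jump to 48 failed logins is flagged while db-01's 2 is not; re-running `verify_chain` after any record is edited or dropped returns False.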

Finally, consider taking advantage of third-party security data. Whether it’s known malicious IPs, APT indicators or similar threat data, your organization can use it as building blocks and additional tools in bolstering your security posture.

We know it can be tempting to just assume you’re not an appealing target to hackers. But any organization can be at risk, a fact that is doubly alarming when you realize that many breaches are engineered to work in stealth mode, without alerting the system administrators. As always, the smart path is to err on the side of caution and install a detection plan that protects your organization.
