Cybersecurity has always been a cat and mouse game. As cybercriminals diversified their range of attacks, adding more sophisticated tactics and software, cybersecurity professionals retaliated, writes Ross Brewer, VP and MD EMEA at Security Information and Event Management (SIEM) product company LogRhythm.
They created new blockades that blunted these threats, forcing an evolution in criminal methods. And so the cycle repeated over and over for the last three decades.
It’s not surprising, then, that today’s threat landscape is more sophisticated and diverse than ever and, as the cycle continues, will only become more so. At the same time, organisations worldwide are being compromised by sophisticated cyberattacks more frequently than ever. A 2018 CyberEdge survey of 1,200 IT security professionals worldwide found that 77 per cent of respondent organisations were compromised during the 12 months leading up to the study.
A greater success rate for attacks is not solely down to increasingly complex techniques and methods. The barrier to entry for the budding cybercriminal has dramatically lowered over the past several years. Indeed, the likes of malware-as-a-service enables those with barely a hint of programming knowledge to try their hand at cybercrime. Finding and purchasing tailored malware to suit your needs is about as difficult as buying a personalised greeting card. Sophisticated attacks can now be coordinated by unsophisticated assailants. This new environment of volume and variety in cyberthreats is forcing enterprises to face up to a difficult new reality – a breach or compromise is inevitable.
Tackling this issue requires a new approach to cybersecurity. Traditionally, addressing the cybersecurity challenge has been prevention-centric, focused on access control and blocking known threats. This approach, whilst still important, is unsuited to stopping advanced and persistent threats, socially engineered attacks, and insider threats. More advanced threats can go undetected for years, as we saw with Marriott’s breach in late 2018, when a backdoor into their systems went unnoticed for four years.
The battleground has changed, and rather than focusing on trying to create impenetrable armour for their networks, forward-thinking organisations are focusing on two key metrics – mean time to detect (MTTD) and mean time to respond (MTTR). As prevention is nigh on impossible, detecting a threat, and subsequently shutting it down earlier in the Cyberattack Lifecycle, is a more realistic goal for future security.
Organisations that have come to this realisation are increasingly shifting their resources and focus to strategies centred on rapid threat detection and response. Security information and event management (SIEM) technologies, alongside User and Entity Behaviour Analytics (UEBA) are two key technologies that automate the detection of anomalous network activity, flagging them to human operators for analysis.
According to International Data Corporation (IDC), spending on security-related hardware, software, and services in 2022 will be 45 per cent higher than it was in 2018 ($133.7bn versus $92.1bn), and much of this investment will funnel into significant changes to security operations centres (SOC), with SIEM and UEBA likely on corporate shopping lists.
However, cutting down the time from detection to remediation is not solely a matter of investing in and deploying new technologies. Organisations must realise an enterprise capability for detecting and responding to threats across the holistic physical, virtual, and cloud-based IT environment. This is even more complex for industries such as critical infrastructure and manufacturing, which have to extend this further to encompass the operational technology (OT) environment.
Of course, this is all easier said than done, and organisations looking to make significant reductions in MTTD and MTTR need to develop a Threat Lifecycle Management (TLM) framework. Collaboration across security, IT and OT teams is essential if an organisation hopes to achieve rapid and effective results. TLM follows a sequence of distinct steps: collection, discovery, qualification, investigation, neutralisation and recovery. The stages of an effective TLM framework are highly interrelated: each is enabled by the intelligence gathered and the work performed in the preceding stage.
What’s important is to understand that TLM is not solely a software-driven framework. An optimal TLM aligns people, processes, and technology. Technology in and of itself is not a silver bullet, and to realise an improved security posture and reduce cyber risk, organisations must assess and improve the maturity of their security operations with a framework like Threat Lifecycle Management.
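As an added illustration of the two metrics and the TLM stages described above (example code, not LogRhythm's or the author's), the following tracker timestamps each stage of an incident, derives MTTD (first collected evidence to discovery) and MTTR (discovery to neutralisation), and reports which stage transition is the slowest on average. The incident records are constructed sample data, and the stage names and the definition of the MTTD/MTTR boundaries are assumptions chosen for the example.

```python
from datetime import datetime
from statistics import mean

# TLM stages in the order the article lists them. "collected" is taken as the
# time of the first collected evidence, "discovered" as the detection point
# and "neutralised" as containment (assumptions for this example).
STAGES = ["collected", "discovered", "qualified", "investigated",
          "neutralised", "recovered"]

# Constructed sample incidents (not real data): stage name -> ISO-8601 time
# at which that stage completed.
SAMPLE_INCIDENTS = {
    "inc-001": {"collected": "2019-03-01T08:00", "discovered": "2019-03-01T10:00",
                "qualified": "2019-03-01T10:30", "investigated": "2019-03-01T12:00",
                "neutralised": "2019-03-01T13:00", "recovered": "2019-03-02T09:00"},
    "inc-002": {"collected": "2019-03-05T22:00", "discovered": "2019-03-07T00:00",
                "qualified": "2019-03-07T02:00", "investigated": "2019-03-07T06:00",
                "neutralised": "2019-03-07T07:00", "recovered": "2019-03-08T07:00"},
}


def hours(incident, start, end):
    """Elapsed hours between two completed stages of one incident."""
    delta = datetime.fromisoformat(incident[end]) - datetime.fromisoformat(incident[start])
    return delta.total_seconds() / 3600


def mttd(incidents):
    """Mean time to detect: first collected evidence -> discovery."""
    return mean(hours(i, "collected", "discovered") for i in incidents.values())


def mttr(incidents):
    """Mean time to respond: discovery -> neutralisation."""
    return mean(hours(i, "discovered", "neutralised") for i in incidents.values())


def stage_durations(incidents):
    """Mean hours spent in each stage transition across all incidents."""
    return {f"{a}->{b}": mean(hours(i, a, b) for i in incidents.values())
            for a, b in zip(STAGES, STAGES[1:])}


def bottleneck(incidents):
    """The stage transition with the largest mean duration: where to invest first."""
    durations = stage_durations(incidents)
    return max(durations, key=durations.get)


if __name__ == "__main__":
    print(f"MTTD {mttd(SAMPLE_INCIDENTS):.1f}h, MTTR {mttr(SAMPLE_INCIDENTS):.1f}h")
    print("slowest transition:", bottleneck(SAMPLE_INCIDENTS))
```

With the sample data the slowest transition is recovery rather than detection, which is the kind of finding that directs people and process improvements rather than another tool purchase.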