Why speed is of the essence with cybersecurity

Stopping threats sooner rather than later minimises the damage caused by a compromise, but many organisations lack the tools and staff to do this effectively.

By Tim Ferguson

Fri 8 Mar 2019 @ 16:18

When it comes to cyberattacks, the need to act quickly is paramount. If suspicious activity is not picked up quickly it’s highly likely that a compromise will travel through a corporate network that could result in a breach. Such a breach could disrupt operations or see customer data or IP fall into the wrong hands.

Such is the sophistication of modern cyberattacks, and the determination and persistence of cybercriminals, that it’s highly likely that corporate networks will be compromised in some way. Stopping these compromises in their tracks is therefore crucial.

There are six key stages in the Cyberattack Lifecycle: Reconnaissance, initial compromise, command and control, lateral movement, target attainment and, finally, exfiltration, corruption and disruption. As each stage is achieved, an attack will gain a stronger foothold, improving the chances of it achieving its aims.

Once the third stage of command and control has been achieved, the attacker can plan their next move with lateral movement possible once a persistent connection to the network has been established. Lateral movement will see more systems affected, allowing the attacker to identify the systems of value (target attainment), before exfiltrating or corrupting data, or disrupting operations.

Being able to detect and neutralise network threats quickly will help minimise the damage. If, for example, an attacker dwells within the network for weeks or months, the attacker will have had more time to compromise more systems, leading to a larger breach.

Research by Aberdeen Group found that limiting dwell time of a threat to 30 days led to the impact on business being reduced by 23 per cent. When dwell time is just seven days, the impact is reduced by 77 per cent, while a dwell time of a single day sees business impact reduced by as much as 96 per cent.

For organisations that want to proactively protect themselves, the objective should be to reduce the mean time to detect and to respond to threats. Unfortunately, there are challenges when it comes to detecting and responding to network-borne threats.

Traditional signature-based tools like intrusion prevention systems and next-generation firewalls are limited to detecting threats with only a single data point at a single point in time. This leads to a reliance on an approach than can be evaded, as well as a high number of false positive alarms – not ideal for security teams struggling with limited resources.

The volume of threats, meanwhile, leads to security analysts working across a range of systems (swivel chair analysis) and alarm fatigue, both of which reduce the chances of spotting every compromise or threat.

This is exacerbated by the fact that many organisations also have security teams that are short staffed or lacking in expertise. According to the (ISC)2 association of cybersecurity professionals, there is a deficit of nearly three million cybersecurity jobs globally.

Network detection and response (NDR) technology is able to address these challenges by boosting the efforts of security teams to detect, qualify, investigate and respond to advanced threats in corporate networks.

NDR technology analyses multiple data points to recognise threat indicators in real time before orchestrating a response with the help of automation. This latter capability means less time needs to be spent on manual tasks, allowing security analysts to focus on the higher-value activities.

The detailed network information and key forensics to investigate incidents provided by NDR also help teams lacking network forensics experts or the time to conduct detailed forensic investigation.

In addition, the group of technologies that make up NDR provides comprehensive network visibility, relevant insights and rapid response options, helping analysts discover, investigate and mitigate advanced threats across networks.

As well as being a valuable set of capabilities for organisations with overstretched security teams, NDR is particularly well suited to industrial organisations with operational technology (OT) security requirements, such as supervisory control and data acquisition (SCADA) systems.

NDR provides the real-time data and the automation that security teams need to detect and respond to threats earlier in their lifecycle. By restricting threats to the earliest stages of the Cyberattack Lifecycle, organisations will be taking a proactive approach to keeping their operations and data secure.

Learn more

Discover how LogRhythm network detection and response (NDR) can help your organisation rapidly detect, analyse and respond to threats.