Posted October 10, 2019
So many alerts, so little time: It’s a common refrain among security analysts, who might see up to 10,000 security alerts generated by cybersecurity point solutions in one day.
Each of these alerts could be an indicator of something catastrophic – like a potential ransomware attack that might lock down mission-critical data and disrupt operations. The fallout can be devastating and expensive.
In Atlanta, one city-wide ransomware attack ended up costing the city $17 million in remediation efforts. Cognizant, the IT services provider, stated officially that its Q2 2020 revenue was impacted in the range of $50 to $75 million due to a ransomware attack.
Frustratingly, many alerts are false positives. But when all it takes is one uninvestigated event to turn operations upside down, you have to chase every lead – all 10,000, in some cases.
Adding fuel to the fire, cyber attacks are taking place as frequently as ever. At least 8 billion records were compromised through data breaches between January 2019 and April 2020, well ahead of the pace of previous years. Meanwhile, there’s a severe shortage of security expertise to stave off these threats. It all adds up to a cyber threat landscape with many threats and few defenders, and the defenders we do have are swamped by torrents of daily alerts.
Something has to give. That’s why, as we progress through 2020, many CISOs have their sights set on improving threat detection technology and response capabilities.
1. Threat Modeling and Intelligence
Perimeter security as we know it was designed for networks with clearly defined perimeters. Cloud computing and mobility have changed the concept of a network. Perimeters are far more distributed, and almost abstract. You can’t build a fortress around what you don’t entirely understand. Case in point: Most enterprise security leaders couldn’t tell you if their security tools are actually working.
Consequently, some CISOs are shifting the focus from “detect and block” to “understand and mitigate.” This entails simplifying the security stack, as well as obtaining the right cyber threat intelligence and using that intel to perform holistic threat modeling. The goal here is to anticipate adversarial actions on your network rather than react to them.
When you can do that, security teams will have a much easier time contextualizing the potential impact of network events.
2. Cyber Deception Technologies Are Maturing
Honeypots have been used to bait threat actors for years, and they can provide valuable threat intelligence.
Modern threat deception technologies take this concept to the next level. Like honeypots, deception involves creating decoy assets on a network. For instance, you might create false network entry points or file stores that an intruder attempting to access the network (or who is already on it) would be lured into. This would clue security teams in to the presence of a threat actor while providing invaluable information about what that hacker is after.
Since legitimate users have zero reason to interact with a decoy, there are virtually no false positives with deception technology. In this sense, deception speeds up threat detection, which expedites response times.
While the technology is still maturing, early research has documented a 91% decrease in dwell time for users of threat deception technology. Promising, to say the least.
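The detection logic the previous paragraphs describe, as an added example that is not part of the original post: any touch of a decoy host or decoy file share is an alert, the only sanctioned exception being a maintenance account that deploys or health-checks the decoys. The decoy names, the maintenance account and the log lines are constructed for this example.

```python
import re
from datetime import datetime

# Constructed decoy inventory (hypothetical names): one decoy host and two decoy file shares.
# No legitimate workflow references any of these, so every touch is worth an alert.
DECOYS = {"10.0.9.40", "\\\\fs01\\finance_backup", "\\\\fs01\\hr_archive"}
# The one exception: accounts that deploy or health-check the decoys themselves.
MAINTENANCE_ACCOUNTS = {"svc-decoy-health"}

# Simplified key=value access-log format used by the constructed sample below.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"action=(?P<action>\S+) target=(?P<target>.+)$")

# Constructed sample log lines: normal activity, a sanctioned health check, and an intruder.
SAMPLE_LOGS = [
    "2019-10-10 08:02:11 user=alice src=10.0.1.15 action=read target=\\\\fs01\\finance",
    "2019-10-10 08:05:40 user=svc-decoy-health src=10.0.1.2 action=read target=\\\\fs01\\finance_backup",
    "2019-10-10 13:17:03 user=bob src=10.0.1.77 action=read target=\\\\fs01\\finance_backup",
    "2019-10-10 13:17:09 user=bob src=10.0.1.77 action=connect target=10.0.9.40",
    "2019-10-10 13:20:00 user=carol src=10.0.1.80 action=read target=\\\\fs01\\hr",
]

def parse_line(line):
    # Return a dict for a well-formed line, None for anything we cannot parse.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def detect(lines):
    """One alert per decoy touch by a non-maintenance account; everything else is ignored."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target"] not in DECOYS:
            continue
        if rec["user"] in MAINTENANCE_ACCOUNTS:
            continue  # sanctioned decoy maintenance, the only expected benign touch
        alerts.append(rec)
    return alerts

def first_touch(alerts):
    """Earliest decoy touch per source address: a lower bound on how long the actor has been present."""
    first = {}
    for a in alerts:
        if a["src"] not in first or a["ts"] < first[a["src"]]:
            first[a["src"]] = a["ts"]
    return first
```

Run `detect(SAMPLE_LOGS)` to see the two alerts raised for `bob`; the health-check line is ignored because its account is on the maintenance list, not because the share is somehow less suspicious.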
3. Zero-Trust Security Is Trending
Zero-trust security is more or less exactly what it sounds like. Users, devices, systems, etc., both inside and outside the network, are never presumed “trustworthy.” Instead, every request for access is contextualized based on factors such as location, time of day, what other processes are running, type of device, etc.
This is in stark contrast to the idea that some things on the network can be trusted and others cannot. For today’s networks, zero-trust is a bit of a no-brainer. Bring-your-own-device policies, remote access, mobile devices and cloud apps – all of which exist under the specter of credential theft and account hijacking – have made it harder to tell an internal user from an external bad actor. With a zero-trust framework, every user and asset on a network is more closely scrutinized.
A variety of technologies are used in zero-trust security, from advanced analytics and artificial intelligence that can better contextualize network activity to multi-factor authentication, enhanced identity and access management, and better cyber threat intelligence, just to name a few.
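A minimal contextual access policy of the kind this section describes, as an added example that is not part of the original post: each request is scored on location, time of day, device type and the sensitivity of the resource, and a second factor is demanded whenever context raises risk. Being on the corporate network contributes nothing to the decision. The factor weights, thresholds and resource names are constructed assumptions, not any product's policy.

```python
from dataclasses import dataclass

# Constructed policy inputs (assumed values for this example).
KNOWN_OFFICE_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 local time
SENSITIVE_RESOURCES = {"payroll-db", "customer-vault"}

@dataclass
class Request:
    user: str
    resource: str
    country: str           # where the request originates
    hour: int              # local hour of day, 0-23
    device_managed: bool   # enrolled in device management with a posture check
    mfa: bool              # request carried a fresh second factor
    on_corp_network: bool  # office or VPN address; deliberately earns no trust

def evaluate(req):
    """Return (decision, reasons) where decision is 'allow', 'step-up' or 'deny'."""
    risk, reasons = 0, []
    if req.country not in KNOWN_OFFICE_COUNTRIES:
        risk += 2
        reasons.append("unusual location")
    if req.hour not in BUSINESS_HOURS:
        risk += 1
        reasons.append("outside business hours")
    if not req.device_managed:
        risk += 2
        reasons.append("unmanaged device")
    if req.resource in SENSITIVE_RESOURCES:
        risk += 1
        reasons.append("sensitive resource")
    # req.on_corp_network is never consulted: inside the perimeter is not a trust signal.
    if risk >= 4 or (req.resource in SENSITIVE_RESOURCES and not req.device_managed):
        return "deny", reasons
    if risk >= 1 and not req.mfa:
        return "step-up", reasons + ["second factor required"]
    return "allow", reasons

if __name__ == "__main__":
    # Stolen credentials used over the VPN at 03:00 from an unmanaged device: denied despite being "inside".
    print(evaluate(Request("bob", "payroll-db", "RU", 3, False, False, True)))
```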
Simplification, Intelligence, and Advanced Analytics Rule the Day
The preventative cybersecurity paradigm has outlived its worth. The new priorities in cybersecurity include:
- Simplifying the security stack for greater network visibility.
- Enhancing the quality of cyber threat intelligence to deepen insight into risks and threats.
- Using advanced analytics and deception for cyber threat mitigation and expedited detection and response.
To learn how LookingGlass can enable your deception technologies, see our webinar on improving security operations with deception technology or contact us directly.