Cyber breaches are repeatedly making headlines and affecting organizations regardless of the preventive measures deployed to counter cyber threats. This is largely due to ever-diminishing perimeter boundaries, with data becoming the new perimeter for organizations; increasing reliance on business partners for delivering services; and the adoption of commoditized IT services to accelerate the business's go-to-market efforts. Cyber perpetrators are taking advantage of these extended ecosystems and launching attacks by exploiting weaknesses present in systems across the organization's overall supply chain. As these breaches are proving inevitable, it is becoming critical for an organization to improve its incident detection and response capabilities and to accelerate its efforts towards becoming resilient to cyber-attacks.
Analysis of earlier attacks shows that attacks go unnoticed for a long time, resulting in deeper penetration and proportionally greater impact on the organization. The faster you detect an attack, the less it penetrates and propagates, and the smaller its impact. Hence, it is key for organizations to improve their detection and response capabilities.
In our view, the organization should also evaluate its operational resilience and its ability to manage cyber risks during normal operations as well as in times of operational stress and crisis. The results of this evaluation should be used to prioritize the areas where the capability to withstand cyber-attacks and the ability to detect and respond need improvement.
The following suggested practices may come in handy for an organization seeking to improve its detection and response capabilities.
Improving the detection capability
- The organization should consider augmenting existing preventive measures with advanced network- and host-level detection/response tools and behavior analytics tools to detect targeted attacks.
- Ensure you have a good security monitoring platform in place, with advanced detection, correlation and contextualization capabilities and the ability to monitor cloud instances.
- The organization should consider establishing tiered security monitoring, with separation of responsibilities for monitoring/triage, analysis and investigation, and incident response, plus need-based skill augmentation for malware analysis, advanced response and forensic investigations.
- Dedicated and regular effort should be spent on collecting and analyzing threat intelligence from external and internal sources, with a focus on identifying specific precursors of attack and indicators of compromise.
- Security analysts should leverage this intelligence and perform regular proactive threat hunting within the environment to detect existing compromises and lateral movement by attackers.
- The Security Operations team should be equipped with improved visibility of security-related activity by integrating network telemetry, logs and events from the underlying infrastructure, logs and events from cloud infrastructure, and contextual environmental information into the organization's Security Information and Event Management (SIEM) platform.
- Establish contacts with your respective information sharing groups (ISACs) and country CERTs to gather proactive intelligence and to gain support during incident resolution.
- Passively listen to hacker forums and related dark-web readings to learn attack trends, techniques and processes.
- Regularly monitor the risks of digital platforms to know the external threats to your external digital channels.
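As an added illustration of the SIEM-integration and threat-hunting points above (example code written for this article, not a TCS tool or product), the following Python correlates constructed events from network, host and cloud sources against a constructed indicator-of-compromise feed, flags a possible lateral-movement pattern enriched with asset context, and computes the dwell time between the first indicator sighting and detection. Every feed entry, hostname and event below is constructed; the IP uses a documentation address range.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed (indicator -> source). 203.0.113.0/24 is a documentation range.
IOC_FEED = {"203.0.113.45": "ISAC feed: known C2 address",
            "updater-cdn.invalid": "internal hunt: malicious download domain"}

# Constructed asset context, the "contextual environmental information" the text refers to.
ASSET_CONTEXT = {"fin-db-01": "crown jewel", "ws-17": "user workstation"}

# Constructed events normalised from the three sources the text names: network, host, cloud.
EVENTS = [
    {"ts": "2024-03-01T08:00:05", "source": "network", "host": "ws-17", "indicator": "updater-cdn.invalid", "action": "dns"},
    {"ts": "2024-03-01T08:02:10", "source": "host", "host": "ws-17", "indicator": "203.0.113.45", "action": "outbound_tcp"},
    {"ts": "2024-03-01T09:15:00", "source": "host", "host": "ws-17", "target": "ws-22", "action": "logon"},
    {"ts": "2024-03-01T09:16:30", "source": "host", "host": "ws-17", "target": "fs-03", "action": "logon"},
    {"ts": "2024-03-01T09:18:45", "source": "cloud", "host": "ws-17", "target": "fin-db-01", "action": "logon"},
    {"ts": "2024-03-01T11:00:00", "source": "host", "host": "admin-01", "target": "fs-03", "action": "logon"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def ioc_hits(events, feed=IOC_FEED):
    """Events whose indicator appears in the threat-intel feed, regardless of which source produced them."""
    return [dict(e, intel=feed[e["indicator"]]) for e in events if e.get("indicator") in feed]

def lateral_movement(events, window=timedelta(minutes=10), threshold=3, context=ASSET_CONTEXT):
    """Hosts that log on to >= threshold distinct targets within the window: a lateral-movement hunt rule."""
    logons = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "logon":
            logons[e["host"]].append((parse_ts(e["ts"]), e["target"]))
    findings = {}
    for host, seq in logons.items():
        for i, (start, _) in enumerate(seq):
            targets = {t for ts, t in seq[i:] if ts - start <= window}
            if len(targets) >= threshold:
                # Enrich with asset context so the analyst sees which targets matter most.
                findings[host] = {"targets": sorted(targets),
                                  "critical": sorted(t for t in targets if context.get(t) == "crown jewel")}
                break
    return findings

def dwell_time(events, detected_at, feed=IOC_FEED):
    """Time from the earliest IoC sighting to when the incident was detected (None if no IoC was seen)."""
    hits = ioc_hits(events, feed)
    return parse_ts(detected_at) - min(parse_ts(h["ts"]) for h in hits) if hits else None
```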
Approach for improving response capabilities
- The organization should consider creating a Cyber Fusion Team (a virtual team with cross-functional representation from various business and support functions) to react to cyber incidents.
- The organization should have playbooks ready for responding to various security breaches, with clear guidelines on containing, eradicating and remediating incidents along with the necessary communication to various stakeholders.
- Include wargaming-like exercises to check preparedness for responding to cyber-attacks, and bring in an external evaluator to benchmark and evaluate breach readiness.
- Conduct regular cyber drills to check service continuity plans.
- Train stakeholders, according to their roles, on handling cyber-attack scenarios and the response thereto.
In an environment of inevitable cyber-attacks, organizations should aim to become cyber-resilient by improving their detection and response capabilities, with the objective of reducing the dwell time (the time between a breach occurring and its being cleared) and the lateral movement of attacks. There is an urgent need to rebalance defenses to cope with emerging cyber threats. The traditional focus of spending most of the security budget on prevention technologies should change, balanced by an equal focus on investing in better monitoring and response technologies and the skills and processes that support them.
Authored By - Prashant Deo
TCS Enterprise Security and Risk Management