Next-gen intrusion detection: supporting CSOs/CISOs’ breach response by shining a light on malicious activity!
By Michael Rezek, VP BD and Cybersecurity Strategy, Accedian
The Chief Security Officer (CSO) increasingly sits at the heart of the modern organization. In fact, two-thirds of them now report directly to the CEO or board. But among an ever-expanding set of responsibilities, few come with as much pressure as those related to breach response and investigation. The bad news for CSOs is that security and data breaches are almost inevitable given the size of the corporate attack surface and the cybercrime economy today. Yet with the right strategy, backed up by next-generation intrusion detection (IDS) tools, CSOs have a great opportunity to tackle threats early on before they’ve had a chance to impact the organization. In so doing, we can fulfil our mission to mitigate cyber-risk and support long-term business growth.
It’s a “when” not “if” situation for cyber breaches CSOs have an increasingly wide remit in the modern organization.
Their roles could include:
Physical and digital security
Development and management of global security policy
Employee education and awareness programs
Adherence to industry standards
Collaboration with other execs to prioritize security in new projects
Coordination with law enforcement, outside consultants and other third parties
However, among the biggest responsibilities for the CSO is coordinating incident response and investigation. Let’s be clear, today it’s a case of “when” not “if” an attack comes your way, so the key is to plan, plan and plan some more. The fallout from a serious breach of corporate or customer data, or major service outage, may not only be financial and reputational damage for your employer, it may even cost you your job.
From planning to learning – and shutting down breaches The underground cybercrime economy is estimated to be worth as much as $1.5 trillion annually — it provides a readymade market for stolen data and a handy source of malware and hacking tools, advice and how-to guides, and even “as-a-service” offerings which allow non-tech experts to launch effective cyber-attacks. The result? Over 8.4 billion records were exposed worldwide in Q1 2020, a 273% increase from the previous year. Meanwhile, ransomware attacks soared 20% year-on-year in the first half of 2020.
It is the CSO’s job to make sure the organization is as resilient as possible to such attacks, and if attackers do manage to breach corporate defenses, that they are discovered and kicked out before they have a chance to do any damage.
Typical incident response steps may include: Planning: development of an incident response plan with appropriate stakeholders from around the business, and regular testing. Detection: with the right tools like next-gen IDS, spotting unusual behavior such as lateral movement inside the network as early on as possible. Containment: working with other parts of the business to minimize the impact of an attack and prevent any further damage. Recovery and remediation: cleaning-up systems, restoring data from back-up if necessary, resetting passwords, patching vulnerable endpoints etc. Then bringing business-critical systems back online. Learning: enhancing incident response plans and building resilience into the IT architecture based on the experience of dealing with a new attack.
Shining a light on the network with next-gen intrusion detection Crucially, the extent to which your organization is exposed to cyber-risk during an incident will be heavily dependent on the kind of visibility and control your cybersecurity controls provide. Unfortunately, many CSOs don’t find out until it is too late that their patchwork of point solutions (firewalls, endpoint AV, gateways, etc.) don’t provide the kind of holistic insight they need. Legacy IDS in particular is no longer fit-for-purpose: it can’t spot unknown threats or suspicious behavior inside the network and is afflicted by excessive logging costs and clunky manual processes. The result is that if threat actors breached the network but failed to set off perimeter and endpoint alarms — i.e. by logging in with stolen/phished/cracked employee credentials — they could remain undetected for days or weeks. The longer the dwell time, the more expensive the breach clean-up and related costs. Just consider an attacker capable of stealing key customer and business data before deploying ransomware to encrypt critical IT systems. You would have no idea how to answer the questions demanded of you by regulators and board members. Next-gen IDS enabled by pervasive network traffic analysis is different. It’s designed from the ground-up to provide insight into advanced threats and suspicious behavior across cloud, on-premises and network edge environments. Powered by machine learning, it’s crucially able to spot malicious activity early on to shine a light on the bad guys and ensure you can remediate with confidence. Our new white paper tells this story in more detail, describing a ransomware attack at a fictional bank via scenarios with and without next-gen IDS.
To find out more, download the whitepaper here.
Author - Michael Rezek - In his role as VP Business Development and Cybersecurity Strategy at Accedian, Michael leverages sales, strategy, and engineering experience to direct business case development involving multidisciplinary teams to translate technology and innovation into commercial enterprise value including M&A. His areas of expertise include Layer 2-7 network technologies; cybersecurity; and performance management. Michael holds a Bachelor’s degree in electrical engineering from Youngstown State University, and a Master’s degree in electrical engineering from the Georgia Institute of Technology. He is a former professionally-licensed engineer in multiple states, and is a published author of the Cisco Press book, "Building Multiservice Transport Networks."