A recent set of surveys of over 1500 security practitioners in North America and Europe, Middle East and Africa (EMEA) by the Ponemon Institute confirmed that the attackers are still winning the race, despite organizations spending and staffing more to beat the attacker’s clock. The insight from these surveys found that 20% of financial services respondents rely on “gut feel” to identify an advanced attack. This ‘gut feel’ response increased to 48% of retail industry respondents. This is a telling indictment of the effectiveness of current security measures to prevent, detect and respond to advanced threats.
This is because the attacker toolkit and approach have fundamentally changed: well-researched, targeted campaigns are now the norm, not the exception, and existing organizational focus, processes and tools are not set up to beat them.
The majority of security spend (both in terms of tools and resources) is currently focused on either the early stages of an advanced attack, or the very last stages of an attack:
- The early stage: This is where organizations are investing the most in staff and technology. The goal is to prevent the attackers from getting into the network in the first place, and it is where 90% of security spend has been focused. However, an advanced attack built around a carefully crafted email to an employee, for example, can easily bypass these prevention controls. That has become the new “normal.”
- The “forensic” stage: (Or the “too late” stage.) In this stage, organizations use tools and expertise to try to find out what exactly took place and how to react next once it’s been established that an attacker has gotten in. This stage is about piecing together how the attacker got in, what they did inside, and identifying the information they left with. This typically requires specialist expertise and tools that are very expensive and time-consuming to deploy and use. It is unsustainable as the targeted attack that gets through is the rule, not the exception.
What’s missing is a more developed picture of what is happening after a threat gets in but before the attack has been carried out. This is where the current blind spot is for the vast majority of organizations, and why “dwell times” are getting worse, not better.
Advanced threat campaigns may exfiltrate data in minutes, but it can take days or weeks for an intrusion to reach that stage. What about putting more focus on finding the middle stages of an attack as it is being carried out in your network? For those old enough to remember the Wendy’s ads that took off in the 80’s: “Where’s the beef” in a more effective security strategy against advanced threats?
Organizations need to shift focus to the “middle stage” of the attack cycle in order to identify and contain advanced threats faster and more accurately. This requires a wholesale shift in approach at all levels:
- Organize to understand which attackers are coming and where they may target, so you can watch there first.
- Require SOC teams or an IR function to look for what is coming, not only to respond to critical events or alerts.
- Build organizational competency to map indicators of attack to core assets and locations.
- Prepare to proactively hunt down attacks that might be lurking within the network, and/or look for the unknowns.
This shift in approach requires SHIFTING investment away from the prevention layer, which is increasingly ineffective at blocking an advanced threat attack, and BUILDING a stronger detection and response layer rather than relying solely on outside specialists to come in when an incident does arise. In this new “normal” of advanced threat attacks, more ‘beef’ in the day-to-day security response program is needed.
Do you have enough ‘beef’ in your security program to find the middle of the attack cycle?
The post “Where’s the beef” in your security strategy? appeared first on Arbor Insights - Our People, Products and Perspective.