The rules of engagement for automating cyber-security

Kane Hardy explores how the rise of automated attacks dictates the need for automated defence.

Kane Hardy, VP – EMEA, Hexis Cyber Solutions

One quick glance at the headlines shows that organisations are struggling to mitigate the risk of security breaches. Among others, Carphone Warehouse and Royal Bank of Scotland have been publicly named as casualties of sophisticated cyber intrusions.

Typically it takes 197 days for a retailer to detect an intrusion on its networks, so Carphone Warehouse was ahead of the curve in identifying the attack within a two-week window. However, hackers had already stolen the personal details of up to 2.4 million people, demonstrating the damage that can be done in a short space of time.

It's a sad fact that cyber-security stories usually only come to light once things have taken a turn for the worse: personal information has been stolen, private emails intercepted or systems seriously disrupted.

In part, this is because enterprises are spending valuable man-hours chasing down false-positive and ghost alerts. The volume of information generated by network devices is overwhelming security experts, who need to confirm that endpoints have been infected, and how, but lack the skilled resources to respond fast enough.

Prevention is not enough!

Given that the cost of a cyber-security compromise has risen by 30 per cent to approximately £7 million ($11.6m) per year, it's imperative that organisations minimise the time between detection and removal to limit the damage a breach can do. Prevention can no longer be relied upon to be 100 per cent effective, and traditional signature-based defences, such as anti-virus or network perimeter solutions, do not block every threat.

Such detection mechanisms are very manual, requiring security professionals to spend hours going through log files and running reports. In contrast, attackers are moving much more quickly and increasingly using automated tools to attack fortress walls until they crumble. The constant stream of successful attacks highlights that existing security models are just not enough. It takes a long time to discover whether an endpoint is infected, and often an active threat is not found until the network has been compromised.

At the same time, it's rare that organisations take proper precautions by crafting a comprehensive cyber-security plan that effectively defends against, and deals with, a potential network breach in real time. A new security model is needed so that organisations can successfully mitigate incidents and deploy machine-speed responses to fast-moving cyber-criminals.

Assume the worst

In an evolving threat landscape the nature of attacks is continuous, which means that continuous response needs to be top of mind. Attacks are becoming more frequent and more complex, so organisations need response systems that scale.

Tools like network-based sandboxing are not going to cut it alone, as malware is increasingly sophisticated and able to evade them. Instead, such techniques need to become one component of a larger defence strategy that assumes adversaries will succeed in getting in.

At the heart of successful security strategies is gaining increased visibility into the threat activity operating within the IT environment. Security teams need defence from within, something we call the “defender's advantage”: understanding what is happening on the endpoint and correlating it with what is happening on the network to pinpoint where security needs to respond.

With real-time detection in place, organisations can start to introduce policy-based responses that react to potential threats at machine speed, preventing damage before systems are compromised.

Given the regularity with which hackers slip through perimeter defences and engage in advanced persistent attacks, continuous monitoring provides an extra layer of security that stays vigilant when preventive measures fail.

Fusing network and endpoint detection is the first step in enabling organisations to operate at the same speed as cyber-criminals and deploy defence mechanisms that limit the risk of exposure.
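To make the fused endpoint-and-network view and the policy-based response described above concrete, here is a small correlation engine added for this article. It is illustrative code written for this page, not Hexis software or any product's logic. Every event, hostname, process name, address and the indicator list are constructed (addresses come from the RFC 5737 documentation ranges); the 30-second correlation window, the "signed binary" attribute and the two-independent-signals threshold for automated containment are assumptions chosen for the illustration.

```python
"""Toy endpoint/network correlation with policy-based response (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EndpointEvent:
    host: str
    ts: datetime
    process: str
    signed: bool  # assumed attribute: binary carried a valid code signature


@dataclass(frozen=True)
class NetworkEvent:
    host: str
    ts: datetime
    dst_ip: str
    dst_port: int
    bytes_out: int


T0 = datetime(2015, 9, 1, 9, 0, 0)

# Constructed sample telemetry; hosts, processes and addresses are made up.
ENDPOINT_EVENTS = [
    EndpointEvent("ws-01", T0, "svchost.exe", signed=True),
    EndpointEvent("ws-02", T0, "update_helper.exe", signed=False),
    EndpointEvent("ws-03", T0, "chrome.exe", signed=True),
]
NETWORK_EVENTS = [
    NetworkEvent("ws-01", T0 + timedelta(seconds=5), "198.51.100.5", 443, 20_000),
    NetworkEvent("ws-02", T0 + timedelta(seconds=10), "203.0.113.7", 4444, 5_000_000),
    NetworkEvent("ws-03", T0 + timedelta(seconds=8), "203.0.113.7", 443, 10_000),
    # ws-04 has no endpoint event in the window: only network evidence is available.
    NetworkEvent("ws-04", T0 + timedelta(seconds=3), "203.0.113.7", 443, 2_000),
]

# Constructed indicator list standing in for a threat-intelligence feed.
KNOWN_BAD_IPS = {"203.0.113.7"}
WINDOW = timedelta(seconds=30)          # assumed correlation window
ACTION_RANK = {"none": 0, "alert": 1, "isolate_host": 2}


def correlate(endpoint_events, network_events, window=WINDOW):
    """Attach to each flow the endpoint process events seen on the same host
    within `window` before the flow started; None when there is no such context."""
    pairs = []
    for net in network_events:
        context = [ep for ep in endpoint_events
                   if ep.host == net.host and timedelta(0) <= net.ts - ep.ts <= window]
        if context:
            pairs.extend((ep, net) for ep in context)
        else:
            pairs.append((None, net))
    return pairs


def evidence(ep, net):
    """Collect independent signals from the fused view. Network signals apply
    even without endpoint context; process signals need an endpoint event."""
    reasons = []
    if net.dst_ip in KNOWN_BAD_IPS:
        reasons.append("destination matches threat indicator")
    if net.bytes_out > 1_000_000:
        reasons.append("large outbound transfer")
    if ep is not None and not ep.signed:
        reasons.append(f"unsigned process {ep.process}")
    return reasons


def decide(reasons):
    """Policy (assumed): two or more independent signals justify automated
    containment; a single signal goes to an analyst; none means no action."""
    if len(reasons) >= 2:
        return "isolate_host"
    if reasons:
        return "alert"
    return "none"


def run(endpoint_events=ENDPOINT_EVENTS, network_events=NETWORK_EVENTS):
    """Return the strongest action per host together with the reasons behind it."""
    decisions = {}
    for ep, net in correlate(endpoint_events, network_events):
        reasons = evidence(ep, net)
        action = decide(reasons)
        current = decisions.get(net.host)
        if current is None or ACTION_RANK[action] > ACTION_RANK[current[0]]:
            decisions[net.host] = (action, reasons)
    return decisions


if __name__ == "__main__":
    for host, (action, reasons) in sorted(run().items()):
        print(f"{host}: {action} {reasons}")
```

The point of the example is the difference correlation makes: ws-03 and ws-04 both talk to the same indicator address, but only the host whose endpoint telemetry adds an unsigned process and a large transfer (ws-02) crosses the containment threshold, while single-signal cases are routed to an analyst rather than acted on automatically. In a real deployment the window, the signals and the thresholds would be tuned against the organisation's own false-positive rate.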

Contributed by Kane Hardy, VP – EMEA, Hexis Cyber Solutions