Faced with a shortage of skilled IT security staff, prioritising alerts can be an important strategy. By creating a set of defined processes and routines, security teams can review sets of data regularly in order to spot anomalies.
As organisations face a growing number of cyber-threats, their ability to quickly detect and mitigate the effects of a security incident is becoming an important differentiator that can affect a company's reputation, brand and ultimately market success. For IT security teams, this means making sense of an ever-expanding volume of security alerts and identifying the serious threats among them before they cause lasting damage to the network. To do this effectively, companies need a holistic view of their entire security ecosystem, so that detection and response are not slowed down by gaps between tools and data sources.
Historically, it may have been possible to create some semblance of order by building a protective security perimeter around an organisation. But repeated breaches have challenged this thinking as emerging threats continue to grow. According to a recent AlienVault survey, security professionals are most worried about threats that are constantly evolving and can evade traditional security defences. As an example, polymorphic malware is now thought to account for 97 percent of successful malware infections. Polymorphic malware rewrites its own code with each new copy, so signature-based defences never see the same pattern twice. What this means is that, in most cases, new threats are difficult, if not near-impossible, to identify and stop with prevention alone.
Attackers continually find new exploits and techniques, so it is almost impossible to know what tomorrow's cyber-attacks will look like or where they will come from. However, embracing the chaotic nature of cyber-security can give us new insights, power and wisdom. Just as a hot air balloon pilot can 'steer' a balloon to a desired location by understanding the complex, chaotic dynamics of the atmosphere, a greater awareness of the unpredictable patterns of the cyber-landscape can offer security teams a new way to combat cyber-threats. For security teams on the ground, this means looking for patterns within the increasing noise of security alerts. What strategies can help them make sense of this data and identify potential problems as, or even before, they arise?
Faced with an avalanche of data and a shortage of skilled IT security staff, prioritising alerts can be an important strategy. By creating a set of defined processes and routines, security teams can review sets of data regularly in order to spot anomalies. For example, one set of tasks could be completed daily (such as alarm review, event review and tuning), and a different set of tasks could be completed on a monthly basis, such as vulnerability scanning, asset audits or reporting. The daily tuning step matters: alarms that turn out to be routine and benign should be suppressed or down-weighted, so that the same noise is not reviewed again tomorrow. By following such routines, teams build a baseline of what normal alert volume looks like for each source, and it is deviation from that baseline that makes genuine anomalies and incidents stand out when they occur.
To expand the reach of your resources, crowd-sourced threat intelligence should also be used to pull in additional knowledge and expertise from outside your organisation. With such open access to threat data, IT security teams can harness the power of the larger community, accelerating their ability to detect and respond to emerging threats and saving them both time and money. Shared indicators are only useful once they are matched against your own telemetry, and they go stale quickly, so a feed needs to be correlated with local alerts and aged out rather than simply collected.
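The two ideas above, a baseline built from routine review and enrichment with community threat intelligence, come together at triage time. The following is an added example, not code from the original article or from AlienVault: it builds a robust per-source baseline from a window of daily alert counts, flags sources whose latest day deviates sharply from it, and prioritises individual alerts by severity, asset criticality, baseline deviation and whether their indicator appears in a crowd-sourced feed. The alert history, the intelligence feed and the scoring weights are all constructed for illustration.

```python
"""Added example (not from the original article): a minimal triage routine that
(1) builds a per-source baseline from daily alert counts,
(2) flags sources whose latest day deviates sharply from that baseline, and
(3) prioritises alerts, boosting those whose indicator appears in a
crowd-sourced threat-intelligence feed. All data below is constructed."""
from statistics import median

# Constructed history: per source, alert counts for the last 14 days
# (the last entry is "today"). Would normally come from the daily alarm review.
DAILY_COUNTS = {
    "fw-edge": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42, 38, 41, 40, 180],
    "vpn-gw": [5, 6, 4, 5, 7, 5, 6, 5, 4, 6, 5, 5, 6, 7],
}

# Constructed "crowd-sourced" feed: indicator -> (type, reputation 0-100).
THREAT_INTEL = {
    "203.0.113.7": ("ipv4", 90),
    "bad.example": ("domain", 75),
}

# Constructed alerts from today's review. Asset criticality (1-3) is assumed
# to come from the asset inventory maintained in the monthly audit.
ALERTS = [
    {"id": 1, "source": "fw-edge", "severity": 2, "asset_criticality": 1, "indicator": "198.51.100.2"},
    {"id": 2, "source": "fw-edge", "severity": 3, "asset_criticality": 3, "indicator": "203.0.113.7"},
    {"id": 3, "source": "vpn-gw", "severity": 4, "asset_criticality": 2, "indicator": "bad.example"},
    {"id": 4, "source": "vpn-gw", "severity": 1, "asset_criticality": 1, "indicator": "10.0.0.5"},
]


def baseline(counts):
    """Median and median absolute deviation (MAD) of a history window.
    Robust statistics, so one earlier spike does not drag the baseline with it."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def deviation_score(today, history):
    """How many MADs today's count sits above the historical median.
    A MAD of 0 (perfectly flat history) is floored to 1 to avoid dividing by zero."""
    med, mad = baseline(history)
    return (today - med) / max(mad, 1)


def anomalous_sources(daily_counts, threshold=5.0):
    """Sources whose latest day deviates by more than `threshold` MADs (assumed cut-off)."""
    out = {}
    for source, counts in daily_counts.items():
        score = deviation_score(counts[-1], counts[:-1])
        if score > threshold:
            out[source] = round(score, 2)
    return out


def prioritise(alerts, daily_counts, intel):
    """Score = severity * asset criticality, plus a fixed bonus if the alert's
    source is anomalous today, plus a bonus scaled by feed reputation if the
    indicator is known to the community. Weights are assumptions."""
    anomalies = anomalous_sources(daily_counts)
    scored = []
    for alert in alerts:
        score = alert["severity"] * alert["asset_criticality"]
        reasons = []
        if alert["source"] in anomalies:
            score += 5
            reasons.append(f"source {alert['source']} is {anomalies[alert['source']]} MADs above baseline")
        hit = intel.get(alert["indicator"])
        if hit:
            kind, reputation = hit
            score += reputation // 10
            reasons.append(f"{kind} {alert['indicator']} in intel feed (reputation {reputation})")
        scored.append({**alert, "score": score, "reasons": reasons})
    # Highest score first; ties broken by alert id for a stable queue.
    scored.sort(key=lambda a: (-a["score"], a["id"]))
    return scored


if __name__ == "__main__":
    for item in prioritise(ALERTS, DAILY_COUNTS, THREAT_INTEL):
        print(item["id"], item["score"], "; ".join(item["reasons"]) or "no enrichment")
```

Run as-is, the firewall source is flagged (180 alerts against a median of 41 with a MAD of 1), so its alerts are boosted, and the two alerts carrying community-known indicators rise to the top of the queue. The median/MAD choice is deliberate: a mean and standard deviation would be pulled upwards by the very spike you are trying to detect.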
Choosing the right tools to defend your organisation against attack can also help security teams make sense of all the data available. For example, by choosing a single, unified security product that can detect various types of attacks, companies only need to train their staff on one product. Security Information and Event Management (SIEM) systems are a popular choice for threat detection because they collect and correlate data from many sources. However, traditional SIEMs generally don't include other critical capabilities such as incident response. When selecting a solution, organisations should look for a platform that has a range of essential security controls built in, and check that those controls deliver the outcomes that are relevant to the business rather than simply producing more alerts. For example, if your organisation uses multiple cloud applications and services, it's important to be able to monitor for potential threats across both your cloud and on-premises infrastructure from the same view.
The move from prevention towards detection and response offers great promise for security teams, providing them with the opportunity to respond more effectively to the cyber-threats of the future – whatever they may be. But trying to make sense of a seemingly chaotic security environment takes a combination of the right product, plus practice and discipline. Prioritising detection and then implementing regular routines and strategies to enhance security monitoring can improve your overall cyber-security posture in a complex and ever-changing threat environment.
Contributed by Javvad Malik, security advocate at AlienVault
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.