As the number of attack vectors grows, making it easier for cyber criminals to find ways around existing controls, a proactive and layered approach to cybersecurity is more important than ever. However, organizations of all sizes need to face an uncomfortable truth: some type of compromise is inevitable, whether caused by an outside hacker or by a mistake by your own staff.
What you may not realize is that not all compromises are “smash and grab” attacks. There is a difference between compromising a network and successfully accessing and exfiltrating data, and the latter often takes time. That gap leaves an opportunity to defend, and it highlights the importance of detection.
Aberdeen Group’s Quantifying the Value of Time in Cyber-Threat Detection and Response report quantifies how much faster remediation reduces business impact. Limiting an attacker’s dwell time to 30 days reduces the impact on a business by 23%. Shortening that to seven days results in a 77% reduction, and a single day reduces impact by as much as 96%.
Detection is best done by correlating log data to look for patterns that could indicate a threat, or for significant deviations from a baseline. SIEM tools or MSSPs that can ingest log feeds from multiple vendors’ technologies can do this with an internal security team, an outsourced Security Operations Center, or a combination of the two.
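The following is an added example, not code from the original article or from any SIEM vendor, of the two detection styles just described: correlating events across two log sources (a VPN appliance and a domain controller) to find a pattern, and comparing a user's activity to a per-user baseline to find a deviation. The log lines, their field formats, the user names, hosts and the baseline figures are all constructed for the illustration; the thresholds (three failures in five minutes, three standard deviations above the baseline mean) are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed sample logs (not from any real system); the line formats are assumptions.
VPN_LOG = """\
2024-03-01T08:00:05Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T08:00:09Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T08:00:14Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T08:00:20Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T08:00:31Z vpn auth-ok user=alice src=203.0.113.7
2024-03-01T09:15:00Z vpn auth-fail user=bob src=198.51.100.3
2024-03-01T09:15:20Z vpn auth-ok user=bob src=198.51.100.3
"""
DC_LOG = """\
2024-03-01T08:01:10Z dc01 EventID=4624 user=alice workstation=WS-FIN-01
2024-03-01T08:02:05Z dc01 EventID=4624 user=alice workstation=WS-FIN-02
2024-03-01T08:02:50Z dc01 EventID=4624 user=alice workstation=FS01
2024-03-01T08:03:30Z dc01 EventID=4624 user=alice workstation=SQL01
2024-03-01T08:04:12Z dc01 EventID=4624 user=alice workstation=BACKUP01
2024-03-01T09:16:00Z dc01 EventID=4624 user=bob workstation=WS-ENG-04
2024-03-01T09:40:00Z dc01 EventID=4624 user=bob workstation=WS-ENG-04
2024-03-01T10:05:00Z dc01 EventID=4624 user=bob workstation=BUILD01
"""
# Constructed baseline: distinct workstations each user logged onto per day over the prior week.
BASELINE = {"alice": [1, 1, 2, 1, 1, 2, 1], "bob": [3, 2, 3, 3, 2, 3, 3]}

KV = re.compile(r"(\w+)=(\S+)")

def parse(line, source):
    """Normalise one line from either source into a common event dict."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if source == "vpn":
        outcome = "success" if "auth-ok" in rest else "failure"
        return {"ts": ts, "user": fields["user"], "outcome": outcome, "src": fields["src"]}
    return {"ts": ts, "user": fields["user"], "host": fields["workstation"]}

def load(text, source):
    return [parse(l, source) for l in text.splitlines() if l.strip()]

def failed_then_success(vpn_events, min_failures=3, window=timedelta(minutes=5)):
    """Pattern rule: a VPN success preceded by >= min_failures failures (same user/src) within window."""
    recent = defaultdict(list)  # (user, src) -> timestamps of failures since the last success
    alerts = []
    for ev in sorted(vpn_events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            recent[key].append(ev["ts"])
            continue
        fails = [t for t in recent[key] if ev["ts"] - t <= window]
        if len(fails) >= min_failures:
            alerts.append({"rule": "vpn_failures_then_success", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"], "failures": len(fails)})
        recent[key].clear()
    return alerts

def baseline_deviation(dc_events, baseline, k=3.0):
    """Baseline rule: distinct internal hosts today exceeds mean + k*stdev of the user's history."""
    hosts = defaultdict(set)
    for ev in dc_events:
        hosts[ev["user"]].add(ev["host"])
    alerts = []
    for user, seen in hosts.items():
        history = baseline.get(user)
        if not history:
            continue  # no baseline yet; a production SIEM would queue these for review (assumption)
        threshold = mean(history) + k * pstdev(history)
        if len(seen) > threshold:
            alerts.append({"rule": "distinct_hosts_above_baseline", "user": user,
                           "hosts": len(seen), "threshold": round(threshold, 2)})
    return alerts

def correlate(vpn_alerts, dc_events, window=timedelta(minutes=10)):
    """Cross-source join: internal logons by the same user shortly after the suspicious VPN success."""
    out = []
    for a in vpn_alerts:
        followups = sorted({e["host"] for e in dc_events
                            if e["user"] == a["user"] and a["ts"] <= e["ts"] <= a["ts"] + window})
        out.append({**a, "internal_hosts_within_window": followups})
    return out

def run():
    vpn, dc = load(VPN_LOG, "vpn"), load(DC_LOG, "dc")
    return {"correlated": correlate(failed_then_success(vpn), dc),
            "baseline": baseline_deviation(dc, BASELINE)}

if __name__ == "__main__":
    for rule, alerts in run().items():
        for alert in alerts:
            print(rule, alert)
```

On the constructed data, alice trips both rules (four failures then a success, followed by logons to five internal hosts against a baseline of one or two) while bob trips neither, which is the point of correlation: a single failed logon or a single workstation logon is noise on its own, and only the combination across sources and against history stands out.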