In the quest to stay competitive, businesses big and small are digitizing operations, moving assets to the cloud, adopting Internet of Things (IoT) solutions and automating processes. But with every new app or service designed to streamline operations and drive business, an organization’s attack surface expands, giving threat actors more room to wreak havoc.
Protecting an organization against cyber threats has become a daunting task. Cybercrime these days is a business in nearly every sense of the word. The business of cybercrime, like every other business today, is growing in sophistication. The GandCrab ransomware family, for example, rose to prominence in the first half of 2018 thanks to its as-a-service model, recruiting attackers as affiliates in a larger organized cybercrime scheme.
Today, ransomware operators are making millions in the United States, sometimes overnight, as they hack municipal systems across the country. The 2018 Marriott hack that compromised the data of 500 million guests is also a good example of how threat actors can stay undetected for years, exfiltrating data to sell on the dark web. The lodging giant allegedly inherited the problem without knowing it when it bought Starwood Hotels and Resorts, which had been hacked years before the purchase.
Today’s cybercrime operations are sophisticated, leveraging multiple attack vectors – social engineering, fileless malware, zero-day exploits and others – letting threat actors linger in the targeted infrastructure. The cost of cyber-incidents has increased 72 percent over the last five years to an average of $13 million, and the number of breaches has increased 62 percent, according to Accenture’s 2019 Cost of Cybercrime report.
Cybersecurity skills shortage
A security team must have the ability to identify an attack, understand how it happened in real time, predict what is going to happen next and then take the necessary action to contain that attack. At the very least, these teams must make it as difficult and as expensive as possible for their adversaries to move through the attack life cycle and achieve their objectives. Beating skilled adversaries requires highly skilled analysts, and while they are in high demand, we are operating in a period crippled by the global cyber skills shortage.
According to the Information Systems Security Association (ISSA), a community of international cybersecurity professionals, the cybersecurity skills shortage is worsening for the third year in a row and should be cause for concern among business leaders in every geography. The study, released in May this year, found the cybersecurity skills shortage impacts 74 percent of organizations worldwide. Unfortunately, the increasing number of data breaches reported globally per year reflects this sad truth and supports the notion that, right now, the bad guys are winning.
When companies do manage to hire effective security analysts, they are often under-leveraged due to alert fatigue. Even if an organization has invested seriously in security solutions, those tools can be poorly configured and trigger a barrage of false-positive alerts. Security analysts can miss real threats under the burden of so many false alarms.
Building an efficient and effective security operation is not easy. It requires an understanding of the threat landscape, a sound security strategy and the right team to execute it. If IT staff who are already stretched beyond their abilities try to build and run the security program on the side, the chances of success are slim.
And while experienced cybersecurity analysts are difficult to find, expensive to recruit and even harder to retain, that’s not the most difficult part of the problem. Today’s business environments are complex, harnessing hybrid cloud and microservices with cross-platform automation and orchestration to ensure ‘always available’ data. Building a cohesive and effective security operation in these circumstances is complex, and it requires hard-to-find professionals to do the work, as well as the correct combination of process and technology to support them. Analysts must be backed by a thorough understanding of the threat landscape and how it applies to the enterprise they are seeking to defend.
The reality is while customers increasingly recognize the importance of security to their business and the vulnerability of their systems, most lack the resources to mount an operation capable of detecting and responding to sophisticated and commodity threats.
For organizations facing this challenge, the question becomes how to achieve a modern Security Operations Center that offers enough visibility to detect and respond to commodity and advanced attacks without busting the budget. The answer? Outsourcing.
A people solution for a people problem
The number of large, well-resourced companies whose breaches we read about every day, or see on the 6 o’clock news, tells us unequivocally that security is no longer just a technology problem – it’s a people problem too.
Building an effective security operation in today’s threat landscape requires an approach that acknowledges that attacks will happen. Modern operations must bring together people, process and technology, in an operation that assumes attackers have already phished their way onto the network, to proactively hunt them down and then rapidly respond to that attack before significant damage is inflicted. To do so, yesterday’s ‘prevent’ mantra must be replaced with operations that prioritize ‘detect’ and ‘respond.’
Managed Detection & Response
Thousands of tools claim to identify and block cyberattacks, and to a certain extent, this claim is valid. These tools are effective against many thousands of attacks deployed against organizations every day. Some use complex algorithms, innovative machine learning and artificial intelligence; these tools are critical. But sophisticated attackers, with legitimate credentials that have been phished or obtained through some other technique, operate below this threshold.
Proactive analysis, or cyber hunting, extends detection capabilities below this threshold to enable us to seek out and identify sophisticated attackers. Cyber hunting means different things to different people and there are multiple approaches, but the bottom line is, if done correctly, it means using security analysts who are highly trained, up-to-date and well equipped.
Like pretty much everything in the realm of technology today, cybersecurity operations can be outsourced as a service. Outsourcing provides a great solution for budget-strapped businesses that lack a dedicated team of security experts to triage incidents and build a security strategy, or that lack access to tools that provide visibility across all technology assets.
Managed detection and response (MDR) boils down to an elite team of security experts tasked with monitoring environments 24/7 for stealthy and destructive malware, as well as interactive attackers on the network, even those with legitimate credentials (for example, rogue employees). Your MDR team will not simply notify you and recommend appropriate action; it will also respond to the attack by deploying the necessary defenses to protect your infrastructure. MDR also reduces the number of vendors and tools to manage, reducing complexity and optimizing investments while accelerating threat response via an integrated security stack.
MDR operations are designed to allow CSOs and CISOs to sleep better at night and allow the business to focus on its core competencies. If done properly they bring together people, process and technology in an operation that harnesses the critical technological capabilities that are needed to protect businesses: endpoint protection and host visibility, security analytics and network visibility. Actionable reports served up monthly by the MDR vendor also enable chief information security officers to justify security investments in the boardroom.
Best of all, MDR services have already recruited expert analysts, built a complex, forward-thinking operation and aligned it to the threat landscape, an alignment they validate every day, often at scale. With MDR, businesses can focus resources on core, profit-driven operations, while still being protected from the growing number of cyber-attacks.