Despite advancements in security technology and a wide array of preventive measures adopted by companies, we continue to see cyber attacks such as WannaCry, the Mirai botnet and Petya. One reason cyber attacks are difficult to prevent is today’s device-driven ecosystem (mobiles, wearables, Internet of Things): too many interconnected systems, many open platforms, and huge volumes of data being transacted over global networks. Sophisticated malware creators and cyber attackers have a variety of opportunities to penetrate systems. The tried and tested phishing, volumetric DDoS and ransomware attacks continue to flourish. Prevention-focused security programs may have worked earlier, but they are not as effective today. Yet we have seen that much organisational effort and resource allocation goes towards prevention of security incidents, and much less towards detection and response. Malware attacks are a good example of how detection and response become crucial. Hackers are building higher levels of sophistication with each passing day. A few months ago, hackers used an advanced reconnaissance system to target tech domains, including those of Cisco, Microsoft and Google. It shows that even enterprises at the cutting edge of technology, despite taking steps towards prevention, eventually fail to prevent a malware attack, and end up fire-fighting when an incident arises. Without sufficient response and remediation mechanisms, a lot of damage is done, including network crashes, before the situation is brought under control.
At the Gartner Security & Risk Management Summit 2017, analyst Earl Perkins spoke about shifting your security focus to detection, response and remediation. The logic is that those who want to penetrate your IT systems will eventually get through, irrespective of your investments in preventing attacks. The success of your IT security programs does not depend on trying to prevent the attack, but on the ability to predict, detect and respond to attacks on time. So, rather than focusing on building stronger and taller gates, it makes sense to take an outside-in approach to security incident detection and response. Data and analytics are critical components of a predictive and responsive risk mitigation and incident management set-up. Techniques like behavioural analysis of networks, real-time threat monitoring and retrospective tracking of network activity allow IT teams to detect and understand the nature of an attack before it happens.
One of the challenges of creating a highly responsive security management environment is aggregating and analysing network and system information. The process works only if:
Real-time data is available;
Security teams have the right tools and expertise to take timely decisions;
The organisation has a responsive mechanism, including standardised and tested policies to mitigate the risk; and
Security personnel have well-defined run books that state what needs to be done during and after an attack.
CIOs looking to adopt a responsive approach to security management need to consider new managed security offerings, referred to by Gartner as Managed Detection and Response Services (MDRS), which provide powerful analytics, skilled professionals, 24×7 detection and response, and state-of-the-art remediation processes. Gartner projects that 15% of midsize and large organisations are expected to use MDRS, as against 1% at present. Organisations that currently use a managed security service provider would be in a better position to move to MDRS, since they would already have certain standard response and remediation mechanisms in place. In addition, companies that are just starting out with their security infrastructure have a great opportunity to leverage a best-in-class managed security service provider and build even stronger detection and response capabilities at the outset.
Kamat is an Associate Vice President – Product Management & Marketing – Netmagic (An NTT Communications Company)