In emergency medicine, the “Golden Hour” is defined as the first hour after a traumatic injury, when emergency treatment is most likely to be successful. So essentially, it is that critical time that can be the difference between life and death.
I find that the concept applies itself to many other phenomena as well, and the world of IT security is no exception. A new global report on security strategies and response time from Enterprise Strategy Group (ESG) found that security professionals are inundated with security incidents, averaging 78 investigations per organisation in the last year, with 28% of those incidents involving targeted attacks—one of the most dangerous and potentially damaging forms of cyber-attacks.
Cyber-attackers are using a combination of social engineering techniques, publicly available social networking services, and stealthy malware to trick end-users, circumvent security controls, and compromise systems. While these offensive tactics are fairly straightforward, cybersecurity defences remain haphazard at best. Security professionals often have limited knowledge of the latest hacking tactics, techniques, and procedures (TTPs).
Incident detection and response are held back by a series of time-consuming tasks, manual processes, and inefficiencies that elongate response time, leading to damage control and cleanup. Security monitoring tools have limited visibility into users and technologies, while security point tools lack the level of integration needed to coordinate and monitor security defences across the network. Alarmingly, it is an unfair fight in which cybersecurity offence often overwhelms cybersecurity defences. Businesses need to change their security strategies to be able to deal with incidents within the most crucial timeframe after infection, before serious damage can be inflicted, that is, the “golden hour.”
But let me elaborate on each of these factors that are inhibiting this response time:
Integration: The lack of integration and communication between security tools creates bottlenecks and interferes with an organisation’s ability to detect and respond to security threats. The very common patchwork architectures of dozens of individual security products have created numerous silos of tools, consoles, processes and reports that make scoping and taking action far too time-consuming. Compounding the issue is the fact that these architectures are creating ever greater volumes of attack data that drown out relevant indicators of attack.
To counter this, chief information security officers (CISOs) must replace individual security point tools with an integrated security architecture. This strategy works to improve the sharing of attack information and cross-enterprise visibility into user, endpoint, and network behaviour, not to mention more effective, coordinated responses.
Data comprehension: This points directly to data collection from all quarters. While network-related data is well captured by enterprises, data on user behaviour is often missed, signalling an insufficiency of data collection. The security organisation needs more help to contextualise the data in order to understand which behaviour is worrisome.
Analytics: This brings me to the next point, that is, analytics. Organisations need to evolve from simply collecting volumes of security event and threat intelligence data to more effectively making sense of the data and using it to detect and assess incidents. Anchoring a cybersecurity strategy in strong analytics can help move from volume to value. This means collecting, processing, and analysing massive amounts of internal and external data.
Automation: That said, enterprises are often faced with volumes of data to investigate and limited resources and skills to tackle them, pointing to an urgent need for automation tools. Because organisations will always struggle to keep up with the most recent attack techniques, CISOs must commit to more automation, such as advanced malware analytics, intelligent algorithms, machine learning, and the consumption of threat intelligence to compare internal behaviour with indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) used by cyber-adversaries.
Expertise: The security organisation often finds itself lacking knowledge of the threat landscape and security investigation skills, suggesting that even better visibility through technical integration or analytical capabilities will be inadequate if incident response teams cannot make sense of the information they see. I strongly believe, therefore, that as the threat landscape becomes increasingly complex year on year, CISOs should commit to continuous cybersecurity education for themselves and their teams. This should include an annual series of courses that provide individual professionals with more depth of understanding of threats and of best practices for efficient and effective incident response.
In all of this, I think one parting thought should be at the back of all CISOs’ minds. Organisations can largely be bucketed into two categories: those that have been infected and know it, and those that have been infected and don’t know it. While a legacy security architecture may get them to a point where they are able to detect an attack, chances are that a lot has already been compromised. To get to a breach within the “golden hour”, the need of the hour is a much more modernised security architecture.
The writer is managing director—India and SAARC at Intel Security