The security industry has a mindset problem. For years, businesses have operated with the "might" mentality -- that they might get attacked someday, unless they do something to prevent it. The reality, though, is that all organizations, whether they are public, private or non-profit, are being analyzed, tested and exploited by malicious entities constantly. These entities' motivations may differ between industries, but the fact is that someone, somewhere is trying to break in, and the odds are in their favor.
If you acknowledge that you are under attack -- today, right now -- then it becomes possible to shift your mindset towards protecting your organization. Focusing on detection and remediation gives you a better chance of limiting the damage to your business once an incident happens.
However, in order to respond to an incident, you first have to recognize that one has actually occurred. The statistics are still quite troubling in this area, with the majority of breaches being identified by external third parties and not by an organization's internal teams. Verizon's 2017 Data Breach Investigations Report found that 89% of all breaches caused by miscellaneous errors were discovered by external parties -- 76% of which were a customer. This leaves little opportunity to remediate the threat in a meaningful way, i.e. prior to data exfiltration.
Once you understand that (unfortunately) you as an organization are unlikely to identify a certain portion of threats, ensuring that you maximize your detection capabilities is critical. Here are a few ways to do so.
- Reduce false positives. The primary means of maximizing detection capabilities is by reducing false positive alerts coming from your existing security infrastructure. Once the fidelity of alerts viewed by the security operations center (SOC) is acceptable, this is where your incident response plan comes into play.
- Have a plan (any plan!). Having a plan for incident response is crucial. There are multiple frameworks, products and guidelines that can be leveraged for this purpose, so it's important to find the one that makes the most sense for your business. An organization must have a predetermined incident response plan to have any chance of success.
- Practice makes perfect. If you work under the assumption that a breach is imminent, you will be better prepared to react when an incident occurs. Build a red team and test your infrastructure and SOC's response times. The incident response process needs to be a well-oiled machine, and the only way to accomplish that is by conducting hands-on drills.
Of course, this is not to say that prevention should be ignored. There are still necessary tactics that should be put in place to help your organization's overall security, such as limiting access to critical infrastructure -- if someone doesn't need access to "X," they should not have access to "X." This applies to both users and machines -- web server "Y" should not be able to reach database "Z" unless absolutely necessary.
And while investing in quality security products remains important in any enterprise security strategy, they need to be coupled with a security team that knows how to implement these products and get results. These security products are simply tools in a human analyst's security tool belt. Firewalls, intrusion prevention systems, anti-virus solutions, SIEMs and sandboxes all exist to reduce risk and exposure, but at the end of the day, a well-trained analyst is an enterprise's best defense.
Many will argue that subsets of artificial intelligence (AI), such as machine and deep learning, are a bigger key to success than actual employees. However, those of us who are realists understand that while these technologies may be effective in certain, specific use cases today, we are decades away from AI replacing most solutions (and humans) that are employed today.
With your security team -- and ideally, the full organization -- on board with an "imminent breach" mentality, the chances of limiting damage when an attack hits are much higher. By coupling a strong security team with the right tools and processes for when -- not if -- the worst happens, your organization will be in a stronger position to protect itself.
— Craig Dods is the Chief Architect for Security within Juniper Networks' Enterprise Business.