The cyberthreat landscape continues to change at a rapid pace, with attackers finding their way into some of the world’s largest, most well-resourced organizations. It seems nothing can stop the criminals from continually picking the locks.
Even the most advanced approaches and technologies cannot guarantee that a network won’t be compromised. These approaches can deter, but they cannot prevent.
To win, we must adopt a new security paradigm. We must accept that we cannot always prevent an attack — but we can minimize its impact on the business. We must shift our focus from preventing threats to rapidly detecting, analyzing and responding to them.
It’s the new normal.
But this kind of proactive security strategy requires highly skilled analysts, a proven process and best-of-breed technology. As a result, many businesses are turning to managed security service providers (MSSPs), rather than going it alone. With an MSSP, they get the people, process and technology needed to protect their data and their business.
You can learn more about MSSPs in our new ebook, “Managed Security Service Providers For Dummies.” It covers today’s shifting IT landscape, guidance for how to transition from a DIY approach to an MSSP, success stories and more.
The primary focus in a security operations center is the people — the security professionals who know how to detect and respond to threats. They have a deep understanding of what “normal” looks like in the environment they monitor, so they can recognize anomalous activity when it happens, and then quickly contain it and remove the intruder.
Security analysts start their careers reviewing alerts and logs and conducting analyses on their findings. The more protocols, packets and events they handle, the better equipped they will be to identify and understand threats.
Later, they choose one or two specializations and begin mentoring new analysts. They also increasingly participate in shaping the processes within the security operations center — such as creating signatures based on network events or researching the latest tactics, techniques and procedures adversaries are using.
The most senior analysts in the security operations center serve as thought leaders. They focus less on reviewing events and more on mentoring other analysts, training and tackling more-complex forensic investigations. They are responsible for developing and enhancing the operation center’s collection and detection capabilities.
Together, the security operations center team works to stay one step ahead of the criminals. When done well, this cybersecurity strategy makes the adversaries’ work more complex, more expensive and more likely to fail.
Traditional cyberattacks typically relied on a single, file-based technique — a virus, a Trojan, a DDoS flood — and looked much the same wherever they appeared, so a signature written once could catch them broadly. Today’s threats chain several techniques together and increasingly avoid writing anything to disk at all, for example fileless, memory-resident malware that leaves little for file-scanning tools to match.
As attacks become more continuous and varied, it is vital to take a holistic security approach — one that revolves around four stages: deterrence, detection, response and reporting.
The first step involves taking proactive and predictive steps to prepare the battle-space, in anticipation of an attack. This includes understanding the threat landscape, establishing operational plans and procedures and assessing business risk.
Sophisticated attackers know how to get around traditional defense methods. But by employing real-time threat intelligence and proactive cyber hunting, it is possible to maintain awareness of your environment and quickly identify any anomalies.
As soon as a network- or host-level anomaly is detected, it’s time to respond with swift and sure action. This involves triaging and investigating the situation, and executing pre-established and pre-approved cyber response actions to mitigate the threat.
After a security event, stakeholders must be notified promptly. This “flash” report will provide details of the detected activity, including a description of the threat and its severity. Additionally, weekly and monthly reports provide an activity summary and forward-looking intelligence, to help stakeholders make changes to reduce their risk.
Host-based detection tools, network-based detection/prevention tools and analytics are the “triple-stack” toolset needed to support operations center analysts. There are other tools that complement the triple stack, but these three focus areas represent the essential core.
- Host-Based Detection
Host detection is the first essential tool and is typically an agent, with a kernel-level component, that resides on each host. It sends telemetry back to the security operations center, giving visibility into host behavior — process creation, file and registry changes, network connections made by each process — so that analysts can correlate what a host is doing with what the network sees.
- Network-Based Detection and Prevention
At the network level, it’s important to have in-line protection as well as network intrusion detection. In-line protection not only helps prevent an attack, but also provides network information that can help analysts identify changes in network traffic. Network intrusion detection systems attempt to identify malicious action — such as denial of service attacks, port scans and attempts to break into computers — by monitoring network traffic.
- Analytics
To identify breaches as they’re happening, security information and event management (SIEM) systems correlate the information provided by the host- and network-level tools. When correctly configured, tuned and monitored, SIEM software can reduce the time between when the attack occurs and when the operations center responds; left untuned, it buries the signal in alert noise.
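The correlation described above, as an added example that is not part of the original article or of any vendor product: a small SIEM-style rule that joins host telemetry (EDR-style process-creation events) with network sensor alerts on the same host within a short time window, and records how long after the host activity the network sensor fired. The event records, host-to-IP mapping and signature names are constructed samples, not captured data.

```python
"""SIEM-style correlation of host and network telemetry (added example).

Host events and network alerts below are constructed sample data. A host
event is "suspicious" when an Office application spawns PowerShell or when
PowerShell is launched with an encoded command; the rule then looks for a
network-sensor alert from the same host within a time window.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).
HOST_EVENTS = [
    {"ts": "2024-03-01T09:14:02", "host": "ws-17", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A",
     "parent": "WINWORD.EXE"},
    {"ts": "2024-03-01T09:14:20", "host": "ws-17", "type": "net_connect",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "", "parent": "", "dst": "203.0.113.45", "dport": 443},
    {"ts": "2024-03-01T10:02:11", "host": "ws-03", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Service", "parent": "explorer.exe"},
]
NET_ALERTS = [
    {"ts": "2024-03-01T09:14:21", "src": "10.0.5.17", "dst": "203.0.113.45",
     "sig": "SAMPLE MALWARE Suspicious TLS beacon"},
    {"ts": "2024-03-01T11:30:00", "src": "10.0.5.3", "dst": "198.51.100.9",
     "sig": "SAMPLE SCAN Nmap OS detection"},
]
# Hypothetical asset inventory: hostname -> IP seen by the network sensor.
HOST_IPS = {"ws-17": "10.0.5.17", "ws-03": "10.0.5.3"}

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


def parse_ts(s):
    """Timestamps in the sample data are ISO 8601 without a timezone."""
    return datetime.fromisoformat(s)


def is_suspicious_process(ev):
    """Host-side signal: Office spawning PowerShell, or an encoded command."""
    if ev["type"] != "process_create":
        return False
    if not ev["image"].lower().endswith("powershell.exe"):
        return False
    cmd = ev["cmdline"].lower()
    return (ev["parent"].upper() in OFFICE_PARENTS
            or " -enc" in cmd or " -encodedcommand" in cmd)


def correlate(host_events, net_alerts, host_ips, window=timedelta(minutes=5)):
    """Join suspicious host events with network alerts from the same host.

    Returns one incident per (host event, network alert) pair where the alert
    fired within `window` after the host event. `seconds_to_alert` is the gap
    between the host activity and the network sensor noticing it.
    """
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    incidents = []
    for ev in host_events:
        if not is_suspicious_process(ev):
            continue
        t0 = parse_ts(ev["ts"])
        for alert in net_alerts:
            if ip_to_host.get(alert["src"]) != ev["host"]:
                continue
            t1 = parse_ts(alert["ts"])
            if t0 <= t1 <= t0 + window:
                incidents.append({
                    "host": ev["host"],
                    "parent": ev["parent"],
                    "cmdline": ev["cmdline"],
                    "signature": alert["sig"],
                    "dst": alert["dst"],
                    "seconds_to_alert": int((t1 - t0).total_seconds()),
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(HOST_EVENTS, NET_ALERTS, HOST_IPS):
        print(f"[{inc['host']}] {inc['parent']} -> PowerShell; "
              f"NIDS '{inc['signature']}' to {inc['dst']} "
              f"{inc['seconds_to_alert']}s later")
```

The rule deliberately requires both signals: an Office-spawned PowerShell on its own is common enough in some environments to be noise, and a single beacon alert without host context gives the analyst nothing to act on. Joining them on host and time turns two medium-confidence events into one incident with the process, command line and destination already attached, which is the time saving the paragraph above refers to. The window is an assumption to tune per environment.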
Dangerous and sophisticated attacks are a daily challenge for security teams everywhere. But you can strengthen your security posture. By turning to an MSSP, you can take advantage of the people, processes and technology that they have already set in place — for an effective security solution that can respond to the ever-changing security landscape.
Learn more in our new book, “Managed Security Service Providers For Dummies.”