Why the tried and tested prevention approach needs support
As the world increasingly goes digital, attackers are probing new avenues into organisations across every sector, from healthcare to aviation and beyond. With threats evolving rapidly, from ransomware to phishing, relying on prevention alone is no longer a sufficient strategy. The attack on British Airways illustrates this: BA's systems were compromised in 2018 for roughly two months before the intrusion was detected, and customers' personal and payment card data was stolen throughout that period; the ICO's penalty followed in 2020.
Businesses that do not invest in detection cannot establish how and when a breach happened, and IBM's Cost of a Data Breach Report shows they pay the most for it. In the 2020 edition, the average time to identify and contain a breach was 280 days, a staggeringly high figure, and the average cost of a breach was $3.86 million. Nor does it take much for an attack to escalate into a catastrophe: a single email carrying malware can give attackers full control of an environment within a week. For security professionals, a managed detection and response (MDR) strategy provides the tooling and processes to be properly prepared.
Utilising artificial intelligence in MDR
Attackers move quickly, and an MDR strategy lets an organisation respond with similar speed, drastically cutting the cost of dealing with an incident. To understand why MDR is a crucial investment, it helps to look at its key components: processes, technology and people.
At the core of an effective MDR strategy are threat intelligence, threat hunting and penetration testing, together with the deployment and management of security monitoring and incident response. These services map onto the five functions of the NIST Cybersecurity Framework, allowing organisations to identify, protect, detect, respond and recover from cyber threats. Underpinning them is detection and response technology that is increasingly powered by artificial intelligence (AI) and machine learning (ML).
ML, a key part of AI, learns from examples and adapts as new ones arrive, and this applies directly to security. Take a phishing email sent to an organisation by an attacker. Security professionals define the parameters that mark an email as risky, such as failed sender authentication, a reply-to address on a different domain or a link to a look-alike domain; the ML model checks for these giveaways and either blocks the email or allows it through flagged as a potential risk. If a flagged email gets through and is later confirmed to be malicious, that verdict is fed back into the model, so it learns the hallmarks of the campaign and blocks the next wave. The feedback only helps if the labels are trustworthy: verdicts should come from analyst-confirmed incidents rather than from anyone who can click "report", or the loop becomes a way to poison the model.
As experience accumulates, ML-backed tooling can work out how to respond to a new variant of an attack it has already seen. Attackers also use ML in some cases to improve their hit rate, so adopting ML on the defensive side helps an organisation keep pace across the attack vectors an adversary may explore.
AI has a role to play against malware too. In the case of spyware, which logs an employee's activity and information for an attacker's use, AI-backed tooling can recognise the compromise and share its indicators with other devices on the company network, giving visibility of the infection's footprint and limiting further damage by disrupting the current activity and blocking future instances. These technologies undoubtedly underpin an MDR strategy, but that does not make the security professional redundant.
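The block-or-flag decision and the feedback loop described above, as an added example that is not part of the original article or of any vendor's product: a toy phishing triage model in Python. The internal domain acme.example, the sample emails, the analyst-defined checks, the thresholds and the brand token "acme" are all constructed for illustration; the learner is a naive-Bayes-style scorer with Laplace smoothing over the features present in each message.

```python
"""Added example (not from the article): phishing triage with analyst-defined
checks, a naive-Bayes-style learner and an analyst feedback loop.
Every email, domain and rule below is constructed for illustration."""
import math
import re
from collections import Counter
from email.utils import parseaddr

ORG_DOMAIN = "acme.example"                  # assumed internal domain (constructed)
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "password", "expires"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
BLOCK_AT, FLAG_AT = 0.90, 0.50               # policy thresholds chosen by the SOC


def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def extract_features(email):
    """Signals the model reasons over. The named checks are the analyst-defined
    giveaways; the tok:* features let the model pick up new lure wording."""
    h, body = email["headers"], email["body"]
    feats = set()
    sender = h.get("From", "")
    sender_dom, display = domain_of(sender), parseaddr(sender)[0].lower()
    if "acme" in display and sender_dom != ORG_DOMAIN:
        feats.add("display_brand_spoof")    # claims to be us, but not from our domain
    if "fail" in h.get("Authentication-Results", "").lower():
        feats.add("auth_fail")              # SPF/DKIM failure recorded by the MTA
    reply_dom = domain_of(h.get("Reply-To", ""))
    if reply_dom and reply_dom != sender_dom:
        feats.add("replyto_mismatch")
    for host in URL_RE.findall(body):
        host = host.lower()
        if IP_HOST_RE.match(host):
            feats.add("url_ip_literal")
        elif "acme" in host and host != ORG_DOMAIN:
            feats.add("url_lookalike")
    words = re.findall(r"[a-z]+", re.sub(r"https?://\S+", " ", body).lower())
    if sum(w in URGENCY_WORDS for w in words) >= 2:
        feats.add("urgency_high")
    feats.update("tok:" + w for w in words if len(w) > 3)
    return feats


class FeedbackClassifier:
    """Naive-Bayes-style scorer over the features present in an email, with
    Laplace smoothing. learn() is the feedback path: each analyst-confirmed
    verdict updates the counts, so later lures in the same style score higher."""

    def __init__(self):
        self.counts = {"phish": Counter(), "ham": Counter()}
        self.docs = Counter()

    def learn(self, email, label):
        self.counts[label].update(extract_features(email))
        self.docs[label] += 1

    def score(self, email):
        feats, total = extract_features(email), sum(self.docs.values())

        def log_post(label):
            n = self.docs[label]
            lp = math.log((n + 1) / (total + 2))
            return lp + sum(math.log((self.counts[label][f] + 1) / (n + 2)) for f in feats)

        return 1.0 / (1.0 + math.exp(log_post("ham") - log_post("phish")))


def triage(model, email):
    """Map the phishing probability onto the three outcomes: block, flag, allow."""
    p = model.score(email)
    return ("block" if p >= BLOCK_AT else "flag" if p >= FLAG_AT else "allow"), p


def mail(sender, body, auth="spf=pass dkim=pass", reply_to=None):
    h = {"From": sender, "Authentication-Results": auth}
    if reply_to:
        h["Reply-To"] = reply_to
    return {"headers": h, "body": body}


# Constructed training corpus: messages the SOC has already labelled.
TRAINING = [
    (mail("Acme IT Support <helpdesk@acme-it-desk.xyz>", "Urgent: your password expires today. "
          "Verify your account immediately at http://acme-login.xyz/reset", auth="spf=fail"), "phish"),
    (mail("Payroll <payroll@acme.example>", "Your salary payment is suspended. Confirm your bank "
          "details immediately: http://192.0.2.10/payroll", auth="spf=fail",
          reply_to="payroll-update@mail-relay.biz"), "phish"),
    (mail("Acme Helpdesk <noreply@acme-secure-mail.net>", "Your mailbox is almost full. Verify your "
          "password now or the service will be suspended: http://acme-webmail.net/login", auth="dkim=fail"), "phish"),
    (mail("Dana Lee <dana.lee@acme.example>", "Hi team, the slides from this morning's meeting are on the shared drive. Thanks, Dana"), "ham"),
    (mail("Sam Ortiz <sam.ortiz@acme.example>", "Reminder: the quarterly security training is due next Friday. Link is on the intranet. Thanks!"), "ham"),
    (mail("Vendor Billing <billing@supplier.example>", "Please find attached invoice 1042 for last month. Payment terms are 30 days. Regards, Billing"), "ham"),
]

# Constructed test traffic. NOVEL_LURE passes every structural check (attacker-owned
# domain with valid SPF/DKIM), so only the feedback loop can catch its second wave.
OBVIOUS_PHISH = mail("Acme Security <alerts@acme-account-verify.com>", "Urgent: unusual sign-in detected. "
                     "Verify your password immediately: http://acme-account-verify.com/login", auth="spf=fail")
BENIGN = mail("Dana Lee <dana.lee@acme.example>", "Hi all, the notes from today's meeting are attached. Thanks, Dana")
NOVEL_LURE = mail("Finance Portal <no-reply@fin-portal-cloud.com>",
                  "Your Q3 bonus statement is ready. Review it before Friday: http://fin-portal-cloud.com/statement")
NOVEL_LURE_WAVE2 = mail("Finance Portal <no-reply@fin-portal-cloud.com>",
                        "Your Q3 bonus statement is ready. Review it before Monday: http://fin-portal-cloud.com/statement")


def build_model():
    model = FeedbackClassifier()
    for email, label in TRAINING:
        model.learn(email, label)
    return model


def feedback_round():
    """Score the novel lure, feed the analyst's confirmed verdict back, re-score the next wave."""
    model = build_model()
    before = triage(model, NOVEL_LURE)          # flagged, not blocked
    model.learn(NOVEL_LURE, "phish")            # analyst confirms it was malicious
    after = triage(model, NOVEL_LURE_WAVE2)     # same campaign, new wording: now blocked
    return before, after


if __name__ == "__main__":
    m = build_model()
    for name, e in (("obvious", OBVIOUS_PHISH), ("benign", BENIGN)):
        print(name, triage(m, e))
    print("novel lure before/after feedback:", feedback_round())
```

The point of the design is that learn() is only ever called with a label an analyst has confirmed; wiring it to an end-user "report phishing" button would let anyone, including the attacker, steer the model. The structural checks also dominate the token features on purpose, so a lure cannot score as benign merely by copying the wording of normal internal mail.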
Striking the balance with a hybrid security operations centre
Many organisations already use a security operations centre (SOC) to manage their cyber security: a specialist team dedicated to 24/7 continuous protective monitoring. A SOC may be outsourced or in-house, and there are benefits and drawbacks to both. Running a SOC in-house is difficult in terms of the skills and headcount needed, while a completely outsourced SOC may not suit an organisation that wants to develop its existing in-house team.
A hybrid SOC, by contrast, recognises the skills and value of the in-house security team and engineers and blends them with the knowledge and expertise of an external provider. That integration gives access to the people and processes the organisation lacks in-house, such as threat hunting, threat intelligence, machine learning, analytics and developing security content, while freeing in-house security professionals to focus on other projects in the organisation. For the C-suite, it is a way to develop employees, who gain new detection and response skills from the external team, while avoiding the cost of hiring a comprehensive in-house team to tackle emerging threats.
Adopting a modern approach to battle modern threats
The events of the last year, particularly the large-scale shift to remote working and the increased use of cloud-based systems, have unfortunately widened the battlefield for attackers. Now is the time for organisations to fight fire with fire: adopt holistic security stacks powered by AI and ML, and pair them with a hybrid SOC supported by the appropriate external provider. Doing so lets a business benefit fully from an MDR strategy that prioritises detection as much as prevention.