In September, more than 500 million Yahoo! customer accounts were found to have been compromised, marking one of the largest data breaches on record. Astoundingly, the initial infiltration took place in 2014, meaning two years passed before Yahoo! caught wind of the intrusion. What’s more, it took an additional two months for the internet media giant to disclose the breach, and its incident response clearly left much to be desired.
If nothing else, the event serves as an example of how challenging threat detection and response are, even for large companies. In the spirit of NCSAM, let’s look at the top ways to detect and respond to cyberthreats in your organization.
- 24/7/365 real-time monitoring: Cybercrime never sleeps, and neither can your organization’s threat detection strategy. Up-to-the-second visibility into activity on your network is the only way threats can be caught before they cause serious damage. After all, it takes only seconds for many forms of ransomware to start encrypting data once downloaded. It’s vital, then, that your organization has a network monitoring tool or service in place to identify threats the moment they arise.
- Threat analysis: The problem that traditional network monitoring tools such as security information and event management (SIEM) pose is their inability to sift out false positives effectively. To really be able to tell the sheep from the wolves, it’s important to use a combination of analytics and human expertise.
- Automatic alerting: Every organization needs to establish a framework that ensures the appropriate stakeholders are notified immediately when a threat reaches a certain severity or stage of progression. The sooner the right people are notified of an incident, the more swiftly and efficiently they can respond to it.
- Create an incident response plan: Quick thinking is vital in any cyberthreat scenario, but no amount of quick reflexes compares with preparedness. Organizations must assign response roles to department heads, managers and, to an extent, even the lines of business. Each individual in a company needs to know what his or her role is in responding to a cyberthreat, and this demands that they be educated on these protocols ahead of time.
- Remediate the threat: An organization’s first priority should be to contain the current threat. If there has been a data breach, pinpoint the source of exfiltration and plug it. If ransomware or other malware has gotten onto the network, quarantine the affected systems. These responses should not be knee-jerk reactions but rather the application of a premeditated course of action. Just as a slow response can result in greater damage, rash or desperate reactions reduce the likelihood of a swift, smooth remediation.
- Employ damage control: Some threats are nipped in the bud without any casualties. Others, however, will incur damages that need to be addressed right away. It’s important that an organization’s chief information security officer or other predesignated IT manager inform the CEO of any losses. From there, the CEO can update other stakeholders tactfully, in a way that will not incite alarm but will instead quell the most immediate concerns. Doing so successfully requires anticipating what these concerns might be and discussing how they can best be addressed.
Achieving all of the above by relying solely on in-house expertise is much easier said than done, which is why so many mid-market organizations are now turning to managed detection and response (MDR) services. Unlike the SIEM software of old, MDR provides a security operations center that is supported by the knowledge and expertise of dedicated security engineers. These professionals can essentially act as consultants who use a combination of analytics and qualitative cybersecurity assessments to enhance your organization’s overall detection and response strategy, and ultimately cultivate a culture of cybersecurity awareness.