Nowadays, most CISOs readily acknowledge that it's not a matter of “if” they'll be breached, but “when.” In fact, amidst a rapidly shifting threat landscape that is fueled by a burgeoning cyber crime economy, many organizations are asking themselves "Are we already breached and just don't know it?"
The new cyber threat reality is even more concerning when you consider the data showing that most organizations are ill-equipped to recognize the signs of a breach. Verizon's annual "Data Breach Investigations Report" showed that more than 70 percent of reported breaches originally went undetected by the breached organizations, even though evidence of the breaches existed in the log data more than 80 percent of the time. Verizon also reported that more than 75 percent of breaches involved the use of weak or stolen credentials, which means that the breached organizations were unable to recognize the difference between normal activity and the behavior of a “bad actor” pretending to be a trusted employee.
So what's needed to address the new threat reality for most organizations?
It starts by acknowledging that if the bad guys want to get in, they will. A recent Gartner report predicts that “prevention is futile in 2020” and that IT security teams need to focus more on real-time monitoring, detection and response capabilities. In fact, Gartner predicts that 60 percent of enterprise information security budgets will be allocated for rapid detection and response capabilities, up from less than 10 percent in 2013.
Ask yourself if your organization would be alerted if the following scenarios occurred in your enterprise:
- An administrator created a new user account, then escalated the privileges for that account, then tried to use that new account to access confidential information, and then deleted the account.
- Confidential information was being transferred, presumably by a trusted employee, up to a cloud storage provider such as Box.com or Dropbox.
- An employee logged in from their desk at your headquarters then two hours later appeared to be logging in through the VPN from Eastern Europe.
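As an added illustration that is not part of the original article, the following Python shows what alerting on the first and third scenarios can look like when run over constructed sample log events; the event schema, the site coordinates and the 900 km/h travel threshold are assumptions, and the second scenario (cloud upload) is not covered.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
# Constructed sample events (timestamp, actor, action, target, source site); not real log data.
RAW = [
    ("2024-03-01T08:30:00", "alice",   "login",           "workstation",               "HQ"),
    ("2024-03-01T09:00:00", "admin1",  "create_user",     "svc_tmp",                   "HQ"),
    ("2024-03-01T09:04:00", "admin1",  "grant_privilege", "svc_tmp",                   "HQ"),
    ("2024-03-01T09:10:00", "svc_tmp", "read",            "confidential/payroll.xlsx", "HQ"),
    ("2024-03-01T09:15:00", "admin1",  "delete_user",     "svc_tmp",                   "HQ"),
    ("2024-03-01T10:30:00", "alice",   "login",           "vpn",                       "Bucharest"),
]
EVENTS = sorted(({"ts": datetime.fromisoformat(t), "actor": a, "action": x, "target": g, "src": s}
                 for t, a, x, g, s in RAW), key=lambda e: e["ts"])
SITES = {"HQ": (40.71, -74.01), "Bucharest": (44.43, 26.10)}  # assumed lat/lon per site; a real SIEM geolocates IPs
MAX_KMH = 900  # implied travel faster than this between two logins is physically implausible (assumed threshold)

def account_lifecycle_alerts(events, window=timedelta(hours=1)):
    """Scenario 1: create -> grant privilege -> new account reads confidential data -> delete, in order, within window."""
    alerts = []
    for i, c in enumerate(events):
        if c["action"] != "create_user": continue
        acct, stage, deadline = c["target"], 1, c["ts"] + window
        for e in events[i + 1:]:
            if e["ts"] > deadline:
                break
            if stage == 1 and e["action"] == "grant_privilege" and e["target"] == acct:
                stage = 2
            elif stage == 2 and e["actor"] == acct and e["target"].startswith("confidential/"):
                stage = 3
            elif stage == 3 and e["action"] == "delete_user" and e["target"] == acct:
                alerts.append((c["actor"], acct))  # (administrator who ran the sequence, throwaway account)
                break
    return alerts

def km(a, b):  # haversine great-circle distance in km between two (lat, lon) points
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel_alerts(events):
    """Scenario 3: consecutive logins by one user from different sites at an impossible implied speed."""
    last, alerts = {}, []
    for e in events:
        if e["action"] != "login": continue
        prev = last.get(e["actor"])
        if prev and prev["src"] != e["src"]:
            hours = max((e["ts"] - prev["ts"]).total_seconds() / 3600, 1e-9)
            if km(SITES[prev["src"]], SITES[e["src"]]) / hours > MAX_KMH:
                alerts.append((e["actor"], prev["src"], e["src"]))
        last[e["actor"]] = e
    return alerts
```

Both rules depend on the log sources (directory, file access, VPN) landing in one time-ordered store, which is the pervasive visibility the rest of the article argues for.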
As evidenced by many recent high profile breaches, today's most impactful attacks are difficult to detect and often employ customized malware capable of silently bypassing existing security mechanisms. The good news is that evidence of a compromise can be detected early if organizations have deployed a defensive strategy leveraging pervasive visibility and advanced analytics. As attackers, or the malware they have employed, begin to seek out their target, they leave fingerprints as they move within the IT environment. These fingerprints can be found in the log and machine data generated across the whole IT environment; capturing that data everywhere it is produced is what achieves pervasive and continuous visibility. When this visibility is leveraged via machine based analytics, anomalous behavior can be detected, leading to the identification of advanced threats early in their lifecycle and prompting swift and effective responses and countermeasures before data is exfiltrated.
A security intelligence platform that unifies traditionally disparate technologies including SIEM, log management, file integrity monitoring, host forensics and network forensics will position an organization well for the inevitable. If you answered “absolutely” to each of the scenario questions above, congratulations! If you didn't, now is a good time to consider security intelligence.