Most businesses don't understand how to manage risk. In fact, most people don't. Yet, we live in a world full of risks. We generally get more anxious when getting onto an airplane than into a car, even though there is a one in 83 lifetime probability of dying in an auto crash while only one in 5,000 of doing so in an airplane. People also feel safe in their homes, even though that's where most accidents and tragedies actually strike.
Anyone who has taken even a cursory look at risk knows the pattern: people may intellectually accept that a plane trip is safer than a car ride to the local store, but the fact doesn't resonate emotionally with most of them. Because they haven't internalized it, the fear of flying wins.
This same dissonance exists when it comes to managing IT security risks. Why does this matter to security and business managers? Because security budgets and plans today are based more on emotion than fact. Money is poured into things that businesses perceive will provide protection – firewalls, intrusion prevention/detection systems, anti-malware, security information and event management systems – while comparable investments that matter just as much, such as incident response, often go unmade.
As we've seen in the past few years, despite the significant investment in defensive technologies, most systems are still getting breached. According to a Ponemon Research study of 583 U.S. companies, 90 percent of respondents reported being breached in the past year. Also, 50 percent stated that they have little confidence in their firm's ability to fend off future attacks.
Another recent Ponemon Institute study pegged the average time for an organization to resolve a cyber attack at 18 days. That's more than three business weeks.
The facts are clear: breaches are inevitable, and they take too long to resolve. So why the continued focus on defensive technologies when billions have already been spent, well past the point of diminishing returns? And why is investment in incident response at a historic low when it's clear that more intelligent incident response lowers the impact and cost of breaches?
“Most businesses don't understand how to manage risk. Yet we live in a world full of risks.”
– Anthony Di Bello, product marketing manager for Guidance Software
A more data-driven – and more reasonable – approach to data security makes security risks far more manageable. Large organizations already use a security information and event management (SIEM) system to collect and correlate data from their applications, servers, networking equipment and security technologies, giving them visibility into hundreds of thousands of security alerts every day. Yet it remains very difficult to prioritize and respond to the events that matter most.
The good news is that improvements in automating security event response are making companies more agile. Faster response gives security and response teams a better and quicker picture of the situation they're in and the risks they face.
One such improvement is connecting the security event data gathered across the enterprise with what is actually happening on user endpoints, where many breaches originate and where action can be taken quickly. Without visibility into real-time endpoint activity, the probability that a successful attack goes unnoticed increases significantly, and so does enterprise risk.
By integrating the SIEM with endpoint intelligence and forensic tools, the necessary data can be captured on the endpoint itself as soon as possible. For example, if a user who is authorized to access the network attempts to reach applications or resources they are not authorized for, an endpoint agent can be configured to capture the relevant system state at the moment the attempt is made. That gives an accurate view of exactly what was running on the machine when the unauthorized access was attempted.
Additionally, as alerts from security defenses are generated and captured by the SIEM, snapshots can be taken immediately of every host involved in the event. This gives a real-time view of the state of the computer at the time of the alert: known, unknown and hidden processes, the dynamic link libraries they have loaded, and open network sockets.
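As an added example (not code from the article or from Guidance Software), the following Python sketches the correlation step the preceding two paragraphs describe: an IDS alert forwarded by the SIEM carries a connection four-tuple; an endpoint snapshot taken when the alert fired carries the process list, each process's loaded DLLs and the socket table; joining the two answers which process owned the connection, whether its binary runs from an expected path, and whether any socket belongs to a process that is missing from the process list (a hidden process). The alert, snapshot and path baseline are constructed sample data, and their field names are assumptions rather than any product's schema.

```python
"""Correlate a SIEM alert with an endpoint snapshot taken when the alert fired.

All data below is constructed for illustration; the field names are assumptions,
not the schema of any particular SIEM or forensic agent.
"""

# A network IDS alert as the SIEM might forward it (constructed sample).
SIEM_ALERT = {
    "alert_id": "ids-000123",
    "src_ip": "10.0.0.42", "src_port": 49231,
    "dst_ip": "203.0.113.7", "dst_port": 443,
}

# Snapshot of the host named in the alert (constructed sample).
ENDPOINT_SNAPSHOT = {
    "host": "10.0.0.42",
    "logged_on_user": "jdoe",
    "processes": [
        {"pid": 1204, "name": "svchost.exe",
         "path": r"C:\Windows\System32\svchost.exe",
         "dlls": ["ntdll.dll", "kernel32.dll"]},
        {"pid": 3320, "name": "svchost.exe",          # familiar name, wrong directory
         "path": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
         "dlls": ["ntdll.dll", "wininet.dll", "crypt32.dll"]},
        {"pid": 2044, "name": "outlook.exe",
         "path": r"C:\Program Files\Microsoft Office\outlook.exe",
         "dlls": ["ntdll.dll", "mso.dll"]},
    ],
    "sockets": [
        {"pid": 3320, "local_ip": "10.0.0.42", "local_port": 49231,
         "remote_ip": "203.0.113.7", "remote_port": 443, "state": "ESTABLISHED"},
        {"pid": 2044, "local_ip": "10.0.0.42", "local_port": 49102,
         "remote_ip": "192.0.2.10", "remote_port": 443, "state": "ESTABLISHED"},
        {"pid": 6666, "local_ip": "10.0.0.42", "local_port": 49300,  # pid absent from process list
         "remote_ip": "198.51.100.9", "remote_port": 8080, "state": "ESTABLISHED"},
    ],
}

# Where each known executable is expected to live (constructed baseline, lower-cased).
KNOWN_GOOD_PATHS = {
    "svchost.exe": {r"c:\windows\system32\svchost.exe"},
    "outlook.exe": {r"c:\program files\microsoft office\outlook.exe"},
}


def classify_process(proc):
    """'known' if the binary runs from a baselined path, 'masquerading' if a
    baselined name runs from somewhere else, 'unknown' if the name has no baseline."""
    expected = KNOWN_GOOD_PATHS.get(proc["name"].lower())
    if expected is None:
        return "unknown"
    return "known" if proc["path"].lower() in expected else "masquerading"


def correlate(alert, snapshot):
    """Answer who / what / where / how for one alert using the endpoint snapshot."""
    if snapshot["host"] != alert["src_ip"]:
        raise ValueError("snapshot is not from the host named in the alert")

    procs_by_pid = {p["pid"]: p for p in snapshot["processes"]}
    four_tuple = (alert["src_ip"], alert["src_port"], alert["dst_ip"], alert["dst_port"])

    # Which socket (and therefore which pid) matches the connection the IDS saw?
    owner = next((s for s in snapshot["sockets"]
                  if (s["local_ip"], s["local_port"], s["remote_ip"], s["remote_port"]) == four_tuple),
                 None)

    # A socket whose pid has no entry in the process list points at a hidden process.
    hidden_pids = sorted({s["pid"] for s in snapshot["sockets"] if s["pid"] not in procs_by_pid})

    # Every process that is not where the baseline says it should be.
    suspicious = [{"pid": p["pid"], "path": p["path"], "verdict": classify_process(p)}
                  for p in snapshot["processes"] if classify_process(p) != "known"]

    result = {
        "alert_id": alert["alert_id"],
        "who": snapshot["logged_on_user"],
        "where": snapshot["host"],
        "what": None,  # the process behind the alerted connection
        "how": None,   # the evidence: binary path, loaded DLLs, socket state
        "hidden_pids": hidden_pids,
        "suspicious_processes": suspicious,
    }
    if owner is None:
        return result  # connection already closed; hidden/suspicious findings still stand

    proc = procs_by_pid.get(owner["pid"])
    if proc is None:
        result["what"] = {"pid": owner["pid"], "verdict": "hidden"}
    else:
        result["what"] = {"pid": proc["pid"], "name": proc["name"], "verdict": classify_process(proc)}
        result["how"] = {"path": proc["path"], "dlls": proc["dlls"], "socket_state": owner["state"]}
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(SIEM_ALERT, ENDPOINT_SNAPSHOT), indent=2))
```

Matching on the full four-tuple rather than on destination address alone matters: a legitimate process on the same host may be talking to the same remote port, and only the source port ties the IDS observation to one socket and therefore to one pid. A pid that appears in the socket table but not in the process list is exactly the "hidden process" case the paragraph above mentions, and the snapshot catches it only because both tables were collected at the same instant.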
By combining endpoint breach data and forensics with the SIEM in this way, organizations are far less likely to have a breach underway without realizing it. They can quickly identify the breach, determine its scope and potential damage, and stop further damage.
The result? Enterprises can manage their risks better. They'll know the who, what, where and how of a breach, which is what it takes to understand and contain a threat. Rapid access to near-real-time information about attacks in progress takes the emotion out of security and incident response, because administrators have the data they need to respond quickly and effectively. No matter how high the risk levels rise, organizations will find that their risks have become more manageable.