Is Detection the Future of Cybersecurity Planning
Cybersecurity is top of mind for many organizations of all sizes and industries. Given the current risk climate, organizations are realizing they need to continue to change and prioritize their cybersecurity strategy in order to protect their business.
Small businesses, who may have thought themselves safe from large cybersecurity threats are beginning to focus more of their attention on cybersecurity as more data continues to support the notion that they are often targets of cyber criminals. A recent study from IBM noted that small businesses may face disproportionately larger costs relative to larger organizations from a breach. They found that the total cost for the largest organizations (more than 25,000 employees) averaged $5.11 million which is $204 per employee while smaller organizations with between 500 and 1,000 employees had an average cost of $2.65 million or $3,533 per employee. This disparity can make it even more difficult for smaller businesses to recover financially from a breach.
Data breach prevention tactics including anti-virus software, network perimeter security, and end-user training have become a commonplace part of many organization's cybersecurity toolbox. While security perimeter continues to change as smartphones and cloud apps make it easier to share data, collaborate on projects and access anything at anytime and anywhere including sensitive work files, organizations have larger hurdles to jump when protecting their networks.
While using prevention-based tools as mentioned above is an important aspect of any organization's cybersecurity plan shifting to detection based tools is equally as vital. Prevention-based tools simply cannot provide the level of security needed to keep an organization secure. Prevention technology works well but it fails to address what happens beyond the perimeter of your defenses- which is where most modern day cyberattacks originate. It also fails to detect the threats that have successfully penetrated your defenses and are moving laterally through your networks.
Many organizations do not realize that they have been breached until months after the fact, when it is already too late and much of the damage has been done. IBM Security's Recent Cost of Data Breach Report for 2019 found the most cyberattacks sit unrecognized 206 days before being found. They also found that it takes on average 73 days to contain the breach. By this time, most of the damage from the breach has been done. Prevention technology simply cannot stop highly targeted, sophisticated and multi-staged attacks.
Shifting Focus to Detection
Organizations need to rebalance their approach to cybersecurity to one that values both Prevention and Detection, as a perfect prevention system simply does not exist. Organizations should operate under the assumption that it is not a matter of IF their organization's systems will be compromised but a matter of WHEN.
To focus on detection organizations should implement a comprehensive strategy that allows them to better hunt for, identify and ultimately stop abnormal user activity before it leads to internal and external-induced data breaches. One way to do this is by using a SIEM.
Using a SIEM to Detect Abnormal Activity
As Organizations shift to looking at Detection in addition to their Prevention strategies in their cybersecurity plans a SIEM is an important tool to consider. SIEM is an acronym for Security Information and Event Management. SIEM solutions provide a holistic view of what is happening on a network in real-time.
A SIEM works by collecting and reviewing your log files in real time. All of your network devices generate log files when any events or actions occur. If, for example, a new software is installed to your computer and your computer starts talking to another computer in China and a new network process is started, log files are automatically generated. These log files typically just sit on your device and are purged by the device after a period of time. These log files are actually very important in detecting an anomaly on your network if they are monitored. A SIEM does this monitoring for you. Read more about SIEMs and how they can benefit your business here.
As cybersecurity threats continue to evolve and become more complex, organizations must begin to rethink their plans and strategies. While prevention is an important tool, you must also consider how to detect inevitable breaches so that you are prepared to respond rapidly before too much damage is done.