How do you know if you’ve been breached? That is one of the first five questions I ask when consulting a CISO or discussing Security On-Demand services with clients and customers. It’s a simple but important question that is much harder to answer than you might expect, especially if you have a young or immature security program.
Unfortunately, it is not uncommon to hear something like, “Well, we don’t really have a strong process in place, usually it’s when something breaks and someone calls the help desk” or “Well, we have anti-virus and firewalls so those block most things and we do periodic reviews of the logs”. Such strategies are ineffective at identifying most breaches and certainly at minimizing the attacker’s dwell time on your network. A LogRhythm study revealed that, “about four in ten IT decision makers report they lack confidence in their systems and processes to discover all potential breaches.”
Here are 4 Ways to Know if You’ve Been Breached:
- External Breach Notifications (i.e. a fraud department, customer complaints, site/product malfunctions)
- Your Managed Security Service notifies you of anomalous behavior
- Through a log analysis service, you can see unauthorized user behavior, abnormal server behavior, or unapproved data transfers
- Threat Hunting services let you look at your current systems to find the attack.
External Breach Notifications
Too often, companies never discover a data breach on their own; rather, they are informed by an external entity that there is some abnormal activity and they may have been breached. According to the 2017 Verizon Data Breach Investigations Report, the rate of external notification reached 27%, an increase of 25% over the previous year. In fact, I can’t think of a single data breach involving the retail sector in which a point-of-sale credit card data breach was discovered and disclosed by the breached company itself. Of the major credit card breaches that have been disclosed, in nearly every instance the breach was discovered by a financial institution’s fraud department analyzing anomalous credit card activity that all pointed back to a particular company. The institution then informed the company of the potential breach.
External notification is generally an indicator of protracted dwell time. What makes this so scary is how long the attacker has been on the company network by the time the breach is discovered: usually 4-6 months at a minimum. That is a huge amount of time for the hacker to establish persistence and steal not just your credit card data but other sensitive data as well. It is a well-known fact that the longer the dwell time, the bigger the impact on the business. A research report by the Aberdeen Group determined that limiting dwell time to 30 days reduces the impact on the business by 23%. Compressing it even further delivers stronger results: when dwell time is confined to seven days, the impact is reduced by 77%, and taking it down to one day almost eradicates the impact, with a 96% reduction in business impact.
How to Know if You’ve Been Breached
So what can you do instead of just waiting for something to break or for that call from the bank? It all starts with having visibility into what is happening on your network and workstations. This requires collecting and storing log data and employing a security monitoring service that can alert you when suspicious or anomalous activity is occurring. The monitoring is where the organizational challenge lies because, as the Verizon Data Breach Report reveals, the majority of companies (usually more than 70%) suffering a data breach actually had security event log data that would have alerted them to it, if they had just looked at and analyzed the data.
Such a service needs to be more than the basic monitoring provided by a Security Information and Event Management (SIEM) platform. SIEMs do a fine job generating alerts based on indicators, but on their own they are wholly insufficient to catch real threats and full-blown data breaches. To effectively decrease the time to detection and catch the attack before exploitation, you need to employ not just standard detection but a marriage of proactive threat intelligence and advanced behavioral, network, and asset analytics.
How to Use Threat Intelligence in Threat Detection
Threat intelligence provides pre-threat indicators that ensure your security monitoring and detection are tracking the latest threats, monitoring for them, and understanding attacker behaviors before the attack launches. It also provides context that lets your security operations team and analysts more quickly identify threats and understand the criticality of an event, decreasing false positives and increasing the share of real incidents among the alerts you need to address.
Behavioral, network, and asset analytics essentially do proactive hunting through your data logs, looking for behaviors that are either abnormal for your users, network, or computers or that match attacker and malware behaviors. These provide a significant improvement in alert fidelity. A ThreatConnect study found that more than 50% of the 351 organizations surveyed, regardless of platform maturity or size, said the threat intelligence system they had in place prevented phishing attacks (67%), ransomware attacks (58%), breaches of customer data (60%), insider threats (57%), business email compromise (55%), and supply chain attacks (49%).
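As an added illustration (not code from this article or from Security On-Demand), here is a minimal behavioral baseline check of the kind described above: it learns each user's usual hosts, hours and outbound volume from constructed sample logs, then flags recent events that deviate. The log format, field names and the z-score threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
import statistics
# Constructed sample logs (not real data): timestamp user source_host bytes_out
BASELINE_LOGS = """\
2017-03-01T09:12:04 alice ws-alice 1200
2017-03-01T17:40:11 alice ws-alice 3100
2017-03-02T08:55:30 alice ws-alice 900
2017-03-01T09:30:00 bob ws-bob 500
2017-03-02T09:45:00 bob ws-bob 700
"""
RECENT_LOGS = """\
2017-03-10T09:10:00 alice ws-alice 1500
2017-03-10T02:47:13 alice srv-db-02 2100000
2017-03-11T03:05:00 bob ws-finance 400
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, host, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, host, int(nbytes)))
    return events

def build_baseline(events):
    """Per user: hosts seen, hours of day seen, mean and stdev of bytes out."""
    hosts, hours, sizes = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, user, host, nbytes in events:
        hosts[user].add(host)
        hours[user].add(ts.hour)
        sizes[user].append(nbytes)
    return {u: {"hosts": hosts[u], "hours": hours[u], "mean": statistics.mean(sizes[u]),
                "stdev": statistics.pstdev(sizes[u])} for u in sizes}

def find_anomalies(baseline, events, z=3.0):
    # Returns (timestamp, user, reasons) for each event that deviates from the baseline.
    findings = []
    for ts, user, host, nbytes in events:
        b, reasons = baseline.get(user), []
        if b is None:
            reasons.append("user not in baseline")
        else:
            if host not in b["hosts"]:
                reasons.append(f"new host {host}")
            if ts.hour not in b["hours"]:
                reasons.append(f"unusual hour {ts.hour:02d}")
            if b["stdev"] and (nbytes - b["mean"]) / b["stdev"] > z:
                reasons.append("bytes out far above baseline")
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings
```

With these inputs, alice's normal morning event passes, her 2 a.m. transfer from a new host is flagged on all three checks, and bob's off-hours login from an unfamiliar workstation is flagged on two.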
Why Use Managed Threat Detection and Response?
Employing security monitoring and detection is an absolute must to ensure you are providing as secure an enterprise as possible. Without it, you are essentially blind to what is occurring on your network and may never know that a hacker has breached your defenses. For less mature security organizations, this is easier said than done because a lack of cybersecurity talent and data overload make it challenging. Without the internal staffing and expertise to implement and manage threat intelligence and security operations, very few organizations will succeed. Even organizations that have fully mature threat intelligence programs said they don’t have the staff or resources to monitor all the cybersecurity threats they face.
This is where managed security service providers like Security On-Demand can have a big impact and help organizations accelerate their security maturity and mitigate risk at a much lower cost than doing it yourself. With experienced cybersecurity staff, proven threat hunting technologies and effective processes in place, Security On-Demand can answer the question of whether or not you have been hacked.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.