How do I select an attack detection solution for my business?
Around the world, organizations face a tremendous increase in cyber risk. Recent research reveals that 31% of companies now experience a cyberattack at least once a day, a trend that is expected to accelerate as cybercriminals employ AI and automation to increase the sophistication and effectiveness of their attacks.
To select a suitable attack detection solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
David Batty, Principal Engineer, FireEye
When selecting an attack detection solution, no single product will provide the detection required to identify and defend against the current advanced threat landscape. The holistic aspect of defending against threat actors requires technology, expertise, and intelligence.
The technology should be a platform of integrated technologies providing detection at each point of entry that a threat actor may use such as email, endpoint, network, and public cloud. These should not be disparate technologies that don’t work together to holistically defend the organization.
We must use technologies that can scale against threat actors that have a very large number of resources. The technology should also be driven by intelligence cultivated from the frontlines where incident responders have an unmatched advantage. It is also important to remember that post-exploitation, threat actors masquerade as your own employees, making it difficult to know legitimate from non-legitimate activity occurring on the network or your endpoints.
This is where intelligence and expertise are extremely valuable to determine when a threat actor is operating within the organization. Being able to identify the threat actor's “calling card” and potential next moves is paramount. While many solutions will claim they defend against advanced threats, it is important to understand the experience that a vendor has and how that is incorporated into their product offering.
Nick Ellsmore, Global Head of Strategy, Consulting & Professional Services, Trustwave
There are many routes to choose from when considering an attack detection solution to implement – IDS, IPS, EDR, SIEM, UEBA, etc. But the true key to selecting a solution for your organization is understanding the “fit-for-purpose” required. Here is a framework for identifying what purposes your product pick needs to serve:
- Understand data use: You need to consider where and to whom the solution will send an alert once an attack occurs — and what the recipient will do with that information. If your recipient can’t action the alerts, something more hands-off will be a better option.
- Be aware of architecture and use cases: Network-centric solutions are often going to be challenged by the pandemic-era work-from-home model with direct connectivity. If the endpoint is your perimeter, and it probably is, you need endpoint controls.
- Know your enemy: Threat modeling will always help with control selection. It’s important to consider where your attacks are most likely to come from. For example, if insider threats are your main concern, UEBA is going to be a good option; if you’re expecting your web application is the prime target, UEBA won’t help.
- Understand solution coverage scope: If you want to have complete security coverage, you’ll need multiple solutions. To avoid gaps, you’ll need to understand each of the solutions well.
Christopher Fielder, Director of Product Marketing, Arctic Wolf
When choosing a detection product for your organization it’s important to remember that one size rarely fits all. That is why it is so important to understand both your security strengths and weaknesses and find a product that can be tailored to your environment.
Start by considering how well you are staffed. This helps determine whether you are in a position to evaluate and respond to each detection manually, or whether you are willing to trust a product that will take automated action on your behalf.
Beyond this, we recommend choosing a product with a diverse set of detection mechanisms that can be customized and tuned. This will allow you to properly shape the product’s detections to your environment and eliminate being overwhelmed with false positives.
Another key element is to ensure the product is capable of covering your full architecture since holistic visibility is essential. A product that only covers a portion of your operating systems or network segments can lead to missed detections.
Finally, be familiar with how well the product works with your existing technology stack. Choose a product that can integrate with tools you already utilize rather than one that is siloed. This will allow you to use additional sources of telemetry for detections and streamline your investigation process.
Anuj Goel, CEO, Cyware
The amount of threat intelligence that modern organizations receive in a day is overwhelming for a single human or small security team to manage. The key to bolstering your security program is finding a solution that brings together historically siloed security information to empower collaboration around threat response and uses automation to increase security analysts' productivity.
Enterprises should look for a solution that provides:
- A cyber fusion center: many solutions offer SOAR as a disparate, siloed tool. Organizations looking to get the most out of their security solution should choose a vendor that offers end-to-end threat management capability, e.g., case management, SOAR, real-time alerting, in combination with threat intelligence automation, as these tools deliver greater visibility into security operations and allow for information sharing between customers and partners to speed up the threat response process.
- Automation of threat intelligence: as the amount of threat indicators continues to grow, threat intel analysts have become overwhelmed and spend time repeating the same task multiple times. Automation features within a security solution allow teams to reallocate resources to more pressing needs, such as incident response and application security.
- Collaboration tools for threat sharing: collaboration in the cybersecurity community has become a proven strategy for addressing the growing threat of cyber-attacks. Enterprises should choose platforms that create avenues for collaboration and provide end-to-end threat visibility.
Tim Junio, SVP Products, Palo Alto Networks
Security teams need a detection and response platform that eases every stage of security operations, from threat hunting and detection to triage, investigation, and response.
The ideal solution should support capabilities that work in harmony to lower risk and simplify operations:
- Great threat prevention: It must start with rock-solid threat prevention that blocks the 99%+ of attacks that can be blocked automatically. With best-in-class threat prevention, teams can focus on uncovering and stopping stealthy threats rather than chasing opportunistic attacks that have bypassed defenses.
- Comprehensive, rich data: Detecting and investigating threats requires complete visibility across an organization, including all network, endpoint and cloud assets.
- AI and machine learning: To identify unknown threats and keep up with rapidly evolving attack techniques, detection and response platforms must support machine learning and analytics. Machine learning models the unique characteristics of malicious files and baselines the expected user behavior to detect sophisticated attacks.
- Simplified investigations with cross-data insights: To quickly confirm attacks, analysts need actionable alerts with rich investigative details. By stitching together network and endpoint data, they can view the root cause of alerts from any source. Incident management provides a complete picture of an attack, while incident scoring helps analysts focus on the threats that matter.
With these integrated capabilities, organizations can effectively mitigate attacks and keep users and data safe.
Ed Martin, Director of Product Management, Secureworks
Companies of all sizes continue to struggle with detecting and responding to threats as adversaries have adapted their tactics to be more sophisticated, and harder to detect.
Managing the large volumes of data that legacy tools like security information and event management (SIEM) and next-gen SIEM generate can overwhelm teams and potentially limit visibility of advanced threats. According to Enterprise Strategy Group (ESG), 30% of IT/Cybersecurity professionals across multiple industries surveyed feel that these tools are not as effective at identifying unknown threats.
This has led many organizations to consider the role Extended Detection & Response (XDR) can have in accelerating SecOps efficiency and SOC modernization. The idea is that unlike SIEM, which ingests data in large volumes and requires analyst resource hours to identify real threats, XDR can accelerate threat detection by filtering noise to enhance visibility of the threats that matter.
To outpace and outmaneuver adversaries, companies need to look for a cloud-based, scalable solution that looks across the entire ecosystem – cloud, endpoint, and network. Lastly, it is important to find a partner that takes a collaborative approach to cybersecurity. The combination of human intelligence, machine learning, and deep learning algorithms is what is required to stay ahead of new attacks in today’s changing threat landscape.
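Three of the contributors above describe the same mechanics from different angles: Arctic Wolf's point that detections must be tunable so false positives do not swamp the team, Palo Alto Networks' point that stitching endpoint and network data together and scoring incidents lets analysts see root cause and priority, and Secureworks' point that an XDR-style layer should filter noise before an analyst ever looks. The following Python is an added illustration of those ideas, written for this page; it is not code from any of the vendors quoted here. The telemetry records, rule names, weights and the `DEFAULT_TUNING` thresholds and allowlist are all constructed for the example.

```python
"""Added example: per-source detection rules, analyst tunables, and cross-source
incident stitching and scoring. All events and rule weights below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (illustrative, not captured from a real system).
ENDPOINT_EVENTS = [
    {"ts": "2024-03-01T10:00:01", "host": "ws-042", "user": "alice",
     "parent": "WINWORD.EXE", "process": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA..."},
    {"ts": "2024-03-01T10:00:03", "host": "ws-042", "user": "alice",
     "parent": "powershell.exe", "process": "rundll32.exe", "cmdline": "rundll32 ..."},
    {"ts": "2024-03-01T11:15:00", "host": "build-07", "user": "svc_build",
     "parent": "jenkins.exe", "process": "powershell.exe",
     "cmdline": "powershell -File build.ps1"},
]
NETWORK_EVENTS = [
    {"ts": "2024-03-01T10:00:05", "host": "ws-042", "dst": "203.0.113.9", "port": 443, "bytes_out": 51200},
    {"ts": "2024-03-01T11:15:02", "host": "build-07", "dst": "10.0.0.5", "port": 443, "bytes_out": 1024},
]

# Tunables an analyst adjusts for their own environment (assumed values, not vendor defaults).
DEFAULT_TUNING = {
    "window_seconds": 60,                  # alerts on one host within this window are stitched together
    "egress_bytes_threshold": 10_000,      # bytes_out to an external address that counts as suspicious
    "internal_prefixes": ("10.", "192.168."),
    "powershell_parent_allowlist": {"jenkins.exe", "explorer.exe"},  # known-good parents, e.g. CI servers
}
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}


def _alert(event, source, rule, weight):
    return {"ts": datetime.fromisoformat(event["ts"]), "host": event["host"],
            "source": source, "rule": rule, "weight": weight}


def detect_endpoint(events, tuning):
    """Endpoint-layer rules. Each alert carries a weight used later for incident scoring."""
    alerts = []
    for e in events:
        proc, parent = e["process"].lower(), e["parent"].lower()
        if proc == "powershell.exe" and parent.upper() in OFFICE_APPS:
            alerts.append(_alert(e, "endpoint", "office_spawns_powershell", 5))
        if "-enc" in e["cmdline"].lower().split():
            alerts.append(_alert(e, "endpoint", "encoded_powershell", 4))
        # Low-weight, noisy rule: the allowlist is where tuning removes known-good parents.
        if proc == "powershell.exe" and parent not in tuning["powershell_parent_allowlist"]:
            alerts.append(_alert(e, "endpoint", "powershell_unusual_parent", 2))
    return alerts


def detect_network(events, tuning):
    """Network-layer rule: sizeable egress to a non-internal destination."""
    alerts = []
    for e in events:
        internal = e["dst"].startswith(tuning["internal_prefixes"])
        if not internal and e["bytes_out"] >= tuning["egress_bytes_threshold"]:
            alerts.append(_alert(e, "network", "large_external_egress", 3))
    return alerts


def _score(host, alerts):
    sources = {a["source"] for a in alerts}
    score = sum(a["weight"] for a in alerts)
    if len(sources) > 1:  # corroboration from a second data source doubles confidence
        score *= 2
    return {"host": host, "score": score, "sources": sorted(sources),
            "rules": [a["rule"] for a in alerts], "first_alert": alerts[0]["rule"]}


def build_incidents(alerts, tuning):
    """Stitch each host's alerts into incidents by time window, score them, rank highest first."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    window = timedelta(seconds=tuning["window_seconds"])
    incidents = []
    for host, host_alerts in by_host.items():
        current = []
        for a in host_alerts:
            if current and a["ts"] - current[-1]["ts"] > window:
                incidents.append(_score(host, current))
                current = []
            current.append(a)
        if current:
            incidents.append(_score(host, current))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def run(tuning=DEFAULT_TUNING, endpoint_events=ENDPOINT_EVENTS, network_events=NETWORK_EVENTS):
    alerts = detect_endpoint(endpoint_events, tuning) + detect_network(network_events, tuning)
    return build_incidents(alerts, tuning)


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

With the default tuning only the workstation surfaces, as one incident that combines the Office-spawned encoded PowerShell with the external egress a few seconds later, so the analyst sees the chain rather than four separate alerts. Emptying `powershell_parent_allowlist` is the untuned state the Arctic Wolf contributor warns about: the build server's routine CI PowerShell now also produces a low-scoring incident that a staffed team would have to triage. Shrinking `window_seconds` shows the cost of not stitching: the same workstation activity splits into two weaker incidents, and the cross-source corroboration bonus is lost.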
Ahmed Rubaie, CEO, Anomali
Attackers want to disrupt business, access data, and perpetrate fraud. Just knowing what spurs them on is only part of the battle. Effective attack detection solutions must provide multiple capabilities, several of which include:
Visibility. It’s essential to have a comprehensive picture of adversaries operating across all layers of the internet. Solutions should provide a window into the deep and dark web, APT activities, and campaigns run by less sophisticated actors using phishing and other simple techniques.
Detection. It’s critical to know immediately when your organization is being targeted and when attackers have penetrated your environment, as speed and accuracy are crucial when it comes to limiting the costs associated with breaches and attacks.
Integration. Imagine having the most accurate attack detection solution available but no way to respond. Enterprises have an average of 45 security solutions deployed, which include everything from firewalls to email security gateways. With the ability to integrate into existing technologies, your organization can automate response and further reduce the chance of threat actors making their way in.
XDR. At first glance, this may not seem like a “capability.” However, security is about to experience a major movement into Extended Detection and Response (XDR), which will mark a new era in attack detection and response. Any technologies you invest in should recognize this imminent trend.
Tom Van de Wiele, Principal Security Consultant, F-Secure
Selecting an attack detection solution is not a one-size-fits-all process and requires knowledge about your business operations, its dependencies, and your future technical roadmap. That means knowing what to protect and against whom.
The better you understand your own business and what it requires, the more informed your choice can be on where and how a managed attack detection service could be beneficial. The buyer needs to know how and where potential attacks might manifest themselves, and what the business impact would be if attackers were to be successful.
Once established, it needs to be determined what can be done in-house and what the total cost of ownership would be when it comes to the required technology, infrastructure and training, compared to involving a strategic partner or managed service. Attack detection services recruit specialists, and benefit from specific infrastructure and technology choices that might otherwise be too costly.
Hiring a service is only part of the equation and won’t automatically result in being able to better respond to attacks. Ultimately, success will be determined by how your partner integrates into your existing processes – something that requires time and regular attack simulation training. This, along with specific crisis management exercises, will ultimately determine your success in withstanding and responding to real attackers in a timely fashion, limiting the impact and damage.