For two decades, security has evolved around the defensive framework of protecting assets, infrastructure, and information — all of it based on the principles of confidentiality, integrity, and availability. But as IT diversifies and grows increasingly complex, we can no longer afford to base our security on such outdated concepts. More and more, discovery and response are becoming the strategic focal points.
We call this evolution cyber resilience.
Much discussion has centered around cyber warfare (see our World War C report) and advanced targeted attacks. The challenge is twofold: how do I know if I have been targeted, and how do I marginalize the impact? While key national capabilities may help deal with such challenges, they can seem like virtual reality for many national and local agencies.
Among our customer base, we are seeing the harsh reality:
- Between 12 and 18 attacks occur per month per government customer
- These attacks have been targeted and advanced enough to bypass the traditional security controls in place
- The majority of such attacks are aimed at a single organization
We cannot ignore those statistics. Fortunately, perceptions are changing. Security leaders are beginning to realize that breaches are inevitable. To quote a CISO I met recently at the InfoSecurity Leadership Summit: “We should be measured not by the effectiveness of our security, but instead by our effectiveness to respond to incidents.” In other words, managing the business impact of cyber attacks hinges on organizations’ ability to discover and respond to security incidents.
A financial services group recently stated that completing an initial analysis of potential threat indicators takes seven hours on average. Investing that much analyst time in each potential attack is both costly and slow. Old-school manual analysis can’t scale.
The upcoming EU Cyber Security Directive (also known as the Network and Information Security Directive) is well-aligned with this shift toward cyber resilience. The directive will require organizations — including any related to critical national infrastructure and many Internet services in the EU — to identify and qualify incidents in a timely fashion. The directive also could penalize organizations for avoidable breaches. The change highlights the necessity of discovering and qualifying incidents in a timely manner, as well as taking the correct steps to respond.
Amid a sea of data, many organizations struggle with incident discovery. This information overload is bound to increase. Today’s SIEM tools report millions of potential security events, and analyzing them is both slow and expensive. At the same time, companies’ response strategies are mixed: some don’t have one, some have one documented, and many have never tested theirs.
To evolve beyond cyber defense to cyber resilience, we must realize that targeted attacks are mushrooming. If an attacker takes the time to personalize the attack, the goal is to access information and assets that are specific to that organization. The impact of such an attack is far greater than that of a generic attack aimed at generic resources or information.
If we accept that an attack is designed to hit a specific organization, then each organization must mature its own discovery capabilities. We cannot wait 243 days, the median lag today, to recognize an advanced targeted attack.¹ We must discover attacks within hours, if not minutes.
We also must marginalize the business impact. That effort involves not just containing the attack, but completing forensics to understand the scope. This effort includes finding out:
- Exactly what it reached in your infrastructure and information systems, and where
- What the attacker actually did
- What the attacker wanted
This evolution requires very different tools and skills than those used in traditional threat blocking. Each organization must decide whether to develop its own security operations center and incident response capabilities or to leverage external services.